crypto: added PowerPoint transparent password '/01Hannes Ruescher/01', fixes #627

decalage2
1 parent 461d78ed
Showing 2 changed files with 19 additions and 9 deletions
oletools/crypto.py
setup.py
@@ -64,7 +64,7 @@ http://www.decalage.info/python/oletools
 # === LICENSE =================================================================
-# crypto is copyright (c) 2014-2019 Philippe Lagadec (http://www.decalage.info)
+# crypto is copyright (c) 2014-2021 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -93,8 +93,10 @@ http://www.decalage.info/python/oletools
 # 2019-02-14 v0.01 CH: - first version with encryption check from oleid
 # 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole
 # 2019-05-23       PL: - added DEFAULT_PASSWORDS list
+# 2021-05-22 v0.60 PL: - added PowerPoint transparent password
+#                        '/01Hannes Ruescher/01' (issue #627)
-__version__ = '0.55'
+__version__ = '0.60.dev2'
 import sys
 import struct
@@ -309,12 +311,20 @@ def _is_encrypted_ole(ole):
     return False
-#: one way to achieve "write protection" in office files is to encrypt the file
+#: one way to achieve "write protection" in Excel files is to encrypt the file
 #: using this password
-WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop'
+# ref: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/6b4a08cb-195a-442e-b31c-7c94624a8c29#Appendix_A_25
+# ref: https://twitter.com/BouncyHat/status/1308897568773083138
+EXCEL_TRANSPARENT_PASSWORD = 'VelvetSweatshop'
+
+# PowerPoint password which is transparent for the user:
+# ref: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/57fc02f0-c1de-4fc6-908f-d146104662f5
+# ref: https://twitter.com/BouncyHat/status/1308897932389896192
+POWERPOINT_TRANSPARENT_PASSWORD = '/01Hannes Ruescher/01'
 #: list of common passwords to be tried by default, used by malware
-DEFAULT_PASSWORDS = [WRITE_PROTECT_ENCRYPTION_PASSWORD, '123', '1234', '12345', '123456', '4321']
+DEFAULT_PASSWORDS = [EXCEL_TRANSPARENT_PASSWORD, POWERPOINT_TRANSPARENT_PASSWORD,
+                     '123', '1234', '12345', '123456', '4321']
 def _check_msoffcrypto():
@@ -33,6 +33,7 @@ to install this package.
 # 2019-05-23 v0.55 PL: - added pcodedmp as dependency
 # 2019-09-24       PL: - removed oletools.thirdparty.DridexUrlDecoder
 # 2019-11-10       PL: - changed pyparsing from 2.2.0 to 2.1.0 for issue #481
+# 2021-05-22 v0.60 PL: - entry points: added ftguess, removed olevba3/mraptor3
 #--- TODO ---------------------------------------------------------------------
@@ -52,7 +53,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name         = "oletools"
-version      = '0.56.2'
+version      = '0.60.dev2'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"
@@ -268,8 +269,9 @@ package_data={
 entry_points = {
     'console_scripts': [
         'ezhexviewer=oletools.ezhexviewer:main',
+        'ftguess=oletools.ftguess:main',
         'mraptor=oletools.mraptor:main',
-        'mraptor3=oletools.mraptor3:main',
+        'msodde=oletools.msodde:main',
         'olebrowse=oletools.olebrowse:main',
         'oledir=oletools.oledir:main',
         'oleid=oletools.oleid:main',
@@ -277,11 +279,9 @@ entry_points = {
         'olemeta=oletools.olemeta:main',
         'oletimes=oletools.oletimes:main',
         'olevba=oletools.olevba:main',
-        'olevba3=oletools.olevba3:main',
         'pyxswf=oletools.pyxswf:main',
         'rtfobj=oletools.rtfobj:main',
         'oleobj=oletools.oleobj:main',
-        'msodde=oletools.msodde:main',
         'olefile=olefile.olefile:main',
     ],
 }