From ab6a1e759d2d961be8cb126ec46999badc1168a7 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Thu, 16 Mar 2017 22:16:50 +0100
Subject: [PATCH] olevba: fixed issue #149 for option --reveal (keep parentheses around VBA expressions)
---
 oletools/olevba.py | 12 ++++++++++--
 setup.py | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index ad46525..789c995 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -191,7 +191,7 @@ from __future__ import print_function
 # 2017-02-07 PL: - temporary fix for issue #132
 # - added keywords for Mac-specific macros (issue #130)
 # 2017-03-08 PL: - fixed absolute imports
-# 2017-03-16 PL: - fixed issue #148 for option --reveal
+# 2017-03-16 PL: - fixed issues #148 and #149 for option --reveal

 __version__ = '0.51dev3'

@@ -2841,13 +2841,21 @@ class VBA_Parser(object):
 # normally now self.vba_code_all_modules contains source code from all modules
 # Need to collapse long lines:
 deobf_code = vba_collapse_long_lines(self.vba_code_all_modules)
+ deobf_code = filter_vba(deobf_code)
 for kw_type, decoded, encoded in analysis:
 if kw_type == 'VBA string':
 #print '%3d occurences: %r => %r' % (deobf_code.count(encoded), encoded, decoded)
 # need to add double quotes around the decoded strings
 # after escaping double-quotes as double-double-quotes for VBA:
 decoded = decoded.replace('"', '""')
- deobf_code = deobf_code.replace(encoded, '"%s"' % decoded)
+ decoded = '"%s"' % decoded
+ # if the encoded string is enclosed in parentheses,
+ # keep them in the decoded version:
+ if encoded.startswith('(') and encoded.endswith(')'):
+ decoded = '(%s)' % decoded
+ deobf_code = deobf_code.replace(encoded, decoded)
+ # # TODO: there is a bug somewhere which creates double returns '\r\r'
+ # deobf_code = deobf_code.replace('\r\r', '\r')
 return deobf_code

 #TODO: repasser l'analyse plusieurs fois si des chaines hex ou base64 sont revelees
diff --git a/setup.py b/setup.py
index 8051207..8c6dba2 100644 
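Review bot: The new check `if encoded.startswith('(') and encoded.endswith(')'):` assumes the first and last characters are a matching pair without verifying it, so an expression like `(a) & (b)` (constructed example) is wrapped as well; because the whole `encoded` match is replaced, the result is still a valid literal, but the assumption deserves a comment such as `# heuristic: assumes the outer parentheses match; a non-matching pair only adds a redundant wrapper`. The two added lines starting `# # TODO: there is a bug somewhere which creates double returns` leave a disabled workaround as commented-out code; keep only the TODO text and point it at a tracking issue so the `'\r\r'` replacement is not silently re-enabled later. The enclosing method begins before the hunk, so whether `analysis` was produced from the same filtered code that `filter_vba(deobf_code)` now yields cannot be confirmed here; if not, some `encoded` strings may no longer match and will be left un-revealed.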
--- a/setup.py
+++ b/setup.py
@@ -41,7 +41,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------

 name = "oletools"
-version = '0.51dev2'
+version = '0.51dev3'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
-- 
libgit2 0.21.4