From afeead80c7efab197c82f40461c4e7c014fd2478 Mon Sep 17 00:00:00 2001
From: decalage2 <decalage@laposte.net>
Date: Mon, 7 Oct 2019 22:32:57 +0200
Subject: [PATCH] olevba: added a workaround in detect_vba_stomping to fix #489

---
 oletools/olevba.py | 3 +++
 1 file changed, 3 insertions(+), 0 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index 941d4a0..c088891 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -3557,6 +3557,9 @@ class VBA_Parser(object):
                     #     funcdefn = args.strip('()')
                     #     keywords.add(funcdefn)
                     if mnemonic in ('ArgsCall', 'ArgsLd', 'St', 'Ld', 'MemSt', 'Label'):
+                        # sometimes ArgsCall is followed by "(Call)", if so we remove it (issue #489)
+                        if args.startswith('(Call) '):
+                            args = args[7:]
                         # add 1st argument:
                         name = args.split(None, 1)[0]
                         # sometimes pcodedmp reports names like "id_FFFF", which are not
--
libgit2 0.21.4