From d02c84562f0273643a123cd6e94aa4c084cd0b64 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Tue, 1 Nov 2016 16:53:15 +0100
Subject: [PATCH] pyxswf, xxxswf: fixed to run on Python 2+3 (issue #62)

---
 oletools/pyxswf.py | 11 +++++++----
 oletools/thirdparty/xxxswf/xxxswf.py | 28 +++++++++++++++-------------
 2 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/oletools/pyxswf.py b/oletools/pyxswf.py
index 50fc0c4..00a974e 100755
--- a/oletools/pyxswf.py
+++ b/oletools/pyxswf.py
@@ -56,11 +56,13 @@ http://www.decalage.info/python/oletools
 # - improved usage display with -h
 # 2016-09-06 v0.50 PL: - updated to match the rtfobj API
 # 2016-10-25 PL: - fixed print for Python 3
+# 2016-11-01 PL: - replaced StringIO by BytesIO for Python 3

 __version__ = '0.50'

 #------------------------------------------------------------------------------
 # TODO:
+# + update xxxswf to latest version
 # + add support for LZMA-compressed flash files (ZWS header)
 # references: http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html
 # http://code.metager.de/source/xref/adobe/flash/crossbridge/tools/swf-info.py
@@ -72,7 +74,8 @@ __version__ = '0.50'

 #=== IMPORTS =================================================================

-import optparse, sys, os, rtfobj, StringIO
+import optparse, sys, os, rtfobj
+from io import BytesIO
 from thirdparty.xxxswf import xxxswf
 import thirdparty.olefile as olefile

@@ -122,7 +125,7 @@ def main():
 f = ole._open(direntry.isectStart, direntry.size)
 # check if data contains the SWF magic: FWS or CWS
 data = f.getvalue()
- if 'FWS' in data or 'CWS' in data:
+ if b'FWS' in data or b'CWS' in data:
 print('OLE stream: %s' % repr(direntry.name))
 # call xxxswf to scan or extract Flash files:
 xxxswf.disneyland(f, direntry.name, options)
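Review bot: The new import line `import optparse, sys, os, rtfobj` in the @@ -72 hunk (together with the untouched `from thirdparty.xxxswf import xxxswf` two lines below it) still uses implicit relative imports, which Python 3 no longer resolves: `rtfobj` and `thirdparty` are found only when `oletools/` itself is on `sys.path`, so the module presumably still works when run as a script from that directory but `import oletools.pyxswf` would fail on Python 3 with ModuleNotFoundError. If the package form is meant to be supported, the usual fix is the package-qualified spelling (`from oletools import rtfobj` / `from oletools.thirdparty.xxxswf import xxxswf`), possibly behind a try/except ImportError fallback for script use; I cannot see from the hunk how the project expects to be invoked, so treat this as something to confirm. As a smaller point of style, PEP 8 asks for one module per import line, which the rewritten line could adopt since it is being touched anyway.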
@@ -133,9 +136,9 @@ def main():
 elif options.rtf:
 for filename in args:
 for index, orig_len, data in rtfobj.rtf_iter_objects(filename):
- if 'FWS' in data or 'CWS' in data:
+ if b'FWS' in data or b'CWS' in data:
 print('RTF embedded object size %d at index %08X' % (len(data), index))
- f = StringIO.StringIO(data)
+ f = BytesIO(data)
 name = 'RTF_embedded_object_%08X' % index
 # call xxxswf to scan or extract Flash files:
 xxxswf.disneyland(f, name, options)
diff --git a/oletools/thirdparty/xxxswf/xxxswf.py b/oletools/thirdparty/xxxswf/xxxswf.py
index 1f95659..12bb152 100644
--- a/oletools/thirdparty/xxxswf/xxxswf.py
+++ b/oletools/thirdparty/xxxswf/xxxswf.py
@@ -5,6 +5,8 @@
 # - Tag Parser
 # - ActionScript Decompiler

+# 2016-11-01 PL: - A few changes for Python 2+3 compatibility
+
 import fnmatch
 import hashlib
 import imp
@@ -14,7 +16,7 @@ import re
 import struct
 import sys
 import time
-from StringIO import StringIO
+from io import BytesIO
 from optparse import OptionParser
 import zlib

@@ -63,14 +65,14 @@ def yaraScan(d):
 def findSWF(d):
 # d = buffer of the read file
 # Search for SWF Header Sigs in files
- return [tmp.start() for tmp in re.finditer('CWS|FWS', d.read())]
+ return [tmp.start() for tmp in re.finditer(b'CWS|FWS', d.read())]

 def hashBuff(d):
 # d = buffer of the read file
 # This function hashes the buffer
 # source: http://stackoverflow.com/q/5853830
 if type(d) is str:
- d = StringIO(d)
+ d = BytesIO(d)
 md5 = hashlib.md5()
 while True:
 data = d.read(128)
@@ -99,16 +101,16 @@ def verifySWF(f,addr):
 print(' - [ERROR] Invalid SWF Size')
 return None
 if type(t) is str:
- f = StringIO(t)
+ f = BytesIO(t)
 # Error check for version above 20
 if ver > 20:
 print(' - [ERROR] Invalid SWF Version')
 return None

- if 'CWS' in header:
+ if b'CWS' in header:
 try:
 f.read(3)
- tmp = 'FWS' + f.read(5) + zlib.decompress(f.read())
+ tmp = b'FWS' + f.read(5) + zlib.decompress(f.read())
 print(' - CWS Header')
 return tmp
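Review bot: In hashBuff (the @@ -63 hunk) the guard `if type(d) is str:` in front of the new `d = BytesIO(d)` is still the Python 2 test, so on Python 3 a `str` argument now raises TypeError inside BytesIO, and a `bytes` buffer skips the wrap entirely and then fails at `d.read(128)` because bytes has no read method. `if isinstance(d, bytes):` keeps the Python 2 behaviour (where `bytes` is `str`) and does the right thing on Python 3. The same `type(...) is str` guard precedes the BytesIO wrapping in the @@ -99 hunk (verifySWF, `f = BytesIO(t)`) and the @@ -144 hunk (headerInfo, `f = BytesIO(f)`), and would need the same change. hashBuff's body continues past the end of the hunk.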
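Review bot: The rewritten line `tmp = b'FWS' + f.read(5) + zlib.decompress(f.read())` in the @@ -99 hunk inflates the rest of the stream with no output limit, even though verifySWF already holds a declared length in `size` (the value checked for 'Invalid SWF Size' above and used by the FWS branch as `f.read(size)`), which is presumably the uncompressed length from the header. Since the input is an untrusted sample, a crafted CWS blob can expand far beyond what its header declares and exhaust memory in the scanner. `tmp = b'FWS' + f.read(5) + zlib.decompressobj().decompress(f.read(), size)` caps the inflated output at the declared size and behaves the same as before for well-formed files; a file that needs the cap is by definition inconsistent with its own header and could be reported like the other header errors. verifySWF starts before and ends after this hunk.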
@@ -117,7 +119,7 @@ def verifySWF(f,addr):
 print('- [ERROR]: Zlib decompression error. Invalid CWS SWF')
 return None

- elif 'FWS' in header:
+ elif b'FWS' in header:
 try:
 tmp = f.read(size)
 print(' - FWS Header')
@@ -144,20 +146,20 @@ def headerInfo(f):
 # [HEADER] Movie width: 217.00
 # [HEADER] Movie height: 85.00
 if type(f) is str:
- f = StringIO(f)
+ f = BytesIO(f)
 sig = f.read(3)
 print('\t[HEADER] File header: %s' % sig)
- if 'C' in sig:
+ if b'C' in sig:
 print('\t[HEADER] File is zlib compressed.')
 version = struct.unpack('