DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Fixed bug in unwrapping of string #109

Open cccs-ay opened 2 years ago

cccs-ay commented 2 years ago

For an example of the previous bad behavior, see sample 7a99e0ff0d7f0951c53a21dfabc03fb9e06d1c585de62cc71d962c1c4dde4190

The bug pertains to the unwrapping of strings. A string that should not have been unwrapped was stripped of its quotes, leading to this situation:

Correct evaluation: =IF(MFCO5<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0, (...)

Evaluation prior to fix: =IF(MFCO5<0, CALL("urlmon","URLDownloadToFileA,"JJCCBB,0," (...)

because the string ","JJCCBB" was being stripped to "JJCCBB

This caused an error in the parsing of the formula, crashing the program.

To fix it, I have changed the unwrapping function to avoid unwrapping when the count of quotes is uneven
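An added sketch of quote-aware unwrapping, not part of the PR or the project's code: it keeps the odd-quote-count check described in the comment above and goes one step further by refusing to unwrap any fragment that is not exactly one Excel string literal. The function name `unwrap_string_literal` and the sample tokens are hypothetical and constructed for illustration.

```python
def unwrap_string_literal(token: str) -> str:
    """Return the value of `token` if it is exactly one Excel string literal.

    Anything else (several literals joined by commas, an unbalanced
    fragment, a bare number) is returned unchanged, quotes included.
    """
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        return token
    # The check described in the PR comment: an odd number of quotes
    # means the fragment is not a balanced literal, so leave it alone.
    if token.count('"') % 2:
        return token
    body = token[1:-1]
    out = []
    i = 0
    while i < len(body):
        if body[i] == '"':
            # Inside an Excel literal a quote is written doubled ("" -> ").
            if i + 1 < len(body) and body[i + 1] == '"':
                out.append('"')
                i += 2
                continue
            # A lone quote closes the literal early: `token` spans more
            # than one literal, so stripping the outer quotes would
            # corrupt the formula.
            return token
        out.append(body[i])
        i += 1
    return "".join(out)


# Constructed sample tokens (not taken from the referenced sample).
SAMPLES = ['"urlmon"', '","JJCCBB"', '"a","b', '"say ""hi"""', '0']

if __name__ == "__main__":
    for tok in SAMPLES:
        print(f"{tok!r:>18} -> {unwrap_string_literal(tok)!r}")
```
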

DissectMalware commented 2 years ago

I will check the PR soon, sorry for the late response