e62a14dafc
Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index.

All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
23 lines
901 B
Markdown
# Full Office Macro Decode Chain
> Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode
**Tools:** [[tools/oledump-py|oledump-py]], [[tools/base64dump-py|base64dump-py]], [[tools/gunzip|gunzip]], [[tools/translate-py|translate-py]], [[tools/scdbgc|scdbgc]]
**FOR610 Lab:** 3.4
## Commands
```bash
# Step 1: List streams and extract VBA
oledump.py <document>
oledump.py <document> -s <macro_stream> -v
# Step 2: Extract Base64 from data stream
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
# Step 3: Decode second Base64 layer + decompress
base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
# Step 4: XOR decode the shellcode
base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
# Step 5: Emulate the shellcode
scdbgc /f shellcode.bin /s -1
```
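The unwrap performed by steps 3 and 4 above (Base64 → gunzip → Base64 → XOR 35), reimplemented in plain Python as an added example; it is not part of this wiki page and does not call the Didier Stevens tools. Assumptions: each stage's payload is the largest Base64 run in that stage (base64dump.py's numbered `-s` selection is not reproduced), and the fixture it decodes is a constructed marker string standing in for shellcode.bin, not real malware.

```python
import base64
import gzip
import re

# Base64 runs of at least 16 characters, optionally padded. This mirrors the
# way base64dump.py hunts for Base64 strings inside a text blob.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_blobs(data: bytes) -> list[bytes]:
    """All Base64-looking runs in order of appearance (base64dump.py's numbering)."""
    return [m.group(0) for m in B64_RE.finditer(data)]


def largest_blob(data: bytes) -> bytes:
    """Pick the longest run; the payload is normally the biggest blob in a stage."""
    blobs = find_base64_blobs(data)
    if not blobs:
        raise ValueError("no Base64 blob found in this stage")
    return max(blobs, key=len)


def b64decode_lenient(blob: bytes) -> bytes:
    """Decode while tolerating stripped '=' padding."""
    return base64.b64decode(blob + b"=" * (-len(blob) % 4))


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same transform as translate.py 'byte ^ 35'."""
    return bytes(b ^ key for b in data)


def decode_chain(stage1: bytes, xor_key: int = 35) -> bytes:
    """Unwrap stage1.ps1 text the way steps 3 and 4 of the recipe do."""
    stage2 = gzip.decompress(b64decode_lenient(largest_blob(stage1)))   # step 3
    return xor_bytes(b64decode_lenient(largest_blob(stage2)), xor_key)  # step 4


def build_sample(payload: bytes, xor_key: int = 35) -> bytes:
    """Constructed fixture (not real malware) layered the way the recipe unwraps."""
    stage2 = b"$enc = '" + base64.b64encode(xor_bytes(payload, xor_key)) + b"'\n"
    stage1 = b"$gz = '" + base64.b64encode(gzip.compress(stage2, mtime=0)) + b"'\n"
    return stage1


if __name__ == "__main__":
    marker = b"CONSTRUCTED-PAYLOAD-MARKER"  # stands in for shellcode.bin
    recovered = decode_chain(build_sample(marker))
    print(recovered == marker, recovered)
```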
#recipe #oledump-py #base64dump-py #gunzip #translate-py #scdbgc