p-Code dissasembler

Hi,

After a recently ransomware attack I'm a bit paranoic, and discovering about the "VBA stomp" got me a bit concerned about how I've got compromised. I'm trying to translate the Vesselin Bontchev's VBA p-code disassembler
more specifically, the pcodedmp.py python file, which is slightly below 1300 lines of python code.

In order to be a bit more usable it should be converted to a more readable format, so it's convenient to use Nicolas Zilio's pcode2code, but this is another topic.

Both files URI (Bontchev's and Zilio's) are referred in the BAS file inside the attachment if anybody want to get the original python files.

The thing is that I'm not a Python user, and although all the code seems easy to be ported, there are some caveats for me to get completed, because of language specific functions and external modules. It's something I'll not easy find on a Beginners Python tutorial.

That's why I'm asking for some help. I not asking for someone to translate all the code for me (although any help is always wellcome ). Else any revision of the code is appreciated.

I've just started some hours ago with this, so it's in early stages. After prettifying the thing, getting the ":" substitution for the "Then", and closing IfThen-EndIf, For-Next, While-Loop, and getting some UDT and declaring some variables (that could change as I get more confidence about what the file does). I must get rid of the String format warnings, but that's for sure easy to accomplish. I upload the module as it's just now.

The main procedure is at the end, mainDecode, that must open an output file. I could not see where does it open any BIN or OLE file but I'm very new with the code.

The point is that taking a quick look, these following procedures could drive me nuts, I've moved them to the top of the module, just to have them at firsthand:

Please Login or Register  to view this content.

Any help translating them is really appreciated.

Best regards

The unpack_from python function is a VBA template implementation for the "from struct import unpack_from"

Some more working on this:
The hexdump function is kinda like a Hexadecimal viewer in strings, so get something close to:
Still not working, but we are on the way... just need to rip buffer of bytes from the source file with Open FilePathName Binary Input #iFileInput and we are to go

Please Login or Register  to view this content.

As per the decode... it looks like it's a StrConv or similar function, so supposing we have a FromUnicode conversion and Latin1 ~ 1142 then could be somthing like this (still not working, even not tried to debug):

Please Login or Register  to view this content.

Hi
I've only just found out about the script and I, like you, am feeling slightly paranoid about pCode. Do you still need help porting this? Happy to help out if I can.

I have not yet finished the translation, although I went a lot far from the code posted. Have some other VBA projects right now with a deadline, so I'll try to come back here anytime soon when less of a rush.

OK, well let me know. Happy to help out if I can. I have a number of VBA projects on the go, but they're all hobby projects, so no deadline as such! I'll take a look at what you've posted here in the meantime. Sorry for not responding sooner, I didn't get a notification to say that you had replied.

Hi - how is it going? I just randomly remembered that you were working on this. Hope things have calmed down for you. :-)