/// <summary>
/// Deobfuscate a legacy XLS document to enable simpler analysis.
/// </summary>
/// <param name="path">Path to the XLS file to deobfuscate</param>
/// <param name="neuterFile">Flag to insert a HALT() expression into all Auto_Open start locations. NOT IMPLEMENTED</param>
/// <param name="outputFileName">The output filename used for the generated document. Defaults to deobfuscated.xls</param>
public static void Deobfuscate(FileInfo path, bool neuterFile = false, string outputFileName = "deobfuscated.xls")
{
if (path == null)
{
Console.WriteLine("path argument must be specified in Deobfuscate mode. Run deobfuscate -h for usage instructions.");
return;
}
if (path.Exists == false)
{
Console.WriteLine("path file does not exist.");
return;
}
if (neuterFile)
{
throw new NotImplementedException("XLS Neutering Not Implemented Yet");
}
WorkbookStream wbs = new WorkbookStream(path.FullName);
WorkbookEditor wbEditor = new WorkbookEditor(wbs);
wbEditor.NormalizeAutoOpenLabels();
wbEditor.UnhideSheets();
ExcelDocWriter writer = new ExcelDocWriter();
string outputPath = AssemblyDirectory + Path.DirectorySeparatorChar + outputFileName;
Console.WriteLine("Writing deobfuscated document to {0}", outputPath);
writer.WriteDocument(outputPath, wbEditor.WbStream);
}
/// <summary>
/// Deobfuscate a legacy XLS document to enable simpler analysis.
/// </summary>
/// <param name="path">Path to the XLS file to deobfuscate</param>
/// <param name="neuterFile">Flag to insert a HALT() expression into all Auto_Open start locations. NOT IMPLEMENTED</param>
/// <param name="password">XOR Obfuscation decryption password to try. Defaults to VelvetSweatshop if FilePass record is found.</param>
/// <param name="outputFileName">The output filename used for the generated document. Defaults to deobfuscated.xls</param>
public static void Deobfuscate(FileInfo path, bool neuterFile = false, string password = "******", string outputFileName = "deobfuscated.xls")
{
if (path == null)
{
Console.WriteLine("path argument must be specified in Deobfuscate mode. Run deobfuscate -h for usage instructions.");
return;
}
if (path.Exists == false)
{
Console.WriteLine("path file does not exist.");
return;
}
if (neuterFile)
{
throw new NotImplementedException("XLS Neutering Not Implemented Yet");
}
WorkbookStream wbs = new WorkbookStream(path.FullName);
if (wbs.HasPasswordToOpen())
{
Console.WriteLine("FilePass record found - attempting to decrypt with password " + password);
XorObfuscation xorObfuscation = new XorObfuscation();
try
{
wbs = xorObfuscation.DecryptWorkbookStream(wbs, password);
}
catch (ArgumentException argEx)
{
Console.WriteLine("Password " + password + " does not match the verifier value of the document FilePass. Try a different password.");
return;
}
}
WorkbookEditor wbEditor = new WorkbookEditor(wbs);
wbEditor.NormalizeAutoOpenLabels();
wbEditor.UnhideSheets();
ExcelDocWriter writer = new ExcelDocWriter();
string outputPath = Directory.GetCurrentDirectory() + Path.DirectorySeparatorChar + outputFileName;
Console.WriteLine("Writing deobfuscated document to {0}", outputPath);
writer.WriteDocument(outputPath, wbEditor.WbStream);
}