def parse (page, data, parent): offset = 0 try: while offset < len(data) - 4: verinst = struct.unpack("<H",data[offset:offset+2])[0] offset += 2 rtype = struct.unpack("<H",data[offset:offset+2])[0] offset += 2 rlen = struct.unpack("<I",data[offset:offset+4])[0] offset += 4 rdata = data[offset-8:offset+rlen] iter1 = page.model.append(parent,None) rname = "%02x ver %02x inst %02x"%(rtype,verinst&0xf,(verinst&0xFFF0)/0x10) if rec_ids.has_key(rtype): rname = rec_ids[rtype] + " ver %02x inst %02x"%(verinst&0xf,(verinst&0xFFF0)/0x10) page.model.set_value(iter1,0,rname) page.model.set_value(iter1,1,("ppt",rtype)) page.model.set_value(iter1,2,rlen) page.model.set_value(iter1,3,rdata) page.model.set_value(iter1,7,"%02x"%rtype) page.model.set_value(iter1,6,page.model.get_string_from_iter(iter1)) if rtype == 0x1011: if (verinst&0xFFF0)/0x10 == 1: decomp = zlib.decompressobj() uncompdata = decomp.decompress(data[offset+4:offset+rlen]) else: uncompdata = data[offset+4:offset+rlen] ole.open(uncompdata,page,iter1) offset += rlen except: print "Failed in ppt parse"
def parse (page, data, parent): offset = 0 try: while offset < len(data) - 4: verinst = struct.unpack("<H",data[offset:offset+2])[0] offset += 2 rtype = struct.unpack("<H",data[offset:offset+2])[0] offset += 2 rlen = struct.unpack("<I",data[offset:offset+4])[0] offset += 4 rdata = data[offset-8:offset+rlen] iter1 = page.model.append(parent,None) rname = "%02x ver %02x inst %02x"%(rtype,verinst&0xf,(verinst&0xFFF0)/0x10) if rtype in rec_ids: rname = rec_ids[rtype] + " ver %02x inst %02x"%(verinst&0xf,(verinst&0xFFF0)/0x10) page.model.set_value(iter1,0,rname) page.model.set_value(iter1,1,("ppt",rtype)) page.model.set_value(iter1,2,rlen) page.model.set_value(iter1,3,rdata) page.model.set_value(iter1,7,"%02x"%rtype) page.model.set_value(iter1,6,page.model.get_string_from_iter(iter1)) if rtype == 0x1011: if (verinst&0xFFF0)/0x10 == 1: decomp = zlib.decompressobj() uncompdata = decomp.decompress(data[offset+4:offset+rlen]) else: uncompdata = data[offset+4:offset+rlen] ole.open(uncompdata,page,iter1) offset += rlen except: print("Failed in ppt parse")
def ptr_search(page, data, version, parent): model = page.model namelist = 0 fontlist = 0 childlist = 0 ptr = model.get_value(parent, 4) shift = ptr.shift pdata = ptr.data vbaflag = 0 if ptr.type == 0xd: vbaflag = 1 vbadata = "" if version > 5: [offset] = struct.unpack('<L', pdata[shift:shift + 4]) if offset >= len(pdata): return 0 lnum = struct.unpack('<L', pdata[offset + shift - 4:offset + shift])[0] # FIXME! verify num = struct.unpack('<L', pdata[offset + shift:offset + shift + 4])[0] offset = offset + 8 + shift elif version > 2: lnum = struct.unpack('<H', pdata[0x6 + shift:0x6 + shift + 2])[0] num = struct.unpack('<H', pdata[0xa + shift:0xa + shift + 2])[0] offset = 0xa + shift + 2 if ptr.type == 0x14: num = struct.unpack('<H', pdata[0x82 + shift:0x82 + shift + 2])[0] offset = 0x82 + shift + 2 if ptr.type == 0x1d: num = struct.unpack('<H', pdata[0x1e + shift:0x1e + shift + 2])[0] offset = 0x1e + shift + 2 if ptr.type == 0x1e: num = struct.unpack('<H', pdata[0x36 + shift:0x36 + shift + 2])[0] offset = 0x36 + shift + 2 if ptr.type == 0x4e: num = struct.unpack('<H', pdata[0x1e + shift:0x1e + shift + 2])[0] offset = 0x1e + shift + 2 else: offset = 0xa + shift + 2 if ptr.type == 0x14: num = struct.unpack('<H', pdata[0x82 + shift:0x82 + shift + 2])[0] offset = 0x82 + shift + 2 if ptr.type == 0x1d or ptr.type > 0x45: num = struct.unpack('<H', pdata[0x1e + shift:0x1e + shift + 2])[0] offset = 0x1e + shift + 2 if ptr.type == 0x1e: num = struct.unpack('<H', pdata[0x36 + shift:0x36 + shift + 2])[0] offset = 0x36 + shift + 2 if ptr.type == 0x1a: num = struct.unpack('<H', pdata[0x12 + shift:0x12 + shift + 2])[0] offset = 0x12 + shift + 2 if ptr.type == 0x18: num = struct.unpack('<H', pdata[0x2e + shift:0x2e + shift + 2])[0] offset = 0x2e + shift + 2 if ptr.type == 0x15: num = struct.unpack('<H', pdata[0x42 + shift:0x42 + shift + 2])[0] offset = 0x42 + shift + 2 if ptr.type == 0x27: num = struct.unpack('<H', pdata[0x0a + shift:0x0a + shift + 2])[0] offset = 0x0a + shift + 2 for i in range(num): pntr = pointer() if version < 6: plen = 16 npdata = pdata[offset + i * plen:offset + i * plen + 16] pntr.type = struct.unpack('<h', npdata[0:2])[0] & 0xFF pntr.format = struct.unpack('<h', npdata[2:4])[0] & 0xFF [pntr.address] = struct.unpack('<L', npdata[4:8]) [pntr.offset] = struct.unpack('<L', npdata[8:12]) [pntr.length] = struct.unpack('<L', npdata[12:16]) else: plen = 18 npdata = pdata[offset + i * plen:offset + i * plen + 18] [pntr.type] = struct.unpack('<L', npdata[0:4]) [pntr.address] = struct.unpack('<L', npdata[4:8]) [pntr.offset] = struct.unpack('<L', npdata[8:12]) [pntr.length] = struct.unpack('<L', npdata[12:16]) [pntr.format] = struct.unpack('<h', npdata[16:18]) itername = '%02x\t %02x\t%04x' % (pntr.type, childlist, pntr.length) name2 = "%02x" % pntr.type if pntr.type == 0: namelist += 1 fontlist += 1 childlist += 1 else: idx = " %02x" % childlist if streamtype.has_key(pntr.type): if pntr.type == 0x33: idx = "%02x" % namelist namelist += 1 else: if pntr.type == 0xd7: idx = " %02x" % fontlist fontlist += 1 else: idx = " %02x" % childlist childlist += 1 if (pntr.type == 0x15 and pntr.format & 1 == 0): itername = "Page BG " + idx + '\t%04x' % (pntr.length) else: itername = streamtype[ pntr.type] + idx + '\t%04x' % (pntr.length) name2 = streamtype[pntr.type] else: childlist += 1 if vsdchunks.chunktype.has_key(pntr.type): itername = vsdchunks.chunktype[ pntr.type] + idx + '\t%04x' % (pntr.length) if pntr.format & 2 == 2: #compressed res = inflate.inflate(pntr, data) pntr.shift = 4 else: res = data[pntr.offset:pntr.offset + pntr.length] pntr.shift = 0 pntr.data = res # FIXME!!! same change for add_pgiter required to take "pntr.type" iter1 = model.append(parent, None) model.set_value(iter1, 0, itername) model.set_value(iter1, 1, ("vsd", "pntr", pntr.type)) model.set_value(iter1, 2, plen) model.set_value(iter1, 3, npdata) model.set_value(iter1, 4, pntr) model.set_value(iter1, 6, model.get_string_from_iter(iter1)) if pntr.format != 0: model.set_value(iter1, 7, "%02x" % pntr.format) if len(res) > 0: iter2 = model.append(iter1, None) model.set_value(iter2, 0, "[Data referenced by %s]" % name2) if pntr.format >> 4 == 4: model.set_value(iter2, 1, ("vsd", "str4", pntr.type)) else: model.set_value(iter2, 1, ("vsd", "str")) model.set_value(iter2, 2, len(res)) model.set_value(iter2, 3, res) model.set_value(iter2, 6, model.get_string_from_iter(iter2)) model.set_value(iter2, 5, "#96dfcf") if vbaflag == 1: vbadata += res[4:len(res)] # print "ptr type/fmt %02x %02x"%(pntr.type,pntr.format) if (pntr.format >> 4 == 5 and pntr.type != 0x16) or pntr.type == 0x40: if pntr.type == 0x1e: model.set_value(iter2, 1, ("vsd", "str4", pntr.type)) # it's not a stream4, but... try: ptr_search(page, data, version, iter1) except: print "ptr_search failed in %02x" % pntr.type if pntr.type == 0x16: get_colors(page, res, version, iter1) if pntr.format >> 4 > 7: vsdchunks.parse(page, version, iter1, pntr) if version < 5 and vsdchunks.chunklist.has_key(pntr.type): vsdchunks.v5parse(page, version, iter1, pntr) if vbaflag == 1: ole.open(vbadata, page, iter2) if ptr.format >> 4 == 5 and ptr.type != 0x45: if ptr.format & 6 == 6: hlen = struct.unpack("<I", pdata[4:8])[0] ch_data = pdata[8:4 + hlen] ch_id = struct.unpack("<I", ch_data[:4])[0] ch_name = key2txt(ch_id, vsdchunks.chunktype) ins_pgiter(page, ch_name, "vsd", "chnk %s" % ch_id, ch_data, parent, 1) prep_pgiter(page, "List", "vsd", "str5tail", pdata[offset + num * plen:], model.iter_nth_child(parent, 0))
def ptr_search (page, data, version, parent): model = page.model namelist = 0 fontlist = 0 childlist = 0 ptr = model.get_value (parent,4) shift = ptr.shift pdata = ptr.data vbaflag = 0 if ptr.type == 0xd: vbaflag = 1 vbadata = "" if version > 5: [offset] = struct.unpack ('<L', pdata[shift:shift+4]) if offset >= len(pdata): return 0 lnum = struct.unpack ('<L', pdata[offset+shift-4:offset+shift])[0] # FIXME! verify num = struct.unpack ('<L', pdata[offset+shift:offset+shift+4])[0] offset = offset+8+shift elif version > 2: lnum = struct.unpack ('<H', pdata[0x6+shift:0x6+shift+2])[0] num = struct.unpack ('<H', pdata[0xa+shift:0xa+shift+2])[0] offset = 0xa+shift+2 if ptr.type == 0x14: num = struct.unpack ('<H', pdata[0x82+shift:0x82+shift+2])[0] offset = 0x82+shift+2 if ptr.type == 0x1d: num = struct.unpack ('<H', pdata[0x1e+shift:0x1e+shift+2])[0] offset = 0x1e+shift+2 if ptr.type == 0x1e: num = struct.unpack ('<H', pdata[0x36+shift:0x36+shift+2])[0] offset = 0x36+shift+2 if ptr.type == 0x4e: num = struct.unpack ('<H', pdata[0x1e+shift:0x1e+shift+2])[0] offset = 0x1e+shift+2 else: offset = 0xa+shift+2 if ptr.type == 0x14: num = struct.unpack ('<H', pdata[0x82+shift:0x82+shift+2])[0] offset = 0x82+shift+2 if ptr.type == 0x1d or ptr.type > 0x45: num = struct.unpack ('<H', pdata[0x1e+shift:0x1e+shift+2])[0] offset = 0x1e+shift+2 if ptr.type == 0x1e: num = struct.unpack ('<H', pdata[0x36+shift:0x36+shift+2])[0] offset = 0x36+shift+2 if ptr.type == 0x1a: num = struct.unpack ('<H', pdata[0x12+shift:0x12+shift+2])[0] offset = 0x12+shift+2 if ptr.type == 0x18: num = struct.unpack ('<H', pdata[0x2e+shift:0x2e+shift+2])[0] offset = 0x2e+shift+2 if ptr.type == 0x15: num = struct.unpack ('<H', pdata[0x42+shift:0x42+shift+2])[0] offset = 0x42+shift+2 if ptr.type == 0x27: num = struct.unpack ('<H', pdata[0x0a+shift:0x0a+shift+2])[0] offset = 0x0a+shift+2 for i in range(num): pntr = pointer() if version < 6: plen = 16 npdata = pdata[offset+i*plen:offset+i*plen+16] pntr.type = struct.unpack ('<h', npdata[0:2])[0]&0xFF pntr.format = struct.unpack ('<h', npdata[2:4])[0]&0xFF [pntr.address] = struct.unpack ('<L', npdata[4:8]) [pntr.offset] = struct.unpack ('<L', npdata[8:12]) [pntr.length] = struct.unpack ('<L', npdata[12:16]) else: plen = 18 npdata = pdata[offset+i*plen:offset+i*plen+18] [pntr.type] = struct.unpack ('<L', npdata[0:4]) [pntr.address] = struct.unpack ('<L', npdata[4:8]) [pntr.offset] = struct.unpack ('<L', npdata[8:12]) [pntr.length] = struct.unpack ('<L', npdata[12:16]) [pntr.format] = struct.unpack ('<h', npdata[16:18]) itername = '%02x\t %02x\t%04x'%(pntr.type,childlist,pntr.length) name2 = "%02x"%pntr.type if pntr.type == 0: namelist += 1 fontlist += 1 childlist +=1 else: idx = " %02x"%childlist if streamtype.has_key (pntr.type): if pntr.type == 0x33: idx = "%02x"%namelist namelist += 1 else: if pntr.type == 0xd7: idx = " %02x"%fontlist fontlist += 1 else: idx = " %02x"%childlist childlist +=1 if (pntr.type == 0x15 and pntr.format&1 == 0): itername = "Page BG "+idx+'\t%04x'%(pntr.length) else: itername = streamtype[pntr.type]+idx+'\t%04x'%(pntr.length) name2 = streamtype[pntr.type] else: childlist +=1 if vsdchunks.chunktype.has_key(pntr.type): itername = vsdchunks.chunktype[pntr.type]+idx+'\t%04x'%(pntr.length) if pntr.format&2 == 2 : #compressed res = inflate.inflate(pntr, data) pntr.shift = 4 else: res = data[pntr.offset:pntr.offset+pntr.length] pntr.shift = 0 pntr.data = res # FIXME!!! same change for add_pgiter required to take "pntr.type" iter1 = model.append(parent,None) model.set_value(iter1,0,itername) model.set_value(iter1,1,("vsd","pntr",pntr.type)) model.set_value(iter1,2,plen) model.set_value(iter1,3,npdata) model.set_value(iter1,4,pntr) model.set_value(iter1,6,model.get_string_from_iter(iter1)) if pntr.format != 0: model.set_value(iter1,7,"%02x"%pntr.format) if len(res) > 0: iter2 = model.append(iter1,None) model.set_value(iter2,0,"[Data referenced by %s]"%name2) if pntr.format >>4 == 4: model.set_value(iter2,1,("vsd","str4",pntr.type)) else: model.set_value(iter2,1,("vsd","str")) model.set_value(iter2,2,len(res)) model.set_value(iter2,3,res) model.set_value(iter2,6,model.get_string_from_iter(iter2)) model.set_value(iter2,5,"#96dfcf") if vbaflag == 1: vbadata += res[4:len(res)] # print "ptr type/fmt %02x %02x"%(pntr.type,pntr.format) if (pntr.format>>4 == 5 and pntr.type != 0x16) or pntr.type == 0x40: if pntr.type == 0x1e: model.set_value(iter2,1,("vsd","str4",pntr.type)) # it's not a stream4, but... try: ptr_search (page, data, version, iter1) except: print "ptr_search failed in %02x"%pntr.type if pntr.type == 0x16: get_colors (page, res, version, iter1) if pntr.format >>4 > 7: vsdchunks.parse (page, version, iter1, pntr) if version < 5 and vsdchunks.chunklist.has_key (pntr.type): vsdchunks.v5parse (page, version, iter1, pntr) if vbaflag == 1: ole.open (vbadata, page, iter2) if ptr.format >> 4 == 5 and ptr.type != 0x45: if ptr.format&6 == 6: hlen = struct.unpack("<I",pdata[4:8])[0] ch_data = pdata[8:4+hlen] ch_id = struct.unpack("<I",ch_data[:4])[0] ch_name = key2txt(ch_id,vsdchunks.chunktype) ins_pgiter(page,ch_name,"vsd","chnk %s"%ch_id,ch_data,parent,1) prep_pgiter(page,"List","vsd","str5tail",pdata[offset+num*plen:],model.iter_nth_child(parent,0))