Reversing Office files

[dracula23064]

Is there anyone who can help me reverse office files (particularly malicious ones) like word, ppt, xls ..etc. ??

[Kulverstukas]

Maybe you should ask what problems you encountered, instead of asking for general help, because ain't getting it.

[proxx]

http://digital-forensics.sans.org/blog/2012/05/29/extract-flash-from-malicious-office-documents
http://digital-forensics.sans.org/blog/2009/11/23/extracting-vb-macros-from-malicious-documents

Happy ?

[dracula23064]

I am trying to bypass CVE-2012-0158 MS-Word exploit with Avast. I am doing it at hex level as of now. To get to the code level I need to know how exactly office files execute. For this I used Immunity debugger. I have found many signatures which Avast detects . I have tried many hex possibilities to bypass but of no use . So I was trying to get to that part of the code where actually avast triggers. The problem is that i cannot get to that point where detection is made. In the Hexdumps  I am not able to find the signatures as found in static office file hex values. And yeah the detection I am talking is about scan time only and not runtime.
thank you proxx.. those links are good but not what i wanted

[meepirates]

Can anyone say what is this ff 64 34 67 73 1f 45 d8 8b 18 b6 ca ae a9 4f 49
how can i encode it?? 

[Kulverstukas]

That looks like HEX and why would you need to encode it? I think you meant decode and it translates to garbage, so it's taken from some binary data.

[Architect]

L OH fucking L.

[meepirates]

That looks like HEX and why would you need to encode it? I think you meant decode and it translates to garbage, so it's taken from some binary data.

Oh yeah i mean decoding. Help me with this. Please look the examples below. The left 1's are some numbers followed by the hex representation of the encoded version. But how to encode 101 to that long HEX?  If you have any links to learn about this kinda reverse engineering please give me. It would be a great help. These is a project given to me so i got to do this.

     101                  ff 64 34 67 73 1f 45 d8 8b 18 b6 ca ae a9 4f 49
     911                  ff 64 34 67 73 1f 20 46 72 e5 8f 4e a0 e6 4c 71
     948                  ff 64 34 67 73 1f 20 41 7d cd 1f d9 6d 2e da 6e
    1144                 ff 64 34 67 73 1f 45 df 16 3a e3 6c e6 59 ea 3d
    1223                 ff 64 34 67 73 1f 45 da 9d 29 70 e2 e6 47 3a 7c
    1850                 ff 64 34 67 73 1f 45 d0 b9 91 fe 9d ec fd 46 89
    4400                 ff 64 34 67 73 1f 53 3c d8 3d 2d 64 bf 7d 5e 9f
    4574                 ff 64 34 67 73 1f 53 3f 9e a5 fd 84 c0 a3 91 3c

[Deque]

Oh yeah i mean decoding. Help me with this. Please look the examples below. The left 1's are some numbers followed by the hex representation of the encoded version. But how to encode 101 to that long HEX?  If you have any links to learn about this kinda reverse engineering please give me. It would be a great help. These is a project given to me so i got to do this.

     101                  ff 64 34 67 73 1f 45 d8 8b 18 b6 ca ae a9 4f 49
     911                  ff 64 34 67 73 1f 20 46 72 e5 8f 4e a0 e6 4c 71
     948                  ff 64 34 67 73 1f 20 41 7d cd 1f d9 6d 2e da 6e
    1144                 ff 64 34 67 73 1f 45 df 16 3a e3 6c e6 59 ea 3d
    1223                 ff 64 34 67 73 1f 45 da 9d 29 70 e2 e6 47 3a 7c
    1850                 ff 64 34 67 73 1f 45 d0 b9 91 fe 9d ec fd 46 89
    4400                 ff 64 34 67 73 1f 53 3c d8 3d 2d 64 bf 7d 5e 9f
    4574                 ff 64 34 67 73 1f 53 3f 9e a5 fd 84 c0 a3 91 3c

What does this have to do with reversing office files?
You should probably make your own thread.
And this looks like the output of a hex editor. There is usually a third row showing the same interpreted as strings. But you won't see much there if you have a binary in your hex editor. There is nothing to decode. Hex is the best representation for binaries.