Because of some bureaucratic slowdowns this release took longer than usual. On the upside, it comes packed with news!
We have added support for the XLSB format (via pyxlsb2), so that now Cerbero Suite decompiles both XLS and XLSB formulas. Not only that, Cerbero Suite now previews spreadsheets even better than Microsoft Excel does!
But even more exciting, we have introduced the Silicon Excel Emulator to emulate Microsoft Excel formulas.
To emulate a formula, select it in the spreadsheet and press “Ctrl+E” (or use the context menu).
While the emulator doesn’t support all the functions available in Excel, we made it extremely simple to extend it from Python. When a function is not supported, the emulator simply prints out its arguments:
```
warning: unimplemented function 'CALL'
    arg_0: "Shell32"
    arg_1: "ShellExecuteA"
    arg_2: "JJCCCCJ"
    arg_3: 0
    arg_4: "Open"
    arg_5: "C:\ProgramData\nCjBmqQ.exe"
    arg_6:
    arg_7: 0
    arg_8: 0
```
In most cases, this is enough to understand what’s happening. When it isn’t and we need something more, we can easily hook into the emulator engine via Python and extend it:
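```python
from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext

class EmulatorHelper(SiliconExcelEmulatorHelper):

    def __init__(self):
        super(EmulatorHelper, self).__init__()

    # Called by the emulator for each function it evaluates
    def evaluateFunction(self, emu, ctx, opts, depth, e):
        # Log the name of the function being called
        function_name = e.toString()
        print(function_name)
        # Default-constructed value: we only log here; returning a valid
        # value instead would supply the function's result
        return SiliconExcelEmulatorValue()

# Locate the open analysis view by its title
v = proContext().findView("Analysis [file name]")
if v.isValid():
    view = SiliconSpreadsheetWorkspaceView(v)
    helper = EmulatorHelper()
    # Install the helper on the emulator used by the spreadsheet preview
    emu = view.getExcelEmulator()
    emu.setHelper(helper)
else:
    print("error: couldn't find view")
```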
This little snippet of Python code does nothing more than hook the Silicon Excel Emulator used in a spreadsheet preview and log every function being called. We can, however, just as easily modify the behavior of a function or implement its functionality by returning a valid value. We’ll show you how to do this in future articles and videos.
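When the emulator output is saved for triage outside of Cerbero Suite, the unimplemented-function warning shown above can be decoded on its own. The following is an added example, not Cerbero code: it parses that warning text, pairs each `CALL` argument with the type declared in the `type_text` string (Excel's documented REGISTER/CALL codes), and lists string arguments that name executable files. The one-argument-per-line layout, the `EXEC_EXT` list and all function names are assumptions.

```python
import re

# Excel CALL/REGISTER type_text codes (subset); the first letter is the return type.
TYPE_CODES = {"A": "bool", "B": "double", "C": "char*",
              "H": "uint16", "I": "int16", "J": "int32"}
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd")  # illustrative list, an assumption

# Constructed sample: the article's warning, one argument per line (layout assumed).
SAMPLE = r'''warning: unimplemented function 'CALL'
    arg_0: "Shell32"
    arg_1: "ShellExecuteA"
    arg_2: "JJCCCCJ"
    arg_3: 0
    arg_4: "Open"
    arg_5: "C:\ProgramData\nCjBmqQ.exe"
    arg_6:
    arg_7: 0
    arg_8: 0
'''

WARN_RE = re.compile(r"warning: unimplemented function '([^']+)'")
# A value ends at the next "arg_N:" label or at end of line, so flat logs parse too.
ARG_RE = re.compile(r"arg_(\d+):[ \t]*(.*?)(?=[ \t]*arg_\d+:|[ \t]*$)", re.M)

def parse_warnings(text):
    """Return [(function_name, [argument strings])], one entry per warning."""
    parts = WARN_RE.split(text)[1:]  # name, body, name, body, ...
    result = []
    for name, body in zip(parts[0::2], parts[1::2]):
        found = sorted((int(i), v) for i, v in ARG_RE.findall(body))
        result.append((name, [v.strip().strip('"') for _, v in found]))
    return result

def triage(text):
    """Decode each CALL: target, declared types per parameter, executable paths."""
    findings = []
    for name, args in parse_warnings(text):
        if name.upper() != "CALL" or len(args) < 3 or not args[2]:
            continue  # CALL needs at least module, procedure and type_text
        types = [TYPE_CODES.get(c, "unknown:" + c) for c in args[2]]
        params = list(zip(types[1:], args[3:]))
        findings.append({
            "target": f"{args[0]}!{args[1]}",
            "returns": types[0],
            "params": params,
            "file_args": [v for t, v in params
                          if t == "char*" and v.lower().endswith(EXEC_EXT)],
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

For the sample, `JJCCCCJ` decodes to an `int32` return value and the parameter types `int32, char*, char*, char*, char*, int32`, which lines up with the six arguments that follow the type string.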
The new version of Cerbero Suite also comes with other improvements. For instance, it is now possible to edit the prototype of functions in the decompiler by pressing “Y”.
You can now edit the prototype of a function in the same way in the native UI for Ghidra.
This is the complete list of news for version 4.5:
– added spreadsheet preview for XLS and XLSB files
– added XLSB format support
+ added Microsoft Excel macro emulator
+ added editing of function prototypes in the decompiler
+ added editing of function prototypes in the native UI for Ghidra
+ improved Ghidra native UI
– improved XLS macro decompiler
– improved XLS format support
– exposed XLS classes to Python
– exposed new cell table view to Python
– minor improvements
We’ll soon publish material to demonstrate how to reverse engineer malicious Excel documents.