
Description
Extracts and decodes base64 strings (or strings in other encodings) found inside the provided file. base64dump.py scans the file for sequences of characters that are valid in the selected encoding and tries to decode each sequence.
| Platform | N/A – Python |
| Author | Didier Stevens |
| License | Free / Public Domain |
| URL | https://blog.didierstevens.com/ |
Usage
Usage: base64dump.py [options] [file]

Extract base64 strings from file

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -e ENCODING, --encoding=ENCODING
                        select encoding to use (default base64)
  -s SELECT, --select=SELECT
                        select item nr for dumping (a for all)
  -d, --dump            perform dump
  -x, --hexdump         perform hex dump
  -a, --asciidump       perform ascii dump
  -S, --strings         perform strings dump
  -n NUMBER, --number=NUMBER
                        minimum number of bytes in decoded data
  -c CUT, --cut=CUT     cut data
  -w, --ignorewhitespace
                        ignore whitespace
Examples
base64dump.py file.txt
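The following output shows the sections that base64dump.py has attempted to decode using the default base64 encoding. This file isn't actually base64-encoded: the hits are short runs such as "function" and "unescape", ordinary script text that happens to consist of base64 characters. See the next example for the encoding the file really uses.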
remnux@remnux:~$ base64dump.py file.txt
ID Size Encoded Decoded MD5 decoded
-- ---- ------- ------- -----------
1: 8 function ~�ܶ*' b1d8813f892c457768a77f88837a6289
2: 8 wstwaxap ��pk.� b5d83e3988cda1f8e903e138131cba91
3: 8 yaoduhc= ɪ.�. c2b2fd4a95ff2e8d6ed65268e8e0a7f7
4: 8 DDpNVDfX .:MT7� 9a6466eb801a8374f53d7102a7066290
5: 8 function ~�ܶ*' b1d8813f892c457768a77f88837a6289
6: 8 kzV0IivL �5t"+� a8c4a29cd68eb8da8e0bbe87b3a916c4
7: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
8: 8 N1tTAUIH 7[S.B. 118b846fe67df0a2788da838295a1271
9: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
10: 8 N1tTAUIH 7[S.B. 118b846fe67df0a2788da838295a1271
11: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
12: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
13: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
14: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
15: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
16: 8 function ~�ܶ*' b1d8813f892c457768a77f88837a6289
17: 8 S3GBCRNU Kq�..T d04eae77c1362316d251db3a3af7a8d5
18: 8 ecBcfdoM y�\}�. b185fd8b77394b6c5902b8291c1aa2b6
19: 8 brIW1yTY n�.�$� ed0645bcfb574a402ccebc8785ca56f0
20: 8 unescape �w�q�^ b282069f16d4d9dbee625d0c231a53fd
21: 8 VWAbzxUP U`.�.. e603829f07f2b06cbe2b53af4d94b716
22: 8 0x400000 �.4�M4 084838d4f4261ed700f3d5ca57681d9f
23: 8 WCoEYFdo X*.`Wh 9e71afc328eab02982d2cd44d58697bc
24: 8 brIW1yTY n�.�$� ed0645bcfb574a402ccebc8785ca56f0
25: 8 N1tTAUIH 7[S.B. 118b846fe67df0a2788da838295a1271
26: 8 VWAbzxUP U`.�.. e603829f07f2b06cbe2b53af4d94b716
27: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
28: 8 unescape �w�q�^ b282069f16d4d9dbee625d0c231a53fd
29: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
30: 8 kzV0IivL �5t"+� a8c4a29cd68eb8da8e0bbe87b3a916c4
31: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
32: 8 N1tTAUIH 7[S.B. 118b846fe67df0a2788da838295a1271
33: 8 jpwZA7Ef ..�. cd49f8f2c65a543daf4dca9899ebf1ea
34: 8 ecBcfdoM y�\}�. b185fd8b77394b6c5902b8291c1aa2b6
35: 8 0x400000 �.4�M4 084838d4f4261ed700f3d5ca57681d9f
36: 8 xEzYibKs �L؉�� 40ea154032b38b073adc25c546dba81d
37: 8 jpwZA7Ef ..�. cd49f8f2c65a543daf4dca9899ebf1ea
38: 8 DDpNVDfX .:MT7� 9a6466eb801a8374f53d7102a7066290
39: 8 xEzYibKs �L؉�� 40ea154032b38b073adc25c546dba81d
40: 8 rqYY0o0m ��.ҍ& 23cad0abd1ac80f7ede1c4a52425625a
41: 8 brIW1yTY n�.�$� ed0645bcfb574a402ccebc8785ca56f0
42: 8 function ~�ܶ*' b1d8813f892c457768a77f88837a6289
43: 8 Qy9QDRgu C/P... 16adea19ef8d17f9a2b3368f9e381e08
44: 8 S3GBCRNU Kq�..T d04eae77c1362316d251db3a3af7a8d5
45: 8 YTDNPHwC a0�<|. 5c5496bec5bfb00cecf1a6a3c00036a8
46: 8 unescape �w�q�^ b282069f16d4d9dbee625d0c231a53fd
47: 8 YTDNPHwC a0�<|. 5c5496bec5bfb00cecf1a6a3c00036a8
48: 8 YTDNPHwC a0�<|. 5c5496bec5bfb00cecf1a6a3c00036a8
49: 8 YTDNPHwC a0�<|. 5c5496bec5bfb00cecf1a6a3c00036a8
50: 4 this �.� 8e5a04323b343a97433a353a663678b3
51: 16 collectEmailInfo r�ey�D���"w� 128fa58edb7890e176d063411c06b917
52: 4 subj ��� 6214419727646d38fa39dc0c6bc72ee4
53: 8 YTDNPHwC a0�<|. 5c5496bec5bfb00cecf1a6a3c00036a8
54: 8 Qy9QDRgu C/P... 16adea19ef8d17f9a2b3368f9e381e08
55: 16 collectEmailInfo r�ey�D���"w� 128fa58edb7890e176d063411c06b917
56: 4 subj ��� 6214419727646d38fa39dc0c6bc72ee4
base64dump.py -e pu file.txt
This example shows how base64dump.py decodes “percent u” (%uXXXX) encoded data when that encoding is selected with -e pu instead of the default base64. You’re normally interested in the section with the largest size.
remnux@remnux:~$ base64dump.py -e pu file.txt
ID Size Encoded Decoded MD5 decoded
-- ---- ------- ------- -----------
1: 1260 %u00e8%u0000%u5d �....]��.��...�= 889060967c0b481fa97ba2fb3447963c
2: 12 %u9090%u9090 ���� a5cc288c0d8fad7eda458b7241548977
3: 12 %u0c0c%u0c0c .... d5aba5b36cbaf9dcb46a48418c3d6241
base64dump.py -e pu file.txt -s 1 -d > file.bin
In this example, base64dump.py decodes section 1 of the file (-s 1), dumps the decoded bytes (-d), and redirects the result to a file named file.bin. See the previous example for section definitions.
remnux@remnux:~$ base64dump.py -e pu file.txt -s 1 -d > file.bin
remnux@remnux:~$ ls -l file.bin
-rw-rw-r-- 1 remnux remnux 420 Aug 17 18:58 collab.bin
remnux@remnux:~$ file file.bin
collab.bin: data
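To make the Size column and the 420-byte dump concrete, here is an added sketch (not base64dump.py's own code) of what decoding percent-u data involves: find runs of %uXXXX units, turn each unit into two little-endian bytes, and report the encoded length and the MD5 of the decoded bytes. The function names and the sample string are constructed for illustration; the little-endian byte order is inferred from the listing above, where %u00e8%u0000 decodes to a leading 0xE8 byte.

```python
import hashlib
import re

# One or more consecutive %uXXXX units (JavaScript unescape() notation).
PU_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4})+")


def decode_pu(run: str) -> bytes:
    """Decode a %uXXXX run; each unit is a 16-bit value stored little-endian."""
    out = bytearray()
    for unit in run.split("%u")[1:]:
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def find_pu_runs(text: str, min_bytes: int = 1):
    """Return (id, encoded_length, decoded_bytes, md5_hex) for every run.

    min_bytes plays the role of a minimum decoded size filter.
    """
    results = []
    for match in PU_RUN.finditer(text):
        encoded = match.group(0)
        decoded = decode_pu(encoded)
        if len(decoded) < min_bytes:
            continue
        digest = hashlib.md5(decoded).hexdigest()
        results.append((len(results) + 1, len(encoded), decoded, digest))
    return results


def largest_run(text: str):
    """Pick the run with the most decoded bytes, usually the one worth dumping."""
    runs = find_pu_runs(text)
    return max(runs, key=lambda r: len(r[2])) if runs else None


# Constructed sample input: script text containing two percent-u runs.
SAMPLE = 'a = unescape("%u9090%u9090"); b = unescape("%u0c0c%u0c0c%u4142");'

if __name__ == "__main__":
    for ident, size, decoded, digest in find_pu_runs(SAMPLE):
        print(f"{ident}: {size} {decoded.hex()} {digest}")
```

Each %uXXXX unit is 6 characters and yields 2 bytes, which is why the 1260-character section 1 decodes to a 420-byte file.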