hub / github.com/gchq/CyberChef / extractOLE2

Function extractOLE2

src/core/lib/FileSignatures.mjs:3487–3566  ·  view source on GitHub ↗
(bytes, offset)

Source from the content-addressed store, hash-verified

3485 * @returns {Uint8Array}
3486 */
3487export function extractOLE2(bytes, offset) {
3488 const stream = new Stream(bytes.slice(offset));
3489 const entries = [
3490 [[0x52, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x74, 0x00, 0x20, 0x00, 0x45, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79], 19, "Root Entry"],
3491 [[0x57, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x6b, 0x00, 0x62, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x6b], 15, "Workbook"],
3492 [[0x43, 0x00, 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x20, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00, 0x72], 23, "Current User"],
3493 [[0x50, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x65, 0x00, 0x72, 0x00, 0x50, 0x00, 0x6f, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x20, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74], 37, "PowerPoint Document"],
3494 [[0x57, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x64, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74], 23, "WordDocument"],
3495 [[0x44, 0x00, 0x61, 0x00, 0x74, 0x00, 0x61], 7, "Data"],
3496 [[0x50, 0x00, 0x69, 0x00, 0x63, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, 0x73], 15, "Pictures"],
3497 [[0x31, 0x00, 0x54, 0x00, 0x61, 0x00, 0x62, 0x00, 0x6c, 0x00, 0x65], 11, "1Table"],
3498 [[0x05, 0x00, 0x53, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x72, 0x00, 0x79, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x66, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e], 37, "SummaryInformation"],
3499 [[0x05, 0x00, 0x44, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x53, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x72, 0x00, 0x79, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x66, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x6d, 0x00, 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e], 53, "DocumentSummaryInformation"],
3500 [[0x43, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x70, 0x00, 0x4f, 0x00, 0x62, 0x00, 0x6a], 13, "Comp Obj"],
3501 [[0x01, 0x00], 2, "Entry"]
3502 ];
3503 let endianness = "le";
3504
3505 // Move to endianess field.
3506 stream.moveForwardsBy(28);
3507 if (stream.readInt(2, endianness) === 0xfffe)
3508 endianness = "be";
3509
3510 // Calculate the size of the normal sectors.
3511 const sizeOfSector = 2 ** stream.readInt(2, endianness);
3512
3513 // Move to root directory offset field.
3514 stream.moveTo(48);
3515
3516 // Read root directory offset.
3517 const rootStuff = stream.readInt(4, endianness);
3518
3519 // Calculate root directory offset.
3520 let total = 512 + (rootStuff * sizeOfSector);
3521 stream.moveTo(total);
3522
3523 // While valid directory entries.
3524 let found = true;
3525 while (found) {
3526 found = false;
3527
3528 // Attempt to determine what directory entry it is.
3529 for (const element of entries) {
3530
3531 // If the byte pattern matches.
3532 if (stream.getBytes(element[1]).join("") === element[0].join("")) {
3533 stream.moveBackwardsBy(element[1]);
3534 found = true;
3535
3536 // Move forwards by the size of the comp obj.
3537 if (element[2] === "Comp Obj") {
3538
3539 // The size of the Comp Obj entry - 128. Since we add 128 later.
3540 total += 128 * 6;
3541 stream.moveTo(total);
3542 } else if (element[2] === "Entry") {
3543
3544 // If there is an entry move backwards by 126 to then move forwards by 128. Hence a total displacement of 2.

Callers

nothing calls this directly

Calls 6

moveForwardsBy (method) · 0.95
readInt (method) · 0.95
moveTo (method) · 0.95
getBytes (method) · 0.95
moveBackwardsBy (method) · 0.95
carve (method) · 0.95

Tested by

no test coverage detected