PowerShell Deobfuscation: Ep.8 - Stuck Halfway

Question

I was working on Ep.8 of PowerShell Deob. Got stuck in second step.

Step 1: Base64 & RAW Inflate (Twice)

Step 2: Stuck with this weird looking code. Tried to run with PowerShell and received error.

Anyone able to help with this?

netcat · Answer

I used python for this, most likely you can use a&nbsp;PowerShell program, too.

netcat · Answer

Well, start with "${&nbsp; &nbsp; &nbsp; &nbsp;}".&nbsp; You know what this is, isn't it? And "+=", "${}", etc.?If not, read the PowerShell specification, or play with in PowerShell to get an understanding what happens.All in all, very ugly, but not impossible to decode.I can't (well I could) post my decoder here, so can't really give details on how I did it.

prabakaranramamurthy · Answer

Hi netcat​, how do we move forward with python/powershell for this?

samdickison · Answer

Hey PRABAKARANRAMAMURTHY​ - just checking in to see if you managed to get through with&nbsp;netcat​'s help.

Forum Discussion

PowerShell Deobfuscation: Ep.8 - Stuck Halfway

4 Replies

Featured Places

Help & Support Forum

Related Content

PowerShell Deobfuscation: Ep.9

PowerShell Deobfuscation: Ep 8 help

Powershell Deobsfuscation Ep.7

Powershell Deobsfuscation Ep.7

Powershell Deobsfuscation Ep.7

Recent Discussions

Help with Introduction to Python Scripting: Ep.7 – Demonstrate Your Skills

Privilege Escalation: Windows – Finding Passwords

Microsoft Defender for Cloud: Inventory, Resource Health and Recommendations.

Malware Analysis: Shlayer

CSP Hash Incorrect Despite Correct Script and Hash (CSP Lab Issue?)