Forum Discussion
PowerShell Deobfuscation: Ep.8 - Stuck Halfway
I was working on Ep.8 of PowerShell Deob. Got stuck on the second step.
Step 1: Base64 & RAW Inflate (Twice)
Step 2: Stuck with this weird-looking code. Tried to run it with PowerShell and received an error.
Anyone able to help with this?
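Step 1 above (Base64, then Raw Inflate, applied twice) can be scripted so the layer count does not have to be guessed. This is an added example, not part of the original post or the lab: the peel and wrap helpers and the sample blob are constructed here, and each layer is assumed to be UTF-8 text.

```python
import base64
import binascii
import zlib


def raw_inflate(data: bytes) -> bytes:
    # wbits=-15 means raw DEFLATE with no zlib/gzip header,
    # the same operation CyberChef calls "Raw Inflate".
    return zlib.decompress(data, wbits=-15)


def peel(blob: str, max_layers: int = 10):
    """Strip Base64 + raw DEFLATE layers until the data no longer decodes.

    Returns (layers_removed, remaining_text). Nothing is executed; the
    payload is only decoded, so this is safe to run on untrusted samples.
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            packed = base64.b64decode(current, validate=True)
            decoded = raw_inflate(packed).decode("utf-8")
        except (binascii.Error, zlib.error, UnicodeDecodeError, ValueError):
            break  # not another Base64/DEFLATE layer: stop here
        current = decoded
        layers += 1
    return layers, current


def wrap(text: str) -> str:
    """Build one constructed layer (raw DEFLATE, then Base64) for testing."""
    comp = zlib.compressobj(level=9, wbits=-15)
    packed = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(packed).decode("ascii")


# Constructed sample: a harmless line wrapped twice, like Step 1 describes.
SAMPLE_SCRIPT = "Write-Output 'constructed sample, not the lab script'"
SAMPLE_BLOB = wrap(wrap(SAMPLE_SCRIPT))

if __name__ == "__main__":
    count, text = peel(SAMPLE_BLOB)
    print(f"layers removed: {count}")
    print(text)
```

Whatever peel returns when it stops is the input to Step 2, still obfuscated but no longer compressed.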
5 Replies
- netcat
Silver III
I used Python for this; most likely you can use a PowerShell program, too.
- PRABAKARANRAMAMURTHY
Bronze II
Hi netcat, how do we move forward with Python/PowerShell for this?
- netcat
Silver III
Well, start with "${ }". You know what this is, don't you? And "+=", "${}", etc.?
If not, read the PowerShell specification, or play with it in PowerShell to get an understanding of what happens. All in all, very ugly, but not impossible to decode.
I can't (well I could) post my decoder here, so can't really give details on how I did it.
- SamDickison
Community Manager
Hey PRABAKARANRAMAMURTHY - just checking in to see if you managed to get through with netcat's help.
- GusC
Bronze III
Try Set-PSDebug -Trace 1 and put Write-Output at the beginning of the script, then run it in a console.
You should then get a lot of CHAR output.
Put that in CyberChef and decode from there.
The labs change every time though, as they use Invoke-Obfuscation during VM spin-up.