Forum Discussion
PRABAKARANRAMAMURTHY
Advocate
10 months ago
PowerShell Deobfuscation: Ep.8 - Stuck Halfway
I was working on Ep.8 of PowerShell Deob. Got stuck in the second step.
Step 1: Base64 & RAW Inflate (Twice)
Step 2: Stuck with this weird looking code. Tried to run with PowerShell and received...
- 5 months ago
Try
Set-PSDebug -Trace 1
and put Write-Output at the beginning of the script, then run it in a console.
You should then get a lot of CHAR output.
Put that in CyberChef and decode from there.
The labs change every time though, as they use Invoke-Obfuscation during VM spin-up.
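Added example, not part of the thread or the lab: a Python alternative to the CyberChef step that folds runs of [char] casts back into readable strings without executing anything. It assumes the traced output consists of [char]N casts (decimal or hex) joined by "+"; the function names and the sample line are constructed for illustration.

```python
import re

# One cast as PowerShell accepts it: [char]72, [CHAR] 0x48, [cHaR](72).
CAST = r"\[\s*char\s*\]\s*(?:\(\s*(?:0x[0-9a-f]+|\d+)\s*\)|0x[0-9a-f]+|\d+)"
# A run is one or more casts joined by '+', i.e. one concatenated string.
RUN = re.compile(rf"{CAST}(?:\s*\+\s*{CAST})*", re.IGNORECASE)
NUMBER = re.compile(r"0x[0-9a-f]+|\d+", re.IGNORECASE)


def decode_run(run):
    """Return the string a run of [char] casts evaluates to, or None."""
    chars = []
    for token in NUMBER.findall(run):
        value = int(token, 16) if token.lower().startswith("0x") else int(token)
        if value > 0xFFFF:  # [char] is a 16-bit UTF-16 code unit
            return None
        chars.append(chr(value))
    return "".join(chars)


def deobfuscate(text):
    """Replace every decodable run with a single-quoted PowerShell literal."""
    def repl(match):
        decoded = decode_run(match.group(0))
        if decoded is None:
            return match.group(0)  # leave anything out of range untouched
        # Single quotes are doubled inside a PowerShell single-quoted string.
        return "'" + decoded.replace("'", "''") + "'"
    return RUN.sub(repl, text)


# Constructed sample in the style Invoke-Obfuscation emits (not lab output).
SAMPLE = "Write-Output ([cHaR]72+[ChAr]0x65+[char](108) + [CHAR]108+[char]111)"

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Because the lab regenerates its obfuscation on every spin-up, expect to run this more than once, alternating with the Base64 and inflate steps as each layer is peeled off.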
PRABAKARANRAMAMURTHY
Advocate
10 months ago
Hi netcat, how do we move forward with Python/PowerShell for this?
netcat
Advocate
10 months ago
Well, start with "${ }". You know what this is, don't you? And "+=", "${}", etc.?
If not, read the PowerShell specification, or play with it in PowerShell to get an understanding of what happens.
All in all, very ugly, but not impossible to decode.
I can't (well I could) post my decoder here, so can't really give details on how I did it.