Forum Discussion
PowerShell Deobfuscation Ep.7
I was working on this and got stuck with Ep.7. Appreciate if anyone can assist with this PowerShell de-obfuscation.
Step 1: I removed the splits accordingly and converted from hexadecimal.
Step 2: Next, there was another set of splits to perform and ASCII conversion. Ended up with the small snip of string at the bottom with a lot of (spaces and tabs) at the beginning. Basically empty spaces before coming to this short script.
I am not sure how to move on from here. Can anyone assist with this, please?
7 Replies
- netcat
Silver III
While my lab for ep7 looks different:
The code you see can be implemented in Python, not sure if CyberChef can handle the lengths.
It's not the last example in https://en.wikipedia.org/wiki/Esoteric_programming_language while it looks similar.
- netcat
Silver III
You noticed that it's not "empty", but tabs and spaces?
- PRABAKARANRAMAMURTHY
Bronze II
Yes. Tried converting them to 1s and 0s and from there used the binary conversion. It still did not work.
- PRABAKARANRAMAMURTHY
Bronze II
TillyCorless got it done. Could not deob it using CyberChef, used PowerShell commands to run the part that I couldn't deob earlier and saved the output in another txt file. I removed the IEX part from the script before execution. That worked for me!
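The approach described in the reply above (run the decoder stage with the IEX removed and save its output to a text file), as an added example that is not part of the original thread. The stage below is constructed and harmless; its hex/split encoding, the `~` delimiter and the `layer2.txt` file name are assumptions, not the lab's actual script.

```powershell
# Constructed, harmless stand-in for the inner payload (NOT the lab's script).
$payload = "Write-Output 'layer 2 reached'"

# Build a constructed obfuscated stage: hex bytes joined with '~', followed by
# a decoder expression whose result is piped into IEX.
$hex   = ($payload.ToCharArray() | ForEach-Object { '{0:x2}' -f [int]$_ }) -join '~'
$stage = "('$hex' -split '~' | ForEach-Object { [char][Convert]::ToInt32(`$_, 16) }) -join '' | IEX"

# Analyst step: remove only the trailing execution sink, keep the decoder.
# -replace is case-insensitive, so iex / IEX / Invoke-Expression all match.
$decoderOnly = $stage -replace '\|\s*(IEX|Invoke-Expression)\s*$', ''

if ($decoderOnly -eq $stage) {
    # No trailing IEX was found: stop instead of running the stage unchanged.
    throw 'No trailing IEX found; inspect the stage by hand before running anything.'
}

# Run the decoder alone (inside the lab VM). It returns the next layer as a
# string; nothing in that string is executed.
$nextLayer = & ([scriptblock]::Create($decoderOnly))

# Save the recovered layer for review, as described in the reply.
$outFile = Join-Path ([IO.Path]::GetTempPath()) 'layer2.txt'
$nextLayer | Out-File -FilePath $outFile -Encoding utf8

# Show the result and flag whether the recovered layer contains another IEX.
Get-Content $outFile
if ($nextLayer -match '\b(IEX|Invoke-Expression)\b') {
    'Recovered layer contains another IEX: repeat the same step on it.'
}
```

The regex only handles a literal trailing `| IEX` or `| Invoke-Expression`; a stage that invokes its result some other way has to be edited by hand before the decoder is run.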
- TillyCorless
Community Manager
Hi PRABAKARANRAMAMURTHY really glad you got there! ray96 does that help you?
- TillyCorless
Community Manager
Hi ray96 did you try the lab again? Any success?
- PRABAKARANRAMAMURTHY
Bronze II
Hi TillyCorless,
Tried a few times but no luck still. Are there any hints from your end?