Forum Discussion
Powershell Deobsfuscation Ep.7
I was working on this and got stuck with Ep.7. Appreciate if anyone can assist with this Powershell de-obfuscation.
Step 1: I removed the splits accordingly and converted from hexadecimal
Step 2: Next, there was another set of splits to perform and ascii conversion. Ended up with the small snip of string at the bottom with a lot of (spaces and tabs) at the beginning. Basically empty spaces before coming to this short scripts.
I am not sure on how to move from here. Anyone can assist with this pls?
Anonymous got it done. Could not deob it using CyberChef, used PowerShell commands to run the part that I can't deob earlier and saved the output in another txt file. I removed the IEX part from the script before execution. That worked for me!
8 Replies
- netcat
Advocate
While my lab for ep7 looks different:
The code you see can be implemented in python, not sure if CyberChef can handle the lengths.
It's not the last example in https://en.wikipedia.org/wiki/Esoteric_programming_language while it looks similar. - netcat
You noticed that it's not "empty", but tabs and spaces?
PRABAKARANRAMAMURTHYYes. Tried converting them to 1s and 0s and from there used the binary conversion. It still did not work.
- PRABAKARANRAMAMURTHY
Anonymous got it done. Could not deob it using CyberChef, used PowerShell commands to run the part that I can't deob earlier and saved the output in another txt file. I removed the IEX part from the script before execution. That worked for me!
Hi PRABAKARANRAMAMURTHY really glad you got there! ray96 does that help you?
Hi ray96 did you try the lab again? Any success?
- PRABAKARANRAMAMURTHY
Hi Anonymous,
Tried a few times but no luck still. Is there any hints from your end?
your sequnce of tabs and spaces will have certain cycles, that are matching the pipeline at the very bottom of the latter screenshot.
so first find the delimiter for groups (making a character code), then find a delimiter for digits of the character code and finally understand how each digit is calculated.
It is solvable with Cyberchef.
