Forum Discussion

ray96

Bronze II

2 months ago

Solved

Powershell Deobsfuscation Ep.7

I was working on this and got stuck with Ep.7. Appreciate if anyone can assist with this Powershell de-obfuscation.

Step 1: I removed the splits accordingly and converted from hexadecimal

Step 2: Next, there was another set of splits to perform and ascii conversion. Ended up with the small snip of string at the bottom with a lot of (spaces and tabs) at the beginning. Basically empty spaces before coming to this short scripts.

I am not sure on how to move from here. Anyone can assist with this pls?

defensive cyber

offensive cyber

PRABAKARANRAMAMURTHY
24 days ago
TillyCorless got it done. Could not deob it using CyberChef, used PowerShell commands to run the part that I can't deob earlier and saved the output in another txt file. I removed the IEX part from the script before execution. That worked for me!

7 Replies

netcat
Silver II
2 months ago
While my lab for ep7 looks different:
The code you see can be implemented in python, not sure if CyberChef can handle the lengths.
It's not the last example in https://en.wikipedia.org/wiki/Esoteric_programming_language while it looks similar.
netcat
Silver II
25 days ago
You noticed that it's not "empty", but tabs and spaces?
- PRABAKARANRAMAMURTHY
  Bronze II
  25 days ago
  Yes. Tried converting them to 1s and 0s and from there used the binary conversion. It still did not work.
PRABAKARANRAMAMURTHY
Bronze II
24 days ago
TillyCorless got it done. Could not deob it using CyberChef, used PowerShell commands to run the part that I can't deob earlier and saved the output in another txt file. I removed the IEX part from the script before execution. That worked for me!
- TillyCorless
  Community Manager
  24 days ago
  Hi PRABAKARANRAMAMURTHY really glad you got there! ray96 does that help you?
TillyCorless
Community Manager
30 days ago
Hi ray96 did you try the lab again? Any success?
- PRABAKARANRAMAMURTHY
  Bronze II
  25 days ago
  Hi TillyCorless,
  Tried a few times but no luck still. Is there any hints from your end?

Forum Discussion

Powershell Deobsfuscation Ep.7

7 Replies

Featured Places

Help & Support Forum

Related Content

Powershell Deobsfuscation Ep.7

Powershell Deobsfuscation Ep.7

PowerShell Deobfuscation: Ep.9

Assistance: PowerShell Deobfuscation: Ep.4 - Logical and Structural Obfuscation - Question 7

PowerShell Deobfuscation: Ep 8 help

Recent Discussions

S3: Demonstrate Your Skills

World Cup Special - Immersive Squad

Radare2 Reverse Engineering: Ep.2 – Windows Binary Part 2

Radare2 Reverse Engineering: Ep.1 – Windows Binary Part 1

Wizard Spider DFIR: Ep.10 – Demonstrate Your Skills