From: balzer on 12 May 2010 05:59

How to deobfuscate file stored inside Array

%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)::this line is 248413 characters long::c(000),c(000),c(000),c(000),"")

Is this binary or ASCII strings obfuscated?

From: Tom St Denis on 12 May 2010 06:58

On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org> wrote:
> How to deobfuscate file stored inside Array
>
> %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)::this line is 248413 characters long::c(000),c(000),c(000),c(000),"")
>
> Is this binary or ASCII strings obfuscated?

first two bytes presumably are MZ, it could be an EXE header.

Tom

From: balzer on 12 May 2010 07:08

"Tom St Denis" <tom(a)iahu.ca> wrote in message news:9a8297c3-54b9-4e24-a969-3bc1bcd0c8c7(a)q30g2000yqd.googlegroups.com...
On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org> wrote:
> How to deobfuscate file stored inside Array
>
> %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)::this line is 248413 characters long::c(000),c(000),c(000),c(000),"")
>
> Is this binary or ASCII strings obfuscated?

first two bytes presumably are MZ, it could be an EXE header.

Tom
---------
Which method is used to convert an EXE to these strings? It's not base64.

From: jbriggs444 on 12 May 2010 07:55

On May 12, 7:08 am, "balzer" <nos...(a)news.eternal-september.org> wrote:
> "Tom St Denis" <t...(a)iahu.ca> wrote in message news:9a8297c3-54b9-4e24-a969-3bc1bcd0c8c7(a)q30g2000yqd.googlegroups.com...
> On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org> wrote:
> > How to deobfuscate file stored inside Array
> >
> > %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)::this line is 248413 characters long::c(000),c(000),c(000),c(000),"")
> >
> > Is this binary or ASCII strings obfuscated?
>
> first two bytes presumably are MZ, it could be an EXE header.
>
> Tom
> ---------
> Which method is used to convert an EXE to these strings? It's not base64.

[Log on to a Windows machine and go to the DOS prompt]

C:\> dir *.exe
....
putty.exe
....

C:\> notepad putty.exe
MZ...(gibberish here)...This program cannot be run in DOS mode...

Note the first two characters in the file contents. Compare to other executable files. Note pattern.

From: balzer on 12 May 2010 08:36

"jbriggs444" <jbriggs444(a)gmail.com> wrote in message news:b23d01a7-a00a-4409-84c2-3d376301737d(a)42g2000prb.googlegroups.com...
On May 12, 7:08 am, "balzer" <nos...(a)news.eternal-september.org> wrote:
> "Tom St Denis" <t...(a)iahu.ca> wrote in message news:9a8297c3-54b9-4e24-a969-3bc1bcd0c8c7(a)q30g2000yqd.googlegroups.com...
> On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org> wrote:
> > How to deobfuscate file stored inside Array
> >
> > %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)::this line is 248413 characters long::c(000),c(000),c(000),c(000),"")
> >
> > Is this binary or ASCII strings obfuscated?
>
> first two bytes presumably are MZ, it could be an EXE header.
>
> Tom
> ---------
> Which method is used to convert an EXE to these strings? It's not base64.

[Log on to a Windows machine and go to the DOS prompt]

C:\> dir *.exe
....
putty.exe
....

C:\> notepad putty.exe
MZ...(gibberish here)...This program cannot be run in DOS mode...

Note the first two characters in the file contents. Compare to other executable files. Note pattern.
--------
Well, I guess every byte is encoded in octal or decimal notation? What is the encoding utility for this? Some online tool that converts exe to strings?
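
The octal-or-decimal question in the last post can be settled by trying both bases on the `c(NNN)` tokens and checking the header of the result. The following is an added example, not part of the original thread: `SAMPLE` is constructed from the two visible fragments of the array with the elided middle left out, and the function names are hypothetical.

```python
import hashlib
import re
import struct

# Constructed sample: the start and end of the array quoted in the thread,
# joined with the elided middle left out (so it is only a 15-byte fragment).
SAMPLE = ('%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),'
          'c(004),c(000),c(000),c(000),c(000),c(000),c(000 ),"")')

TOKEN = re.compile(r'c\(\s*(\d{1,3})\s*\)')  # tolerates stray spaces: c(000 )

def decode_array(text):
    """Return {base: bytes} for each base (8, 10) in which every token is a byte."""
    tokens = TOKEN.findall(text)
    fits = {}
    for base in (8, 10):
        try:
            values = [int(t, base) for t in tokens]
        except ValueError:       # '090' has a digit 9, so it cannot be octal
            continue
        if all(v <= 255 for v in values):
            fits[base] = bytes(values)
    return fits

def classify(data):
    """Identify a DOS/PE image from its header without executing anything."""
    if data[:2] != b'MZ':
        return 'unknown'
    if len(data) < 0x40:
        return 'MZ (truncated header)'
    (e_lfanew,) = struct.unpack_from('<I', data, 0x3C)  # offset of PE header
    if data[e_lfanew:e_lfanew + 4] == b'PE\0\0':
        return 'PE'
    return 'MZ (DOS executable)'

def triage(text):
    """Decode, classify and hash so the blob can be looked up or handed on."""
    return [(base, len(data), classify(data), hashlib.sha256(data).hexdigest())
            for base, data in decode_array(text).items()]

if __name__ == '__main__':
    for base, size, kind, digest in triage(SAMPLE):
        print(f'base {base}: {size} bytes, {kind}, sha256={digest}')
```

For the fragment in the thread only decimal fits: 077, 090, 144 decode to the bytes 4D 5A 90, which begin with the "MZ" signature Tom pointed out.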