From: balzer on
How to deobfuscate file stroed inside Array

%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)::this
line is 248413 characters long::c(000),c(000),c(000),c(000 ),"")

Is this binary or ASCII strings obfuscated?

From: Tom St Denis on
On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org>
wrote:
> How to deobfuscate file stroed inside Array
>
> %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(0 00),c(000)::this
> line is 248413 characters long::c(000),c(000),c(000),c(000 ),"")
>
> Is this binary or ASCII strings obfuscated?

first two bytes presumably are MZ, it could be an EXE header.

Tom
From: balzer on

"Tom St Denis" <tom(a)iahu.ca> wrote in message
news:9a8297c3-54b9-4e24-a969-3bc1bcd0c8c7(a)q30g2000yqd.googlegroups.com...
On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org>
wrote:
> How to deobfuscate file stroed inside Array
>
> %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(0
> 00),c(000)::this
> line is 248413 characters long::c(000),c(000),c(000),c(000 ),"")
>
> Is this binary or ASCII strings obfuscated?

first two bytes presumably are MZ, it could be an EXE header.

Tom
---------
which method used to convert EXE to this strings? Its not base64.


From: jbriggs444 on
On May 12, 7:08 am, "balzer" <nos...(a)news.eternal-september.org>
wrote:
> "Tom St Denis" <t...(a)iahu.ca> wrote in messagenews:9a8297c3-54b9-4e24-a969-3bc1bcd0c8c7(a)q30g2000yqd.googlegroups.com...
> On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org>
> wrote:
>
> > How to deobfuscate file stroed inside Array
>
> > %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(0
> > 00),c(000)::this
> > line is 248413 characters long::c(000),c(000),c(000),c(000 ),"")
>
> > Is this binary or ASCII strings obfuscated?
>
> first two bytes presumably are MZ, it could be an EXE header.
>
> Tom
> ---------
> which method used to convert EXE to this strings? Its not base64.

[Log on to a Windows machine and go to the DOS prompt]
C:\> dir *.exe
....
putty.exe
....
C:\> notepad putty.exe

MZ...(gibberish here)...This program cannot be run in DOS mode...

Note the first two characters in the file contents. Compare to other
executable files. Note pattern.
From: balzer on

"jbriggs444" <jbriggs444(a)gmail.com> wrote in message
news:b23d01a7-a00a-4409-84c2-3d376301737d(a)42g2000prb.googlegroups.com...
On May 12, 7:08 am, "balzer" <nos...(a)news.eternal-september.org>
wrote:
> "Tom St Denis" <t...(a)iahu.ca> wrote in
> messagenews:9a8297c3-54b9-4e24-a969-3bc1bcd0c8c7(a)q30g2000yqd.googlegroups.com...
> On May 12, 5:59 am, "balzer" <nos...(a)news.eternal-september.org>
> wrote:
>
> > How to deobfuscate file stroed inside Array
>
> > %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(0
> > 00),c(000)::this
> > line is 248413 characters long::c(000),c(000),c(000),c(000 ),"")
>
> > Is this binary or ASCII strings obfuscated?
>
> first two bytes presumably are MZ, it could be an EXE header.
>
> Tom
> ---------
> which method used to convert EXE to this strings? Its not base64.

[Log on to a Windows machine and go to the DOS prompt]
C:\> dir *.exe
....
putty.exe
....
C:\> notepad putty.exe

MZ...(gibberish here)...This program cannot be run in DOS mode...

Note the first two characters in the file contents. Compare to other
executable files. Note pattern.
--------

well, I guess every byte is encoded in octal or decimal notation? What is
encoding utility for this? Some online tool that convert exe to strings?