Oh So Sick
New member
- Joined
- Jan 29, 2023
- Messages
- 3
- Programming Experience
- Beginner
Hello everyone,
I need your help again because I’m looking to deobfuscate a string.
First I have a few questions for you experts regarding my code that you will find below:
- Is it possible to make it simpler?
- Do you see mistakes or illogical things?
- Is it possible to extract the desired parts in BYTES in order to avoid unnecessary conversion and weighing down the code?
So for my problem... I have a file that is encoded in 2 steps.
The first step of encoding (BYTES multiplied by 2) seems raised to me: I manage to open with my program the file and deobfuscate by dividing by 2 the BYTES.
But! For there is always a but! After executing this code on a file I notice that there is a second level of encoding that reacts in 2 different ways depending on the start and end delimiter! Let me explain.
For the code contained in the delimiters 5E54/545E (5E54"CODE EN HEX"545E) or 5E5E/1A14: in this example C2 (in HEX) = a (in ASCII) but this applies to all the HEX that define a characteristic and that follow each other!
- a = C2
- aa = 3C643AC23E
- aaa = 3C643AC23E
- aaaa = 3C663AC23E
- aaaaa = 3C683AC23E
- aaaaaa = 3C6A3AC23E
- aaaaaaa = 3C6C3AC23E
- aaaaaaaa = 3C6E3AC23E
- aaaaaaaaa = 3C703AC23E
- aaaaaaaaaa = 3C723AC23E
- aaaaaaaaaaa (10) = 3C62603AC23E
- aaaaaaaaaaaa = 3C62623AC23E
- aaaaaaaaaaaaaaaaaaaaaa (20) = 3C64603AC23E
- aaa... (100) = 3C6260603AC23E (guess)
And for codes not contained in this delimiter:
- a = C2
- aa = C2C2
- aaa = 3C643AC23E
- ...
I specify that this example is valid before having divided by 2 the BYTES, after division the set of HEX is divided by 2 (C2 = 61 ; 3C = 1E ; ...)
So, since I start in C# this part becomes extremely complicated for me! So let me ask you a few questions before I start without knowing where I’m going: how? Do you have any leads on what I should use to do this? and the simplest method in your opinion?
My goal is to find, analyze, and replace the parts of the STRING encoded with this second level. For example 3C643AC23E by C2C2.
Thank you in advance for your contribution!
My program :
I open the file and divide each BYTES by 2. This is the first level of coding:
Then I modify the code to extract only the parts that interest me:
And I converted to BYTES to save to a new file:
I need your help again because I’m looking to deobfuscate a string.
First I have a few questions for you experts regarding my code that you will find below:
- Is it possible to make it simpler?
- Do you see mistakes or illogical things?
- Is it possible to extract the desired parts in BYTES in order to avoid unnecessary conversion and weighing down the code?
So for my problem... I have a file that is encoded in 2 steps.
The first step of encoding (BYTES multiplied by 2) seems raised to me: I manage to open with my program the file and deobfuscate by dividing by 2 the BYTES.
But! For there is always a but! After executing this code on a file I notice that there is a second level of encoding that reacts in 2 different ways depending on the start and end delimiter! Let me explain.
For the code contained in the delimiters 5E54/545E (5E54"CODE EN HEX"545E) or 5E5E/1A14: in this example C2 (in HEX) = a (in ASCII) but this applies to all the HEX that define a characteristic and that follow each other!
- a = C2
- aa = 3C643AC23E
- aaa = 3C643AC23E
- aaaa = 3C663AC23E
- aaaaa = 3C683AC23E
- aaaaaa = 3C6A3AC23E
- aaaaaaa = 3C6C3AC23E
- aaaaaaaa = 3C6E3AC23E
- aaaaaaaaa = 3C703AC23E
- aaaaaaaaaa = 3C723AC23E
- aaaaaaaaaaa (10) = 3C62603AC23E
- aaaaaaaaaaaa = 3C62623AC23E
- aaaaaaaaaaaaaaaaaaaaaa (20) = 3C64603AC23E
- aaa... (100) = 3C6260603AC23E (guess)
And for codes not contained in this delimiter:
- a = C2
- aa = C2C2
- aaa = 3C643AC23E
- ...
I specify that this example is valid before having divided by 2 the BYTES, after division the set of HEX is divided by 2 (C2 = 61 ; 3C = 1E ; ...)
So, since I start in C# this part becomes extremely complicated for me! So let me ask you a few questions before I start without knowing where I’m going: how? Do you have any leads on what I should use to do this? and the simplest method in your opinion?
My goal is to find, analyze, and replace the parts of the STRING encoded with this second level. For example 3C643AC23E by C2C2.
Thank you in advance for your contribution!
My program :
I open the file and divide each BYTES by 2. This is the first level of coding:
Read file:
var fileContent = string.Empty;
var filePath = string.Empty;
using (OpenFileDialog openFileDialog = new OpenFileDialog())
{
openFileDialog.InitialDirectory = "%userprofile%";
openFileDialog.Filter = "bin files (*.bin)|*.bin";
openFileDialog.FilterIndex = 2;
openFileDialog.RestoreDirectory = true;
if (openFileDialog.ShowDialog() == DialogResult.OK)
{
filePath = openFileDialog.FileName;
var fileStream = openFileDialog.OpenFile();
byte[] readBytes = File.ReadAllBytes(filePath);
for (var i = 0; i < readBytes.Length; i++)
{
readBytes[i] /= 2;
}
foreach (byte s in readBytes)
{
Console.WriteLine(s);
}
byte[] data = readBytes;
string hex = BitConverter.ToString(data).Replace("-", string.Empty);
Then I modify the code to extract only the parts that interest me:
Extract parts:
int pFrom = hex.IndexOf("2A60602A");
int pStart = hex.IndexOf("23322931342B391E18181805") + "23322931342B391E18181805".Length;
int pTo = hex.LastIndexOf("2A4560602A") + "2A4560602A".Length;
string startCode = hex.Substring(pStart, pFrom - pStart);
string endCode = hex.Substring(pTo);
string newCode = startCode + endCode;
And I converted to BYTES to save to a new file:
Save new file:
int numberCharsCode = newCode.Length;
byte[] newCodeBytes = new byte[numberCharsCode / 2];
for (int w = 0; w < numberCharsCode; w += 2)
{
newCodeBytes[w / 2] = Convert.ToByte(newCode.Substring(w, 2), 16);
}
string newFilePath = filePath.Replace(".bin", "_decrypted.bin");
File.WriteAllBytes(newFilePath, newCodeBytes);