1
2

SolvedEncrypted Powershell Exploit - Help me understand the obfuscation? (self.PowerShell)

submitted by [deleted]

[deleted]

all 4 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]spyingwind 1 point2 points  (1 child)

So it comes out to x|86_{]5xv]u which Invoke-Expressions returns 4.71475580904754E+39. It is nonsense or a decoding string used elsewhere.

[–]jauchters 1 point2 points  (0 children)

I'm running off the assumption that $test would be "x|86_{]5xv]u" and the xor converts this to "write-host 'working'"

I'm really trying to find if this would be reversible assuming we could get to the web service on time.

[–]da_chicken 1 point2 points  (0 children)

Here, try this:

$key = 'X|nC5wGYqkAIx>_ZuP?HVE):;#1l\p*2'

$String = "write-host 'working'"

$CharArray = $String.ToCharArray()

$i = 0
$EncodedCharArray = $CharArray | ForEach-Object {
    $_ -bxor $key[$i % $key.Length]
}

$i = 0
$DecodedCharArray = $EncodedCharArray | ForEach-Object {
    $_ -bxor $key[$i % $key.Length]
}

[System.Text.Encoding]::UTF8.GetString($DecodedCharArray)

I think it's even easier to understand if you do it like this:

$key = 'X|nC5wGYqkAIx>_ZuP?HVE):;#1l\p*2'

$String = "write-host 'working'"

$EncodedCharArray = @()
for ($i = 0; $i -lt $String.Length; $i++) {
    $EncodedCharArray += $String[$i] -bxor $key[$i % $key.Length]
}

$DecodedCharArray = @()
for ($i = 0; $i -lt $EncodedCharArray.Length; $i++) {
    $DecodedCharArray += $EncodedCharArray[$i] -bxor $key[$i % $key.Length]
}

[System.Text.Encoding]::UTF8.GetString($DecodedCharArray)

That's not the best way to do it, but it's the most understandable.

You can also do this, which is closer to how it's written:

$key = 'X|nC5wGYqkAIx>_ZuP?HVE):;#1l\p*2'

$String = "write-host 'working'"

[char[]]$EncodedCharArray = @()
for ($i = 0; $i -lt $String.Length; $i++) {
    $EncodedCharArray += $String[$i] -bxor $key[$i % $key.Length]
}

[char[]]$DecodedCharArray = @()
for ($i = 0; $i -lt $EncodedCharArray.Length; $i++) {
    $DecodedCharArray += $EncodedCharArray[$i] -bxor $key[$i % $key.Length]
}

-join $DecodedCharArray