Deobfuscation

Search…
Deobfuscation
Examine Static Properties
CyberChef
Decode and otherwise analyze data using this browser app.
Website: https://github.com/gchq/CyberChef/
Author: GCHQ
License: Apache License 2.0: https://github.com/gchq/CyberChef/blob/master/LICENSE
Notes: cyberchef
State File: remnux.tools.cyberchef​
Malchive
Perform static analysis of various aspects of malicious code.
Website: https://github.com/MITRECND/malchive
Author: The MITRE Corporation, https://github.com/MITRECND/malchive/graphs/contributors
License: License 2.0: https://github.com/MITRECND/malchive/blob/main/LICENSE
Notes: Malchive command-line tools start with the prefix malutil-. See utilities documentation for details.
State File: remnux.python3-packages.malchive​
1768.py
Analyze Cobalt Strike beacons.
Website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
Notes: For an overview of this tool, see the Quick Tip article.
State File: remnux.scripts.1768​
cs-decrypt-metadata.py
Decrypt Cobalt Strike metadata.
Website: https://blog.didierstevens.com/2021/11/12/update-cs-decrypt-metadata-py-version-0-0-2/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.cs-decrypt-metadata​
Cobalt Strike Configuration Extractor (CSCE) and Parser
Analyze Cobalt Strike beacons.
Website: https://github.com/strozfriedberg/cobaltstrike-config-extractor
Author: Aon / Stroz Friedberg
License: Apache License 2.0: https://github.com/strozfriedberg/cobaltstrike-config-extractor/blob/master/LICENSE
Notes: csce, list-cs-settings
State File: remnux.python3-packages.csce​
sets.py
Perform set operations on lines or bytes in text files.
Website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.sets​
xortool
Analyze XOR-encoded data.
Website: https://github.com/hellman/xortool
Author: Aleksei Hellman
License: MIT License: https://github.com/hellman/xortool/blob/master/LICENSE
State File: remnux.python3-packages.xortool​
RATDecoders
Python3 Decoders for Remote Access Trojans
Website: https://github.com/kevthehermit/RATDecoders
Author: Kevin Breen: https://twitter.com/KevTheHermit
License: MIT License: https://github.com/kevthehermit/RATDecoders/blob/master/LICENSE
Notes: malconf
State File: remnux.python3-packages.ratdecoders​
DC3-MWCP
Parsing configuration information from malware.
Website: https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP
Author: Defense Cyber Crime Center - United States Government
License: Some parts Public Domain, some MIT License: https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP/blob/master/LICENSE.txt
Notes: mwcp
State File: remnux.python3-packages.dc3-mwcp​
unicode
Display Unicode character properties.
Website: https://github.com/garabik/unicode
Author: Radovan Garabik
License: GNU General Public License (GPL) v3: https://github.com/garabik/unicode/blob/master/COPYING
State File: remnux.python3-packages.unicode​
Chepy
Decode and otherwise analyze data using this command-line tool and Python library.
Website: https://github.com/securisec/chepy
Author: Hapsida Securisec: https://twitter.com/securisec
License: GNU General Public License (GPL) v3: https://github.com/securisec/chepy/blob/master/LICENSE
Notes: chepy
State File: remnux.python3-packages.chepy​
Balbuzard
Extract and deobfuscate patterns from suspicious files.
Website: https://github.com/decalage2/balbuzard
Author: Philippe Lagadec: https://twitter.com/decalage2
License: Free, custom license: https://github.com/decalage2/balbuzard
Notes: balbuzard, bbcrack, bbharvest, bbtrans
State File: remnux.python-packages.balbuzard​
base64dump
Locate and decode strings encoded in Base64 and other common encodings.
Website: https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
Notes: base64dump.py
State File: remnux.scripts.base64dump​
xor-kpa.py
Implement a XOR known plaintext attack.
Website: https://blog.didierstevens.com/2017/06/06/update-xor-kpa-py-version-0-0-5/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.xor-kpa​
NoMoreXOR.py
Help guess a file's 256-byte XOR by using frequency analysis.
Website: https://github.com/hiddenillusion/NoMoreXOR
Author: Glenn P. Edwards Jr.
License: Free, unknown license
State File: remnux.scripts.nomorexor​
unXOR
Deobfuscate XOR'ed files.
Website: https://github.com/tomchop/unxor/
Author: Thomas Chopitea
License: Apache License 2.0: https://github.com/tomchop/unxor/blob/master/LICENSE
State File: remnux.scripts.unxor​
brxor.py
Bruteforce XOR'ed strings to find those that are English words.
Website: https://github.com/REMnux/distro/blob/master/files/brxor.py
Author: Alexander Hanel, Trenton Tait
License: Free, unknown license
State File: remnux.scripts.brxor​
xorBruteForcer.py
Bruteforce an XOR-encoded file.
Website: https://eternal-todo.com/category/bruteforcer
Author: Jose Miguel Esparza
License: Free, unknown license
State File: remnux.scripts.xorbruteforcer​
strdeob.pl
Locate and decode stack strings in executable files.
Website: https://github.com/REMnux/distro/blob/master/files/strdeob.pl
Author: TotalHash
License: Free, unknown license
State File: remnux.scripts.strdeob​
ex_pe_xor.py
Search an XOR'ed file for indications of executable binaries.
Website: http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html
Author: Alexander Hanel
License: Free, unknown license
State File: remnux.scripts.ex_pe_xor​
cut-bytes.py
Cut out a part of a data stream.
Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.cut-bytes​
format-bytes.py
Decompose structured binary data with format strings.
Website: https://blog.didierstevens.com/2020/02/17/update-format-bytes-py-version-0-0-13/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.format-bytes​
translate.py
Translate bytes according to a Python expression.
Website: https://blog.didierstevens.com/programs/translate/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
State File: remnux.scripts.translate​
XORStrings
Search for XOR encoded strings in a file.
Website: https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/
Author: Didier Stevens
License: Free, unknown license
State File: remnux.packages.xorstrings​
XORSearch
Locate and decode strings obfuscated using common techniques.
Website: https://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens: https://twitter.com/DidierStevens
License: Public Domain
Notes: xorsearch
State File: remnux.packages.xorsearch​
FLOSS
Extract and deobfuscate strings from PE executables.
Website: https://github.com/fireeye/flare-floss
Author: FireEye Inc, Willi Ballenthin: https://twitter.com/williballenthin, Moritz Raabe
License: Apache License 2.0: https://github.com/fireeye/flare-floss/blob/master/LICENSE.txt
Notes: floss
State File: remnux.packages.flare-floss​
ELF Files
Next - Discover the Tools
Statically Analyze Code
Last modified 8mo ago
Copy link
On this page
CyberChef
Malchive
1768.py
cs-decrypt-metadata.py
Cobalt Strike Configuration Extractor (CSCE) and Parser
sets.py
xortool
RATDecoders
DC3-MWCP
unicode
Chepy
Balbuzard
base64dump
xor-kpa.py
NoMoreXOR.py
unXOR
brxor.py
xorBruteForcer.py
strdeob.pl
ex_pe_xor.py
cut-bytes.py
format-bytes.py
translate.py
XORStrings
XORSearch
FLOSS