# Deobfuscation

## CyberChef

Decode and otherwise analyze data using this browser app.

**Website**: <https://github.com/gchq/CyberChef/>\
**Author**: GCHQ\
**License**: Apache License 2.0: <https://github.com/gchq/CyberChef/blob/master/LICENSE>\
**Notes**: cyberchef\
**State File**: [remnux.tools.cyberchef](https://github.com/REMnux/salt-states/blob/master/remnux/tools/cyberchef.sls)

## Malchive

Perform static analysis of various aspects of malicious code.

**Website**: <https://github.com/MITRECND/malchive>\
**Author**: The MITRE Corporation, <https://github.com/MITRECND/malchive/graphs/contributors>\
**License**: Apache License 2.0: <https://github.com/MITRECND/malchive/blob/main/LICENSE>\
**Notes**: Malchive command-line tools start with the prefix `malutil-`. See [utilities documentation](https://github.com/MITRECND/malchive/wiki/Utilities) for details.\
**State File**: [remnux.python3-packages.malchive](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/malchive.sls)

## Cobalt Strike Configuration Extractor (CSCE) and Parser <a href="#csce" id="csce"></a>

Analyze Cobalt Strike beacons.

**Website**: <https://github.com/strozfriedberg/cobaltstrike-config-extractor>\
**Author**: Aon / Stroz Friedberg\
**License**: Apache License 2.0: <https://github.com/strozfriedberg/cobaltstrike-config-extractor/blob/master/LICENSE>\
**Notes**: csce, list-cs-settings\
**State File**: [remnux.python3-packages.csce](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/csce.sls)

## xortool

Analyze XOR-encoded data.

**Website**: <https://github.com/hellman/xortool>\
**Author**: Aleksei Hellman\
**License**: MIT License: <https://github.com/hellman/xortool/blob/master/LICENSE>\
**State File**: [remnux.python3-packages.xortool](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/xortool.sls)

## DC3-MWCP

Parse configuration information from malware.

**Website**: <https://github.com/Defense-Cyber-Crime-Center/DC3-mwcp>\
**Author**: Defense Cyber Crime Center - United States Government\
**License**: Some parts Public Domain, some MIT License: <https://github.com/Defense-Cyber-Crime-Center/DC3-mwcp/blob/master/LICENSE.txt>\
**Notes**: mwcp\
**State File**: [remnux.python3-packages.dc3-mwcp](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/dc3-mwcp.sls)

## unicode

Display Unicode character properties.

**Website**: <https://github.com/garabik/unicode>\
**Author**: Radovan Garabik\
**License**: GNU General Public License (GPL) v3: <https://github.com/garabik/unicode/blob/master/COPYING>\
**State File**: [remnux.python3-packages.unicode](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/unicode.sls)

## Chepy

Decode and otherwise analyze data using this command-line tool and Python library.

**Website**: <https://github.com/securisec/chepy>\
**Author**: securisec: <https://x.com/securisec>\
**License**: GNU General Public License (GPL) v3: <https://github.com/securisec/chepy/blob/master/LICENSE>\
**Notes**: chepy\
**State File**: [remnux.python3-packages.chepy](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/chepy.sls)

## Balbuzard

Extract and deobfuscate patterns from suspicious files.

**Website**: <https://github.com/digitalsleuth/balbuzard>\
**Author**: Philippe Lagadec / Corey Forman (digitalsleuth)\
**License**: Free, custom license: <https://github.com/digitalsleuth/balbuzard>\
**Notes**: balbuzard, bbcrack, bbharvest, bbtrans\
**State File**: [remnux.python3-packages.balbuzard](https://github.com/REMnux/salt-states/blob/master/remnux/python3-packages/balbuzard.sls)

## NoMoreXOR.py

Help guess a file's 256-byte XOR key using frequency analysis.

**Website**: <https://github.com/digitalsleuth/NoMoreXOR>\
**Author**: Glenn P. Edwards Jr.\
**License**: Free, unknown license\
**State File**: [remnux.scripts.nomorexor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/nomorexor.sls)
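The frequency-analysis approach behind xortool and NoMoreXOR, as an added example that is not code from either project. It first picks the key length from the byte-coincidence rate at each shift (a shift that is a multiple of the key length leaves equal plaintext bytes equal), then sets each key byte so the most common ciphertext byte in that key position decodes to the byte expected to dominate the plaintext, 0x00 for a PE image. The sample data, the six-byte key and the 0.8 tolerance are assumptions made for the example.

```python
"""Added example: guess a repeating XOR key with no known plaintext.
Step 1 picks the key length from the byte-coincidence rate at each shift;
step 2 sets every key byte so that the most frequent ciphertext byte in its
column decodes to the byte expected to dominate the plaintext (0x00 for PE)."""
import random
from collections import Counter
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key byte 0 aligned to data offset 0)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def coincidence_rate(data: bytes, shift: int) -> float:
    """Fraction of positions i with data[i] == data[i + shift]. When shift is a
    multiple of the key length both bytes are masked by the same key byte, so
    equal plaintext bytes stay equal and the rate jumps."""
    n = len(data) - shift
    return sum(data[i] == data[i + shift] for i in range(n)) / n


def guess_key_length(data: bytes, max_len: int = 32, tolerance: float = 0.8) -> int:
    """Smallest shift whose coincidence rate is within `tolerance` of the best.
    Multiples of the true length peak too, so the maximum alone is ambiguous;
    the 0.8 cut-off is a heuristic chosen for this example."""
    rates = {s: coincidence_rate(data, s) for s in range(1, max_len + 1)}
    best = max(rates.values())
    return min(s for s, r in rates.items() if r >= tolerance * best)


def guess_key(data: bytes, key_len: int, expected: int = 0x00) -> bytes:
    """For each key position, assume the most common ciphertext byte in that
    column is `expected` XOR the key byte, and solve for the key byte."""
    return bytes(Counter(data[pos::key_len]).most_common(1)[0][0] ^ expected
                 for pos in range(key_len))


def make_sample(n: int = 8192, seed: int = 7) -> bytes:
    """Constructed stand-in for a PE image: about half of the bytes are 0x00,
    the rest uniform noise. Not real executable content."""
    rng = random.Random(seed)
    return bytes(0 if rng.random() < 0.5 else rng.randrange(256) for _ in range(n))


def recover(data: bytes) -> tuple[bytes, bytes]:
    """Return (guessed key, data decoded with that key)."""
    key = guess_key(data, guess_key_length(data))
    return key, xor_bytes(data, key)


if __name__ == "__main__":
    key = b"\x13\x37\xc0\xde\xba\xbe"  # assumed key for the demonstration
    encoded = xor_bytes(make_sample(), key)
    guessed, decoded = recover(encoded)
    print("guessed key:", guessed.hex(), "correct:", guessed == key)
```

The `expected` byte is the whole trick: it only works when one byte value clearly dominates the plaintext, which holds for PE files (0x00) and for English text (0x20) but not for packed or already-compressed payloads, where the coincidence rates stay flat and no key length stands out.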

## unXOR

Deobfuscate XOR'ed files.

**Website**: <https://github.com/tomchop/unxor/>\
**Author**: Thomas Chopitea\
**License**: Apache License 2.0: <https://github.com/tomchop/unxor/blob/master/LICENSE>\
**State File**: [remnux.scripts.unxor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/unxor.sls)

## brxor.py

Brute-force XOR'ed strings to find those that decode to English words.

**Website**: <https://github.com/REMnux/distro/blob/master/files/brxor.py>\
**Author**: Alexander Hanel, Trenton Tait\
**License**: Free, unknown license\
**State File**: [remnux.scripts.brxor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/brxor.sls)

## xorBruteForcer.py

Brute-force an XOR-encoded file.

**Website**: <https://eternal-todo.com/category/bruteforcer>\
**Author**: Jose Miguel Esparza\
**License**: Free, unknown license\
**State File**: [remnux.scripts.xorbruteforcer](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/xorbruteforcer.sls)

## strdeob.pl

Locate and decode stack strings in executable files.

**Website**: <https://github.com/REMnux/distro/blob/master/files/strdeob.pl>\
**Author**: TotalHash\
**License**: Free, unknown license\
**State File**: [remnux.scripts.strdeob](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/strdeob.sls)

## XORStrings

Search for XOR-encoded strings in a file.

**Website**: <https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/>\
**Author**: Didier Stevens\
**License**: Free, unknown license\
**State File**: [remnux.packages.xorstrings](https://github.com/REMnux/salt-states/blob/master/remnux/packages/xorstrings.sls)

## XORSearch

Locate and decode strings obfuscated using common techniques.

**Website**: <https://blog.didierstevens.com/programs/xorsearch/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**Notes**: xorsearch\
**State File**: [remnux.packages.xorsearch](https://github.com/REMnux/salt-states/blob/master/remnux/packages/xorsearch.sls)

## FLOSS

Extract and deobfuscate strings from PE executables.

**Website**: <https://github.com/mandiant/flare-floss>\
**Author**: Mandiant, Willi Ballenthin: <https://x.com/williballenthin>, Moritz Raabe\
**License**: Apache License 2.0: <https://github.com/mandiant/flare-floss/blob/master/LICENSE.txt>\
**Notes**: floss\
**State File**: [remnux.packages.flare-floss](https://github.com/REMnux/salt-states/blob/master/remnux/packages/flare-floss.sls)

## ex\_pe\_xor.py

Search an XOR'ed file for indications of executable binaries.

**Website**: <https://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html>\
**Author**: Alexander Hanel\
**License**: Free, unknown license\
**State File**: [remnux.scripts.ex-pe-xor](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/ex-pe-xor.sls)

## cs-decrypt-metadata.py

Decrypt Cobalt Strike metadata.

**Website**: <https://blog.didierstevens.com/2021/11/12/update-cs-decrypt-metadata-py-version-0-0-2/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## base64dump.py

Locate and decode strings encoded in Base64 and other common encodings.

**Website**: <https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)
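The kind of scan base64dump.py automates, written out as an added example rather than code from that tool: find runs of Base64 alphabet characters, decode the ones that validate, and triage each decoded blob as a PE, printable text or other binary. The dropper-like script and the two blobs embedded in it are constructed for the example; the minimum run length of 20 is an arbitrary choice.

```python
"""Added example: locate Base64 runs inside arbitrary data, decode them and
triage what they contain."""
import base64
import binascii
import re


def classify(blob: bytes) -> str:
    """Coarse triage of a decoded blob: PE header, printable text, or other."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob and all(32 <= b < 127 or b in b"\r\n\t" for b in blob):
        return "text"
    return "binary"


def find_base64(data: bytes, min_len: int = 20) -> list[dict]:
    """Return one record per decodable Base64 run of at least min_len characters:
    offset into data, run length, decoded bytes and the classify() verdict."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    hits = []
    for match in pattern.finditer(data):
        run = match.group()
        if len(run) % 4:
            # A trailing partial 4-character quantum cannot be decoded; drop it.
            run = run[: len(run) // 4 * 4]
        if len(run) < min_len:
            continue
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        hits.append({"offset": match.start(), "length": len(run),
                     "decoded": decoded, "kind": classify(decoded)})
    return hits


# Constructed sample: a dropper-like script carrying two Base64 blobs (not a real sample).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
FAKE_CMD = b"powershell -nop -w hidden -c Start-Process calc"
SAMPLE = (b'$u = "https://example.invalid/update"\r\n'
          b'$p = [Convert]::FromBase64String("' + base64.b64encode(FAKE_PE) + b'")\r\n'
          b'$c = "' + base64.b64encode(FAKE_CMD) + b'"\r\n')


if __name__ == "__main__":
    for hit in find_base64(SAMPLE):
        print(f"offset {hit['offset']:>5}  len {hit['length']:>4}  {hit['kind']:<6}  {hit['decoded'][:40]!r}")
```

Long identifiers, hashes and URLs are valid Base64 too, so a scan like this always produces some hits that decode to garbage; the `kind` column is what lets you skip those and go straight to the embedded executable or command line.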

## xor-kpa.py

Perform an XOR known-plaintext attack.

**Website**: <https://blog.didierstevens.com/2017/06/06/update-xor-kpa-py-version-0-0-5/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)
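The two XOR-recovery techniques that ex\_pe\_xor.py, xorBruteForcer.py and xor-kpa.py cover, written out as an added example (not code from any of those scripts): a 256-key brute force that looks for a PE marker in the decoded output, and a known-plaintext attack that recovers a longer repeating key by sliding the expected DOS stub text across the ciphertext and accepting only offsets where ciphertext XOR plaintext is periodic. The sample layout, the keys and the 16-byte key-length cap are assumptions made for the example.

```python
"""Added example: recover an XOR key from obfuscated data, either by brute-
forcing a single-byte key and looking for a PE marker, or by a known-plaintext
attack that also works for longer repeating keys."""
from itertools import cycle

# Text almost every PE file carries in its DOS stub; doubles as the known plaintext.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key byte 0 aligned to data offset 0)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def brute_force_single_byte(data: bytes, marker: bytes = DOS_STUB) -> list[tuple[int, int]]:
    """Try all 256 single-byte keys; return (key, offset) for every key under
    which the decoded data contains the marker."""
    hits = []
    for key in range(256):
        offset = xor_bytes(data, bytes([key])).find(marker)
        if offset != -1:
            hits.append((key, offset))
    return hits


def known_plaintext_attack(data: bytes, plaintext: bytes = DOS_STUB,
                           max_keylen: int = 16) -> list[tuple[bytes, int]]:
    """Slide the known plaintext over the ciphertext. At the correct offset,
    ciphertext XOR plaintext is the key stream, which repeats with the key
    length; accept a candidate only if that stream is periodic with a period
    that fits at least twice inside the plaintext (to reject chance matches)."""
    found = []
    for offset in range(len(data) - len(plaintext) + 1):
        stream = xor_bytes(data[offset:offset + len(plaintext)], plaintext)
        for period in range(1, min(max_keylen, len(plaintext) // 2) + 1):
            if all(stream[i] == stream[i % period] for i in range(len(stream))):
                # stream[0] is key[offset % period]; rotate so key[0] lines up with data[0].
                rot = offset % period
                key = stream[period - rot:period] + stream[:period - rot]
                found.append((key, offset))
                break
    return found


# Constructed sample with a simplified PE-like layout (not a real executable).
SAMPLE_PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
                + DOS_STUB + b".\r\n$" + b"\x00" * 16 + b"PE\x00\x00")


if __name__ == "__main__":
    single = xor_bytes(SAMPLE_PLAIN, b"\x41")
    print("single-byte hits:", brute_force_single_byte(single))
    multi = xor_bytes(SAMPLE_PLAIN, b"\x5a\xa5\x3c\x7e")
    for key, offset in known_plaintext_attack(multi):
        print(f"key={key.hex()} recovered at plaintext offset {offset}")
        print("decodes cleanly:", xor_bytes(multi, key) == SAMPLE_PLAIN)
```

The rotation step matters whenever the known plaintext does not sit at a multiple of the key length: the key stream recovered at offset 66 with a 4-byte key starts at key byte 2, and without re-aligning it the decoded file would be scrambled even though every key byte is correct.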

## cut-bytes.py

Cut out a part of a data stream.

**Website**: <https://blog.didierstevens.com/2015/10/14/cut-bytes-py/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## format-bytes.py

Decompose structured binary data with format strings.

**Website**: <https://blog.didierstevens.com/2020/02/17/update-format-bytes-py-version-0-0-13/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## translate.py

Translate bytes according to a Python expression.

**Website**: <https://blog.didierstevens.com/programs/translate/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## sets.py

Perform set operations on lines or bytes in text files.

**Website**: <https://blog.didierstevens.com/2017/03/05/new-tool-sets-py/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## 1768.py

Analyze Cobalt Strike beacons.

**Website**: <https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## xorsearch.py

Search for XOR, ROL, ROT, and SHIFT encoded strings with YARA and regex support.

**Website**: <https://blog.didierstevens.com/2020/08/23/new-tool-xorsearch-py/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## re-search.py

Search files using regular expressions from a built-in library or custom patterns.

**Website**: <https://blog.didierstevens.com/2023/04/03/update-re-search-py-version-0-0-22/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## hex-to-bin.py

Convert hexadecimal text dumps to binary data.

**Website**: <https://blog.didierstevens.com/2020/04/19/update-hex-to-bin-py-version-0-0-5/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## numbers-to-string.py

Translate number sequences into ASCII characters.

**Website**: <https://blog.didierstevens.com/2020/12/12/update-numbers-to-string-py-version-0-0-11/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## cs-analyze-processdump.py

Analyze Cobalt Strike beacon process dumps to detect sleep mask encoding.

**Website**: <https://blog.didierstevens.com/2021/11/25/new-tool-cs-analyze-processdump-py/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)

## cs-extract-key.py

Extract AES and HMAC keys from Cobalt Strike beacon process memory.

**Website**: <https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/>\
**Author**: Didier Stevens: <https://x.com/DidierStevens>\
**License**: Public Domain\
**State File**: [remnux.scripts.didier-stevens-scripts](https://github.com/REMnux/salt-states/blob/master/remnux/scripts/didier-stevens-scripts.sls)
