Converter Updated

The latest version includes several new features which I’d like to highlight here:

Enhanced Range Search/Replace
The feature can be found by going to this menu item under Tools:

2015-06-20_01

You can now add incrementers as a text replacement as seen in this graphic. Just add ^i if you want to start with 0 or ^I if you want to start with 1. If you check the “Keep Enclosed Contents” box, the “from” and “to” values will be included in the results (inclusive).

2015-06-20_02

The other option is called “Keep Value From String… and To String…” which just keeps the in-between values.

2015-06-20_03

New Hashing Algorithms
Added new hashing algorithms (credit: Karim Wafi) under the stats menu:

2015-06-20_04

Convert Mixed Format
I moved the mixed format options from under the Format menu to its own form under the Tools menu. I included examples so you can understand what it’s used for.

2015-06-20_05

I also added a “Mixed Entities to Hex” feature. There’s a button on the main screen called “Decode HTML” to decode HTML entities but if your input string has a mixture of HTML entities and other text, it fails. This feature will convert your input to hex then you can convert it back to text to get your results.

2015-06-20_06

Microsoft Script Decoder
Microsoft Script Encoded strings are now being seen in the wild. I added a script encoder and decoder function in two places (credit: Jean-Luc Antoine and Shawn Stugart).

If you have a large file to convert, you can use the Convert Script File option by going here:

2015-06-20_07

This is the form which allows you to choose an input file, output file, and option.

2015-06-20_08

The input file you wish to decode must contain only the encoded script, which starts with #@~^… and ends with ^#~@.

2015-06-20_09

If you have a short string to decode then you can use the Script Encoder/Decoder feature which is located under the Tools menu.

2015-06-20_10

Just paste in the script and make sure it contains the starting and ending key values.

2015-06-20_11

Deobfuscating “Sundown EK”
Now let’s use some of the features to deobfuscate “Sundown’s” landing pages. Here’s a look at the exploit chain in Fiddler (credit: Kafeine):

2015-06-20_12

The first file is the landing page which looks like this:

2015-06-20_13

Paste that into Converter, choose Tools > Convert Mixed Format, click on the Mixed Entities to Hex option and click on Convert. To make things a bit easier, choose the “Percent” output format at the bottom. (This saves you from having to do a Format > Hex Format – % in the next step.)

2015-06-20_14

Click on the “Copy Output to Input” button then click on the “Hex to Text” button. Almost done…you can see some hex values in there.

2015-06-20_15

So click on the “Copy Output to Input” button then click on the “Unescape” button. Now we’re done.

2015-06-20_16
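
The same three steps (Mixed Entities to Hex with percent output, Hex to Text, Unescape) can be reproduced outside the tool in Python. This is an added example, not Converter's own code; the function names and the benign sample string are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Constructed, benign sample (not from the real landing page): plain text mixed
# with decimal and hex HTML entities, hiding a percent-escaped string.
SAMPLE = 'v&#37;61r &#x6d;sg = &#37;22hell&#111;%22;'


def mixed_entities_to_percent_hex(text: str) -> str:
    """Step 1: resolve entities wherever they sit in the text, then emit every
    byte as %HH so entity-decoded and literal characters end up in one form."""
    decoded = html.unescape(text)
    return ''.join('%{:02X}'.format(b) for b in decoded.encode('utf-8'))


def hex_to_text(percent_hex: str) -> str:
    """Step 2: one pass of %HH -> byte. A decoded '%' is not re-interpreted,
    so escapes that were hidden behind entities survive as text."""
    return unquote_to_bytes(percent_hex).decode('utf-8', errors='replace')


def js_unescape(text: str) -> str:
    """Step 3: JavaScript-style unescape() for %uXXXX and %XX sequences."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', repl, text)


def deobfuscate(text: str):
    """Run the three steps and return every intermediate stage for review."""
    stage1 = mixed_entities_to_percent_hex(text)
    stage2 = hex_to_text(stage1)
    return stage1, stage2, js_unescape(stage2)


if __name__ == '__main__':
    for label, value in zip(('percent hex', 'hex to text', 'unescaped'),
                            deobfuscate(SAMPLE)):
        print('{:12}: {}'.format(label, value))
```

Keeping each stage separate makes it easy to see which layer introduced the remaining hex values before the final unescape.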

Back to Fiddler…I chose the 10th item called “street4.php.htm”. Here’s what that looks like:

2015-06-20_17

There are three scripts on this page. Two are encoded as “JScript.Encode” and the third as “VBScript.Encode”; however, it’s the same encoder. I did the first one above so let me do the second.

2015-06-20_18

Click on “Send Data to Main” then click on the “Unescape” button.

2015-06-20_19

For the third script, let me paste that into its own file.

2015-06-20_20

I make my selections and click Convert.

2015-06-20_21

And we’re done!

2015-06-20_22

Here are the other changes/fixes that were made to Converter:

  • Update the Beautify JS and HTML function (credit: jsbeautifier.org)
  • Correctly rotate non-CSV hex values and the text values in the Key Search/Convert feature
  • Clear the output text box when the Import Binary File function starts
  • Update the results when the space and colon delimiter options are used in conjunction with the Format > Hex function
  • Add new input delimiter to Convert Base feature
  • Include last value when doing Octal to Hex function
  • Add new options colon, space and unicode to Format > Hex Format feature

You can download Converter here. Thank you for your support!
