The latest version includes several new features which I’d like to highlight here:
Enhanced Range Search/Replace
The feature can be found by going to this menu item under Tools:
You can now add incrementers as a text replacement as seen in this graphic. Just add ^i if you want to start with 0 or ^I if you want to start with 1. If you check the “Keep Enclosed Contents” box, the “from” and “to” values will be included in the results (inclusive).
The other option is called “Keep Value From String… and To String…” which just keeps the in-between values.
New Hashing Algorithms
Added new hashing algorithms (credit: Karim Wafi) under the stats menu:
Convert Mixed Format
I moved the mixed format options from under the Format menu to its own form under the Tools menu. I included examples so you can understand what it’s used for.
I also added a “Mixed Entities to Hex” feature. There’s a button on the main screen called “Decode HTML” that decodes HTML entities, but it fails if your input string has a mixture of HTML entities and other text. This feature converts your input to hex, which you can then convert back to text to get your results.
Microsoft Script Decoder
Microsoft Script Encoded strings are now being seen in the wild. I added a script encoder and decoder function in two places (credit: Jean-Luc Antoine and Shawn Stugart).
If you have a large file to convert, you can use the Convert Script File option by going here:
This is the form which allows you to choose an input file, output file, and option.
The input file you wish to decode must contain only the script, which starts with #@~^… and ends with ^#~@.
If you have a short string to decode then you can use the Script Encoder/Decoder feature which is located under the Tools menu.
Just paste in the script and make sure it contains the starting and ending key values.
Deobfuscating “Sundown EK”
Now let’s use some of the features to deobfuscate “Sundown’s” landing pages. Here’s a look at the exploit chain in Fiddler (credit: Kafeine):
The first file is the landing page which looks like this:
Paste that into Converter, choose Tools > Convert Mixed Format, click on the Mixed Entities to Hex option and click on Convert. To make things a bit easier, choose the “Percent” output format at the bottom. (This saves you from having to do a Format > Hex Format – % in the next step.)
Click on the “Copy Output to Input” button then click on the “Hex to Text” button. Almost done…you can see some hex values in there.
So click on the “Copy Output to Input” button then click on the “Unescape” button. Now we’re done.
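The three-step chain above (Mixed Entities to Hex, Hex to Text, Unescape), reproduced in Python as an added example for analysts who want to script it. This is not Converter's code: the function names and the sample string are constructed, and UTF-8 is assumed for the hex step.

```python
import html
import re

# Constructed sample (not from the Sundown landing page): plain text mixed with
# decimal and hex HTML entities that hide a percent-escaped string.
SAMPLE = 'var s = "&#37;3Cdiv&#x25;3E&#104;&#x65;llo&#37;3C/div&#37;3E";'

def mixed_entities_to_hex(text, prefix="%"):
    """Step 1: decode entities wherever they occur, leave other text alone,
    then emit every byte as prefixed hex (the "Percent" output format)."""
    decoded = html.unescape(text)
    return "".join(f"{prefix}{b:02X}" for b in decoded.encode("utf-8"))

def hex_to_text(hex_str, prefix="%"):
    """Step 2: turn the prefixed hex back into text."""
    return bytes.fromhex(hex_str.replace(prefix, "")).decode("utf-8", "replace")

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def js_unescape(text):
    """Step 3: JavaScript unescape(); malformed escapes are left as-is."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def deobfuscate(text):
    """Run all three steps and return each intermediate layer for review."""
    as_hex = mixed_entities_to_hex(text)
    as_text = hex_to_text(as_hex)
    return as_hex, as_text, js_unescape(as_text)

if __name__ == "__main__":
    for label, layer in zip(("hex", "text", "unescaped"), deobfuscate(SAMPLE)):
        print(f"{label:>9}: {layer}")
```

Keeping each intermediate layer makes it easy to see which stage removed which encoding when a page stacks several of them.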
Back to Fiddler…I chose the 10th item called “street4.php.htm”. Here’s what that looks like:
There are three scripts on this page. Two are encoded as “JScript.Encode” and the third as “VBScript.Encode”; however, it’s the same encoder. I did the first one above so let me do the second.
Click on “Send Data to Main” then click on the “Unescape” button.
For the third script, let me paste that into its own file.
I make my selections and click Convert.
And we’re done!
Here are the other changes/fixes that were made to Converter:
- Update the Beautify JS and HTML function (credit: jsbeautifier.org)
- Correctly rotate non-CSV hex values and the text values in the Key Search/Convert feature
- Clear the output text box when the Import Binary File function starts
- Update the results when the space and colon delimiter options are used in conjunction with the Format > Hex function
- Add new input delimiter to Convert Base feature
- Include last value when doing Octal to Hex function
- Add new options colon, space and unicode to Format > Hex Format feature
You can download Converter here. Thank you for your support!