Tools

Disclaimer: All tools have been tested on 32-bit Windows XP and 7. They are available free for personal or business use. These tools have been packed with UPX and used to analyze malicious content so anti-virus software may falsely identify them as infected or suspicious. No warranties expressed or implied; use at your own risk!

If you find these tools helpful, please consider donating: 1KzoZzFWuK2P7DhYPKVW1N5V6cf9PFYH3G (BTC)
 

Binary File Converter
Version: 0.1
Download: Link
MD5: f2906927ee7f6a07dcdf9d14f3bd1c03
Description: Converts small binary files into text and vice versa, which enables you to move content into and out of locked-down, remote hosts via VPN, RDC, SecureDesktop, etc., as long as access to the clipboard is allowed.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 07/27/13
 

Converter
Version: 0.12
Download: Link
MD5: ADF8A49A96C9D9A78EC4413004EC38E2
Description: Convert data to/from many different formats, format data, search/replace data, extract data, find XOR/ROT/SFT keys, import/export/split/join/convert files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts so it wasn’t designed to handle large datasets.
Credits: Sebatian L. (XOR), James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd (Radix 64, MD5), Phil Fresle and David Midkiff (SHA256), David Zimmer of Sandsprite (sc2exe, Beautify), Einar Lielmanis (JSBeautifier), Paul Mather (splitter), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
 

Data Converter
Version: 0.10
Download: Link
MD5: 39487C31A5D555673A7022BD22FB2CDA
Description: Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
Credits: Sebatian L. (XOR), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
 

File Converter
Version: 0.7
Download: Link
MD5: 5D3791AF6C66E6DA443586DD9D3F7B3B
Description: Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
Credits: Sebatian L. (XOR), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/17/14
 

PHP Converter
Version: 0.3
Download: Link
MD5: 9D33DE25F776620DCACA11116E828247
Description: Deobfuscates/obfuscates PHP scripts.
Credits: James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd (Radix 64), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 07/11/14
 

PHP Script Decoder
Version: 0.1
Download: Link
MD5: 74D1D1391086A55C454D38C84ED0510D
Description: Provides functionality to perform custom search/replace methods to deobfuscate PHP scripts.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 06/01/14
 

Pinpoint
Version: 0.2
Download: Link
MD5: FE6F9AC4D5BAB5351BFF378E519ADF38
Description: Fetches a webpage and then enumerates and analyzes its components to help identify any infected files. Pinpoint gives you various options when making an HTTP request, including spoofing the User-Agent and Referer headers. Pinpoint will not render any of the content.
Last Update: 02/08/14
 

Registry Dumper
Version: 0.1
Download: Link
MD5: C0132727C0B5D985E0DA57BAC8A0F682
Description: With Registry Dumper, you can scan for null characters in registry keys and dump them to a text file. You can also create and delete hidden keys by inserting the word “[null]” into the keyname. This tool requires .NET Framework 4.5.
Credits: Hoang Khanh Nguyen (NTRegistry.DLL)
Last Update: 12/06/14
 

Revelo
Version: 0.5.3
Download: Link
MD5: 45112AA9BEF51FA5997577B494576E72
Description: Deobfuscates JavaScript using a variety of different methods; includes a built-in JS beautifier, DOM walker, firewall, packet sniffer, and proxy. Note: If analyzing malicious content, please use in a virtual machine. If the script calls Java, Acrobat, or some other plug-in, Revelo won’t protect you.
Credits: Eric Wolcott (firewall), Michael D. (proxy), Einar Lielmanis (JSBeautifier), David Zimmer (Beautify), James Crowley (cookies), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/06/14
 

Sandbox Tester
Version: 0.1
Download: Link
MD5: E47C4248C4FC8096A81636FD5FD546B1
Description: Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an Eicar file and pops up a message upon execution.
Last Update: 08/16/12
 

Scout
Version: 0.2
Download: Link
MD5: D5F19BC648C302EF20112636777D414D
Description: Uses the Pinpoint engine to download and analyze webpage components to identify infected files. This function works fine in 32-bit Windows. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout can also screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM, since it could potentially infect your computer.
Credits: Michael D. (proxy), Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 10/05/14
 

Script Decoder
Version: 0.1
Download: Link
MD5: 6E4E1A7C3C4CF5EC902DBA76E3CE20BF
Description: Decodes data that has been encoded using Microsoft Script Encoder (ScrEnc).
Credits: Lewis E. Moten III (Script Decoder Program)
Last Update: 12/06/14
 

Secret Decoder Ring
Version: 0.1
Download: Link
MD5: 109D9B3C5F91AC469C9C43AE4C800294
Description: Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Now you can analyze, decode, and encode URLs.
Last Update: 11/17/12
 

Sounder
Version: 0.2
Download: Link
MD5: 0C3931EB4CFE1F5DF9A0BC8E7E945602
Description: Analyzes web server logs to find possible phishing sites via URLs left behind in referers. It also checks the potential websites for phishing keywords and takes screenshots. Sounder requires PhantomJS if you wish to take screenshots (download PhantomJS and copy the .exe to the same folder as Sounder).
Credits: Rocky Mountain Computer Consulting (ctrl-a select, ini read/write)
Last Update: 10/05/14
 

Word to Decimal
Version: 0.1
Download: Link
MD5: 77B82316CA09F8D63BBC9C683D85C4DC
Description: Converts Qword, Dword, and Word values to decimal. It can also perform basic XOR decoding.
Credits: Tom Moran (textbox), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 05/23/14
 

ZeuS ENC Decrypter
Version: 0.1
Download: Link
MD5: 7363350921ED73C3DF68CC68F375E50B
Description: Automatically finds the four-byte XOR key then XOR-decrypts and LZNT1-decompresses GameOver ZeuS’ .enc files into PE files.
Credits: Alex Ionescu (LZNT1), Rocky Mountain Computer Consulting (ctrl-a select)
Last Update: 02/11/14