Tools

Disclaimer: All tools have been tested on 32-bit Windows XP and 7. They are available free for personal or business use. These tools have been packed with UPX and are used to analyze malicious content, so anti-virus software may falsely identify them as infected or suspicious. No warranties expressed or implied; use at your own risk!

If you find these tools helpful, please consider donating: 1KzoZzFWuK2P7DhYPKVW1N5V6cf9PFYH3G (BTC)
 

Binary File Converter
Version: 0.1
Download: Link
MD5: f2906927ee7f6a07dcdf9d14f3bd1c03
Description: Converts small binary files into text and vice versa, which enables you to move content into and out of locked-down, remote hosts via VPN, RDC, SecureDesktop, etc., as long as access to the clipboard is allowed.
Credits: Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 07/27/13
 

Converter
Version: 0.11
Download: Link
MD5: 97976AEDF4B3C8B47E6C2F325EDE2212
Description: Converts data to/from many different formats, formats data, searches/replaces data, extracts data, finds XOR/ROT/SFT keys, imports/exports/splits/joins/converts files, and more. This tool was originally made for analyzing and deobfuscating malicious scripts, so it wasn’t designed to handle large datasets.
Credits: Sebatian L. (XOR), James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd (Radix 64, MD5), Phil Fresle and David Midkiff (SHA256), David Zimmer of Sandsprite (sc2exe, Beautify), Einar Lielmanis (JSBeautifier), Paul Mather (splitter), Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 02/17/14
 

Data Converter
Version: 0.9
Download: Link
MD5: 0CA1DE23313CC329E724D376CC82BFF2
Description: Converts text, hex, or decimal values using XOR, ROTate, and ShiFT methods. You can do an XOR keyword search or enumerate all keys to a file. You can import a binary file, perform add/subtracts before/after an XOR/ROT/SFT action, and write out the results to a text or binary file.
Credits: Sebatian L. (XOR), Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 02/17/14
 

File Converter
Version: 0.7
Download: Link
MD5: 5D3791AF6C66E6DA443586DD9D3F7B3B
Description: Converts large binary files to/from hex files with or without XOR encryption/decryption. Supports hex and decimal XOR keys.
Credits: Sebatian L. (XOR), VB Helper (ctrl-a select)
Last Update: 02/17/14
 

PHP Converter
Version: 0.3
Download: Link
MD5: 9D33DE25F776620DCACA11116E828247
Description: Deobfuscates/obfuscates PHP scripts.
Credits: James Johnston of TechKnow Professional Services (cZLIB). This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd (Radix 64), Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 07/11/14
 

PHP Script Decoder
Version: 0.1
Download: Link
MD5: 74D1D1391086A55C454D38C84ED0510D
Description: Provides functionality to perform custom search/replace methods to deobfuscate PHP scripts.
Credits: Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 06/01/14
 

Pinpoint
Version: 0.2.0
Download: Link
MD5: FE6F9AC4D5BAB5351BFF378E519ADF38
Description: Fetches a webpage and then enumerates and analyzes its components to help identify any infected files. Pinpoint gives you various options when making an HTTP request including spoofing the user-agent string and referer. Pinpoint will not render any of the content.
Last Update: 02/08/14
 

Revelo
Version: 0.5.3
Download: Link
MD5: 45112AA9BEF51FA5997577B494576E72
Description: Deobfuscates JavaScript using a variety of different methods; includes a built-in JS beautifier, DOM walker, firewall, packet sniffer, and proxy. Note: If analyzing malicious content, please use in a virtual machine. If the script calls Java, Acrobat, or some other plug-in, Revelo won’t protect you.
Credits: Eric Wolcott (firewall), Michael D. (proxy), Einar Lielmanis (JSBeautifier), David Zimmer (Beautify), James Crowley (cookies), Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 02/06/14
 

Sandbox Tester
Version: 0.1
Download: Link
MD5: E47C4248C4FC8096A81636FD5FD546B1
Description: Creates a dropper that deploys several methods to get past automated malware analysis tools. The dropper safely drops an Eicar file and pops up a message upon execution.
Last Update: 08/16/12
 

Scout
Version: 0.1
Download: Link
MD5: 4C715D11CD4C8628443CE8E0539E67AA
Description: Uses the Pinpoint engine to download and analyze webpage components to identify infected files. This function works fine in 32-bit Windows. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.
Credits: Michael D. (proxy), Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 03/25/14
 

Secret Decoder Ring
Version: 0.1
Download: Link
MD5: 109D9B3C5F91AC469C9C43AE4C800294
Description: Performs character substitution and position-based character lookups. Several exploit packs use this technique to hide URLs. Now you can analyze, decode, and encode URLs.
Last Update: 11/17/12
 

Word to Decimal
Version: 0.1
Download: Link
MD5: 77B82316CA09F8D63BBC9C683D85C4DC
Description: Converts Qword, Dword, and Word values to decimal. It can also perform basic XOR decoding.
Credits: Tom Moran (textbox), VB Helper (ctrl-a select)
Last Update: 05/23/14
 

ZeuS ENC Decrypter
Version: 0.1
Download: Link
MD5: 7363350921ED73C3DF68CC68F375E50B
Description: Automatically finds the four-byte XOR key then XOR-decrypts and LZNT1-decompresses GameOver ZeuS’ .enc files into PE files.
Credits: Alex Ionescu (LZNT1), VB Helper (ctrl-a select)
Last Update: 02/11/14