Introducing Reneo

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings.

The benefit of using this tool is that you can access many different utilities from a single, portable executable without relying on online converters or disclosing your content to some online service.

Reneo means “to unravel or solve” in Latin.

This is basically a rewrite of Converter but with additional functionality and conveniences. For example, you can maximize the app, open multiple dialog boxes at the same time, and do some basic conversions from the command line. Just type “reneo /?” or “reneo -?” and a popup with instructions will appear.

Here’s an example of using Reneo on a live script.

This PowerShell script came from a malicious Word macro. The gibberish in the middle is a string of decimal values separated by garbage characters, which are removed at the end. The result is then XORed with 0x31.

The first step is to copy that string into Reneo, then click on Edit > Text Transformer. Since we want to end up with decimal values separated by commas, I enter this into the method called “Replace All Chars…”.

Here’s the result.

I click on the button in the center and try converting from Decimal to Text to see what this looks like.

As expected, I get nothing useful because it’s “encrypted”. I then click on Decode/Decrypt > Simple Decrypter and make the following choices — decimal input, hex key, XOR method, single key action, and enter 31.

And I get the decrypted script.
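The same cleanup and XOR steps, scripted in Python as an added example (not part of the original post and not Reneo's code). The sample string is constructed, and the code assumes the junk separators are non-digit characters.

```python
import re

# Constructed sample (not from the original macro): the text "Write-Host 'hi'"
# XORed with 0x31, written as decimals and joined with junk separator characters.
SAMPLE = "102q67~88Z69!84x28#121%94q66~69Z17!22x89#88%22"
XOR_KEY = 0x31  # single-byte key stated in the post


def extract_decimals(blob):
    """Same effect as replacing every junk run with a comma, then splitting."""
    values = [int(tok) for tok in re.split(r"\D+", blob) if tok]
    bad = [v for v in values if v > 255]
    if bad:
        # A value above 255 means the separator assumption or the encoding is wrong.
        raise ValueError(f"values outside byte range: {bad}")
    return values


def decimals_to_text(values):
    """Plain decimal-to-text step; non-printable bytes are shown as '.'."""
    return "".join(chr(v) if 32 <= v < 127 else "." for v in values)


def xor_decode(values, key):
    """Apply the single-byte XOR key to every value and return the text."""
    return bytes(v ^ key for v in values).decode("latin-1")


def deobfuscate(blob, key=XOR_KEY):
    """Full pipeline: strip separators, parse decimals, XOR with the key."""
    return xor_decode(extract_decimals(blob), key)


if __name__ == "__main__":
    vals = extract_decimals(SAMPLE)
    print(",".join(map(str, vals)))  # cleaned, comma-separated decimal list
    print(decimals_to_text(vals))    # still unreadable before the XOR step
    print(deobfuscate(SAMPLE))       # decoded script text
```
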

Here’s one more example. This one is another malicious PowerShell script. I copy the base64-encoded portion to Reneo.

If I convert the above using Base64 to Text, the result will have a bunch of null characters because of Unicode, so the better way is Convert > Base64 to Hex, then Format > Unicode to Hex, and finally Convert > Hex to Text.

The top part of the script references the element position in the array below. I click on Decode/Decrypt > Script Decoder and copy the comma-separated array from the script into the popup box, leaving just the array position in the Input textbox. I remove the “-f” at the beginning of the array, choose the PowerShell method, then click on “Start”. The result still requires some cleanup because the PowerShell script does some search/replacements at the end to make the result functional, but I can already see what this script does.

Reneo is free for business or personal use. It has been packed to combine multiple DLLs and therefore may get incorrectly flagged by anti-virus.

You can get Reneo from the Tools page.

Happy reversing!

Posted on: 06/24/2018