============================================================
  String & Data Deobfuscation
============================================================

  Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding.

  Related FOR610 Labs: 1.5, 5.2

────────────────────────────────────────────────────────────

  Step 1: Automated Extraction
  Tools: floss, strings
  Start with FLOSS for automatic deobfuscation (static +
  stack + decoded strings). Compare against plain
  strings output. To list only decoded strings, restrict
  FLOSS with its --no/--only switches (e.g. --only decoded
  in FLOSS 2.x; the exact flag depends on the version).

    $ floss specimen.exe
    $ strings binary.exe

  Step 2: Encoding Detection
  Tools: xorsearch, bbcrack
  Identify encoding algorithm. XORSearch: detect XOR
  with known plaintext (http:, MZ, This program).
  bbcrack: brute-force XOR, ROL, ADD at multiple levels.

    $ XORSearch -W -d 3 file.bin
    $ bbcrack -l 1 specimen.dll

  Step 3: Single-Byte XOR Recovery
  Tools: brxor-py, xortool
  For single-byte XOR: brxor.py <file> finds English
  words. xortool <file> guesses key length and probable
  key. xortool-xor -s <key> -i <file> -o decoded.bin to
  decode.

    $ brxor.py specimen.dll
    $ xortool <encoded_file>

  Step 4: Multi-Byte / Custom Decoding
  Tools: translate-py, cyberchef
  For custom algorithms: translate.py 'byte ^ key' or
  complex expressions. CyberChef for visual recipe
  building (XOR → Base64 → Gunzip chains). Document the
  recipe.

    $ translate.py "byte ^ 35" < input.bin > output.bin
    $ cyberchef

  Step 5: Stack String Recovery
  Tools: strdeob-pl, floss
  For strings built on the stack (MOV byte-by-byte):
  strdeob.pl <file> or FLOSS stack string detection.
  Common in evasive malware to avoid string extraction.

    $ strdeob.pl specimen.exe
    $ floss specimen.exe

  Step 6: Validation & IOC Extraction
  Review decoded strings. Extract IOCs: C2 addresses,
  registry keys, file paths, API names, credentials.
  Compare against known malware family patterns.
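
  The Step 2-4 and Step 6 workflow above, as an added Python example that is not
  part of the FOR610 cheatsheet or of any of the listed tools: it brute-forces a
  single-byte XOR key using the same known-plaintext markers XORSearch looks for,
  peels a Base64 -> XOR layer, and pulls URL IOCs from the result. The sample blob,
  its plaintext and the key 0x23 are constructed here for the demonstration.

```python
import base64
import re
import string

# Plaintext markers the page's XORSearch step searches for.
KNOWN_PLAINTEXTS = (b"http:", b"MZ", b"This program")
PRINTABLE = set(string.printable.encode())
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?")


def xor_single(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR (what translate.py 'byte ^ key' does)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Rank a decoding: known-plaintext hits dominate, printable ratio breaks ties."""
    if not candidate:
        return 0.0
    hits = sum(len(p) * candidate.count(p) for p in KNOWN_PLAINTEXTS)
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    return 100.0 * hits + 10.0 * printable


def crack_single_byte_xor(data: bytes) -> tuple[int, bytes]:
    """Brute-force all 256 keys; return (key, decoded) for the best-scoring one."""
    best_key = max(range(256), key=lambda k: score(xor_single(data, k)))
    return best_key, xor_single(data, best_key)


def decode_layers(blob: bytes) -> tuple[int, bytes]:
    """Peel a Base64 -> single-byte XOR chain, recovering the key on the way."""
    return crack_single_byte_xor(base64.b64decode(blob, validate=True))


def extract_urls(decoded: bytes) -> list[str]:
    """Pull URL-shaped IOCs out of the recovered plaintext (Step 6)."""
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]


# Constructed sample (not from a real specimen): plaintext XORed with 0x23,
# the key used in the page's translate.py example, then Base64-encoded.
PLAINTEXT = b"This program cannot be run in DOS mode.\r\nhttp://example.invalid/gate.php\x00"
SAMPLE = base64.b64encode(xor_single(PLAINTEXT, 0x23))

if __name__ == "__main__":
    key, plain = decode_layers(SAMPLE)
    print(f"recovered key: 0x{key:02x}")
    print("urls:", extract_urls(plain))
```

  Swap KNOWN_PLAINTEXTS for markers specific to the family under analysis when the
  defaults do not hit; the scoring then still prefers the most readable output.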

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
