Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,62 @@
# String & Data Deobfuscation
> Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding.
**FOR610 Labs:** 1.5, 5.2
## Steps
### Step 1: Automated Extraction
**Tools:** [[tools/floss|floss]], [[tools/strings|strings]]
Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings.
```bash
floss specimen.exe
strings binary.exe
```
### Step 2: Encoding Detection
**Tools:** [[tools/xorsearch|xorsearch]], [[tools/bbcrack|bbcrack]]
Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels.
```bash
XORSearch -W -d 3 file.bin
bbcrack -l 1 specimen.dll
```
### Step 3: Single-Byte XOR Recovery
**Tools:** [[tools/brxor-py|brxor-py]], [[tools/xortool|xortool]]
For single-byte XOR: brxor.py <file> finds English words. xortool <file> guesses key length and probable key. xortool-xor -s <key> -i <file> -o decoded.bin to decode.
```bash
brxor.py specimen.dll
xortool <encoded_file>
```
### Step 4: Multi-Byte / Custom Decoding
**Tools:** [[tools/translate-py|translate-py]], [[tools/cyberchef|cyberchef]]
For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe.
```bash
translate.py "byte ^ 35" < input.bin > output.bin
cyberchef
```
### Step 5: Stack String Recovery
**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]]
For strings built on the stack (MOV byte-by-byte): strdeob.pl <file> or FLOSS stack string detection. Common in evasive malware to avoid string extraction.
```bash
strdeob.pl specimen.exe
floss specimen.exe
```
### Step 6: Validation & IOC Extraction
Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. Compare against known malware family patterns.
#strings #xor #deobfuscation #floss #cyberchef #encoding #workflow
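Review bot: the sample filenames drift from step to step (specimen.exe and binary.exe in Step 1, file.bin and specimen.dll in Step 2, <encoded_file> in Step 3, input.bin in Step 4), so the page does not read as one walkthrough over a single specimen; use one name such as specimen.exe in every fenced block. In addition, the Step 1 prose points at `FLOSS --no-static` for decoded-only output but the block below it never shows that invocation, and the Step 5 block repeats Step 1's `floss specimen.exe` verbatim instead of the stack-string-specific run the prose describes, so either add the options the text refers to or drop the duplicate line. Step 6 is also the only step without a **Tools:** line and a fenced block, which breaks the per-step template the rest of the page follows.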