# String & Data Deobfuscation

> Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding.

**FOR610 Labs:** 1.5, 5.2

## Steps

### Step 1: Automated Extraction

**Tools:** [[tools/floss|floss]], [[tools/strings|strings]]

Start with FLOSS, which reports static strings plus the strings it recovers by emulating the binary's own decoding routines (stack strings, tight strings, decoded strings). Compare against plain `strings` output: anything FLOSS shows that `strings` does not is worth chasing in the disassembler. Restrict FLOSS to decoded strings only with `--only decoded` (FLOSS 2.x; FLOSS 1.x used `--no-static-strings`). Remember that `strings` defaults to ASCII; Windows malware keeps a lot in UTF-16LE, so run it with `-e l` as well.

```bash
floss specimen.exe
floss --only decoded specimen.exe   # decoded strings only (FLOSS 2.x)
strings specimen.exe
strings -e l specimen.exe           # UTF-16LE strings
```

### Step 2: Encoding Detection

**Tools:** [[tools/xorsearch|xorsearch]], [[tools/bbcrack|bbcrack]]

Identify the encoding algorithm before trying to recover a key. XORSearch brute-forces single-byte XOR (and ROL, ROT, SHIFT) looking for a known plaintext you expect in the output, such as `http:`, `MZ` or `This program` (from the DOS stub); `-W` uses its built-in wildcard rules instead of a literal search string. bbcrack brute-forces XOR, ROL and ADD transforms at increasing levels of complexity (`-l`).

```bash
XORSearch specimen.bin "This program"   # known-plaintext search over all single-byte keys
XORSearch -W -d 3 specimen.bin
bbcrack -l 1 specimen.dll
```

### Step 3: Single-Byte XOR Recovery

**Tools:** [[tools/brxor-py|brxor-py]], [[tools/xortool|xortool]]

For single-byte XOR, brxor.py tries every key and scores the output by the English words it produces. xortool guesses the key length from per-position byte frequencies and then the probable key, given the byte you expect to dominate the plaintext (`-c 00` for NUL-padded binary data, `-c 20` for text). Decode with xortool-xor once you have the key.

```bash
brxor.py specimen.dll
xortool specimen.dll                  # key-length guess
xortool -l 4 -c 00 specimen.dll       # probable 4-byte key, assuming NUL is the most common plaintext byte
xortool-xor -r 9f5c37e2 -f specimen.dll > decoded.bin   # placeholder hex key; substitute the recovered one
```

### Step 4: Multi-Byte / Custom Decoding

**Tools:** [[tools/translate-py|translate-py]], [[tools/cyberchef|cyberchef]]

For multi-byte keys or custom algorithms, translate.py applies an arbitrary Python expression to every byte (`byte ^ key`, or something more involved that also uses the byte's `position`). CyberChef is a browser application (https://gchq.github.io/CyberChef/; REMnux bundles a local copy), not a shell tool, and is best for building layered recipes visually, e.g. XOR → From Base64 → Gunzip. Document the recipe (operations, keys, order): it is the reproducible definition of the decoding you found.

```bash
translate.py "byte ^ 35" < input.bin > output.bin   # 35 == 0x23, single-byte key
```

### Step 5: Stack String Recovery

**Tools:** [[tools/strdeob-pl|strdeob-pl]], [[tools/floss|floss]]

Stack strings are assembled at run time by a sequence of `mov` instructions that write the characters one byte (or one dword) at a time into a stack buffer, so the string never appears contiguously in the file and `strings` misses it. Common in evasive malware. strdeob.pl and FLOSS's stack-string detection reassemble them; FLOSS does it by emulating each function and reading the stack afterwards, so it also handles characters written out of order.

```bash
strdeob.pl specimen.exe
floss --only stack specimen.exe   # stack strings only (FLOSS 2.x)
```

### Step 6: Validation & IOC Extraction

Review the decoded strings before trusting them: brute forcers report anything that looks text-like, so confirm that the candidate key decodes the whole blob and that the result is internally consistent (a URL with a plausible host, a registry path that exists). Extract IOCs: C2 addresses and URLs, registry keys, file paths, API names, credentials. Where FLOSS or the disassembler tells you which routine decoded a string, rename that routine; it is called again wherever the malware needs another hidden string. Compare the results against known malware family patterns.
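Added example for Steps 2 to 4 (this is not code from the page, FOR610, XORSearch, brxor.py or xortool): a Python reimplementation of the three heuristics those tools rely on, so their output is easier to interpret. The specimen is constructed inline: a fake config block with NUL padding, XORed once with the single byte 0x23 and once with the 4-byte key `9f 5c 37 e2`; the crib list, the printable-text scoring and the "most common plaintext byte is NUL" assumption (xortool's `-c 00`) are all assumptions of this example, not of any tool.

```python
"""Single- and multi-byte XOR recovery (Steps 2-4). Added example; the sample
data below is constructed, 203.0.113.0/24 is a documentation range."""
from collections import Counter
from itertools import cycle

# Constructed plaintext: text lines plus NUL padding, like a fixed-size config struct.
SAMPLE_PLAINTEXT = (
    b"[config]\r\n"
    b"c2=http://203.0.113.25:8443/gate.php\r\n"
    b"ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"reg=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\r\n"
    b"drop=%APPDATA%\\svchost.exe\r\n"
    + b"\x00" * 96
)
SINGLE_KEY = 0x23                                   # 35 decimal, as in Step 4
MULTI_KEY = b"\x9f\x5c\x37\xe2"                     # assumed 4-byte repeating key
KNOWN_PLAINTEXT = (b"http", b"This program", b"MZ")  # XORSearch-style cribs


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a 1-byte key is single-byte XOR)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


SAMPLE_SINGLE = xor_bytes(SAMPLE_PLAINTEXT, bytes([SINGLE_KEY]))
SAMPLE_MULTI = xor_bytes(SAMPLE_PLAINTEXT, MULTI_KEY)


def known_plaintext_single_byte(data, cribs=KNOWN_PLAINTEXT):
    """Step 2, XORSearch idea: try all 256 keys, report (key, crib, offset) hits."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, bytes([key]))
        for crib in cribs:
            offset = decoded.find(crib)
            if offset != -1:
                hits.append((key, crib, offset))
    return hits


def printable_score(buf):
    """Fraction of bytes that are printable ASCII, tab/CR/LF or NUL."""
    good = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return good / len(buf)


def brute_single_byte(data, top=3):
    """Step 3, brxor.py idea: rank every key by how text-like the output is."""
    scored = sorted(((printable_score(xor_bytes(data, bytes([k]))), k) for k in range(256)),
                    reverse=True)
    return [(k, score) for score, k in scored[:top]]


def key_for_length(data, length, most_common_plain=0x00):
    """xortool -c idea: assume the most frequent plaintext byte (NUL here; use 0x20
    for English text) and derive one key byte per key position."""
    key = bytearray()
    for i in range(length):
        top_cipher_byte, _ = Counter(data[i::length]).most_common(1)[0]
        key.append(top_cipher_byte ^ most_common_plain)
    return bytes(key)


def guess_repeating_key(data, max_len=16, most_common_plain=0x00):
    """Step 4: for each candidate length derive a key, decode, score the result.
    Returns (length, key, score). The strict '>' keeps the shortest length on a
    tie, so multiples of the true length (8, 12, ...) do not win."""
    best = None
    for length in range(1, max_len + 1):
        key = key_for_length(data, length, most_common_plain)
        score = printable_score(xor_bytes(data, key))
        if best is None or score > best[2]:
            best = (length, key, score)
    return best


if __name__ == "__main__":
    print("crib hits:", [(hex(k), c, o) for k, c, o in known_plaintext_single_byte(SAMPLE_SINGLE)])
    print("brute top:", [(hex(k), round(s, 3)) for k, s in brute_single_byte(SAMPLE_SINGLE)])
    length, key, score = guess_repeating_key(SAMPLE_MULTI)
    print(f"multi-byte: len={length} key={key.hex()} score={score:.3f}")
    print(xor_bytes(SAMPLE_MULTI, key)[:60])
```

The key-length guess works only because the padding makes NUL the most common byte in every key position; on a blob without such structure, pass the byte you expect to dominate (space for prose) exactly as you would with `xortool -c`, and always validate the decode as in Step 6 rather than trusting the score alone.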
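Added example for Step 5 (not code from the page, strdeob.pl or FLOSS): a linear sweep over raw x86 bytes that reassembles stack strings from the two `mov` encodings that account for most of them, `C6 45 disp8 imm8` / `C7 45 disp8 imm32` (ebp-relative) and `C6 44 24 disp8 imm8` / `C7 44 24 disp8 imm32` (esp-relative, SIB byte 0x24). The same encodings cover rbp/rsp in 64-bit code. The code fragment is constructed for this example and is not from any real specimen.

```python
"""Stack-string recovery from raw x86 bytes (Step 5). Added example with a
constructed code fragment; a linear byte sweep, not the emulation FLOSS does."""
import struct

# Constructed fragment: "cmd.exe" written byte-wise plus one dword, then "http"
# written esp-relative and deliberately out of order.
SAMPLE_CODE = bytes.fromhex(
    "55"              # push ebp
    "8bec"            # mov ebp, esp
    "83ec10"          # sub esp, 0x10
    "c645f063"        # mov byte [ebp-0x10], 'c'
    "c645f16d"        # mov byte [ebp-0x0f], 'm'
    "c645f264"        # mov byte [ebp-0x0e], 'd'
    "c645f32e"        # mov byte [ebp-0x0d], '.'
    "c745f465786500"  # mov dword [ebp-0x0c], "exe\0"
    "8d45f0"          # lea eax, [ebp-0x10]
    "50"              # push eax
    "e800000000"      # call <rel32>
    "c644240770"      # mov byte [esp+7], 'p'
    "c644240468"      # mov byte [esp+4], 'h'
    "c644240574"      # mov byte [esp+5], 't'
    "c644240674"      # mov byte [esp+6], 't'
    "c644240800"      # mov byte [esp+8], 0
    "c3"              # ret
)


def decode_stack_mov(code, off):
    """If code[off:] starts with a supported mov, return
    (length, base, disp, value_bytes); disp is the signed 8-bit displacement."""
    if off + 1 >= len(code) or code[off] not in (0xC6, 0xC7):
        return None
    modrm = code[off + 1]
    if modrm == 0x45:                                        # [ebp + disp8]
        base, p = "ebp", off + 2
    elif modrm == 0x44 and off + 2 < len(code) and code[off + 2] == 0x24:
        base, p = "esp", off + 3                             # [esp + disp8], SIB=0x24
    else:
        return None
    size = 1 if code[off] == 0xC6 else 4
    if p + 1 + size > len(code):
        return None
    disp = struct.unpack("b", code[p:p + 1])[0]
    value = code[p + 1:p + 1 + size]   # immediate; dword bytes are already in memory order
    return (p + 1 + size - off, base, disp, value)


def _flush(frame, min_len):
    """Order written bytes by displacement, split on gaps/NULs, keep printable runs."""
    found = []
    for base in sorted({b for b, _ in frame}):
        cells = sorted(d for b, d in frame if b == base)
        cur, prev = bytearray(), None
        for d in cells + [None]:
            byte = frame[(base, d)] if d is not None else None
            contiguous = prev is not None and d == prev + 1
            if d is None or not contiguous or not (0x20 <= byte < 0x7F):
                if len(cur) >= min_len:
                    found.append(cur.decode("ascii"))
                cur = bytearray()
                if d is not None and 0x20 <= byte < 0x7F:
                    cur.append(byte)
            else:
                cur.append(byte)
            prev = d
    return found


def recover_stack_strings(code, min_len=3):
    """Linear sweep: consecutive stack movs form one frame; any other byte ends it."""
    results, frame, off = [], {}, 0
    while off < len(code):
        mov = decode_stack_mov(code, off)
        if mov is None:
            if frame:
                results.extend(_flush(frame, min_len))
                frame = {}
            off += 1
            continue
        length, base, disp, value = mov
        for i, byte in enumerate(value):
            frame[(base, disp + i)] = byte
        off += length
    if frame:
        results.extend(_flush(frame, min_len))
    return results


if __name__ == "__main__":
    print(recover_stack_strings(SAMPLE_CODE))
```

Two caveats a sweep like this has and FLOSS's emulation does not: a single unrelated instruction between the `mov`s ends the frame (real code often interleaves them), and stepping one byte at a time can land inside an immediate and produce a false `C6 45` hit, so treat its output as candidates to confirm in the disassembler.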
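Added example for Steps 4 and 6 together (not code from the page, CyberChef or FOR610): the XOR → From Base64 → Gunzip recipe from Step 4 expressed as a small Python pipeline, followed by the IOC sweep from Step 6 over the result. The specimen is constructed inline (a config block gzip-compressed, Base64-encoded and XORed with 0x5A); the XOR key is assumed already recovered in Step 3, the layer-sniffing heuristics and the regexes are this example's own, and `203.0.113.0/24` / `example.net` are documentation values, not real infrastructure.

```python
"""Multi-layer decoding (Step 4) and IOC extraction (Step 6). Added example;
the specimen and the recipe are constructed, the XOR key is assumed known."""
import base64
import gzip
import re
from itertools import cycle

# Constructed config block (documentation addresses only).
CONFIG = (
    b"c2=http://203.0.113.25:8443/gate.php\r\n"
    b"backup=https://c2.example.net/api/v1/beacon\r\n"
    b"reg=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\r\n"
    b"drop=%APPDATA%\\svchost.exe\r\n"
    b"api=VirtualAllocEx,WriteProcessMemory,CreateRemoteThread\r\n"
)
XOR_KEY = b"\x5a"   # assumed recovered in Step 3


def xor_bytes(data, key):
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample(plain=CONFIG, key=XOR_KEY):
    """What the (constructed) malware did: gzip -> Base64 -> XOR."""
    return xor_bytes(base64.b64encode(gzip.compress(plain)), key)


# One entry per CyberChef operation emulated here.
LAYERS = {
    "xor": xor_bytes,
    "base64": lambda data: base64.b64decode(data, validate=True),
    "gunzip": gzip.decompress,
}


def run_recipe(data, recipe):
    """Apply a recipe, a list of (op, *args) tuples, in order."""
    for op, *args in recipe:
        data = LAYERS[op](data, *args)
    return data


def detect_next_layer(data):
    """Cheap layer sniffing: gzip magic first, then the Base64 alphabet."""
    if data[:2] == b"\x1f\x8b":
        return "gunzip"
    if len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data):
        return "base64"
    return None


def peel(data, xor_key):
    """Remove the XOR layer, then keep peeling whatever layer is detected.
    Returns (plaintext, recipe) so the recipe can be documented."""
    recipe = [("xor", xor_key)]
    data = xor_bytes(data, xor_key)
    while (layer := detect_next_layer(data)) is not None:
        recipe.append((layer,))
        data = LAYERS[layer](data)
    return data, recipe


IOC_PATTERNS = {
    "url": rb"https?://[^\s\"'<>]+",
    "ipv4": rb"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "registry": rb"HK(?:LM|CU|CR|U|CC)\\[^\r\n]+",
    "path": rb"(?:[A-Za-z]:|%[A-Za-z_]+%)\\[^\s,]+",
}
# A wordlist rather than a CamelCase regex, which would also match registry
# path components such as CurrentVersion.
SUSPICIOUS_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
                   b"WinExec", b"URLDownloadToFileA")


def extract_iocs(text):
    """Step 6: regex sweep over decoded text, deduplicated in first-seen order."""
    iocs = {name: list(dict.fromkeys(re.findall(pat, text)))
            for name, pat in IOC_PATTERNS.items()}
    iocs["api"] = [api for api in SUSPICIOUS_APIS if api in text]
    return iocs


if __name__ == "__main__":
    specimen = build_sample()
    plain, recipe = peel(specimen, XOR_KEY)
    print("recipe:", [op for op, *_ in recipe])
    for kind, values in extract_iocs(plain).items():
        print(kind, [v.decode() for v in values])
```

The returned `recipe` is the thing to paste into the report: it is equivalent to the saved CyberChef recipe and lets another analyst reproduce the decode. The IOC regexes are deliberately loose (the IPv4 pattern will also match version strings with four dotted numbers), which is why Step 6 insists on reviewing hits rather than exporting them blindly.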
#strings #xor #deobfuscation #floss #cyberchef #encoding #workflow