tobias
f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
32 lines
1.1 KiB
Plaintext
32 lines
1.1 KiB
Plaintext
# translate.py
|
|
# Transform data using Python expressions (XOR, ADD, etc.)
|
|
# FOR610 Labs: 3.4 | Sections: 3 | Author: Didier Stevens
|
|
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
|
|
|
|
% xor, transformation, decoding, didier-stevens
|
|
|
|
# Basic usage
|
|
translate.py "byte ^ 35" < input.bin > output.bin
|
|
|
|
|
|
# --- Recipes (multi-tool chains) ---
|
|
|
|
# >> Decode Base64 + XOR Shellcode
|
|
# Find Base64 strings
|
|
base64dump.py <script.ps1> -n 10
|
|
# Decode Base64, then XOR with key
|
|
base64dump.py <script.ps1> -s <selection> -d | translate.py 'byte ^ <key>' > shellcode.bin
|
|
|
|
# >> Full Office Macro Decode Chain
|
|
# Step 1: List streams and extract VBA
|
|
oledump.py <document>
|
|
oledump.py <document> -s <macro_stream> -v
|
|
# Step 2: Extract Base64 from data stream
|
|
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
|
|
# Step 3: Decode second Base64 layer + decompress
|
|
base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
|
|
# Step 4: XOR decode the shellcode
|
|
base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
|
|
# Step 5: Emulate the shellcode
|
|
scdbgc /f shellcode.bin /s -1
|