
Smoke support

Open rexlManu opened this issue 4 years ago • 6 comments

Maybe add smoke support?

Here are two files: https://workupload.com/archive/cZAa2Z3F

The second with 2 in the name is deobfuscated with yours, but the classes are not clear.

rexlManu, Apr 16 '20 16:04

The two files are RATs that I got because I got infected.

rexlManu, Apr 16 '20 16:04

I made a flow obfuscation remover today that also works on smoke. Check out Generic -> Remove obvious flow obfuscation.

Also what do you mean by "the classes are not clear"? Name obfuscation can't be reversed, only re-obfuscated for better readability.

GraxCode, Apr 18 '20 10:04

To make a working smoke deobfuscator I need more samples. Please post them here if you can.

GraxCode, Apr 19 '20 11:04

Is smoke still used anymore?

GraxCode, Oct 01 '20 21:10

Mostly only in old hack clients. When we check smoke, it's already not updated anymore. The website is down and https://twitter.com/smokeobfuscator?lang=de is also dead. So you can close this issue.

rexlManu, Oct 02 '20 20:10

Can you re-upload the samples?

Princekin, Oct 28 '20 14:10