
Adding Basic Arithmetic operation

Open scottdermott opened this issue 3 years ago • 3 comments

Various malware samples use obfuscation to avoid detection. A common technique is to use simple arithmetic within Chr() or [char] to avoid detection.

For example: Chr(104+1-1) & "t" & Chr(120+4-8) & "ps" & "://"

Sum & subtract operations are not a viable solution for this kind of string -> basic calculation -> number that can be converted from a valid Charcode

Using the following recipe, it is very easy to decode the obfuscated string:

Subsection('chr\\((.*?)\\)',false,true,false)
Basic_Arithmetic()
From_Charcode('CRLF',10) 

Output: https://

scottdermott avatar Nov 25 '21 20:11 scottdermott

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Nov 25 '21 20:11 CLAassistant

Thanks for your input! There is already an open PR to add arithmetic, but in a different way. You can see it here. Would you be able to achieve what you want using that PR?

mt3571 avatar Nov 26 '21 16:11 mt3571

Thanks for your input! There is already an open PR to add arithmetic, but in a different way. You can see it here. Would you be able to achieve what you want using that PR?

Hi, I had a look at the PR and I don't think it would be possible using that operation.

The operation I added evaluates a basic add and/or subtract maths string and returns a numeric value without doing a JavaScript evil eval() (see screenshot).

Screenshot 2021-11-26 at 17 23 32

scottdermott avatar Nov 26 '21 17:11 scottdermott
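
The idea discussed in this thread, as an added example that is not part of the original issue and not CyberChef's own code: evaluate the add/subtract expressions inside Chr() with a strict parser instead of eval(), then rebuild the string. The function names are hypothetical, and it assumes only integer + and - inside Chr() and double-quoted literals joined with &.

```javascript
// Added example (not CyberChef code). Function names are hypothetical.

// Evaluate a string containing only integers joined by + and -.
// Anything else is rejected, so sample text never reaches eval().
function evalAddSub(expr) {
  const s = expr.replace(/\s+/g, "");
  if (!/^[+-]?\d+([+-]\d+)*$/.test(s)) {
    throw new SyntaxError(`not a plain add/subtract expression: ${expr}`);
  }
  // Split into signed terms, e.g. "120+4-8" -> ["120", "+4", "-8"].
  return s.match(/[+-]?\d+/g).reduce((sum, term) => sum + Number(term), 0);
}

// Decode a VBScript-style concatenation of Chr(<expr>) calls and "literals".
function decodeChrConcat(src) {
  // Sticky flag: each part must start exactly where the previous one ended.
  const part = /\s*(?:chr\(([^()]*)\)|"([^"]*)")\s*/iy;
  let out = "";
  let pos = 0;
  while (pos < src.length) {
    part.lastIndex = pos;
    const m = part.exec(src);
    if (!m) throw new SyntaxError(`unexpected input at offset ${pos}`);
    if (m[1] !== undefined) {
      const code = evalAddSub(m[1]);
      if (code < 0 || code > 0x10ffff) throw new RangeError(`bad char code ${code}`);
      out += String.fromCodePoint(code);
    } else {
      out += m[2]; // plain string literal, copied as-is
    }
    pos = part.lastIndex;
    if (pos < src.length) {
      if (src[pos] !== "&") throw new SyntaxError(`expected & at offset ${pos}`);
      pos += 1; // skip the concatenation operator
    }
  }
  return out;
}

// Sample string from the issue above.
const sample = 'Chr(104+1-1) & "t" & Chr(120+4-8) & "ps" & "://"';
console.log(decodeChrConcat(sample));
```

Input that is not a plain sum, such as a function call or a multiplication inside Chr(), raises an error rather than being evaluated.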