Merge branch 'master' into dev

CybercentreCanada · Mar 24, 2023 · c908538 · c908538
2 parents c8c58e5 + 9362dde
commit c908538
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/deobs.py b/deobs.py
@@ -81,12 +81,19 @@ def add1b(s: bytes, k: int) -> bytes:
     @staticmethod
     def charcode(text: bytes) -> Optional[bytes]:
         """ Replace character codes with the corresponding characters """
-        # To do: what decimal encodings exist in scripting languages and how to decode them?
+        # Todo: something to handle powershell bytes syntax
 
     @staticmethod
     def charcode_hex(text: bytes) -> Optional[bytes]:
         """ Replace hex character codes with the corresponding characters """
-        output = regex.sub(rb'(?i)(?:\\x|0x|%)([a-f0-9]{2})', lambda m: binascii.unhexlify(m.group(1)), text)
+        output = regex.sub(rb'(?i)(?:\\x|%)([a-f0-9]{2})', lambda m: binascii.unhexlify(m.group(1)), text)
+        return output if output != text else None
+
+    # Todo: find a way to prevent charcode_oct from mangling windows filepaths with sections that start with 0-7
+    @staticmethod
+    def charcode_oct(text: bytes) -> Optional[bytes]:
+        """ Replace octal character codes with the corresponding characters """
+        output = regex.sub(rb'\\([0-7]{1,3})', partial(DeobfuScripter.codepoint_sub, base=8), text)
         return output if output != text else None
 
     @staticmethod
@@ -102,6 +109,12 @@ def charcode_xml(text: bytes) -> Optional[bytes]:
         output = regex.sub(rb'&#([0-9]{1,7});', partial(DeobfuScripter.codepoint_sub, base=10), output)
         return output if output != text else None
 
+    @staticmethod
+    def hex_constant(text: bytes) -> Optional[bytes]:
+        """ Replace hexadecimal integer constants with decimal ones"""
+        output = regex.sub(rb'(?i)\b0x([a-f0-9]{1,16})\b', lambda m: str(int(m.group(1), 16)).encode('utf-8'), text)
+        return output if output != text else None
+
     @staticmethod
     def chr_decode(text: bytes) -> Optional[bytes]:
         """ Replace calls to chr with the corresponding character """
@@ -472,8 +485,10 @@ def execute(self, request: ServiceRequest) -> None:
             ('MSWord macro vars', self.mswordmacro_vars),
             ('Powershell vars', self.powershell_vars),
             ('Hex Charcodes', self.charcode_hex),
+            # ('Octal Charcodes', self.charcode_oct),
             ('Unicode Charcodes', self.charcode_unicode),
-            ('XML Charcodes', self.charcode_xml)
+            ('XML Charcodes', self.charcode_xml),
+            ('Hex Int Constants', self.hex_constant),
         ]
         second_pass.extend(first_pass)
         final_pass: TechniqueList = []