What does this POWERSHELL command do? (malware)

@Reply,

Are you still around? I am taking another look at this and was wondering how you extracted that. It appears to be base64 encoded and compressed but I couldn’t figure out how to decompress it. The base64 decoded version just looks like noise.

The original post starts with

POWERSHELL -Enc

So you start by decoding, which give you

( .('nEw'+'-OB'+'j'+'ect') SYSTem.io.COMPREsSiON.deflATeSTREAm([syStem.IO.MEMOrYstreAm]

Correct the capitalization and string concatenation, and you get

New-Object System.IO.Compression.DeflateStream(
    [System.IO.MemoryStream][System.Convert]::FromBase64String(
        "random stream of characters"

Now take the inner character string and decode it AGAIN with FromBase64String.

After decoding the base64 again, you still need to do
System.io.Compression.DeflateStream(

That is the step I was stuck on. Do I do that in PowerShell? It looks like an API call that you could also do from other languages.

PowerShell has access to .Net classes like that.

These ain’t your grandpa’s .bat files.

Almost any compression/decompression program.

Windows API:

BOOL Compress(
COMPRESSOR_HANDLE CompressorHandle,
LPCVOID UncompressedData,
SIZE_T UncompressedDataSize,
PVOID CompressedBuffer,
SIZE_T CompressedBufferSize,
PSIZE_T CompressedDataSize
);

I think that ‘extract.exe’ had the ability to extract deflated files, but I’m not sure that ‘compact.exe’ ever supported ‘deflate/zip’ as an option.