Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and in this video I want to do something a little different. This was a technique that we recently saw at work, and it was kind of a clever thing to potentially stage malware or bad stuff or other programs that you want to run within Windows in DOS or batch, within the Windows command prompt, the cmd.exe scripting language and shell system language and all that. So I thought it was kind of neat and kind of clever, because they essentially just use variables to stage and leverage and put together potentially just calling a payload or starting something new as another program to kick off, and it would be all mangled and put together in like just printable characters, English that all looked like nonsense and gibberish. So a little obfuscation to help potentially stage a payload. And I thought it was kind of neat and clever, and I thought like, oh well, you could actually automate like the creation of that and maybe you could get something random every time, so it looks different and you could bundle it up and package it and whatever. It's a thing. I'm going to obviously neuter that and we're not going to use it to stage malware or bad stuff. We'll use a proof of concept just like starting notepad or kick starting a specific program like calc.exe and make it really easy for us in a testing proof of concept, and obviously not doing anything bad or malicious, because we don't do that. That's not what we do. So, disclaimer: I am going to be kind of going in cold on this. So I'll use Python to script it out, which yeah, isn't native to Windows, but I'm gonna have it installed and we're gonna work with it, and we'll just use Python to decorate and create the actual launcher and thing itself. Again, I'm going in cold on this, so I might fumble around a good amount in Python. This will be kind of a raw, off the cuff, chill video. So anyway, let's get to it.
I guess I'll show you kind of what I'm talking about and we'll hop on over to my screen here Let me fire up command prompt and I'll show you this trick, right? So you can set like any variable to be anything that you want and within batch and You can then use that variable even in the context that batch and the shell will automatically interpret It'll just take it kind of literally it'll understand interpret that value So you can use that to build out other commands or other things that you want to run and that's kind of interesting and weird So you can see I just got this set variable here or that that command of that Function whatever you really want to call it here and we'll use that to go ahead and create a variable That's just syntax and we'll call it like a a a just as a as an example And I'm going to set that equal to the word set And that's it now I have the variable a a a that I could access and it's simply the word set as I've defined there If we're to go ahead and define another variable I'll go ahead and use a a a to go ahead and set a variable It's kind of funky right because and we know that that word set is going to be interpreted and I'll use that to Create a new variable called bbb Looks weird right because I'm just using set in the place of that including the space and bbb will equal a Space character right you kind of see where I'm going this so now I could use a a a a with bbb and Now create a new variable called ccc and I'll set that equal to an Equal sign and that might look weird actually we should probably change that to DDD because now I'm going to end up creating variables with just this syntax That we've just created and manifested so the C will be the variable that we end up using in our D Will equal equal signs that we use in the actual assignment operation So it looks funny equals equals, but I'm literally creating a variable that is just going to be the equal sign Right that just ran and it works. 
So now I could use aaa to set, bbb to have my actual space character there, and I'll use ccc as a new variable that I'm going to try and define, and I'll use ddd to include that equal sign. Now I can set it to a value. I can set it to "Hacks" or whatever, and that executed, and now I have the variable ccc, if you could keep track of that. So let me go ahead and echo out the value of ccc. "Hacks", and I've just set that in a weird-looking syntax, just wrapping and masking behind it all of the actual variables of the commands that will go ahead and create a variable. So now you could use this and you could build out in this weird random syntax other character set and create a potential payload that you could hide and mask with this funky thing. And it's obviously all going to be printable characters, and it doesn't look like you're creating a long string to invoke Mimikatz or do anything that you might really want to. That's the gist. That's the gimmick. Now let's go ahead and I guess create a script for this. I'll make directory batch guess and I'll hop over in there, and I'm going to use Sublime Text to create an obfuscator.py I guess, and now that window is opened up. We can start to write our code. Again, I'm not a thousand percent positive where I'm going to go with this, so complete disclaimer if there's some weird fumbling and I don't do an incredible great job right off the cuff. But I'm going to import the random module, because I want to essentially create random letters being my variable name, and then the Python code will just keep track of all that and know how to smartly create the payload string, we'll give us all those random letters that we could use, and our end goal, right, will be like kickstart a program that will just start calc, right? So calc is in C:\Windows\System32\calc.exe. Is that right? It is, okay, cool. So if I were to have the syntax for start C:\Windows\System32\calc.exe, it'll just start it, and that's really going to be our proof of concept.
So goal, I guess, can equal start C:\Windows\System32\calc.exe, but obviously, sure, you could replace this with anything you particularly wanted to. We saw it in the case of some nefarious stuff and we're not going to do that. That's not what we're all about. We're gonna have this proof of concept to kickstart a program in an obfuscated way within batch and Windows. So let's go ahead and create a variable that we can use as our set operator, because we got to start with those, right? So let's actually define, I guess, a function before I do this, so we can get random mess. We can, I guess, supply a length as an optional variable. Let's just call it like five as the length of the randomness in that case, and let's go ahead and return a list comprehension of string.ascii_lowercase for underscore in range of length. And I do want to jitter that a little bit, so I guess we can say min length and max length equals like 10, so for range of... Random has a randrange function, doesn't it? If I clear the screen here, cls, python, again, I'm using it in Windows. So import random, random.randrange, I think, zero to ten. Yeah. Cool, okay, so that'll work just fine for us. Let's use random.randrange. And I had to actually choose one of the random letters here, so let's use choice around that string list, and random will be min len. Well, I'm jumping around, min len and max len. Okay, so proof of concept, right? Let's just check out our get random mess and see if it actually works for us. Please let me out. Okay. Let's python obfuscator, and I failed: int object is not iterable. Oh, that has to be wrapped in range. So I did want to keep that. Gotcha. Range will go ahead and create the number sequence, but random.randrange is going to return the random number, and that's going to be used as the length of our range. So that's why we needed that. Cool. Let's try that one more time. And now we get some random mess. Uggsy. I like that one.
We do need to be careful and that sure We could potentially have a collision with our randomness and we could keep track of that I don't know if I'll need to run into that in this I Can use like a randoms that I can keep track of so Rand I guess can equal what we've got and will global randoms really need to do anything because it's already a global variable We can do like if rand not or While I want to check if rand not in randoms Then we'll go ahead and add it to our set of random variables that we've seen So let's go ahead and append our rand and then we'll go ahead and return our rand um If I do a while well And then I guess let's do a while rand in How do I how do I want to get this logic right so that like it'll create that first and python? I don't think has a do while Does python have a do while uh The danger of me opening up my actual web browser python python do while I'm gonna do while loop I mean, I guess that would work right Because it'll just keep randomizing it and then once it Knows that it's not in randoms. It'll go ahead and return it. So I think that should work Yeah, it's still still going so whatever now. Let's get our set operator and our set operator will equal a get random mess so The code here that we're going to end up writing um should be I'm gonna use f strings we'll do set Our set operator to equal the word set And that's all that we'll need for that first one right So at the end I guess we will print out our code all joined together with new lines Right So now oh I need to actually set the operator. Oh, I need to stink and call the function. That's why Set all that nonsense into set which is good. Okay, and now we need to get our primitive for a space character so We will use this percent To set a space Character Get random mess set With the space now including our space character value like variable name will be equal to a space, right? 
Good And then we need to actually get our equals character So that's the first primitive right equals character equals a get random mess and with this prologue here We've sort of gone ahead and used the set operator with the space character value to Get a new variable our equals character equal to equals Oh That's so wonky right and then let's get a proof of concept dummy character So now we're using our set operator With our space character with the equals character actually being set After I get a dummy name. So let's just use variable dummy name and then I'll use our Value of our equals character to be Oh, my face is in the way. I'm so sorry. How long has that been doing that? Sorry Value of our equals character equals. Please subscribe Good enough right? So if I were to write all that out And I were to copy that if I were to clear the screen and paste all that Set is Getting in the way of something what's going wrong here Set that thing equal to set which it has and then I set this other thing equal to A space character. So I have set space character az tdm Why is the space character not working? let's um Let's do a little right here. So let's open a Payload dot bat right and we'll write it in in write mode So like with that as handle we'll do handle dot write and then let's say final code equals all of that So let's write that final code into that handle Now when I run this obfuscator I now have a subl.exe actually just open it here in our payload dot bat Which includes everything that we need and there is a space character there So if I were to try and run that payload dot bat it works Okay So, uh, what is the value of dummy name right now? Please subscribe excellent. Okay. The thing does the thing that it's supposed to do when it operates as a thing so Get random s is working just fine. We have kind of a prolog right now, right? 
So let's change that variable name to prolog and let's say code can equal our Uh, I guess an an empty thing and let's do code An empty thing plus a prolog. Does that work? You can add arrays like that. Can't you? Oh, I also realized that I typed obfuscator wrong. What? Okay, so Now that we have all that now we need to be able to start to build out the primitives for getting all the other Characters in here the thing that I'm worried about is some of these special characters like the equal sign Can I set those just as easily just fine? Let me get back to the command prompt and we'll do kind of a proof of concept here If I clear the screen and if I were to set a to equal a colon Can I echo a and it works just fine? I guess so How about a forward slash b can equal a forward slash? Yep echo b Perfect and a period I think that's all I need Set c to equal a period echo c yep period Fantastic, okay So now we need to start to build out a library of all the potential characters that we could end up using and generate their randomness for that So let's grab a Like and start to build I guess a dictionary of what we know Let's Just go ahead and create that dictionary of our own batch alphabet, right? so for character in string dot printable we could We should maybe define a function to be like set a variable now Let's do that after we've created the prolog Because now that we have the functionality to create variables at a whim all like on whim. 
Let's do a create variable var name and value So let's return Right and f string as we've done before With kind of the prolog like syntax just this very very last one where we have our proof of concept and we don't need that anymore Let's return the f string of setting a var name will replace that and then the value Right Let me zoom out so you can see that just a smidge because I know it's getting wonky when we're doing all this Obfuscation our set operator our space character our var name with the equal sign will be set to that value And then we'll return that so for character in string printable. We'll go ahead and Create a variable Now that we can use that function Of And we should add this to our dictionary So I'm trying to think about all that things that we need to do here Create a variable with the get random mess name. So I guess I should actually keep track of that as a variable So var name can equal that Value can equal character create a variable with the random variable name With that value and then we'll want to add that to our current code. So code dot append all that And actually we should make a specific var Settings list. I think create a variable name all of these variables Um That's right And now we need to add it to our alphabet. So alphabet dot I'm sorry. I'm like my brain is just being fried right now. It's still early in the morning alphabet Value is what I want to index because I want to be able to know something based off of the specific key Um Equal to that Var name Right Okay, good. So now let's go ahead and print out The joined rendition of all of the var settings that we've just created So if I were to python 3r obfuscator, I totally failed var settings as a tuple Why is that? Var settings out of pent var settings was made a list sequence item zero Expected string instance tuple found Why did we return? Oh, there's a stinking comma at the very very end of my create variable function Wtf. Why is that there? Okay, cool. 
Now we've gone ahead and created Variable names for all of the potential letters we could use All the characters and they're all created with randomness They also have a new line in there. Do I can I actually use that variable as a new line? I mean, I guess I have to execute this Uh, that would probably fail I feel like it would Whatever let's uh add our Var settings into our code Uh after we've defined them And then let's display that out. So now I have in my Payload here all of this all of this all of this and if I were to go ahead and Go ahead and run that payload Okay, so the semicolon will not work How about the new line? Which one of these was the new line that was TRPD VJ XG nice. I like that If I echo out that value does it work? Nope It's been set to nothing How about HU Y FID Nope also been set to nothing. How about this guy? This should have a value. Do any of these have a value? Let's get um my f Variable obviously the most important one F okay. I mean, so that works whatever. I'm cool with it. You know not a big deal So now we've had a lot of but now we have a lot of potential right because we have defined a randomness way To gain access to all of the potential characters that we might want to use So we could use all of the characters that we have Here in our goal and then go ahead and Run it so Let me Start to Build that out. Let's do a four Character in our goal Let's get the variable name that we need for one thing So we can use our alphabet index at that character because that's what we set in Really the alphabet and let's as a proof of concept just kind of print that out Just to see So let's play down three our obfuscator and there is all of our stuff seemingly cool, and then we want to get the actual wrapped implementation of that So an f string With the percent signs around it For our character in our goal now. Let's print out That so we're just getting the values and it'll be executed on the command line, right? 
So if I were to join all of that together Without a new line because it's going to just be one command Now this giant string based off our randomness will go ahead and execute the calculator Right, that's the idea. So Let's include that as a execute Variable right and now let's add it into our code that we run So I should be able to run the obfuscator and that failed Because that needs to be a list On its own. Sorry because all the others all the other types here are lists So now we're on that and our payload should have that at the very very very very end which you can see it does and theoretically This I'm crossing my fingers here because again this I haven't done this. I'm going in cold if I were to run this payload Something broke Is that the less than symbol? I feel like I should remove some of those it's probably breaking stuff Did it actually even get down there? No, I think it started to read in Yeah, lecpi broke it Okay, so we got to remove some of those then let's do Um, let's create a little bad characters list and remove those And let's change our string dot printable To a character set name that we want to use. So let's use character set At the very very top here can be equal to our string dot printable and then let's have a bad characters and let's say We I mean this can just be a string. It doesn't need to be a list. So uh that that that And let's see if that's good enough, uh character set for bad For bad in bad characters Let's go ahead and remove that from the character set. So character set can equal character set dot replace just to remove that badness with nothing And then rather than a string dot printable, let's just use character set Okay Now let's run the obfuscator And take a look at our payload No Seemingly weirdness yet, but we should run it and find it if we get anything bad clear the screen run the payload and a colon's being funky. What is that one doing? Is that like a null byte? What comes after this? The square brace. 
Oh, it's a backslash. Oh, it's escaping the new line. Huh. That's wonky. Okay. So I realize that maybe it's smarter to be using backslashes because it's a Windows file system, but that's going to be a little bit of an exception to our rule here and we probably have to finagle that a little bit. Let's gloss over that for the time being, and an exercise left to the reader. How about that curly brace? Can I nerf that? Um, now keep in mind I'm doing all this in a very, uh, whack-a-mole way, but if you are doing this with a legitimate payload and you are trying to do a little bit more with this, you could start to group some of the potential bad characters together with a known good character. So if I were to set, uh, clear the screen again, set, um, a to equal that curly brace. Why did that work that time? Was there another thing that was being weird? What is, what is, what is with the curly brace? Oh, it's the backtick maybe. Set a to equal a backtick. No, that's totally fine. What the what? All right, can you run the obfuscator one more time, please, python? Hello, python3 obfuscator and then payload.bat. What, what? Square brace is being funky. Oh, the backslash actually worked just fine. Are you like combining things that you shouldn't? What is tgkzk? tgkzk. That equals the underscore. And this caret is being wonky. I think that's it. Let's remove the caret.
Let's remove any, any seemingly direction-pointing arrows. Obfuscator, payload, please. Backtick is still being... what is going on? Let's remove the backtick. Anyway, I guess I got distracted, and I was trying to tell you that if you are seeing this issue and you aren't needing to care about all of the potential characters, like in this character set out of string.printable that we're building, you could just be taking the characters that you need out of your goal string, out of what you're trying to execute, and if there are weird bad characters, just morph them into another. So when I say that, I'll be like, oh sure, if you were tripping up on the colon, just combine it with the C colon and that might make it behave a little bit better. python3 obfuscator, python3 payload.bat. And our curly brace is still being weird. So let's just remove the curly brace. We don't need it. Whatever. I'm fine with it. I don't care. cls, payload.bat. Here we go, underscores. Why, why? All right, remove the underscores. Now let's run the obfuscator. Now let's run the payload. Go go go go go. This is unreal. We should realistically only care about the stuff in the goal. So maybe for the sake of our sanity, and mine, I guess my, my, my sanity, let's just change this to the character in the goal string, create variable specific to those, and that's an easy fix. Like, we don't really need to do that. So, uh, I didn't run the obfuscator, so that's going to fail. Clear, python3 obfuscator, run the payload. And we ran calc. All right, so that added an extra seven minutes that we really, really didn't need. Um, anyway, I think that's kind of neat. I have one other idea that we could take advantage of here and use, um, and I don't know if it'll work, but that's our obfuscator. And we could actually add in our prologue, right, let's just create a little @echo off, so it doesn't spit that all out.
I'll run the obfuscator, run the payload, and @echo off is not going to behave. Fine. I don't think we need it. We, we, we actually didn't even end up using it, or it wasn't present in the artifact that we found this in. So if anything, I think this does a good job, and that this file alone might not trigger any EDR or antivirus thing, because you are hiding this and masking this payload with a little bit of obfuscation. And now we've randomized it, so it can be a different thing every single time. That's a little neat. Um, let's try and take this one step further. So here we go. We're at a checkpoint, right? Milestone one, we've kind of completed what we wanted to for this video, and that already took me a half hour. Now we're going to once again kind of explore an uncharted territory, because I haven't done this yet. So bear with me with all of my mess-ups. But here's the thing that you can do. Let me show you this. Um, batch can convert an ASCII number or an integer into the ASCII character representation. So if I were to use cmd /c and then exit with a number, right? Let's go 65, because that's in the ASCII table the value representing a capital letter A. There we go. That will work, and now I can echo out this %=ExitCodeAscii%, and it's letter A. Right. So if I could do this for 66, now I've got B, and I could do this for like 92 or 91, and now I've got that symbol.
So maybe that will also help us get out of the issue of Maybe help that'll help us avoid the issue of running into those characters that were being problematic because we can convert it from a value We could set that as we need to in our code And that way we can mangle this a little bit more because we can do other weird things with numbers um And this was not present in the uh potential artifact that we found that was doing this This is just my mental abomination and diabolical disaster so Batch will let you do the modulus operator We can go ahead and set and if we are to set we need to use a slash a because set slash a is um A for doing arithmetic and that grants you the opportunity to use the modulus operator. So let's set mod equal to like Let's go two um mod Like four So that's two divided by four and the remainder well two can't divide by four. So it's going to get a remainder of two um Modulus operator is getting the remainder of a division operation So the way we could get a number that we want is to take one number that we're looking for like say We're looking to get the number eight and if I were to multiply this by any random number Two three four five six and if I were to take that number once again and multiply it by that same number two three four five five One down Now I've gotten The remainder of eight or excuse me your remainder is zero. Did I go too high or something? What was weird in that? Or do I have those values backwards? I think maybe I have those values backwards 22 23 I just did this does it need to be It probably needs to be parentheses This was something that I was testing ahead of time Okay, okay, okay, whatever. Let's go 230 that thing and then Yeah, okay, so it needs to be parentheses. Cool. I'm not crazy. Thank you um Add random numbers to that three four five six and let's take that down a step Now you have too much numbers. So two three two two three five. How about that two two Three six, please. There we go. 
I don't know what the threshold and batch is for these numbers Uh, but I guess we can figure that out and we'll put it in the range of like a thousand Or so if I were to go nine nine nine nine, how does that work? Versus nine nine nine eight Okay, cool. So what if I went for 255 times that value or I guess 126 is the highest ASCII value that we can represent, right? So let's do 126 times that 126. All right. Well, we'll use that as our threshold nine nine four nines Quad nine will be what we will work with that is enough tinkering and and play Let's experiment and this might be a totally failed initiative I don't know if I can get this right But now we've got some other primitives that we want to work with we want to Use our set operator to create variables and we will need the prologue to go ahead and create a slash and an a Because now we'll have a new way of defining variables if we were to use this method Before I do this. I guess let's call this obfuscator two or Yeah, I mean Second obfuscator So my tab complete works a little bit better. So now we're going to be defining a slash And let's do that for a slash character and an a character so our Equals character has been set and This create variable name. I should honestly use our I guess I create like a second prologue right, you know what I'm saying Let's do that Let's take this prologue here and then go ahead and create a second prolog Where now we can use the create variable syntax and kind of as we did in goal, but now we're going to end up doing it for Just the string forward slash a because we need that as part of our set slash a syntax So the var name will be you get random mess. The character is still be going to be a character and let's create a second prologue to append Creating it and we've defined that already so I think that's good. Yeah Yeah Let's create that second prolog List here Good. So now our code can equal our prologue plus our second prologue Do I have a second character anywhere? 
I don't know why it uh I created that for me now. We can redefine our create variable and do some weird stuff Here's what we can do Now that we've got the capability to create things with a slash a We can use our set operator with our space character With the value of the alphabet that we're working in with a slash With the value of the alphabet slash a With another space character following that with a variable name set to a value This will not work immediately because we need to go ahead and Get the value based off of our modulus So I'm going to define this as steps and this will probably end up being the last step But now what we need to do is determine the character that we want so We can test if that value is Or I guess if like length of value is one Otherwise we'll raise an assert error Or I guess a value error, right? I can only handle One character for Obusification sure totally fine um I hope my face wasn't in the way for like half of this video What we need to do now is Set a variable To Oh geez we're going to get super recursive here. Are we no We need to first know the value that we have so ASCII value Equals the ORD of that Value and ORD is right right or we'll return the ordinal Python 3 ORD of capital a 65 great. That's good exit please so with that We Get the ASCII value and we need to then get it as a Variable that we're going to define with The modulus so we're going to set. Oh boy Sorry, this is hurting my mind right now Set operator I got to zoom out. I got to zoom out because this is getting so lengthy Set slash a to equal the Let's set some parentheses. No no because I don't want the parentheses. 
I want python to figure it out for me So python needs to do the Get a random number so Multiplier right Can equal random dot rain random dot ran range of 1000 to 999 so The in the a Mod b equals c Modulus operation that we're doing our a is going to be C times our multiplier Modulus b times our multiplier Minus one right So I am not going to have any shame and I'm just going to define it that so ASCII value is really what the c that we want because that's what we know our modulus is going to end up as So a can equal the ASCII value Multiplied by the multiplier and then b can equal the ASCII value multiplied by the multiplier minus one great So now I'm going to have a Set operator space character alphabet Set Slash a so we can get into the math Sorry, I'm just thinking and this is bending my mind right now bar name equals character can equal the parentheses And we don't even need parentheses anymore because we've already done that math for us. Thanks to python So that will be a mod b Right So that has now given me a Random That has given me the number but now I need to convert it back Okay so Now I could just use that c and b slash b now. I can just exit with that value and we might Not end up using the var name to do that because we probably need a temporary var name for that so For that variable right unless you can you do that exit? with with The math in there or does it have to be through set like let's try that cmd slash c exits paste And then echo the equals exit code ascii No, that fails How about 65 Okay, so we just can't do math like that. 
So let's slash a mod with our 65 With our 65 and then let's try and cmd slash c exit with our mod value Which should work and we try and exit with that now we have a so we do need to use that temporary variable And that will be a get random mess name so now Rather than using var name for the first one We will need to use a temporary variable set to that and then we will need to go ahead and exit with the value of that temporary one so Ooh, I want to define the variables to be able to execute cmd slash c because that's going to get annoying We can do that right because we already have our create variable primitives and that's just less of them Or should be using should we be using these get Get our second layer of create variable after we've redefined it Should we be using that to go ahead and create cmd? I mean we can't we need we need that we need that after the fact so Slash a we're going to end up having and we're also going to have cmd. We already have the slash we already have the c we need exit and We need the space even though we've already defined the space up top We just haven't kept track of that in our alphabet range so steps Equals all of that We should call this mod create variable rather than create variable because we're going to need to create variable repeatedly I guess we should just kind of Create we already did create those We created all those variables. So now we just need to use all of those in a string So how should we do that? 
Steps, steps plus equals that. This is probably an extremely confusing video and I'm sorry. Steps equals that, and now we need to do for character in cmd slash c exit, and then we need to include all of those. We need to take pieces, pieces dot append the format string of the value of the alphabet that we know with our character, because now we'll have cmd slash all the way up to exit. And then we will do pieces dot append an f-string with the value of our temporary variable. So we'll eventually have cmd slash c slash exit slash and the value of mod, kind of just as we, just as we did before. And then we need to go ahead and set, set with a create, with a create variable. Uh, pieces actually should equal this: a list with just all the pieces put together, so that's on one line. Because this will go ahead and create the temporary variable with the numeric value of the value that we want, and then for character in cmd slash c exit to stage that into an exit code, and then we have to go ahead and set the variable name of the var name to really be the exit value. So when I run create variable, will var name take the spot just fine? I think it will. So steps will now equal a set operator with a space with the alphabet, and we don't actually need this new alphabet slash a because we aren't doing any math in this, we're just setting a variable to that, and we could do that with a create variable, because that's just going to return it, is it not? Yeah. Steps create variable with the var name as we have done. Good. Oh man, this is still blowing my mind, because now I scrolled down, I was like, wait, didn't we need to do that for the goal? Anyway, um, var name should be our equals exit code ASCII, theoretically, right? And this might fail, this might completely fail. I realize I'm going on almost an hour and I, this is still on a whim.
So let's create that variable as the last step, and then we need to return all of these put together. So return, oh, we need to add that into the, add the pieces into the steps. Return all those pieces. No, return all those steps, because those are all of the lines that we're building and the steps that are necessary to create a variable with this modulus operator. Um, so all of the code now, we'll need to create all of these. So for the character in the goal, we are going to pass in a random mess as the variable name and then set the value. Wait, what did mod create value used to do? Okay, it would just run the function, and it passed in the value, and we already figured that out because we set value in a modulus ordinal thing. So for character in goal, we still just need to do all this, but now we're going to end up calling mod create variable with the var name and the variable, and that's going to return a list. So var settings needs to actually add on this, right? And then all that alphabet works. Oh gosh, this is extremely confusing. I don't know that worked, honestly. I just, I honestly don't know. Let's see what's wrong with it. Python, second obfuscator: alphabet is not defined. Excuse me? Where are we trying to run alphabet? Line 42, second prologue. Oh, I guess we really should move that up. Alphabet should probably be defined like way, way up here. Here we go. It ran. Okay. Z types. Wow, that's a very nice random word that you generated. Oh boy. So this should equal what? Set slash a to mod can equal that, right? 115. What is, what is the first one that we work with out of string dot printable? Python 3. Import string dot printable. Excuse me. Oh, import string, duh. String dot printable. I can type. Printable, holy cow. Zero. Now let's take the ord of that. 48. That's not good. Is that right? What did we do wrong? Whatever, uh, let's try and run all this and just see if it works. No, no, not in Python, please. Okay, paste all that in, and that's failing. Um, totally fine.
Let's just get up to the very, very first, uh, execution of creating a variable. So let's run payload dot bat. cmd slash exit equals. Oh, oh no. What's going on? It needs the percent sign. Why is it doing that? cmd slash 100 equals. Do I need a second percent sign and all that to, like, escape it? That's gonna look really weird, man. Let's do it. Let's do it. Python 3, second, payload again. Let's just get all the exit codes. Oh, I'm missing a percent sign in one of these. Percent percent, that exit ASCII is not exit. Go ask. Do I need the literals there? What's happening? Oh, wait a second, I did have it there. It's just, sorry, the equal sign was weirding me out. Yeah, reload the thing. Now let's payload dot bat. Oh, it did it! Oh, and it did it because it was s, because it's for start. Oh, did it do it? Did it work? Did it? Let's go. Let's go. Let's see this a tea. Oh, holy crap. All right, let's just run the whole thing. Let's send it, send it, boys. I, hello? Can I have the whole, can I have the whole payload back, please? Thank you. All right. One more time, one more time. Do the thing. That is awesome. Oh my gosh. Now, okay, so I'm a little worried, I'm a little weirded out with this one, because obviously we are running cmd slash the exit and that's invoking cmd. That's like starting a whole another process. So I want to open up, like, Procmon or something and just let that run and see what happens. So let's do that. We're at the hour mark. This has been a long, long show, but, um, do I have Sysinternals? Sysinternals? Nope, probably not. All right.
Let's get to Chrome and let's download Sysinternals. Sysinternals. I want to watch and see, like, the serious amount of cmd.exes just flare up my computer, or if that even happens. Um, but that's one way of obfuscating, and that looks dirty, right? Like, that, that's crazy. We could amp up those numbers if we wanted to, and I guess we could probably finagle this a little bit more, but, but let's, let's download Sysinternals and see how we do. I hope that was fun. Thanks for tolerating all of that, guys. Holy crap, I hope that was a good time. All right, we'll wait for Sysinternals to download, and I guess we'll review really everything that we went over here. So we went in a lot of different places, and I'm sorry for that, but eventually all we wanted to do was obfuscate the process of running a program. We used calc as our proof of concept. We wanted to define all of the potential characters that we might be using in that string to run the cmd start calculator, and define them in, like, random variables. And, uh, maybe we could actually do that with string.printable now and we won't have the issue. Can I try that? Are you guys cool with me trying that, rather than just looping through goal now to create the character set? Let's use all the characters and let's not remove them, because I think this new method will actually allow us to, like, using the modulus as a means to hide it even further, that should let us build out the entire printable character set. And it's cruising, it's going. Oh, I broke it. cnb slash c6. Oh, it's the stinking less-than symbols. I guess those are still getting in the way, because you need to use them as part of set, so that's why it dies. All right, I did a bad job of doing a recap because I got distracted. That takes a while to stage everything, but yep, the pipe's still going weird. Which we don't exactly need. Do we need pipes? I mean, it'd be cool to actually have pipes.
So let's try and keep the pipes in there and see if that was just the square braces that were making an issue. Nope. What is it? Is it the pipes? Let's take the pipes out. How's Sysinternals doing? Oh, they're downloaded. Okay, cool. What? Oh, did I not run the stinking obfuscator again? Second obfuscator, payload. Let's, uh, let's get Sysinternals cruising while we're doing that. Let's drag this down and, like, let's run Procmon, just to see how absurd it is. Oh, it popped calc. Not that it, it didn't, it didn't pop. It didn't pop calc. It's not an exploit, but it's a cool obfuscation technique. Wow. Uh, all right, so let's see what we got. Can I filter for, um, process name is cmd.exe? Yeah, add the item, please. Okay, so if I just start cmd, cmd, let's show in Procmon. Yeah, okay, it's doing its thing. Oh boy, I don't need all that. Can I, can I clear that, actually? How do I clear? I do want a process start operation, so include only that. Cool. So now if I try and use this filter technique, using the modulus operator, using that batch gimmick to convert ASCII into an actual letter, do we get a crap ton of cmd.exe payloads? Yep, there they go. That's surprisingly, is that, like, not enough, or is it just like, oh, I think, is it, is it refreshing or something? I mean, the process ID stays the same. Here comes calc. You know what, however long that took, that time is plenty. That is plenty fast, and the hackers don't need to worry about how much time it takes. Oh, wow, look at the tooltip. Can I hover over that again? I want to see that again. I want you to show me the tooltip. Show me the arguments. Exit code ask equals four. What, all the variables? Oh, that's super cool. That's a mess. That was super fun though.
I hope, uh, I hope that was, I hope that was a good watch. I know it took us a long, long time, but I think we got a lot of really neat stuff out of that, and that's how you could potentially obfuscate just a little kickstarter, just a stager, and, uh, I don't know, tinker with it. Again, this is for the sake of education. This is for the sake of learning and seeing how crazy it is when you have this obfuscated thing, and it's just batch, you know, it's just cmd. I showcased in another video how you could disable the command prompt, and that's not a real security measure. It's not encouraged or enforced as one, but it's a thing you could do, the same way this is a thing you could do. So we just got randomness to be able to define variables, and then we were able to use those variables as part of the actual command that was ran, and build them out to create any essential scripting that we want. We just did it with one goal, just running one command to pop a calculator, but that's it. And this is messy, dirty code, but this was all totally off the cuff, and that was really, really cool and kind of fun, and that was fantastic when it worked. So that's been a lot of me talking. This has been an hour-long video, and I'm sure you have stuff that you have to get back to in your life, so let's wrap it up here. Thank you so, so much for watching. This has probably been one of the most fun videos I've done in a long while, and it was good to get into Python and just mess around for a little bit. So, uh, if you did like this video, please do press that like button, maybe leave a comment, please subscribe, do the whole YouTube algorithm thing. I'm super duper grateful, and maybe we can do more stuff like this in the future. I had a lot of fun, I hope you did too, and let's, let's call it a day. Thanks so much, everybody. I love you. I'll see you in the next video. Take care.
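
The Procmon observation in the video (one cmd.exe process start per staged character, each a `cmd /c exit <number>` whose exit code is then read back as a letter) can be turned into a detection over process-creation logs. The following is an added example, not code from the video: the event tuple format, the threshold values and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Child command line of the form `cmd /c exit <N>` (any case, optional path/quotes).
EXIT_RE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+exit\s+(\d+)\s*$', re.IGNORECASE)


def find_exit_code_staging(events, min_children=5, window_s=10.0):
    """Flag parents that spawn a burst of `cmd /c exit <printable ASCII code>`.

    events: iterable of (timestamp_seconds, parent_pid, command_line).
    Returns {parent_pid: characters decoded from the exit codes, in spawn order}.
    """
    by_parent = defaultdict(list)
    for ts, ppid, cmdline in events:
        m = EXIT_RE.search(cmdline)
        if not m:
            continue
        code = int(m.group(1))
        # Exit codes 0/1 from ordinary scripts are ignored; only codes that
        # map to a printable character are interesting here.
        if 32 <= code <= 126:
            by_parent[ppid].append((ts, code))

    findings = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        # Sliding window: at least min_children matching children within window_s.
        burst = any(
            hits[i + min_children - 1][0] - hits[i][0] <= window_s
            for i in range(len(hits) - min_children + 1)
        )
        if burst:
            findings[ppid] = "".join(chr(code) for _, code in hits)
    return findings


def build_sample_events():
    """Constructed process-start events (not captured from the video)."""
    staged = "".join(dict.fromkeys("start calc"))  # unique characters: "star cl"
    events = [(0.2 * i, 4100, f"cmd /c exit {ord(ch)}") for i, ch in enumerate(staged)]
    # A benign parent that repeatedly exits with status 1, plus one normal command.
    events += [(1.0 * i, 5200, "cmd.exe /c exit 1") for i in range(8)]
    events.append((3.0, 5200, "cmd /c start calc"))
    return events


if __name__ == "__main__":
    for ppid, decoded in find_exit_code_staging(build_sample_events()).items():
        print(f"parent pid {ppid}: staged characters {decoded!r}")
```

The decoded string is the set of characters the script staged, in the order the children were spawned, which is not necessarily the final command; it still tells an analyst which alphabet was built and from which parent process.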