Hello, I'm Didier Stevens and in this video I'm going to show you how I analyzed JScript that was generated with James Forshaw's DotNetToJScript tool. So that's a tool that takes a .NET assembly and turns it into JScript, a JavaScript on Windows. So I have the script here, and as you can see it contains a variable, serialized object, that is assigned a string concatenation that looks like base64, and this goes on until the end, and then you have some more code. So what we want to do is extract and analyze this base64 code, and for that I'm going to use my base64dump tool, but I first need to extract the base64 strings, and only the base64 strings and nothing more. So I'm going to use my re-search tool to search for strings in this script, like this. So here you can see I have all the base64 strings and then also a couple of other strings. We will need to get rid of these. I also don't need the double quotes, and for that I can use another regular expression, str-u, that looks for quoted strings but doesn't include the quotes themselves. So it's str with a u for unquoted, like this, and you can see now the double quotes are gone. Here I still have three strings in the beginning that are not base64. So I'm going to get rid of these, and I can do that with a tail command. I add a tail command to get the tail of a text file, and here I'm using +4. +4 means that you want to select all the lines starting from the fourth line, like this. See, and now I only have the base64 and nothing more. So now I can dump this into base64dump and also tell base64dump to ignore whitespace, the carriage returns and newlines, to get rid of these, like that, and then indeed there is one base64 string that has been decoded. Now what I expect is to find the assembly, the .NET DLL, inside that base64 string, and we can see it's not at the beginning because it doesn't say MZ.

But with my YARA rule contains_pe_file we can check if it contains a PE file, and indeed the rule has triggered. So somewhere in here there's the PE file, the executable that we are looking for, and if we take option yarastrings then we will get all the strings found by YARA, and it's only one, MZ, and this is at position 0x4c7. That's where the PE file starts inside this decoded base64 string. So let's take a look there. So I'm going to select the first stream and do an ASCII dump, like this, and go to 0x4c7, yeah, and here indeed you can see MZ and then here "This program cannot be run in DOS mode", and the PE header, so this is indeed a PE file. So the thing I can do now is first of all do a binary dump and not an ASCII dump and cut out the part that we want. We can do that with a cut expression, and the cut expressions in my tools tell where you want to start cutting and where you want to end cutting. So where we want to start cutting is at position 0x4c7, like this, and then the colon separates beginning and end, and for the end we are not going to specify an end, so that means that we will not cut at the end, we will include everything until the end. And this I'm going to pipe into pecheck, my tool to analyze PE files, and indeed we get output here, so it is indeed a PE file, and as you can see here at the end it says that there is an overlay. An overlay is data appended to the end of the PE file, and the reason why there is an overlay here is because we are still dealing with the data of the serialization, so serialization data that is at the end of the file and is not part of the PE file. If we go back here and we go all the way to the end, here you can see this is actually still part of the serialization and not of the PE file, so it's best to get rid of it, although for analysis you don't necessarily need to get rid of it, but here I want to show you how you can get rid of it. And so pecheck here tells us there is an overlay and that overlay starts at this position, 0x1400, so this is actually the length of our PE file, because at that position the extra data starts. So we can use that in our cut expression, like this: 0x1400 and then l to indicate that this is the length. So with this we can cut out the PE file; here you can now see no overlay. And then of course if you want to analyze it in a sandbox or IDA Pro or whatever, you can redirect it into a file and say for example pefile.vir, something like that.

Now there's one more thing that I want to show you here. Let's go back to the ASCII dump. Now I don't know anything about the serialization format, but what I noticed is the following. So here you have the start of the PE file, MZ, here you have 4d5a, that's MZ, and before that you have a 2, and then here four bytes in little endian that are actually 00 14 00 00, you see here. So this is often the case in binary formats when you have data inside it, like a string or an included file, that in front of that data you have a field that gives you the length of the data, and this is probably the case here. So you have the data, before that you have a 2, and then here you have four bytes little endian that give you the size, so that's something else you can probably use to extract it.
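The carving procedure the video walks through (take only the quoted base64 chunks of the serialized-object assignment, decode them, locate MZ, and use the 4-byte little-endian length field that sits just before the 0x02 and MZ bytes to cut the PE without its trailing serialization data), as an added Python example that is not Didier Stevens' code and does not use his tools. The variable name serialized_obj and the sample script are assumptions; the MZ/PE stub is constructed, not a real binary.

```python
import base64
import re
import struct

# Assumed variable name: the video only says "serialized object".
ASSIGN_RE = re.compile(r'serialized_obj\s*=\s*((?:\s*"[^"]*"\s*\+?)+)\s*;')
QUOTED_RE = re.compile(r'"([^"]*)"')  # quoted strings without the quotes (like re-search's str-u)

def extract_base64(script):
    """Join only the quoted chunks of the serialized_obj assignment; other strings are skipped."""
    m = ASSIGN_RE.search(script)
    if not m:
        raise ValueError("serialized_obj assignment not found")
    return "".join(QUOTED_RE.findall(m.group(1)))

def decode_blob(b64):
    """Decode after stripping newlines/whitespace, as base64dump's ignore-whitespace option does."""
    return base64.b64decode(re.sub(r"\s+", "", b64), validate=True)

def find_pe(blob):
    """Return (offset, length) of the embedded PE.  Layout observed in the video:
    4-byte little-endian length, then 0x02, then MZ.  Checked via e_lfanew -> PE signature."""
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off < 5 or blob[off - 1] != 0x02:
            continue
        (length,) = struct.unpack("<I", blob[off - 5:off - 1])
        pe = blob[off:off + length]
        if len(pe) < 0x40 or len(pe) != length:  # truncated or implausible length field
            continue
        (e_lfanew,) = struct.unpack("<I", pe[0x3C:0x40])
        if pe[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return off, length
    raise ValueError("no length-prefixed PE found")

def carve_pe(script):
    """JScript text -> PE bytes, plus the serialization data that pecheck would report as overlay."""
    blob = decode_blob(extract_base64(script))
    off, length = find_pe(blob)
    return {"offset": off, "length": length, "pe": blob[off:off + length], "trailing": blob[off + length:]}

def build_sample():
    """Constructed test input (not real malware): a minimal MZ/PE stub wrapped as described above."""
    stub = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 20
    payload = b"\x00\x01" + b"\x42" * 11 + struct.pack("<I", len(stub)) + b"\x02" + stub + b"\x0b\x00tail"
    b64 = base64.b64encode(payload).decode()
    chunks = "+\n".join('"%s"' % b64[i:i + 32] for i in range(0, len(b64), 32))
    return ('var version = "v4.0.30319";\nvar entry = "Main";\n'
            "var serialized_obj = " + chunks + ";\nvar o = deserialize(serialized_obj);\n")
```

Run `carve_pe(open("sample.js").read())` on a real DotNetToJScript output; `pe` is what you would redirect into a .vir file, and `trailing` is the overlay pecheck reported.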