Hello, Didier here. I have a malicious script and it is base85 encoded. Xavier Mertens wrote a diary entry about this over at the SANS Internet Storm Center. And what I'm going to do here is update my base64 program so that it can handle base85. So if you go over to Wikipedia, we have a definition of Ascii85 or Base85. So it's like base64, but instead of 64 characters to do the encoding, it uses 85 characters. And there are a couple of variants. And the one I have to implement here for this malicious script is the RFC 1924 version. Starting with Python 3.4, there's a function in Python to do that decoding, and it is called b85decode, which is in the base64 module. And this one is specific to RFC 1924. Although it doesn't mention that RFC, I did some tests and it is for that RFC. There's also another one, a85decode, which does the other base85 decoding, so other characters than the ones for RFC 1924.
So I have the script here, base64dump. And I just finished a new bugfix version. And we are going to start from that bugfix version. So that's today. I don't have to change that, but we have a new version now, 16. And in version 16, I add a new decoding that I'm going to call B85. That's the history. Now in my imports, here I have binascii because that's where I use the base64 methods from. But I do also need base64 now. And that one I don't have. So I'm going to add that import base64. And now we can implement our B85 function. And we can just base the code that we want to change on the code for B64. Let's do a search for B64. Okay, so here in the man page, we have a small explanation. So I'm also going to update that. So here at the bottom, I'm going to say B85 stands for base85 RFC 1924. And it looks like this. So let's take the start here. As an example, it looks like this. Let's continue searching for base64, B64. So these are examples.
Okay, and here now I have a dictionary with the encodings, a description and the function to call. So this is for B64. I'm just going to copy that here over to the end. This is now B85. So this is base85 RFC 1924. An example here. And the function that we are going to call is base 85 RFC 1924. And we are going to base this on this function for base64. Let's find this. Okay, here is that function. So I copy this function here and I rename this to base 85 RFC 1924.
Okay, so this is quite a small function. So with the regular expression, it does a findall in the data, so the file that we read. And this is the base 60, sorry, this is a regular expression for a base64 string. So these are all the valid characters for base64 encoding, between brackets. So it's a regular expression that is a list of all possible characters. And we need one or more of these characters and then equals and so on. So that's for base64. For base85, yeah, it's another character set. So we need to adapt that. Let's go over to the wiki. So we have 0 to 9, A to Z uppercase, a to z lowercase. So that's what we already have here. See, so let's get rid of this because that's different. And here we have these 23 special characters that are used. So let's copy them over here. And so I need one or more of them. And this here, equals zero or one or two times, that's specific to base64. I don't need that. So I'm going to remove this.
Now here in these special characters, there are some characters that have a special meaning in regular expressions, like a dollar. But we don't actually have to escape them. Because if you want to represent a dollar and not the end of a string, you have to escape it with a backslash. Here I don't have to do that because I'm inside a list of characters between square brackets. The only character for which I have to do that is the dash, this one here, because that has a special meaning between square brackets. So I'm going to escape this like that.
So that's my regular expression now to find base85 RFC 1924 strings. So I'm going to call this here base 85. And then we have that line here that does some processing if the user decides to do some processing with option P. And then we just do the decoding if the length of the detected string, and that should be base85, if that is a multiple of four. Now that is specific to base64, but that's not specific to base85. So I'm just going to remove that condition. And here in a try/except, I try to do the decoding. So base85 string. So the decoding that I have to do is base64, and then b85decode, that's the name of the function. And here base 85, the name of the string. And that should be all.
So here I updated the version, documented the history. Here I put in an extra line in the manual for base85. At the end here in the dictionary of encodings, I add another encoding, B85. And I have defined the function, which is here, the new function. So that should be it.
Let's test this. So base64dump. Well, let's just do a help. Yeah, indeed. So here in the help, the new one appears, B85. The man page. So here, here too, that's okay. And now let's see if we do the decoding. So encoding B85 of the sample here. And indeed it was detected and decoded. So I can select that one, do a binary dump, because I know it's text. And here you have the script that is decoded. One last test. Let's try all the encodings. And indeed here at the end, B85.
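
The find-and-decode step narrated above, as an added Python example (this is not code from base64dump.py): the character class is the RFC 1924 alphabet with only the dash escaped, and no length-multiple check is applied before calling base64.b85decode. The names RFC1924_RE, find_b85_rfc1924, min_len and the sample data are assumptions constructed for illustration.

```python
import base64
import re

# RFC 1924 alphabet: 0-9, A-Z, a-z plus the 23 special characters.
# Inside square brackets only the dash needs a backslash here.
RFC1924_RE = re.compile(rb'[0-9A-Za-z!#$%&()*+\-;<=>?@^_`{|}~]+')


def find_b85_rfc1924(data, min_len=8):
    """Return (offset, encoded, decoded) for each run that decodes.

    min_len is a hypothetical noise filter for this example; it skips
    short runs such as ordinary words that happen to be in the alphabet.
    """
    hits = []
    for match in RFC1924_RE.finditer(data):
        candidate = match.group()
        if len(candidate) < min_len:
            continue
        try:
            # No "multiple of four" test: that belongs to base64 only.
            decoded = base64.b85decode(candidate)
        except ValueError:
            # Raised when a 5-character group overflows 32 bits.
            continue
        hits.append((match.start(), candidate, decoded))
    return hits


# Constructed sample: a harmless one-line script, encoded and wrapped
# in a quoted assignment the way an obfuscated script might carry it.
SCRIPT = b'Write-Output "constructed sample"\n'
ENCODED = base64.b85encode(SCRIPT)
SAMPLE = b'$x = "' + ENCODED + b'"\n'

if __name__ == '__main__':
    for offset, encoded, decoded in find_b85_rfc1924(SAMPLE):
        print(offset, len(encoded), decoded)
```

Because the alphabet covers all letters and digits, long ordinary words also match the expression and may decode to junk, so the decoded output still has to be reviewed.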