Hello, Didier Stevens here, senior handler at the Internet Storm Center. In his last diary entry, Xavier writes about multiple base XX obfuscations. So he found a script, you can see here part of that script, that has a payload that is encoded using different bases like base 16 and base 85. Now I'm going to do the analysis of that script with CyberChef. I'm going to show you how to do that with CyberChef.

For your info, on my YouTube channel, if you go to playlists, I have a playlist with other CyberChef videos, so if you're interested in that, you can find them here. And because of Xavier's diary entry, I also made an update to my base64dump tool, so that it can also handle base 85, and that's what I described in my diary entry of yesterday, but here we are going to focus on CyberChef.

So I have the sample here, and let's scroll down. Okay, here you have the encoded payload, and that's what we want to decode. So I'm going to copy this to the clipboard. I need a type command, now it's on the clipboard and I can paste it here in CyberChef.

Now what I want first is to select this here. And if you look closely, you might think this is hexadecimal, and it actually is hexadecimal, but it doesn't contain any letters, it's only numbers. What I'm going to do is use a regular expression, and I'm going to say I want to select everything that is a sequence of digits, and they have to be between quotes, single quotes. And if we go down here in the output, okay, you see they are selected, but I only want that, I don't want the rest of the script. So the output is not highlight matches, but list matches, and here I have that output.

Now the single quotes here, they will not bother us. The decoding of hexadecimal can be done like this, so hex, from hex, and now we have decoding, and as you can see if you take a closer look, this is again hexadecimal. So this hexadecimal was only digits, because it encoded another hexadecimal. And the digits here from 0 to 9, they can be encoded with a hexadecimal value from 30 to 39. And then the letters here from A to F, they are encoded here in the 40 range. So 41 to 46, 41 to 46 hexadecimal. So this is hexadecimal, so we can again decode this.

And now you see this encoding, and this is base 85. If you don't recognize it, you can also look into the source code, because there you see, as Xavier explained in his diary, some base 85 script. So let's look at base 85 here, from base 85, like this. And when we do that, we get an error: invalid character w at index 4. There are different base 85 encodings, they use a different alphabet, a character set. And here you can see that the one used by default in CyberChef uses the alphabet starting from the exclamation mark to the lowercase u. So the lowercase w is not a part of that alphabet, and that's why we get that error. So because of that error, you know it's not that alphabet. The one it actually is is RFC 1924, and this is also known as IPv6 encoding. And then here you can see the payload as it will be used in the malicious script.
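The steps walked through in the video (list the quoted digit strings, decode hex twice, then pick the base 85 alphabet) can be reproduced outside CyberChef. The Python below is an added example, not part of the video or of Xavier's diary; the payload is a constructed stand-in, the `payload = '...' + '...'` layout is an assumption, and all function names are hypothetical.

```python
import base64
import re

# Constructed stand-in for the script's payload (not the real sample).
PLAINTEXT = b'print("constructed sample payload")'


def build_sample(plaintext: bytes) -> str:
    """Build a constructed script line with the same three encoding layers."""
    b85 = base64.b85encode(plaintext)        # RFC 1924 alphabet
    inner_hex = b85.hex().upper().encode()   # hex text using 0-9 and A-F
    outer_hex = inner_hex.hex()              # 0-9 -> 30-39, A-F -> 41-46
    chunks = [outer_hex[i:i + 40] for i in range(0, len(outer_hex), 40)]
    return "payload = " + " + ".join(f"'{c}'" for c in chunks)


def extract_digit_strings(script: str) -> str:
    """Regex step: keep only runs of digits between single quotes."""
    return "".join(re.findall(r"'(\d+)'", script))


def decode_base85(data: bytes):
    """Choose the alphabet by checking for characters outside '!'..'u'."""
    rejected = sorted({chr(b) for b in data if not 0x21 <= b <= 0x75})
    if rejected:
        # Ascii85 cannot contain these characters, so use RFC 1924.
        return "rfc1924", base64.b85decode(data)
    return "ascii85", base64.a85decode(data)


def decode_layers(script: str):
    """Digits-only hex -> hex text -> base 85 text -> payload."""
    outer = extract_digit_strings(script)
    inner_hex = bytes.fromhex(outer).decode("ascii")  # first "from hex"
    b85_text = bytes.fromhex(inner_hex)               # second "from hex"
    return decode_base85(b85_text)


if __name__ == "__main__":
    sample = build_sample(PLAINTEXT)
    print(sample[:70] + "...")
    print(decode_layers(sample))
```

Text that happens to contain no characters above `u` passes the range check for both alphabets, so in that case a clean Ascii85 decode still needs a sanity check on the output.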