Decoding Binary Numeric Expressions

    Published: 2025-11-17. Last Updated: 2025-11-17 07:18:53 UTC
    by Didier Stevens (Version: 1)

    In diary entry "Formbook Delivered Through Multiple Scripts", Xavier mentions that the following line:

    Nestlers= array(79+1,79,80+7,60+9,82,83,72,69,76,76)

    decodes to the string POWERSHELL.

    My tool numbers-to-hex.py extracts numbers from text files and converts them to hexadecimal.

    Like this:

    I can then use another tool, hex-to-bin.py, to convert the hexadecimal numbers to binary, and then we see this string:

    This string is not exactly the string POWERSHELL, but we can see parts of it.

    The reason the decoding fails is binary numeric expressions like this one: 79+1

    My tool numbers-to-hex.py does not recognize binary numeric expressions like 79+1, it just recognizes two numbers: 79 and 1.

    79 converted to hexadecimal is 4f, and 1 converted to hexadecimal is 01.

    Those hex numbers converted to ASCII give O (4f) and a smiley (01).

    Xavier's example inspired me to update my tool so that it can also handle binary numeric expressions (binary here means that the operator, + in our example, takes 2 operands).

    You enable this mode with option -e:

    So this time, 79+1 is converted to 50 hexadecimal.

    And this properly decodes this obfuscated string:
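The two-step decoding described above (numbers to hex, then hex to binary), as an added Python example that is not the code of numbers-to-hex.py or hex-to-bin.py; it shows why the plain number extraction yields O, 0x01, O, P, ... and why evaluating binary numeric expressions (the behaviour of option -e) yields POWERSHELL. The sample line is the one from the diary entry; the handled operators (+, -, *) are an assumption.

```python
import re
import operator

# Sample input: the obfuscated array discussed above (constructed copy).
SAMPLE = "Nestlers= array(79+1,79,80+7,60+9,82,83,72,69,76,76)"

# Binary numeric expression operators we evaluate (assumed set, two integer operands each).
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

# Plain mode: every run of digits is a separate number, so "79+1" yields 79 and 1.
RE_NUMBER = re.compile(r"\d+")
# Expression mode: "79+1" is one token evaluated to 80; a lone "79" still matches (group 4).
RE_EXPRESSION = re.compile(r"(\d+)\s*([+\-*])\s*(\d+)|(\d+)")


def extract_numbers(text, expressions=False):
    """Return the integers found in text, evaluating binary numeric
    expressions such as 79+1 to a single value when expressions=True."""
    if not expressions:
        return [int(m.group(0)) for m in RE_NUMBER.finditer(text)]
    values = []
    for m in RE_EXPRESSION.finditer(text):
        if m.group(4) is not None:
            values.append(int(m.group(4)))
        else:
            left, op, right = int(m.group(1)), m.group(2), int(m.group(3))
            values.append(OPS[op](left, right))
    return values


def numbers_to_hex(values):
    """Hexadecimal string, two digits per value (values are assumed to fit in one byte)."""
    return " ".join(f"{v:02x}" for v in values)


def hex_to_bin(hexstring):
    """The hex-to-bin step: turn the hex string back into bytes."""
    return bytes.fromhex(hexstring.replace(" ", ""))


def decode(text, expressions=False):
    """Full pipeline: extract (optionally evaluate) numbers, hex, then bytes."""
    return hex_to_bin(numbers_to_hex(extract_numbers(text, expressions)))


if __name__ == "__main__":
    print(numbers_to_hex(extract_numbers(SAMPLE)))        # 4f 01 4f 50 07 3c 09 52 ...
    print(decode(SAMPLE))                                   # b'O\x01OP\x07<\tRSHELL'
    print(numbers_to_hex(extract_numbers(SAMPLE, True)))  # 50 4f 57 45 52 53 48 45 4c 4c
    print(decode(SAMPLE, True))                             # b'POWERSHELL'
```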

    Didier Stevens
    Senior handler
    blog.DidierStevens.com
