gnh1201/deobfusate_ps.py

## deobfusate_ps.py
# Namhyeon Go <abuse@catswords.net>
# 2023-10-04

import re

# Text to search (Example text using PowerShell format strings)
text = """
&("{0}{1}{2}" -f 'Set','-Var','iable')
&("{0} {1} {2}" -f 'Set','-Var','iable')
&("This is a test {0}" -f 'arg1')
&('Another example: {0} {1} {2}' -f 'arg1', 'arg2', 'arg3')
&("{0}{1}{2}" -f 'Set','-Var','iable')
&("{0}{1}{2}" -F 'Set','-Var','iable')
&("{0}{1}{2}" -f 'Set', '-Var', 'iable')
&("{0} {1} {2}" -F 'Set', '-Var', 'iable')
&("{0} {1} {2}" -f 'Set','-Var','iable')

# Additional example without the '&' character
("{0}{1}{2}" -f 'No', 'Ampersand', 'Here')
"""
#text = open('example.ps1', 'r').read()

# Regular expression pattern to find PowerShell format strings
pattern = r'&?\("([^"]+)"\s*-f\s*([^)]+)\)'

# Find matches of the pattern in the text, case insensitive
matches = re.finditer(pattern, text, re.IGNORECASE)

# Regular expression pattern for transformation
transform_pattern = r'&?\("([^"]+)"\s*-f\s*([^)]+)\)'
#transform_pattern = r'&\("([^"]+)"[ ]*-f[ ]*([^)]+)\)'  # the same meaning

# Function to replace the matched format string with the formatted text
def replace_match(match):
    format_args = match.group(2).split(',')
    formatted_string = '"{}"'.format(match.group(1))
    formatted_string = formatted_string.format(*format_args)
    return formatted_string

# Iterate through matches and replace them with the formatted text
for match in matches:
    matched_text = match.group()
    try:
        transformed_text = re.sub(transform_pattern, replace_match, matched_text).replace('\'', '')
        text = text.replace(matched_text, transformed_text)
    except:
        print(f"Transformation failed: {matched_text}")
        pass

# Save the decoded text to a new file
with open('example_decoded.ps1', 'w') as file:
    file.write(text)

print("Saved as example_decoded.ps1.")
	# Namhyeon Go <abuse@catswords.net>
	# 2023-10-04

	import re

	# Text to search (Example text using PowerShell format strings)
	text = """
	&("{0}{1}{2}" -f 'Set','-Var','iable')
	&("{0} {1} {2}" -f 'Set','-Var','iable')
	&("This is a test {0}" -f 'arg1')
	&('Another example: {0} {1} {2}' -f 'arg1', 'arg2', 'arg3')
	&("{0}{1}{2}" -f 'Set','-Var','iable')
	&("{0}{1}{2}" -F 'Set','-Var','iable')
	&("{0}{1}{2}" -f 'Set', '-Var', 'iable')
	&("{0} {1} {2}" -F 'Set', '-Var', 'iable')
	&("{0} {1} {2}" -f 'Set','-Var','iable')

	# Additional example without the '&' character
	("{0}{1}{2}" -f 'No', 'Ampersand', 'Here')
	"""
	#text = open('example.ps1', 'r').read()

	# Regular expression pattern to find PowerShell format strings
	pattern = r'&?\("([^"]+)"\s-f\s([^)]+)\)'

	# Find matches of the pattern in the text, case insensitive
	matches = re.finditer(pattern, text, re.IGNORECASE)

	# Regular expression pattern for transformation
	transform_pattern = r'&?\("([^"]+)"\s-f\s([^)]+)\)'
	#transform_pattern = r'&\("([^"]+)"[ ]-f[ ]([^)]+)\)' # the same meaning

	# Function to replace the matched format string with the formatted text
	def replace_match(match):
	format_args = match.group(2).split(',')
	formatted_string = '"{}"'.format(match.group(1))
	formatted_string = formatted_string.format(*format_args)
	return formatted_string

	# Iterate through matches and replace them with the formatted text
	for match in matches:
	matched_text = match.group()
	try:
	transformed_text = re.sub(transform_pattern, replace_match, matched_text).replace('\'', '')
	text = text.replace(matched_text, transformed_text)
	except:
	print(f"Transformation failed: {matched_text}")
	pass

	# Save the decoded text to a new file
	with open('example_decoded.ps1', 'w') as file:
	file.write(text)

	print("Saved as example_decoded.ps1.")