corkami - Encodings.wiki

<< index Android/Java/x86/... opcodes tables PDF tricks Portable Executable x86 oddities (this project is done in my spare time. Support it!)

Encodings

This page (printable version wiki source) explains curious encodings or encoded files.

JavaScript

jjencode

JJEncode is a JavaScript encoding by Yosuke Hasegawa that turns standard javascript into symbol-only code, including the decoder.

commented source code

COM

Not the ActiveX thingy, but the old headerless binaries from DOS (and Windows XP or before)

aa86

Aa86 is a .COM file encoder by Yosuke Hasegawa that encodes binaries using only symbols characters, with a decoder.

so for example, a simple hello world binary is encoded as: %@"%"@,~,%,!`_^[^_^]-;>`_^[^_^]%"!,^,:`_^[^_^]-@{-`{-?:`_[^_^]_-``-``-@@`_^[^_^]-`~-``-@$`_^[^_^]-``-``-@@`_^[^_^]-`~-``-@#`_^[^_^]-+~-/~-?;`_^[^_^]%!~-;-,;`_^[^_^]-"$-@~-@``_^[^_^]-{[-);-@:`_^[^_^]-/*,%`_^[^_^]`_^[^_^]`_^[^_^]`_^[^_^]%@$-@;-?;`_^[^_^]-/~-`&,#`_^[^_^]-`~-`{,*`_^[^_^]-@@-$!`_^[^_^]-:$,[,<`_^[^_^]-!|-.),!`_^[^_^]-@{-@`-/(`_^[^_^]`_^[^_^]`_^[^_^]`_^[^_^]-{!-{.,.`_^[^_^]-~/-/``_^[^_^]%""-}@$"`_^[^_^]%@@-!/,!`_^[^_^]-:*-=%`[[[[[[[[`^^^^^-%+)@@^^^!;@@_!,((,.((-$+)@*+@!!@-,!"(+@@,$-,!"($%&,&,&_&@"'%_&"',&$&!"-@*@$"

aa86-based dropper

Using Aa86 and a simple .COM dropper, it's possible to make an embedded PE not only non-null, but even typeable.

Example of an Aa86-encoded dropper with embedded PE: %@"%"@,~,%,!`_^[^_^]-;>`_^[^_^]%"!,^,:`_^[^_^]-@{-`{-?:`_[^_^]_-``-``-@@`_^[^_^]-`~-``-@$`_^[^_^]-``-``-@@`_^[^_^]-`~-``-@#`_^[^_^]-+~-/~-?;`_^[^_^]%!~-;-,;`_^[^_^]-"$-@~-@``_^[^_^]-{[-);-@:`_^[^_^]-/*,%`_^[^_^]`_^[^_^]`_^[^_^]`_^[^_^]%@$-@;-?;`_^[^_^]-/~-`&,#`_^[^_^]-`~-`{,*`_^[^_^]-@@-$!`_^[^_^]-:$,[,<`_^[^_^]-!|-.),!`_^[^_^]-@{-@`-/(`_^[^_^]`_^[^_^]`_^[^_^]`_^[^_^]-{!-{.,.`_^[^_^]-~/-/``_^[^_^]%""-}@$"`_^[^_^]%@@-!/,!`_^[^_^]-:*-=%`[[[[[[[[`^^^^^-%+)@@^^^!;!@%+.@_!*+@(!@$+)@-,!"$+*$,+--"@)(#.!(#,@(@@!,+.$@-,!"$+,#)+@@@@*+&&!@-,!""'(##*"&!@+(.!"&!@.!$+@$*+)*!@)+,@!@-,!"_!"'#"$+.#+(.!"&!@-,!""')!.!'@++-&!@,(_%$@,(_%(@,(_%,@$++$@+@@*+&&!@-,!""'@@(+!@,$-,!"@@@@@@@@%$@%."%$(%%$@@@@@@@(@@@@@@,%@@@@@@,&@@@@@@@@@@@@@@@@@"#"@"$&"'_&@'@')&.&'&@"@%%$@"("&&"'_&-&@"!#&#"&)&$'@"."#$_$-$@"&&)&,&%&)"-@-@*@$"-$*%@@@@@%%$@@@@,$!@@@@@-&#'&'#&"'$'."$&,&,&@@@@@@@@"@!@+@!@(&$.@@@$@@__%!$$@@@$@@+.)@@@.!@@@@@@@@@@@@@@#($,$@#,@@@@@$@@$@@@@@@@$@@@@@@@!&@@@@@@@@@@@@@@$@@@@@@@@@@@@@@@,@!@@@@@+@!@@@@@@@@@@@@@#@@@@@@'"')&.&$'&&@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-@@@@@@@@@@@@@@@@@@@@@@@((@@@@@@$$@@@@@@@@@@@@@@@@@@@@@@,@@@@@@@$$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@$$@@@@@@(@@@@@@@@"#"@"$&"'_&@'@'%&$&@"@%%$@"("##"#"&@"@%%$@"&&)&,&%&)"*@@@@@@@@@@@@@@@@@@@@@@@@@

EICAR

the EICAR file is a tiny test file that is made of printable characters and prints the eicar test string.

commented assembly source

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

EICAR2

Peter Ferrie rewrote the EICAR file, smaller this time, as the test string itself is executed in this new version. 5T2)D4)D65Z3PZEICAR-STANDARD-ANTIVIRUS-TEST-FILE!$UX!T!S

commented assembly source

acknowledgements

Peter Ferrie
Yosuke Hasegawa