
Reneo

Requirements

• Microsoft Windows 7 to 10, 32/64-bit


• Microsoft .NET Framework 2.0

Summary

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers
analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert
from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings.

The benefit of using this tool is that you can access many different utilities from a single, portable
executable without relying on online converters or disclosing your content.

Reneo means "to unravel or solve" in Latin.

Interface

The interface consists of two textboxes with a drop-down menu system. The button in the middle of the
interface moves the content from the Output textbox to the Input textbox so additional actions can be
performed on the content.
You can maximize the application to take advantage of the entire screen. Additionally, the dialog boxes
are non-modal so you can have different ones open at the same time.

Context menus are available when right-clicking inside the Input and Output textboxes.
From the command line, typing "reneo.exe /?" or "reneo.exe -?" brings up a help screen that explains
how to perform the various conversions via the Windows CLI. Base64 (Unicode) to Text,
CompressedRTF and FlateDecode were added to the CLI in v0.2.
File Menu

Open File as Text


Displays the Open File Dialog box so a text file can be loaded into the Input textbox.

Open File as Binary (1KB)


Displays the Open File Dialog box so the first 1 KB of a binary file can be loaded into the Input textbox as
hex.

Open File as Binary


Displays the Open File Dialog box so a binary file can be loaded into the Input textbox as hex.

Save Output as Text


Displays the Save File Dialog box so a text file can be created from the content in the Output textbox.

Save Output as Binary


Displays the Save File Dialog box so a binary file can be created from the hex content in the Output
textbox.
Convert File
Converts a file from/to various formats. This is the preferred method when converting large
amounts of content. Mouse-over the action items to see more information. Base64 (Uni) to
Text, CompressedRTF and FlateDecode were added in v0.2.
Compressed RTF is often found in MSG files (Outlook email). First, open the .msg file with 7-Zip or
similar and review the included streams; the compressed RTF body is normally the stream named
__substg1.0_10090102 (PR_RTF_COMPRESSED).

Open the extracted file with a hex editor. Compressed RTF files carry the signature "LZFu" at offset 8
of their 16-byte header. Choose the file and select the CompressedRTF option.

The result is the uncompressed RTF file.


To decode a FlateDecode stream from a PDF document, look for the "stream" keyword, take the bytes up
to the matching "endstream", and exclude the CR/LF characters (0x0D, 0x0A) immediately after "stream"
and immediately before "endstream". Also remove the two-byte zlib header at the start of the stream
before performing this function in Reneo. That header is usually 0x78 0x9C, but 0x78 0x01, 0x78 0x5E
and 0x78 0xDA are also valid, so check the first two bytes rather than assuming 0x9C.
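The stream extraction described above in code, as an added example that is not part of Reneo: it locates each stream/endstream pair, trims the line breaks around the data and inflates it whether or not the two-byte zlib header is still present. The PDF fragment is constructed inline so the example runs offline.

```python
import re
import zlib

# Constructed sample: a PDF-like fragment containing one FlateDecode stream.
# The content is compressed here so the example runs offline; a real PDF
# already carries it compressed (/Length omitted for brevity).
PAYLOAD = b"BT /F1 12 Tf 72 712 Td (hello) Tj ET\n"
SAMPLE_PDF = (
    b"%PDF-1.4\n4 0 obj\n<< /Filter /FlateDecode >>\nstream\r\n"
    + zlib.compress(PAYLOAD)
    + b"\r\nendstream\nendobj\n"
)

# "stream" keyword, its EOL (CRLF or LF), the data, then the EOL before "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def is_zlib_header(data: bytes) -> bool:
    """True if data starts with a valid RFC 1950 zlib header. 0x78 0x9C is the
    common one, but 0x78 0x01, 0x78 0x5E and 0x78 0xDA are valid too, so test
    the header rule (CM == 8 and CMF*256+FLG divisible by 31), not fixed bytes."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def inflate(data: bytes) -> bytes:
    """Decompress a FlateDecode stream with or without its two-byte zlib header
    (the manual's hand procedure strips the header, leaving raw DEFLATE)."""
    if is_zlib_header(data):
        return zlib.decompress(data)
    return zlib.decompress(data, -zlib.MAX_WBITS)  # raw DEFLATE: no header, no checksum


def extract_flate_streams(pdf: bytes) -> list:
    """Return the inflated content of every stream in the PDF bytes that
    decompresses cleanly; streams using other filters are skipped."""
    results = []
    for m in STREAM_RE.finditer(pdf):
        try:
            results.append(inflate(m.group(1)))
        except zlib.error:
            continue
    return results
```

Run it against a real file by reading the PDF bytes and passing them to extract_flate_streams; each returned item is the decompressed stream content that Reneo's FlateDecode option would produce.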
Convert Shellcode
Converts shellcode in hex format from the Input textbox into a PE file. A Save Dialog box will appear
asking you where to save the PE file.

As an example, in another program I can see a binary blob stored in a Flash exploit which is likely
shellcode, so I export it to a file.
In Reneo, I load the binary file then click on File > Convert Shellcode. I can now create an EXE
containing the shellcode so I can run it (in an isolated analysis VM), attach a debugger, etc.

Clear
Clears the Input and Output textboxes.

Exit
Quits the program.
Edit Menu

Find Text
Searches for matching content in the Input textbox.

Replace Text
Replaces matching content found in the Input textbox. You can use ^t, ^p, and ^n for tab, paragraph,
and newline markers, respectively.

Parse Text
Parses the content in the Input textbox by splitting on a certain value. You can then extract the result
from a specific column.
Pre-Pad Hex Array (added dialog box in v0.2)
This function prepends a zero to a comma delimited string of hex characters. This is helpful when
analyzing shellcode generated by msfvenom, for example.

Here's a snippet of shellcode:

0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x3
0,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,
0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc...

If you remove the "0x" and commas, you would expect a string of two-character hex bytes, but if you
look closely, the values below 0x10 have only one character instead of two.

To use this function, first remove the "0x" but keep the commas. Enter a comma as the delimiter
(you can also enter ^p or ^t for paragraph or tab delimiters). The function will pad each single-character
value with a leading zero.
Text Transformer
The Text Transformation option gives you numerous ways to transform the content in the Input textbox.
Mouse-over the methods to see more information.
Filter Menu

Remove Alpha
Removes the alpha characters (e.g. [A-Za-z]) from content in the Input textbox.

Remove Uppercase
Removes the uppercase characters (e.g. [A-Z]) from content in the Input textbox.

Remove Lowercase
Removes the lowercase characters (e.g. [a-z]) from content in the Input textbox.

Remove Symbols
Removes the symbols (e.g. [^A-Za-z0-9]) from content in the Input textbox.

Remove Numbers
Removes the numbers (e.g. [0-9]) from content in the Input textbox.

Remove Low ASCII (0-32) (Added in v0.2)


Removes all low ASCII characters (e.g. [\u0000-\u0020]) from content in the Input textbox.

Remove High ASCII (127+) (Added in v0.2)


Removes high ASCII characters (e.g. [\u007f-\uffff]) from content in the Input textbox.

Remove Non-Hex
Removes non-hex characters (e.g. [^A-Fa-f0-9]) from content in the Input textbox.

Remove Non-Base64
Removes non-base64 characters (e.g. [^A-Za-z0-9+=/]) from content in the Input textbox.

Remove Tags
Removes tags (e.g. <something>) from content in the Input textbox.

Remove RTF Code


Removes RTF values (e.g. {\rtf1\ansi} ) from content in the Input textbox.
Remove CRLF
Removes carriage returns and line feed symbols (e.g. \r\n|\n|\r) from content in the Input textbox.

Remove Whitespace
Removes all whitespace characters (e.g. [\u0000-\u0020]|[\u007f-\uffff]) from content in the Input
textbox. Note that, as the pattern shows, this also strips control characters and everything above 0x7E,
not only spaces, tabs and line breaks.
Hash Menu

CRC32 Text
Hashes the content in the Input textbox using CRC32.

CRC32 Hex
Hashes the hex content in the Input textbox using CRC32.

MD5 Text
Hashes the content in the Input textbox using MD5.

MD5 Hex
Hashes the hex content in the Input textbox using MD5.

SHA1 Text
Hashes the content in the Input textbox using SHA1.

SHA1 Hex
Hashes the hex content in the Input textbox using SHA1.

SHA256 Text
Hashes the content in the Input textbox using SHA256.

SHA256 Hex
Hashes the hex content in the Input textbox using SHA256.
Convert Menu

In cases where the conversion from one format to another fails, please check the input carefully for any
unexpected characters such as nulls, the use of %3D instead of = (for base64), \xa instead of \x0a (for
hex), etc.

Note: The functions in the Convert Menu do not perform arithmetic conversions. Reneo instead
splits the input according to the user's selection (two hex digits per element for hex, one value per
delimiter for comma-delimited input) and converts each element to the desired output. For
example, converting the hex string "abcdef" to decimal gives "171,205,239"
(0xab=171, 0xcd=205, 0xef=239), not 11259375.

Text to Hex
Converts the content in the Input textbox to a hex string.

Hex to Text
Converts the hex content in the Input textbox to a text string.

Text to Decimal
Converts the content in the Input textbox to comma-delimited decimal string.

Decimal to Text
Converts the comma-delimited decimal content in the Input textbox to a text string.

Hex to Decimal
Converts the hex content in the Input textbox to a comma-delimited decimal string.

Decimal to Hex
Converts the comma-delimited decimal content in the Input textbox to a hex string.

Octal to Decimal
Converts the comma-delimited octal content in the Input textbox to a comma-delimited decimal string.

Decimal to Octal
Converts the comma-delimited decimal content in the Input textbox to a comma-delimited octal string.

Text to Base64
Converts the content in the Input textbox to a base64 string.
Hex to Base64
Converts the hex content in the Input textbox to a base64 string.

Base64 to Text
Converts the base64 content in the Input textbox to a text string.

Base64 (Unicode) to Text (added in v0.2)


Converts base64-encoded UTF-16LE (Unicode) content in the Input textbox to a text string. This is useful
when decoding PowerShell content, which is commonly base64 of UTF-16LE (for example the
-EncodedCommand argument).

Base64 to Hex
Converts the base64 content in the Input textbox to a hex string.

Convert Base
Converts the content in the Input textbox between any two bases from 2 to 36.
Convert Base64 by Delimiter

Converts the comma-delimited base64 content in the Input textbox to a text string.

For example, this excerpt is a comma-separated base64 string. Using this function with the default
options results in the following.
Convert Date
Converts a date from/to Julian or Epoch.

Convert IP
Converts an IP address from/to its decimal (integer) form.

Convert Math Symbols


Converts the content in the Input textbox from/to math symbols in HTML entities format.
Convert Mixed Format
Converts content in several different mixed formats in the Input textbox to hex or text.

Convert UTF
Converts from and to a variety of different formats including UTF-8, UTF-16, UTF-32, Unicode, and
Punycode. Added UTF-7 and QDecode in v0.2.
Format Menu

Hex Format - %
Formats hex content in the Input textbox with a preceding percent sign (e.g. 00010203 >
%00%01%02%03).

Hex Format - %u (BE)


Formats hex content in the Input textbox with a preceding percent sign in Big Endian (e.g. 00010203
> %u0001%u0203).

Hex Format - %u (LE)


Formats hex content in the Input textbox with a preceding percent sign in Little Endian (e.g. 00010203
> %u0100%u0302).

Hex Format - %u00


Formats hex content in the Input textbox with a preceding percent sign and leading zeroes (e.g.
00010203 > %u0000%u0001%u0002%u0003).

Hex Format - \u (BE)


Formats hex content in the Input textbox with a preceding backslash in Big Endian (e.g. 00010203
> \u0001\u0203).

Hex Format - \u (LE)


Formats hex content in the Input textbox with a preceding backslash in Little Endian (e.g. 00010203
> \u0100\u0302).

Hex Format - \u00


Formats hex content in the Input textbox with a preceding backslash and leading zeroes (e.g. 00010203
> \u0000\u0001\u0002\u0003).

Hex Format - \x
Formats hex content in the Input textbox with a preceding backslash (e.g. 00010203
> \x00\x01\x02\x03).

Hex Format - 0x
Formats hex content in the Input textbox with a preceding 0x in comma-separated format (e.g.
00010203 > 0x00,0x01,0x02,0x03).
Hex Format - &#x
Formats hex content in the Input textbox to HTML entities format (e.g. 00010203 >
&#x00;&#x01;&#x02;&#x03;).

Hex Format - Unicode (BE)


Formats hex content in the Input textbox to Big Endian Unicode (e.g. 00010203 > 0000010002000300).

Hex Format - Unicode (LE)


Formats hex content in the Input textbox to Little Endian Unicode (e.g. 00010203 > 0000000100020003).

Go by the examples rather than the labels when you need a particular byte layout: the BE option emits
each byte followed by 00 (the layout UTF-16LE text has in memory), and the LE option emits 00 followed
by the byte.

Hex Format - Colon


Formats hex content in the Input textbox to colon-separated format (e.g. 00010203 > 00:01:02:03).

Hex Format - Space


Formats hex content in the Input textbox to space-separated format (e.g. 00010203 > 00 01 02 03).

Hex Format - Comma


Formats hex content in the Input textbox to comma-separated format (e.g. 00010203 > 00,01,02,03).

Decimal Format - Chr(dec)


Formats comma-separated decimal content in the Input textbox to comma-separated "chr" format (e.g.
00,01,02,03 > chr(0),chr(1),chr(2),chr(3)).

Hex to UCS2
Formats hex content in the Input textbox to UCS2 (e.g. 00010203 > %u0100%u0302).

UCS2 to Hex
Formats UCS2 content in the Input textbox to hex (e.g. %u0100%u0302 > 00010203).

Text to ASM Hex


Formats text in the Input textbox to ASM hex (e.g. code > 636F6465).

Text to Reverse Hex


Formats text in the Input textbox to reverse hex (e.g. code > 65646F63).

Unicode to Hex
Formats Unicode in the Input textbox to hex (e.g. 0000010002000300 > 00010203).
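To make the byte-order conventions above concrete, here is an added example (not code from Reneo) that reproduces the Format menu transformations in Python and is checked against the sample strings given for each menu item. The only thing it assumes beyond the manual is how an odd trailing byte is handled when forming 16-bit words (it pads with 00).

```python
import re


def hex_pairs(h: str) -> list:
    """Split a hex string into two-character bytes, dropping any whitespace."""
    h = "".join(h.split())
    if len(h) % 2:
        raise ValueError("odd number of hex digits; pre-pad the input first")
    return [h[i:i + 2] for i in range(0, len(h), 2)]


def hex_words(h: str, little_endian: bool) -> list:
    """Pair bytes into 16-bit words. LE swaps each pair (00 01 -> 0100), which is
    how %u-escaped shellcode is laid out in memory. Padding an odd trailing byte
    with 00 is an assumption of this example, not documented Reneo behaviour."""
    pairs = hex_pairs(h)
    if len(pairs) % 2:
        pairs.append("00")
    return [(b + a) if little_endian else (a + b)
            for a, b in zip(pairs[::2], pairs[1::2])]


def fmt_words(h: str, prefix: str = "%u", little_endian: bool = False) -> str:
    """Hex Format - %u (BE/LE) and \\u (BE/LE)."""
    return "".join(prefix + w for w in hex_words(h, little_endian))


def fmt_words00(h: str, prefix: str = "%u") -> str:
    """Hex Format - %u00 / \\u00: every byte becomes its own zero-extended word."""
    return "".join(prefix + "00" + b for b in hex_pairs(h))


def fmt_bytes(h: str, prefix: str, sep: str = "", suffix: str = "") -> str:
    """Hex Format - %, \\x, 0x, &#x and the colon/space/comma separators."""
    return sep.join(prefix + b + suffix for b in hex_pairs(h))


def to_unicode_hex(h: str, be: bool = True) -> str:
    """Hex Format - Unicode (BE/LE), exactly as the manual's examples show:
    BE puts 00 after each byte, LE puts 00 before it."""
    return "".join((b + "00") if be else ("00" + b) for b in hex_pairs(h))


def ucs2_to_hex(s: str) -> str:
    """UCS2 to Hex: %uXXYY -> YYXX (undo the little-endian word swap)."""
    words = re.findall(r"%u([0-9A-Fa-f]{4})", s)
    return "".join(w[2:] + w[:2] for w in words)


def unicode_hex_to_hex(h: str) -> str:
    """Unicode to Hex: keep the byte half of every word (manual's BE layout)."""
    return "".join(w[:2] for w in hex_words(h, False))
```

The LE forms matter when reconstructing %u-encoded shellcode: %u0100 is the 16-bit value 0x0100, which sits in memory as the bytes 00 01, so ucs2_to_hex swaps each word back to recover the original byte order.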
Transform Menu

To Uppercase
Converts the content in the Input textbox to uppercase.

To Lowercase
Converts the content in the Input textbox to lowercase.

Sort Characters
Sorts the characters of the content in the Input textbox.

Sort Rows
Sorts the content in the Input textbox by rows.

Reverse Characters
Reverses the content in the Input textbox.

Reverse Hex
Reverses the hex content in the Input textbox.

Beautify JavaScript
Beautifies the JavaScript content in the Input textbox.

Beautify Script
Alternate method of beautifying mainly JavaScript and PHP content in the Input textbox.

Clean Script
Attempts to clean up the script content in the Input textbox using basic methods.
Decode/Decrypt Menu

Unescape
Unescapes the content in the Input textbox.

HTML Decoder
HTML-decodes the content in the Input textbox.

MS Script Decoder
Decodes the content in the Input textbox using Microsoft's Script Decoder.

Custom Base Decoder


Converts the content in the Input textbox using a custom base32/64 decoder. Added Base58, Base62,
and UUEncode in v0.2.

PHP Decoder
Decodes the PHP content in the Input textbox.
You can perform up to five steps. Make sure to set the steps in order based on the PHP script, from the
inside-out. As an example, if the PHP script looks something like this:

eval(gzinflate(base64_decode('TVXXCuzIFfyX…')));

Paste the entire script into Reneo, then choose "Base64 Decode" for Step 1 and "gzInflate" for Step 2.
Reneo will base64-decode first and gzInflate second.
SecureString Decrypter
Decrypts the base64 content in the Input textbox using AES. SecureString is PowerShell's
ConvertTo-SecureString / ConvertFrom-SecureString format; when a -Key is supplied, the data is
AES-encrypted with that key.

Here's an example from an Emotet Word macro. At the bottom-left part of the following PowerShell
script you can see "ConvertTo-SecureString" followed by a comma-separated string which is the AES key.
Paste in the base64-encoded encrypted string into Reneo then select Decode/Decrypt > SecureString
Decrypter. Enter the key and choose the proper format.

130,70,35,235,133,123,215,60,233,111,0,239,128,171,13,105
Character Substitution
Performs basic character substitution on the content in the Input textbox. It can also perform position-
based substitution. You can also perform a position lookup for analysis purposes.

The Character Substitution option performs a lookup based on a plain text and key table. For example,
the key and plain text might look something like this:

TBVs$9.=+Zdq@…
ABCDEFGHIJKLM…

A value of 9, T, V, $ would be decoded to FACE.

If you are using the Position Lookup Substitution method with the alpha option, an example of its use
can be seen below:

0123456789012…
ABCDEFGHIJKLM…

A value of 5,0,2,4 would be decoded to FACE.

The difference between Position Lookup Substitution and Position Lookup Only (added in v0.2) is the
direction of the lookup. With the Substitution method, the input is a delimited string of position
numbers; each number is looked up in the table and the output is the substituted characters.

With the Lookup Only method, the input is the text to look up and the output is the delimited position
numbers of its characters in the table. The following example shows how to use this in an actual analysis.
Here's a live example from Trickbot's malicious Word document. The VBA macro contained weird-looking
strings. First, I paste the lookup table into Reneo's Character Substitution key field and choose the
"Position Lookup Only" option:

qwertyuiopasdfghjklzxcvbnm/"'()[]${}.,\;-%_|: 1234567890

Next, I paste in the encoded string and click on "Lookup". I get the following comma-separated values,
the position of each character in the lookup table.
The VBA script from the malicious Word document takes this string and passes it to a decoder which
does a position lookup, subtracts 9 from the value then uses this new value to lookup the new
character's position using the same lookup table. I can see what the final values look like in Reneo.

Now I can examine and compare the two values. The left value is the obfuscated string and the right
value is the deobfuscated string. I can use Reneo's Difference Calculator and perform subtraction to
double-check.
I can use Simple Decrypter to subtract 9 from the decimal array.

Here's a new scrambled string from another part of the VBA macro.
I can subtract 9 from the result and feed it back into Reneo but this time using the "Position Lookup
Substitution" option with the CSV format checked to get the result.
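The three lookup modes, reduced to code as an added example (not part of Reneo). The key/plain rows are the first thirteen entries of the tables shown earlier, and the lookup table is the one from the Trickbot walkthrough; the obfuscated strings themselves are not on this page, so the sample text is constructed with the inverse transform. Wrapping a position with modulo when the subtraction goes negative is an assumption of this example.

```python
# Key-table substitution (Character Substitution). The two rows are the first
# 13 entries of the manual's example tables; the character at position i of
# KEY_ROW decodes to the character at position i of PLAIN_ROW.
KEY_ROW = "TBVs$9.=+Zdq@"
PLAIN_ROW = "ABCDEFGHIJKLM"

# Lookup table copied from the manual's Trickbot walkthrough.
TRICKBOT_TABLE = 'qwertyuiopasdfghjklzxcvbnm/"\'()[]${}.,\\;-%_|: 1234567890'


def key_substitute(tokens: str, key_row: str = KEY_ROW, plain_row: str = PLAIN_ROW,
                   delim: str = ",") -> str:
    """Decode a delimited string of key characters via the key/plain tables."""
    table = dict(zip(key_row, plain_row))
    return "".join(table[t.strip()] for t in tokens.split(delim))


def position_lookup_only(table: str, text: str, delim: str = ",") -> str:
    """Position Lookup Only: text in, delimited table positions out."""
    return delim.join(str(table.index(c)) for c in text)


def position_substitute(table: str, positions: str, delim: str = ",") -> str:
    """Position Lookup Substitution: delimited positions in, text out."""
    return "".join(table[int(p)] for p in positions.split(delim))


def shift_positions(positions: str, shift: int, size: int, delim: str = ",") -> str:
    """Subtract `shift` from every position (the Simple Decrypter step in the
    walkthrough). Wrapping with modulo is an assumption of this example; the
    manual does not show how the macro treated positions smaller than the shift."""
    return delim.join(str((int(p) - shift) % size) for p in positions.split(delim))


def trickbot_decode(text: str, table: str = TRICKBOT_TABLE, shift: int = 9) -> str:
    """The three walkthrough steps in one call: look up, subtract, look up again."""
    positions = position_lookup_only(table, text)
    return position_substitute(table, shift_positions(positions, shift, len(table)))


def trickbot_encode(text: str, table: str = TRICKBOT_TABLE, shift: int = 9) -> str:
    """Inverse of trickbot_decode; used here only to build constructed input."""
    n = len(table)
    return "".join(table[(table.index(c) + shift) % n] for c in text)
```

Any character that is not in the table raises ValueError from str.index, which is the right failure mode: it tells you the table you pasted is incomplete rather than silently producing wrong output.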
Script Decoder
Decodes a script in the Input textbox using a variety of search/replace methods. "Array 3" and hex input
options have been added in v0.2.

Here's an obfuscated PHP script. There are three sections: the top two contain arrays and the third
references elements from those arrays through the variable names _1029070248_ and
_1050106224.
Start by running Reneo and choosing Decode/Decrypt > Script Decoder. Looking at the methods
(mouse-over to see the tooltips), "Array 1" matches the content. Cut the second section (you can start
with the first section and then do the second, but both should be done), paste it into the popup box and
clean it up so only the comma-separated array remains. Copy the third section into Reneo's Input
textbox. Since the second section uses the variable "_1050106224", enter that along with "(#)" in the
Search String box.

When you click on "Start", Reneo does a search/replace based on the delimiter and search string.
The replacements will be the base64-encoded strings. In the Output Options section, you can tick the
"B64 Decode" option and Reneo will do the base64-decoding for you.

Basically, Reneo puts the comma-delimited string into an array. Starting at 0, it builds the Search String
with 0 in the # field (e.g. _1050106224(0) ), finds every match in the script and replaces it with the
string from array[0], then repeats for 1, 2 and so on. If you choose the hex input option, the index is
written as 0x00 or 0x0 (as selected) before the search is performed.

The final output will allow you to see what the script is doing but it probably won't execute properly.
Here's the result:
In this next example, the obfuscated PHP script has a hex array at the top. The bottom part is a large
concatenation section in which the variables pick elements by their position in the array.

First, unescape the script but you will get an error because some hex values are single characters (e.g.
\xA instead of \x0A). You need to either fix it manually or you can use Edit > Pre-Pad Hex Array (the hex
must be comma-separated for this feature to work though). Since it's a short array, it can be fixed
manually.
Copy the result then click on Decode/Decrypt > Script Decoder. Mouse-over the methods to see a short
explanation. The method that matches the obfuscated script is "Key Lookup" so choose that and paste
in the lookup key in the popup box and leave the concatenation part in the Input textbox. Be sure you
escape the \ and " characters in the lookup key first. Finally, copy the name of the variable to search for.
In this case it's "$f850['rfd53a'][#]" so paste it in and click on "Start".
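Both Script Decoder cases, as an added Python example rather than Reneo code: pad one-digit \x escapes, unescape the array, and substitute every _1050106224(#) or $f850['rfd53a'][#] reference with the (optionally base64-decoded) element. The two PHP fragments are constructed to have the same shape as the scripts described above; the real ones are not reproduced on this page.

```python
import base64
import re


def pad_hex_escapes(s: str) -> str:
    r"""Pre-Pad equivalent for \x escapes: rewrite one-digit \xA as \x0A so a
    later unescape does not choke on it. Two-digit escapes are left alone."""
    return re.sub(r"\\x([0-9A-Fa-f])(?![0-9A-Fa-f])", r"\\x0\1", s)


def php_unescape(s: str) -> str:
    r"""Resolve \xHH escapes in a PHP double-quoted string literal."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_array(body: str) -> list:
    """Split the body of a PHP array('a', "b", ...) into its string elements."""
    return re.findall(r"""['"]([^'"]*)['"]""", body)


def php_quote(s: str) -> str:
    """Emit a PHP single-quoted literal (only backslash and ' need escaping there)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def resolve_refs(script: str, pattern: str, values: list, b64: bool = False,
                 index_fmt=str) -> str:
    """Replace every reference matching `pattern`, where # stands for the array
    index, with the quoted array element, optionally base64-decoding it first.
    index_fmt renders the index (use lambda i: "0x%02x" % i for the hex option).
    Indices run high-to-low so "(1)" can never clobber "(10)" when the pattern
    has no text after #."""
    pre, post = pattern.split("#")
    for i in range(len(values) - 1, -1, -1):
        v = values[i]
        if b64:
            v = base64.b64decode(v).decode("utf-8", errors="replace")
        script = script.replace(pre + index_fmt(i) + post, php_quote(v))
    return script


# Constructed sample in the shape of the first case: a base64 array referenced
# as _1050106224(#) in the body.
ARRAY_1 = "'c3lzdGVt','Y21k','bHM='"   # base64 of system, cmd, ls
BODY_1 = "echo _1050106224(0)($_GET[_1050106224(1)]);"

# Constructed sample in the shape of the second case: a hex-escaped array with
# a one-digit escape (\xA), referenced as $f850['rfd53a'][#].
ARRAY_2 = r'''"\x65\x76\x61\x6C", "\x63\x61\x74\x20", "\x2F\x65\x74\x63\x2F\x70\x61\x73\x73\x77\x64", "\xA"'''
BODY_2 = "$f850['rfd53a'][0]($f850['rfd53a'][1] . $f850['rfd53a'][2] . $f850['rfd53a'][3]);"


def decode_array_1() -> str:
    return resolve_refs(BODY_1, "_1050106224(#)", parse_array(ARRAY_1), b64=True)


def decode_array_2() -> str:
    values = [php_unescape(pad_hex_escapes(v)) for v in parse_array(ARRAY_2)]
    return resolve_refs(BODY_2, "$f850['rfd53a'][#]", values)
```

As the manual says, the result shows what the script does but is not meant to run: the quoted names still have to be concatenated and called by the original code's logic.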
Simple Decrypter
Decrypts the content in the Input textbox using shift, rotate, XOR, and math methods.

If you select the "Decimal Key" action then you can click on the -/+ buttons to decrement/increment the
decimal value (key), respectively. Other actions require you to enter the key value in text, hex, or
decimal (comma-separated).

The Math method allows you to perform simple decryption steps using algebraic equations. For
example, you can have Reneo ADD 1 to the input, then XOR the result with 5, then AND it with 255 to
keep it within a byte. The keyword "val" (the value of the input) is required.

To see an example, go to the Text Analyzer section below.


Modern Decrypter
Decrypts the content in the Input textbox using modern algorithms including AES, ARCFOUR, Blowfish,
etc. AES-CFB, AES-CTS, AES-OFB, Rijndael-CBC, and 3DES-CBC were added in v0.2.

In this example, JavaScript contains an encrypted blob. The function uses AES ECB mode as indicated
near the top, along with the password string.
Copy the base64-encoded string to Reneo then click on Decode/Decrypt > Modern Decrypter. Choose
the appropriate options and paste in the key.

AHCI76M5ZMP77QJZZA3FP34RJZ2DVET8
JavaScript Eval (private version)
Assumes the content in the Input textbox is JavaScript and evaluates it. There are no safeguards so this
can potentially be dangerous!

Here's a live example. The script below passes the arrays from the top down to the first function below.
The first function evaluates the concatenated arrays which calls the second function. The second
function converts the fourth decimal value to ASCII and returns the result.

Reneo allows you to evaluate the script so you can see what it does. Paste "function eval(x){return x}"
at the top of the script, or replace "eval" with "return", so the decoded result is passed back to Reneo
and displayed instead of executed. If you don't, Reneo will evaluate the malicious script and your PC
will probably get infected with malware.
VBScript Eval (private version)
Assumes the content in the Input textbox is VBScript and evaluates it. There are no safeguards so this
can potentially be dangerous!

Here's an example of this. This excerpt comes from a malicious Word macro. The variable at the top
contains a bunch of decimal values which gets executed at the bottom.

In this particular case, you won't be able to return the value of the variable. You can however evaluate
the decimal values and see what this evaluates to. All I did here is paste the value of "ey" and did not
include the last line (CreateObject("WScript.Shell").Run…) otherwise the script will actually execute!
PowerShell Invoke (private version)
Assumes the content in the Input textbox is PowerShell and invokes it. There are no safeguards so this
can potentially be dangerous!

Here's a malicious PowerShell script that contains compressed data:

Copy and paste the script into Reneo and replace every instance of Invoke-Expression (including its
alias IEX) with "echo" or "Write-Output" so the decompressed script is printed instead of run.
Analyze Menu

Count Characters
Counts the characters in both the Input and Output textboxes and displays the result in a popup box.

Count Chars by Row


Counts the characters in both the Input and Output textboxes by row and displays the result in a popup
box.

Count Hex Characters (added in v0.2)


Counts the hex characters (pairs) in both the Input and Output textboxes and displays the result in a
popup box.

Count CSV
Splits the content in both the Input and Output textboxes by commas, counts each element, and
displays the result in a popup box.

Count Rows
Splits the content in both the Input and Output textboxes by CRLF, counts the characters of each row,
and displays the result in a popup box.

Sum Numbers
Sums the numbers in both the Input and Output textboxes and displays the result in a popup box.

Character Frequency
Counts the frequency of characters in the Input textbox and displays the result, sorted by highest
frequency.

Hex Frequency
Counts the frequency of hex characters in the Input textbox and displays the result, sorted by highest
frequency.

Number Rows (0 start)


Numbers each row in the Input textbox starting with 0.

Number Rows (1 start)


Numbers each row in the Input textbox starting with 1.
Number Rows (0x0 start)
Numbers each row in the Input textbox starting with 0x0 (hex).

Number Rows (0x1 start)


Numbers each row in the Input textbox starting with 0x1 (hex).

Text Analyzer
Analyzes the content in the Input textbox. You can check the frequency of characters, calculate the
difference between characters, calculate the distance between characters, and enumerate possible XOR
and Shift values to a text file.

Here's an obfuscated binary file that is suspected to be a PE file.


Load the binary in Reneo using the context menu from the Input textbox. A large file can take a while
to load and process, so you might want to analyze a smaller portion; Reneo can load just the first 1 KB
of a binary file.

Click on Analyze > Text Analyzer. First, let's try the Enumerate function. Change the input to hex and
leave the output format and method alone. Click on Enumerate to File. The output file will be saved to
the same location where Reneo resides.
In the output file, you can look for or search for clues such as "This program cannot be run in DOS
mode" which I find at the very bottom next to the decimal value of 255 (0xFF).

Let's try it with the Distance Calculator. Set the input format to hex and leave the matched text alone,
since that is what I'm trying to search for. Make sure XOR is set, then click on Search. The results show
that the first match occurs at position 157 with the XOR value of 255 (in decimal), which is equivalent to
0xFF. To find the next match you can change the Start At value from 0 to something higher (if you're
working with hex, double the value, since each byte is two hex characters).
With this information, I can convert this binary file into a PE by clicking on Decode/Decrypt > Simple
Decrypter and setting the necessary values. In this case the key format is set to hex and the value "FF"
is entered. I could just as easily have set it to Dec (CSV) and entered "255".

By the way, if the key is more than one byte then set the Action to "Multi Key" then enter the key as
"abcd" (as text), "61626364" (as hex) or "97,98,99,100" (as decimal) and set the Key Format accordingly.
The output contains a lot of text that does not render because these are null bytes (0x00). Null bytes
cannot be displayed properly, so if I were to choose "Raw Text" as the output format, it would only
display the first couple of bytes, "MZ" in this case.

This time I set the output to hex and can now export this to a binary file by right-clicking in the Output
textbox.

Difference Calculator
Calculates the difference between the content in the Input and Output textboxes using subtraction,
addition, etc. The content in the Input and Output textboxes must be in the same format and have the
same length.

This can be useful for finding the relationship between two sets of content, identifying a pattern, and
determining an XOR encryption key, for example.
Using the previous example, I can load the original file into the Input textbox as hex and the converted
binary file into the Output textbox also as hex.
What Reneo will do is perform the arithmetic method that's selected (e.g. add, subtract, multiply, etc)
with each value in the Input and Output textbox then display the results in the popup. Based on the
result, I know the difference between the input and output is XOR 0xFF.
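The Text Analyzer, Simple Decrypter and Difference Calculator steps above, as an added example (not Reneo code): enumerate single-byte XOR keys by searching for the DOS stub string, recover the key by differencing the obfuscated input against the decoded output, and apply single-key, multi-key and Math-style decryption. The obfuscated sample is a constructed DOS header XORed with 0xFF, so the match offset differs from the 157 seen in the walkthrough.

```python
# Constructed sample standing in for the manual's obfuscated file: the start of
# a PE/DOS header, XORed with the single byte 0xFF.
DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$"
)
OBFUSCATED = bytes(b ^ 0xFF for b in DOS_HEADER)
DOS_STRING = b"This program cannot be run in DOS mode"


def xor_single(data: bytes, key: int) -> bytes:
    """Simple Decrypter, XOR method, single key."""
    return bytes(b ^ key for b in data)


def xor_multi(data: bytes, key: bytes) -> bytes:
    """Simple Decrypter, XOR method, Multi Key: the key repeats over the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def enumerate_xor(data: bytes, needle: bytes = DOS_STRING) -> list:
    """Text Analyzer style enumeration: try every single-byte key and report
    (key, byte offset) wherever the needle appears in the result."""
    hits = []
    for key in range(256):
        off = xor_single(data, key).find(needle)
        if off != -1:
            hits.append((key, off))
    return hits


def math_pipeline(data: bytes, steps) -> list:
    """Simple Decrypter Math method: apply (op, operand) steps to each byte in
    order, e.g. [("add", 1), ("xor", 5), ("and", 255)]. Results are returned as
    ints so an ADD that overflows a byte is visible unless AND 255 is applied."""
    ops = {
        "add": lambda v, k: v + k,
        "sub": lambda v, k: v - k,
        "xor": lambda v, k: v ^ k,
        "and": lambda v, k: v & k,
    }
    out = []
    for v in data:
        for op, k in steps:
            v = ops[op](v, k)
        out.append(v)
    return out


def difference(a: bytes, b: bytes, op: str = "xor") -> list:
    """Difference Calculator: combine Input and Output byte by byte. A constant
    result (255 everywhere here) identifies a single-byte XOR key."""
    if len(a) != len(b):
        raise ValueError("both inputs must have the same length")
    ops = {
        "xor": lambda x, y: x ^ y,
        "sub": lambda x, y: (x - y) & 0xFF,
        "add": lambda x, y: (x + y) & 0xFF,
    }
    return [ops[op](x, y) for x, y in zip(a, b)]
```

On a real sample, write xor_single(data, key) to a file with "wb" and check that it begins with MZ and contains the PE signature before treating it as a recovered executable.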
Extras Menu

Calculator
Opens the Windows calculator program.

ASCII Chart
Displays an ASCII chart.
License

• Free for business or personal use.


• Do not modify this application for malicious, illegal, or unethical purposes.
• No warranties expressed or implied; use at your own risk!

Credits

• 7-Zip (LZMA)
• David Zimmer (JSEval)
• DotNetZip (Zlib)
• Einar Lielmanis (JSBeautify)
• Eric Domke (Compressed RTF, UTF-7, Qdecode)
• ghundal (Ionic.Zlib)
• jimplode (SplitCSV)
• Jorgen Ibsen (aPLib)
• kadzus (CRC32)
• Legion of the Bouncy Castle Inc. (BouncyCastle)
• luanpeng825485697 (LZNT1)
• Marc Climent (Base58)
• Microsoft TechNet (LZNT1, MSScriptEncoder)
• Mark Kruger (SharpZipLib)
• Oleg Ingat (Base32)
• Ramon Smits (Base62)
• Rekna Anker (Beautify Script)
• Sam Allen (AlphanumComparatorFast)
• Szymon Kobalczyk (uuencode)
• user2748365 (SecureString)

Notes

Developed by KahuSecurity (www.kahusecurity.com).

This program is compressed with a commercial packer to merge required DLLs and reduce the file size.
The packer may cause anti-virus software to incorrectly identify this program as infected or suspicious.
Change Log

• Version 0.2 was released in November 2018


□ Added CompressedRTF, FlateDecode, and Base64 (Unicode) to Text options to CLI and
Convert File
□ Added options to Character Substitution to skip or remove missing characters
□ Added low and high ASCII characters option to Filter menu
□ Added Base64 (Unicode) to Text option to Convert Menu
□ Added position lookup function to Character Substitution
□ Added AES-CFB, AES-CTS, AES-OFB, Rijndael-CBC, and 3DES algorithms to Modern
Decrypter
□ Added Base58, Base62, and UUEncode to Custom Base64 Decoder
□ Added QDecode and UTF-7 encode/decode to Convert UTF
□ Added hex input options and Array 3 option to Script Decoder
□ Added Count Hex Characters to Analyze menu
□ Added tooltips to various forms
□ Moved Custom Base64 Decoder function to Decode/Decrypt menu
□ Replaced Convert IDN with Convert UTF
□ Replaced Pre-pad Hex function with form
□ Improved Beautify Script function
□ Fixed bugs

• Version 0.1 was released in June 2018


Appendix

Example #1

This excerpt will be used to highlight Reneo's text transformation ability.

I paste this PHP script into Reneo and click on Decode/Decrypt > PHP Decoder. Based on the script, I'll
choose Base64_Decode as the first step followed by gzUncompress.
And this is the result.

The script contains an array of base64-encoded strings. It's also separated by commas so let me split on
that character. I click on Edit > Text Transformer, choose "Split On" and enter a comma.
The result looks better than this when in full-screen mode since everything is on its own row.

I want to keep everything between the parentheses, so I choose "Keep Everything Between Char…", enter
the opening and closing parentheses, and check the box to keep the parentheses characters.
Here's the result.

Now I remove the concatenation characters, apostrophe, space, and period. I want to keep the
parentheses because I need some way of identifying each portion of the base64-encoded strings.
Here's the result of that.

I can now replace the closing parentheses with a comma to make a comma-separated string. I also
remove the opening parentheses.
Finally I can do the base64 decode so I click on Convert > Base64 By Delimiter

And I now have the decoded text.


Example #2

This PowerShell script came from a malicious Word macro dropping Emotet. In the middle is a string of
decimal values separated by garbage characters, which are removed at the end of the script. The
result is then XOR'd with 0x31.

I copy the decimal string into Reneo then click on Edit > Text Transformer. Since I want to end up with
decimal values separated by commas, I enter this into the method called "Replace All Chars…".
Here's the result.

I try converting from Decimal to Text to see what this looks like.
As expected, I get nothing useful because it's "encrypted". I then click on Decode/Decrypt > Simple
Decrypter and make the following choices: decimal input, hex key, XOR method, single key action, and
enter 31.

And I get the decrypted script.
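The Replace All Chars and Simple Decrypter steps, as an added Python example (not Reneo's code and not the Emotet sample, which the page shows only as a screenshot). The input is constructed: a benign plaintext XOR'd with 0x31, with each decimal value joined by junk separators in the shape the text describes.

```python
import re

KEY = int("31", 16)  # Simple Decrypter: hex key "31", i.e. 0x31

# Constructed sample plaintext, run through the same scheme the text describes.
PLAIN = "Write-Host 'hi'"


def obfuscate(plain: str, key: int = KEY, junk: str = "~!#") -> str:
    """Build the decimal-with-garbage string for the demo: XOR each byte, join with junk."""
    return junk.join(str(ord(c) ^ key) for c in plain)


def replace_all_chars(s: str, garbage: str = r"\D+", with_: str = ",") -> str:
    """Edit > Text Transformer > Replace All Chars: every run of non-digit
    characters becomes a single comma, leaving comma-separated decimals."""
    return re.sub(garbage, with_, s).strip(with_)


def decimal_to_text(csv: str) -> str:
    """Convert > Decimal to Text: the 'nothing useful' view before decryption."""
    return "".join(chr(int(v)) for v in csv.split(","))


def simple_decrypter_xor(csv: str, key: int = KEY) -> str:
    """Decode/Decrypt > Simple Decrypter: decimal input, hex key, XOR, single key."""
    return "".join(chr(int(v) ^ key) for v in csv.split(","))


def recover(obfuscated: str, key: int = KEY) -> str:
    """Both steps in order: clean the separators, then XOR with the single key."""
    return simple_decrypter_xor(replace_all_chars(obfuscated), key)


if __name__ == "__main__":
    blob = obfuscate(PLAIN)
    print("raw:      ", blob)
    print("cleaned:  ", replace_all_chars(blob))
    print("as text:  ", repr(decimal_to_text(replace_all_chars(blob))))
    print("decrypted:", recover(blob))
```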


Example 3

This JavaScript attachment runs a PowerShell script that installs malware. This script can be easily
identified by a large array at the beginning.

I copy just this part into Reneo then click on Decode/Decrypt > Unescape.
The result is an array of Base64-encoded strings. I click on Convert > Base64 by Delimiter. I leave the
settings at their defaults then click on Decode.
Right away I can see a URL at the bottom. To pretty this up so it's more readable, I click on Edit >
Replace Text and have it replace comma with a paragraph (^p).

The result is a little off because the regex includes two commas so you may have to double-check and fix
things up if the output is not right.
I can take it one step further by numbering each row so I can match this up in the rest of the script. To
do this I click on Analyze > Number Rows (0x0 Start).
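
The Unescape, Base64 by Delimiter and Number Rows steps, as an added Python example (not Reneo's code). The JavaScript array is constructed to match the shape the text describes, percent-escaped base64 strings in a quoted, comma-separated array; it is not the attachment from the page. Pulling out the quoted strings avoids the double-comma problem the text mentions.

```python
import base64
import re

# Constructed sample in the shape the text describes: a JS array of
# percent-escaped (and plain) base64 strings.
SAMPLE_JS_ARRAY = (
    'var a = ["%61%47%56%73%62%47%38%3D", "cG93ZXJzaGVsbA==", '
    '"%61%48%52%30%63%44%6F%76%4C%77%3D%3D"];'
)


def js_unescape(s: str) -> str:
    """Decode/Decrypt > Unescape: JavaScript-style %XX and %uXXXX escapes."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def base64_by_delimiter(text: str) -> list[str]:
    """Convert > Base64 By Delimiter.  The elements are quoted and separated by
    ', ', so extracting the quoted strings is more reliable than splitting on a
    bare comma (the text notes the two-comma regex needs a double-check)."""
    return [base64.b64decode(q).decode("latin-1") for q in re.findall(r'"([^"]*)"', text)]


def number_rows(rows: list[str]) -> list[str]:
    """Analyze > Number Rows (0x0 Start): prefix each row with its hex index so
    it can be matched against the index used elsewhere in the script."""
    return [f"0x{i:x}: {row}" for i, row in enumerate(rows)]


def decode_array(js: str) -> list[str]:
    """Unescape -> Base64 by Delimiter -> one row per element, numbered from 0x0."""
    return number_rows(base64_by_delimiter(js_unescape(js)))


if __name__ == "__main__":
    print("\n".join(decode_array(SAMPLE_JS_ARRAY)))
```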

Example 4

Here's a malicious PowerShell script. I copy the base64-encoded portion to Reneo.

If I convert the above using Base64 to Text, the result will have a bunch of null characters because the
script is UTF-16 ("Unicode") encoded, so the better way is Convert > Base64 to Hex, then Format > Unicode
to Hex, and finally Convert > Hex to Text.
The top part of the script references element positions in the array below. I click on Decode/Decrypt
> Script Decoder and copy the comma-separated array from the script into the popup box, leaving just
the array positions in the Input textbox. I remove the "-f" at the beginning of the array, choose the
PowerShell method, then click on "Start". The result still requires some cleanup because the PowerShell
script does some search/replacements at the end to make the result functional, but I can already see
what this script does.
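
Both halves of this example in Python, as an added illustration (not Reneo's code): the Base64 to Hex / Unicode to Hex / Hex to Text route for a UTF-16LE encoded command, and a small Script Decoder for PowerShell's -f format operator. The PowerShell snippet is constructed; it assembles a cmdlet name from array positions the way the text describes, and the "Unicode to Hex" step assumes the script is ASCII-range, which encoded commands usually are.

```python
import base64
import re

# Constructed sample: the -f format operator assembling a cmdlet name
# from array elements referenced by position.
PLAIN_PS = "(\"{0}{2}{1}\" -f 'Inv','ssion','oke-Expre') 'Write-Host hi'"


def build_sample() -> str:
    """-EncodedCommand layout: UTF-16LE text, then base64."""
    return base64.b64encode(PLAIN_PS.encode("utf-16le")).decode()


def base64_to_text(blob: str) -> str:
    """Convert > Base64 to Text: the UTF-16LE nulls land in the output."""
    return base64.b64decode(blob).decode("latin-1")


def base64_to_hex(blob: str) -> str:
    """Convert > Base64 to Hex."""
    return base64.b64decode(blob).hex()


def unicode_to_hex(h: str) -> str:
    """Format > Unicode to Hex: keep the low byte of each UTF-16LE code unit
    (assumes ASCII-range content, so the high byte is always 0x00)."""
    raw = bytes.fromhex(h)
    return raw[0::2].hex()


def hex_to_text(h: str) -> str:
    """Convert > Hex to Text."""
    return bytes.fromhex(h).decode("latin-1")


# ("<format string>" -f <comma-separated elements>)
FMT_RE = re.compile(r'\(\s*"([^"]*)"\s*-f\s*([^)]*)\)')


def script_decoder_powershell(script: str) -> str:
    """Decode/Decrypt > Script Decoder, PowerShell method: replace each
    ("{i}{j}..." -f 'a','b',...) expression with the elements substituted.
    Elements containing commas or ')' are outside this simple regex; that is
    the case where the text pastes the array into the popup box separately."""
    def resolve(m: re.Match) -> str:
        fmt, array = m.group(1), m.group(2)
        items = [a.strip().strip("'\"") for a in array.split(",")]
        return re.sub(r"\{(\d+)\}", lambda n: items[int(n.group(1))], fmt)
    return FMT_RE.sub(resolve, script)


def decode_sample(blob: str) -> str:
    """The full route from the walkthrough: hex detour, then resolve -f."""
    return script_decoder_powershell(hex_to_text(unicode_to_hex(base64_to_hex(blob))))


if __name__ == "__main__":
    print(repr(base64_to_text(build_sample())))   # nulls visible
    print(decode_sample(build_sample()))
```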

Example 5

This script comes from an exploit kit. There are several parts before this one, so this portion isn't
executable by itself. However, I can try to determine what the string of decimal values is without
looking at the rest of the script.

I copy the decimal values into Reneo and click on Edit > Replace Text. I want to replace "@" with a
comma.
And I get a comma-separated string of decimals.

I can then click on Convert > Decimal to Hex.


Now I want to see what this could be so I click on Analyze > Text Analyzer.

I could try the Distance Calculator, but I don't know what to search for, so I use the Enumerate feature.
Here, I change the input to Hex and try the Shift method. When I click on Enumerate to File, a text file
gets written into the same folder where Reneo is located.

Here's what the resulting file looks like. I can scroll down to see if I recognize anything. Shift -67 looks
about right.
Now I can click on Decode/Decrypt > Simple Decrypter and make the following settings.

And I can now see what that script was hiding.
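
The Replace Text, Decimal to Hex and Enumerate (Shift) steps in Python, as an added example (not Reneo's code, and not the exploit-kit sample from the page). The decimal string is constructed by shifting a benign plaintext by +67 so that, as in the walkthrough, shift -67 is the row that "looks about right". The scoring function stands in for the analyst scrolling the enumeration file: it counts letters, digits and spaces and penalises control characters, which is enough to rank the correct shift first here.

```python
import string

SHIFT = 67   # the encoder's shift; the analyst recovers -67 by enumeration
PLAIN = "var s = document.createElement('script');"   # constructed, benign


def obfuscate(plain: str, shift: int = SHIFT, sep: str = "@") -> str:
    """Build the '@'-separated decimal string the text starts from."""
    return sep.join(str(ord(c) + shift) for c in plain)


def replace_text(s: str, old: str = "@", new: str = ",") -> str:
    """Edit > Replace Text."""
    return s.replace(old, new)


def decimal_to_hex(csv: str) -> str:
    """Convert > Decimal to Hex (comma-separated, two digits per value)."""
    return ",".join(f"{int(v):02x}" for v in csv.split(","))


def shift_hex(csv_hex: str, shift: int) -> str:
    """One Simple Decrypter 'Shift' step on hex input, wrapping within a byte."""
    return "".join(chr((int(h, 16) + shift) % 256) for h in csv_hex.split(","))


def enumerate_shift(csv_hex: str, lo: int = -128, hi: int = 128) -> dict:
    """Text Analyzer > Enumerate: every shift in range, as the output file lists them."""
    return {s: shift_hex(csv_hex, s) for s in range(lo, hi)}


def score(candidate: str) -> int:
    """Rough 'does this look like text' heuristic: letters, digits and spaces
    count for, non-printable characters count against."""
    good = sum(c in string.ascii_letters + string.digits + " " for c in candidate)
    bad = sum(not c.isprintable() for c in candidate)
    return good - bad


def best_shift(csv_hex: str) -> int:
    """Rank the enumeration so the row the analyst would pick comes out first."""
    return max(enumerate_shift(csv_hex), key=lambda s: score(shift_hex(csv_hex, s)))


if __name__ == "__main__":
    csv_hex = decimal_to_hex(replace_text(obfuscate(PLAIN)))
    for s, out in sorted(enumerate_shift(csv_hex).items(),
                         key=lambda kv: score(kv[1]), reverse=True)[:3]:
        print(f"Shift {s}: {out!r}")
```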


Example 6

Here is a malicious ASP script. The variables "oqz" and "xeh" contain the character substitution
alphabets used to decode the large blob held in variable "pvr". The result is then reversed and
executed.

Using Reneo, I can perform static analysis on the obfuscated script. First I click on Decode/Decrypt >
Character Substitution and paste in the alphabets from the first two variables (I did have to remove
extraneous characters from the first alphabet). Also, I kept the symbols from the default and duplicated
them in both alphabets.
Then I copied the obfuscated script into the Input textbox and clicked on "Decode".

Then I reversed the characters by clicking on Transform > Reverse Characters.
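
The Character Substitution and Reverse Characters steps in Python, as an added example (not Reneo's code). The two alphabets are constructed stand-ins, since the page does not reproduce the real "oqz" and "xeh" values; the default symbol set is appended to both so those characters map to themselves, which is what duplicating the symbols into both alphabets achieves. The decode direction (look each "pvr" character up in "xeh", emit the same index from "oqz") is an assumption about the script's loop.

```python
# Constructed stand-ins for the script's two alphabets.  Symbols from the
# default set are appended to both, so they map to themselves.
SYMBOLS = " .()\"=;"
OQZ = "abcdefghijklmnopqrstuvwxyz" + SYMBOLS   # plain alphabet
XEH = "qwertyuiopasdfghjklzxcvbnm" + SYMBOLS   # substituted alphabet


def character_substitution(text: str, from_alpha: str, to_alpha: str) -> str:
    """Decode/Decrypt > Character Substitution: map each character of from_alpha
    to the character at the same index in to_alpha; anything outside the
    alphabet passes through unchanged."""
    if len(from_alpha) != len(to_alpha):
        raise ValueError("alphabets must be the same length")
    return text.translate(str.maketrans(from_alpha, to_alpha))


def reverse_characters(text: str) -> str:
    """Transform > Reverse Characters."""
    return text[::-1]


def obfuscate(plain: str) -> str:
    """How a script of this shape builds 'pvr': reverse, then substitute OQZ -> XEH."""
    return character_substitution(reverse_characters(plain), OQZ, XEH)


def deobfuscate(pvr: str) -> str:
    """The two Reneo steps from the text: substitute XEH -> OQZ, then reverse."""
    return reverse_characters(character_substitution(pvr, XEH, OQZ))


PLAIN = 'response.write("deobfuscated")'   # constructed, benign

if __name__ == "__main__":
    blob = obfuscate(PLAIN)
    print("pvr:    ", blob)
    print("decoded:", character_substitution(blob, XEH, OQZ))
    print("final:  ", deobfuscate(blob))
```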


Example 7

Here is a malicious JS script from Goldfin. The top portion looks like Chinese characters that have been
commented out. The script reads this in, converts these characters to Unicode, slices off the last
two characters, then finally converts the result from hex to text.

The new Convert UTF feature in Reneo allows me to perform this statically. First, I copy the characters into
Reneo, then I use the Convert > Convert UTF feature and set the format to "Char to Hex".
Next I click on Edit > Text Transformer and extract every 6th character starting at the 2nd position with a
length of 2, because I only want the last two characters from each set.
Now I just convert this from Hex to Text to get the deobfuscated content.
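
The Char to Hex, extract-every-Nth and Hex to Text steps in Python, as an added example (not Reneo's code, and not the Goldfin sample). The CJK input is constructed so that the low byte of each character's UTF-16 code unit is one payload byte, which is what taking the last two hex digits recovers. The "Char to Hex" format here is assumed to be a \uXXXX token per character, so the block size is 6 and the last two digits sit at offset 5; with a different hex layout the every/start parameters change, which is why they are arguments.

```python
def build_sample(payload: str) -> str:
    """Constructed input: hide each payload byte in the low byte of a CJK code point."""
    return "".join(chr(0x4E00 + ord(c)) for c in payload)


def char_to_hex(text: str) -> str:
    """Convert > Convert UTF, 'Char to Hex': one \\uXXXX token per character.
    For BMP characters ord() equals the single UTF-16 code unit JS would see."""
    return "".join(f"\\u{ord(c):04x}" for c in text)


def extract_every(s: str, every: int, start: int, length: int) -> str:
    """Edit > Text Transformer: inside every `every`-character block, take
    `length` characters beginning at 1-based position `start`."""
    return "".join(s[i + start - 1:i + start - 1 + length]
                   for i in range(0, len(s), every))


def hex_to_text(h: str) -> str:
    """Convert > Hex to Text."""
    return bytes.fromhex(h).decode("latin-1")


def deobfuscate(text: str) -> str:
    """Char to Hex -> last two hex digits of each 6-char token -> Hex to Text."""
    return hex_to_text(extract_every(char_to_hex(text), every=6, start=5, length=2))


if __name__ == "__main__":
    sample = build_sample("hello world")
    print(sample)
    print(char_to_hex(sample))
    print(deobfuscate(sample))
```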
