0

Below you can find the content of the two example text files I will use, example1.txt and obf_example1.txt. The latter one contains the string of example1.txt at the end of the file but has some obfuscated strings before.

example1.txt:

adasdkasdaksdasdkjlasdjasndjasd.

obf_example1.txt:

ŠxpÃÒ²Ø-Gêÿ ój"f>ïí   H€À(ø4$/+#6Ni9Pvü¶ |CF CÀ¾ý~ª-°à9ÉOÿ V[o¦.E…-Š  ƒ9Ú\žê*D´ß()^“£¹ìÅjXÑÍ¥â(¨µ×d'«P|I*èSººº&)Ø|̉ òÔ®¥Ô$LÁ:9ŠLá{¶nZÒبNÙÀØŒ‹0õ´Sék›áÇÉîÆbËF§BЄƒöZKaÒR ²°ÅšDn?+¶()IªP›$ÇEv©¡k€[ßè¨×q-Ëk!µTóPA²—: A ?ÉEEEGÐJúÌ©ÒWµHB¡aäXû|ÓË BPÁwr„Ûi¥åܺÈQ÷ORàSb,Šv¢D ,Žb’(2 öb¢wtKzíĦ#ï¯u©²Ù  aîR隬ëÌTbà÷¥3ÄtSGì´R$)X   Šù
'¹¨D³ÞeOK3!{·‹¦cäиNÅô:Na1žAÇ1ø8 &Fuôë %¸T¯_òMå†C"ý¤F   ™º„Iµºí4Ü¡ˆc!ì•+3 ‰‹M K@JÁ«8¢bsL†!Ù“à­šn·öMå•Œ&ýèvÀ}¨?¦hùÊò(É@Žf~5‰‘qØçþƒ‰Å²ÓÖÊJU•âNWÁ«L¼Y”$G¢ßè&§ÖÉØŒS‘WàË„°SØW Ð¨´_è%‚Å¢ø.ãÃð”#X^þ*1þ‚q85¡lÒ‚Ò>‘¸ÿ £ôQôz#ø¤ÎõÚªï|Xö%;åÍËûGú+îUƒö³‰›p    U±Ò ðtÜGÜÿ  ð,åXÿ k8È I”ÿ “½¿Ð`¨u5=SÓqyFÈ É8ôã¨ð£è6’H@lÄI10‚Ö§ÑdµÖ?t¡]D†9Zj,¥EɺÜEq¤@,ìn—¢º‚´€bc·ú¨Lû£ÿ Ó×ÿÙ||adasdkasdaksdasdkjlasdjasndjasd.

When I ran the following powershell command for example.txt in a batch file, it works and I get the output of example.txt:

@echo off
for /f "delims=" %%a in ('powershell Get-Content .\example.txt') do set _output=%%a
echo %_output%

adasdkasdaksdasdkjlasdjasndjasd

Good so far.

However, when I ran the above powershell command for obf_example1.txt, it does not work and I get the following error message:

'¹¨D³ÃzeOK3!{·â?¹Â¦cäÃ?Â?¸Â?NÃ.ô:Na1žAÃ╬1ø8 
The command "FuôëÂ" is either misspelled or could not be found.
The command "ýèvÃ?}¨?¦hùÃSÂ?ò" is either misspelled or could not be found.

Why? Never mind I thought: As I am only interested in the last n characters both in example1.txt and obf_example1.txt accordingly, my idea was to extract the last n characters and check if I can see the output of obf_example1.txt then. To check if my idea works, I run the following command for example1.txt to get the last 4 characters as an example:

@echo off
for /f "delims=" %%a in ('powershell $a=Get-Content .\example.txt; $a.substring^(0,$a.length-4^)') do set _output=%%a
echo.%_output%

It doesn't show me anything though. %_output% seems to be empty. How to fix that? And will the fixed version work for obf_example1.txt as well so that I get an output there instead of the above error message?

Improve this question
4
  • There are Ampersands and Pipes in your data. When you echo the output, the variable value is expanded first and then the command is executed. It sees the & and | as command arguments. Commented Apr 29, 2020 at 17:21
  • echo "%_output%" should cure that - except there are quotes in the text file (then it depends on where exactly they are in relation to those poison chars whether it works or not) Commented Apr 29, 2020 at 17:30
  • @Thomas : I wasn't able to get the last n characters for obf_example1.txt in pure batch, I always got an error with the type command or echo when trying to echo the obfuscated file. That's why I mix with powershell and use Get-Content and stuff. If you can help me out doing that in pure batch, I'd highly appreciate it. Commented Apr 29, 2020 at 18:02
  • @Stephan: No, echo "%_output%" did not work. Commented Apr 29, 2020 at 18:06

3 Answers 3

Reset to default
3

Apparently, the piece of text you are after is behind the ||.

With PowerShell you can easily get that by using

((Get-Content 'D:\Test\obf_example1.txt' -Raw) -split '\|\|')[-1]

Returns

adasdkasdaksdasdkjlasdjasndjasd

Isn't htis what you want?

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Most likely yes but I need this command to be included in a batch file. Having tried for /f "delims=" %%a in ('powershell (Get-Content .\obf_example.txt -Raw) -split '\|\|')[1]') do set _output=%%a and then output it with echo "%_output%" it shows me the error message "-split" cannot be processed syntactically at this point. Could you please help me including your command in a batch file format?
Try with giving it an absolute file path to read from. The current directory for PowerShell may not be the same as for cmd. However, why use cmd to run PowerShell and not PS directly for this? If you must, enter this in the cmd: powershell ((Get-Content 'D:\Test\obf_example1.txt' -Raw) -split '^\^|^\^|')[-1]. It will return adasdkasdaksdasdkjlasdjasndjasd. P.S. you need to escape the pipe characters with ^ aswell as the backslashes in the split string.
I tried it with that but it still says -split" cannot be processed syntactically at this point. This is what I do: @echo off <new line> for /f "delims=" %%a in (powershell ((Get-Content '.\obf_example1.txt' -Raw) -split '^\^|^\^|')[-1]) do set _output=%%a <new line> echo.%_output%. How to fix this?
2

You could try reading the last 4 bytes, if you really are taking text characters from what is clearly not a text file. (My guess is that it is text hidden inside a binary file, probably a graphic file).

@For /F Delims^=^ EOL^= %%G In (
 '%__AppDir__%WindowsPowerShell\v1.0\powershell.exe  -NoP^
 "$f=[IO.File]::OpenRead('C:\Users\Ferit\Desktop\obf_example1.txt');"^
 "$f.Seek(-4,[System.IO.SeekOrigin]::End)|Out-Null;$buffer=new-object Byte[] 4;"^
 "$f.Read($buffer,0,4)|Out-Null;$f.Close();"^
 "[System.Text.Encoding]::UTF8.GetString($buffer)"')Do @Set "_output=%%G"
@Set _output 2>NUL&&Pause

Don't forget to modify the text file path, (on line 3), and the three instances of 4 if you want more or less bytes. The last line is included just to show you the output, (you would obviously replace that with your own code).

Improve this answer

2 Comments

That helped - thank you so much! One last thing where I need your help: How can I put the last n bytes to a batch variable (without the string _output) in order to further operate in my batch?
I've already explained that the last line was included just to show you the output, you'd use, %_output% in your own code, wherever you like. For now, if you want, you can use @If Defined _output Echo %_output%&Pause as your replacement last line.
1

The following works for me to get the "clear-text" part after || (from your example):

for /f "delims=" %%a in (.\obf_example1.txt) do set "_output=%%a"
set _output
echo testing last 10: %_output:~-10%
set "_output=%_output:*||=%"
set _output
echo %_output%

(it might not work with different encodings of the text file)

(Consider Powershell - cmd has a limit on line length and can easily be overwhelmed)

Improve this answer

4 Comments

Thanks for your help, it worked. Yes you are right, the obf_example1.txt was only an example though, it did not work for a larger example. Is there any chance to deal with a larger example? Background of my question is that I want to extract a hidden text in a jpg file with batch. The hidden text is usually at the end of the jpg file which is much larger than what I provided in my example obf_example1.txt.
You cannot overcome the line limit, but if you are able to insert a CRLF (instead of the ||), it's a new line. Then my first line alone should be able to extract the wanted string ("last line"), no matter how big the file is.
Thank you Stephan for your support. I changed the || to CRLF instead. My batch file looks right now like this: @echo off, <new line> for /f "delims=" %%a in (.\image.jpg) do set "_output=%%a" <new line> echo %_output:~-3% --> It prints out ~-3. Any idea why it does not show the last 3 lines instead?
That usually happens, when the variable is empty. Does it happen with my code above (without modifying or inserting it into other code) too? What does set _output say?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.