{"id":24014011,"url":"https://github.com/uchks/hone-deobf","last_synced_at":"2025-02-25T16:50:58.385Z","repository":{"id":159073222,"uuid":"392090758","full_name":"uchks/hone-deobf","owner":"uchks","description":"\"Obfuscated\" Batch files from https://discord.gg/Hone, but deobfuscated; if you can call it that.","archived":false,"fork":false,"pushed_at":"2023-10-14T18:28:16.000Z","size":7,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-08T06:58:09.885Z","etag":null,"topics":["deobf","deobfuscate","deobfuscated","deobfuscation","hone","obfuscate","obfuscated","obfuscation"],"latest_commit_sha":null,"homepage":"https://hone.gg","language":"Batchfile","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/uchks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-08-02T20:51:19.000Z","updated_at":"2024-04-19T11:04:08.000Z","dependencies_parsed_at":"2023-07-25T06:35:38.130Z","dependency_job_id":null,"html_url":"https://github.com/uchks/hone-deobf","commit_stats":null,"previous_names":["uchks/hone-deobfuscated"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uchks%2Fhone-deobf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uchks%2Fhone-deobf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uchks%2Fhone-deobf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uchks%2Fhone-deobf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/uchks","dow
nload_url":"https://codeload.github.com/uchks/hone-deobf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240710049,"owners_count":19845039,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deobf","deobfuscate","deobfuscated","deobfuscation","hone","obfuscate","obfuscated","obfuscation"],"created_at":"2025-01-08T06:58:21.127Z","updated_at":"2025-02-25T16:50:58.338Z","avatar_url":"https://github.com/uchks.png","language":"Batchfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hone Deobfuscated\n\nThis repository contains batch files originally sourced from the [Hone Discord Server](https://discord.gg/Hone), which have been \"deobfuscated\". 
\u003cbr\u003e\nFor instance, the file named `Anti-Tracking.cmd` fetches another script through PowerShell:\n\n```bash\npowershell Invoke-WebRequest \"https://cdn.discordapp.com/attachments/798652558351794196/870846920778735636/DEOBANTITRACK.cmd\" -OutFile \"%temp%\\DEOBANTITRACK.cmd\" \u003enul 2\u003e\u00261\n```\n\nThe fetched `DEOBANTITRACK.cmd` uses `certutil` to decode its own encoded final script (`%~f0` is the running file itself), writing it out like so:\n\n```bash\nCERTUTIL -f -decode \"%~f0\" \"%Temp%\\Honerandomthingthatyoudontwanttoseeipromisepleasejustgetoutofhere.bat\" \u003enul 2\u003e\u00261\n```\n\nThis produces `Honerandomthingthatyoudontwanttoseeipromisepleasejustgetoutofhere.bat` in your temporary directory, which is essentially the `Anti-Tracking.cmd` file.\n\n## Dealing with \"Obfuscation\"\n\nThe script includes a layer of \"obfuscation\" consisting of a repeated sequence of bytes, in the format:\n\n```\nFF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A FF FE 26 63 6C 73 0D 0A\n```\nOr, rendered as text:\n```\nÿþ\u0026cls ÿþ\u0026cls ÿþ\u0026cls ÿþ\u0026cls ÿþ\u0026cls ÿþ\u0026cls ÿþ\u0026cls ÿþ\u0026cls\n```\n\nYou can remove this layer of \"obfuscation\" using a hex editor like HxD. Once removed, the actual script is revealed. \u003cbr\u003e\nThis deobfuscation method is applicable to the batch files as of August 2nd, 2021.\n\n## Credits\nThis \"challenge\" is presented by **323170806190440449 / jonathah#1221**.\n\n![jonathah Image](https://user-images.githubusercontent.com/38664452/127923379-ae67a1c6-e42c-4379-b675-fb3568225f16.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuchks%2Fhone-deobf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fuchks%2Fhone-deobf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuchks%2Fhone-deobf/lists"}