Reneo Updated

Reneo has been updated to version 0.2 and includes many new features.

Here are the highlights of what's been added. You can look at the included documentation for more details.

Convert File

Under the File menu, Convert File now includes the ability to decompress RTF and decode FlateDecode streams.

Compressed RTF can often be found in Outlook MSG files. You can verify this by looking for "LZF" in the header. You can run this file through Reneo.

For FlateDecode streams, open the PDF file with a hex editor and look right after the string "stream". There should be a 0x0D0A or sometimes just 0x0A at the beginning and end of the stream section. Ignore those. Also ignore the 0x789C bytes. Copy out the remaining bytes to a separate file and run that through Reneo.

Both of these options have been added to the command line function as well. Just type reneo.exe -? from the command line to access the help.
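The manual FlateDecode steps above, scripted in Python as an added example (this is not Reneo's code, and the function names and the sample PDF bytes are constructed for illustration). It goes slightly beyond the post by accepting any valid two-byte zlib header, of which 0x789C is the common one.

```python
import re
import zlib

# Constructed sample: one PDF object whose stream body is zlib-compressed.
PLAIN = b"BT /F1 12 Tf (constructed sample text) Tj ET"
PACKED = zlib.compress(PLAIN)  # default level, so it begins 0x78 0x9C
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(PACKED)).encode()
    + b" /Filter /FlateDecode >>\nstream\r\n" + PACKED
    + b"\r\nendstream\nendobj\n"
)

# "stream", one EOL (0x0D0A or 0x0A), the body, an optional EOL, "endstream".
STREAM_RE = re.compile(rb"stream(?:\r\n|\n)(.*?)(?:\r\n|\n|\r)?endstream", re.DOTALL)


def has_zlib_header(body):
    """RFC 1950 check: deflate method nibble and header checksum (0x789C passes)."""
    return (len(body) >= 2 and (body[0] & 0x0F) == 8
            and int.from_bytes(body[:2], "big") % 31 == 0)


def inflate_streams(pdf_bytes):
    """Return the inflated bytes of every zlib-wrapped stream in pdf_bytes."""
    results = []
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        if not has_zlib_header(body):
            continue  # unfiltered stream or a different /Filter
        raw = body[2:]  # drop the two header bytes, as in the manual steps
        inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, no header
        try:
            results.append(inflater.decompress(raw))
        except zlib.error:
            continue  # corrupt or encrypted stream; skip it
    return results


if __name__ == "__main__":
    for index, data in enumerate(inflate_streams(SAMPLE_PDF)):
        print(index, data)
```

The checksum bytes that follow the compressed data are left unread by the raw inflater, so they do not need to be trimmed by hand.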

Edit Menu

The original Pre-Pad Hex Array is now a dialog box so that more delimiter options can be given. You can enter a delimiter like a comma or enter ^p(aragraph) or ^t(ab).

What this does is turn hex arrays (usually msfvenom-encoded shellcode) with single-character hex values like 0x1 and 0xa into 0x01 and 0x0a.

Filter Menu

Under the Filter menu, there's now the ability to remove Low ASCII (0-32) and High ASCII (127+) characters.

Convert Menu

You'll usually encounter this with PowerShell Base64 content. If you do a Base64 to Text, you will probably see this.

But with the Base64 (Unicode) to Text option, you now get this:

In the Convert UTF feature, you can now convert to/from UTF-7 and QDecode. QDecode can be seen in email source code (e.g. =3D).

Decode/Decrypt

The Custom Base64 Decoder has been moved here. I've also included Base58, Base62, and UUEncode.

Character Substitution now has the ability to perform reverse lookups. The Position Lookup Only will take the string and make the position values into a comma-delimited string.

Here's an example of its usage courtesy of TrickBot. In the malicious Word VBA, there's a bunch of cases followed by random-looking strings. Note: I won't be unescaping the strings so the output will be off a bit.

Hidden away on a form is a lookup string.

What the macro does is get the position of the character in the lookup string and subtract 9 to get the final value. So first I paste in the lookup string and choose Position Lookup Only to get the position values.

I can then subtract 9 from these values using Simple Decrypter as shown.

Then I can use the Position Lookup Substitution method to convert the lookup position numbers into characters.

Also under the Decode/Decrypt menu is Script Decoder which has been updated a bit.

You've seen this JavaScript obfuscation method used a lot nowadays. I think this site made this technique popular. However, instead of using decimal values for the array element, it's using hex.

To deobfuscate this, paste the bottom part of the script in Reneo, then paste the top part (the array part only) in Script Decoder and choose method "Array 1". If you mouse over the options, it will show you what method to use.

In the Search String field, paste the name of the array and the pound sign between square brackets. Choose Hex (0x0) input option and unescape the output.

Everything should look like this when it's done.

Analyze Menu

Count Hex Characters is now available so you can count the hex characters in both the input and output boxes.

There are some additional improvements and bug fixes, but that's pretty much it for the significant changes. You can find Reneo on the Tools page.

Posted on: 11/02/2018