This repository contains a batch script designed to deobfuscate other batch files that have been obfuscated using the certutil method. The script reverses the obfuscation process and reconstructs the original batch file.
The deobfuscation script works by:
- Checking if a command line argument (the path to the obfuscated batch file) is provided.
- Verifying that the file's extension is either
.bator.cmd. - Deleting any existing temporary deobfuscated file.
- Reading the obfuscated batch file line by line using the
CMD /U /C Typecommand, which properly interprets Unicode characters. - Echoing each line to the console and simultaneously appending it to a temporary file.
- Pausing at the end to allow the user to review the output.
-
Download Deobfuscator to local machine
-
Place the deobfuscator and obfuscated file into the same directory
-
Drag and drop the obfuscated file onto the deobfuscator.bat
-
The script will display the deobfuscated content on the console and create a temporary deobfuscated file in the same directory as the obfuscated file, named
obfuscatedname_deobfed.bat||.cmd. -
Review the deobfuscated content and make sure it matches the expected original batch file.
-
Note: Be cautious when dealing with batch files from untrusted sources, as they can potentially contain malicious code.
This project is licensed under the MIT License - see the LICENSE file for details.