encoding::obfuscation

encoding base64 · XOR bytes · bash
Recognition Conversions XOR / ROT Pitfalls
01Recognition & Triage
Spot the format
Looks likeHint
hexonly 0-9a-f, even length often matters
base64A-Z a-z 0-9 + / with optional = padding
base32A-Z 2-7 and often lots of =
url encoding%2f %3d style escapes
binary string01001000...
escaped bytes\x41\x42 or %41%42
compressedfile/binwalk show gzip, zlib, zip
Quick probes
file sample
xxd sample | head
python3 - <<'PY'
import base64
s='...'.encode()
for fn in (base64.b16decode, base64.b32decode, base64.b64decode, base64.urlsafe_b64decode):
    try: print(fn.__name__, fn(s))
    except Exception: pass
PY
02Common Conversions
bashHex / base64 / url
echo 7069636f | xxd -r -p
echo cGljbw== | base64 -d
python3 -c "import urllib.parse;print(urllib.parse.unquote('%70%69%63%6f'))"

# to hex
echo -n pico | xxd -p
pythonBytes first
import base64, binascii, urllib.parse
data = b'cGljbw=='
base64.b64decode(data)
binascii.unhexlify(b'7069636f')
urllib.parse.unquote_to_bytes('%70%69%63%6f')

# keep bytes until final display
Binary / integers / endianness
python3 -c "print(int('01110000',2))"
python3 -c "print((0xdeadbeef).to_bytes(4,'little'))"
python3 -c "print(int.from_bytes(bytes.fromhex('efbeadde'),'little'))"
Compression layers
file blob
binwalk -e blob
python3 - <<'PY'
import zlib,sys
raw=open('blob','rb').read()
for w in (zlib.MAX_WBITS, -zlib.MAX_WBITS, 15|32):
    try: print(w, zlib.decompress(raw, w)[:80])
    except Exception: pass
PY
03XOR / ROT / Layered Data
Single-byte XOR
python3 - <<'PY'
data = bytes.fromhex('3a2b2c')
for k in range(256):
    p = bytes(b ^ k for b in data)
    if b'flag' in p.lower() or all(9 <= c < 127 for c in p):
        print(k, p)
PY
Known-plaintext XOR
# ciphertext = plaintext XOR key
# key = plaintext XOR ciphertext
python3 - <<'PY'
pt = b'picoCTF{'
ct = bytes.fromhex('0011223344556677')
key = bytes(a ^ b for a,b in zip(pt, ct))
print(key)
PY
ROT / Caesar
tr 'A-Za-z' 'N-ZA-Mn-za-m'
python3 - <<'PY'
import string
s='uryyb'
a=string.ascii_lowercase
for k in range(26):
    t=''.join(a[(a.index(c)+k)%26] if c in a else c for c in s)
    print(k,t)
PY
04Patterns & Pitfalls
Things to check
PatternMeaning
base64 decodes but looks binarymaybe compressed or encrypted next
hex to text still unreadabletry xor / endianness / integer packing
repeated blocksmaybe ECB or repeated-key XOR
odd-length hexmissing nibble or formatting issue
UTF-8 errorstreat as bytes, not str
Useful one-liner loop
python3 - <<'PY'
import base64,binascii
data=b'...'
changed=True
while changed:
    changed=False
    for fn in (base64.b64decode, base64.b32decode, binascii.unhexlify):
        try:
            new = fn(data)
            if new != data:
                print(fn.__name__, new[:80])
                data = new
                changed=True
                break
        except Exception:
            pass
print(data)
PY