Special Alphabet used in Base64 encoding

Discussion in 'malware problems & news' started by darksider9, Jun 19, 2011.

Thread Status:
Not open for further replies.
  1. darksider9

    darksider9 Registered Member

    Jun 19, 2011
    Hi All,

    I am just getting started in this wonderful world of Malware Analysis, and it has to be one of the most interesting and fun jobs I have ever had. Either or, I am working on an issue that i have currently, and I seem to be running into some issues on my research. So the first problem that I am seeing is special alphabets that are utilized in the Base64 encoding of emails. With that being said, I have not really been able to find much in the way of documentation on this situation. I am trying to figure out how Base64 works when it has a special alphabet attached. Anyone know what I am talking about on this issue?

    Next what I am trying to do is write a quick little script that will "brute force" to figure out what the special alphabet actually is. I dont know if anyone has already done this, but one of the guys has coded something in the shop, but it takes two weeks to complete. Anyone know of anything that will do this a little bit easier?

    It would be nice to be able to knock this out a little bit quicker, so any documentation, or a script that will do this pretty quickly would be nice. As a side not an in depth description of how Base64 is encoded would be nice, but with the special alphabets again would be nice to be attached to this.

    Please let me know if anyone can help,

  2. MessageBoxA

    MessageBoxA Registered Member

    Jun 20, 2011

    The base16/32/64 algorithms do not 'work differently' when an alternative alphabet table is used.

    What exactly are you trying to do? Your questions are very vague and its not clear if your analyzing a binary or something else. Anyway... All of the base16/32/64 algorithms generally push a pointer to an array onto the stack before calling the encode function. It should be trivial to step through a debugger and view the memory at the address passed.

    If your not analyzing a binary then I have no idea. Maybe playing a couple of games of scrabble will help.

    Best Wishes,
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.