Philip Rushik via plug on 12 May 2022 11:46:12 -0700



Re: [PLUG] Converting ascii into Cyrillic



On Thu, May 12, 2022 at 9:54 AM Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
I have gotten my hands on what I believe is a base64 encoded script from the REvil ransomware group. Only the variables are encrypted, and when I decrypt them I get random ASCII characters that, if I am right, should be convertible into Russian so I can see the variable names, but I don't know how to convert them. Can someone please give me a recommendation on how to do it with Linux?


I think I understand what you are asking: you have base64 encoded data which you believe is Cyrillic identifier names in this ransomware script. If this is the case, you have some terminology wrong, which may be a source of confusion. You do not want to actually "convert" anything from ASCII to Cyrillic; this is actually not possible to do, since ASCII doesn't contain any Cyrillic characters. Instead, you have characters encoded with some unknown encoding that _does_ support Cyrillic being incorrectly displayed on your PC as if they were ASCII (probably as boxes with hexadecimal inside or question marks or just garbage). To display them correctly, you want to set the text encoding of your editor (or terminal) to an encoding that matches those identifiers; then you can work on converting them into something easier to deal with (like UTF-8).
You will also need a font that has Cyrillic characters; just knowing the correct encoding doesn't help if you don't have a font with Cyrillic characters in it.

It could be helpful if you posted some of the base64 here; that way we could take a look at it and probably help you identify the encoding used. If you don't want to do that, there is a neat Python script called chardet (https://pypi.org/project/chardet/) which tries to guess unknown character encodings. I have only used it with Chinese text, but it should help with your Cyrillic text as well. You would probably want to isolate just the unknown encoded text before running it through chardet to get the best result, but it might work anyway if you just give it the whole thing.
It might also help if we knew which application you were using to view these decoded identifiers: for instance, which text editor or terminal emulator if you are on the command line.

Regards,
Philip

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
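
Added example, not part of the original message: one way to act on the advice above with only the Python standard library is to base64-decode the isolated identifier bytes, try each Cyrillic-capable encoding, and rank the results by how much they look like Russian. The candidate list, the scoring heuristic, the function names and the sample identifier are assumptions made for illustration; short identifiers give weak evidence, so read the ranked output by eye before trusting it.

```python
import base64

# Assumption: the usual Cyrillic-capable encodings; extend the list as needed.
CANDIDATES = ["utf-8", "cp1251", "koi8_r", "cp866", "iso8859_5"]
# Frequent lowercase Russian letters, used as a rough plausibility signal.
COMMON = set("оеаинтсрвлкмдпу")


def score(text):
    """Per-character average: +1 common Russian letter, -1 non-ASCII non-Cyrillic."""
    total = 0
    for ch in text:
        if ch in COMMON:
            total += 1
        elif ord(ch) > 127 and not ("\u0400" <= ch <= "\u04ff"):
            total -= 1  # box drawing, symbols, control codes: wrong code page
    return total / max(len(text), 1)


def rank_encodings(b64_blob):
    """Return [(score, encoding, decoded_text)], best guess first."""
    raw = base64.b64decode(b64_blob)
    results = []
    for enc in CANDIDATES:
        try:
            text = raw.decode(enc)  # strict: invalid byte sequences rule it out
        except UnicodeDecodeError:
            continue
        results.append((score(text), enc, text))
    return sorted(results, reverse=True)


def to_utf8(b64_blob):
    """Re-encode the best guess as UTF-8; refuse when nothing looks like Russian."""
    ranked = rank_encodings(b64_blob)
    if not ranked or ranked[0][0] <= 0:
        raise ValueError("no candidate encoding produced plausible Cyrillic")
    _, enc, text = ranked[0]
    return enc, text.encode("utf-8")


# Constructed sample: the identifier "имя_файла" ("file name") stored as KOI8-R.
SAMPLE = base64.b64encode("имя_файла".encode("koi8_r"))

if __name__ == "__main__":
    for s, enc, text in rank_encodings(SAMPLE):
        print(f"{s:+.2f}  {enc:<10} {text!r}")
```

Every single-byte Cyrillic code page turns high bytes into some Cyrillic letter, so the wrong guesses here still print Cyrillic, only in implausible case and letter mixes; that is why the ranking uses letter frequency rather than "contains Cyrillic".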