
WHAMazon! Rev 1 - Stage ?

Peeling back two layers of PowerShell obfuscation, a base64-encoded outer script and a string-split encoded flag inside, to recover the plaintext flag.

Stage ?

Challenge Description

Yes they ran windows machines in WHAMazon ⚠️

Flag: Raptor{WinD0wSS_Sm4shiNg_PS_Cr4shIng}

Provided: stage1.zip (stage1.ps1)


Layer 1: The Outer Script

The .ps1 contains a single line:

Invoke-Command -ScriptBlock (
  [scriptblock]::Create(
    [System.Text.Encoding]::Unicode.GetString(
      [System.Convert]::FromBase64String('YwBsAEUAYQByAC0AaABPAFMAdAANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAFMASABPAFcALQBCAEEAbgBuAEUAUgAgAHsADQAKACAAIAAgACAAdwByAGkAdABlACAAJwAnAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAUABUADAAOQBQAFQAMAA5AFAAVAAwADkAUABUADAAOQBQAFQAMAA5AFAAVAAwADkAUABUADAAOQBQAFQAMAA5AFAAVAAwADkAUABUADAAOQBQAFQAMAA5AFAAVAAwADkAUABUADAAOQAnACkAKQApAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACgALQBqAG8AaQBuACgAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADUAMgAsACAAWwBjAGgAYQByAF0AMAB4ADQAMQAsACAAWwBjAGgAYQByAF0AMAB4ADUAMAAsACAAWwBjAGgAYQByAF0AMAB4ADUANAAsACAAWwBjAGgAYQByAF0AMAB4ADQARgAsACAAWwBjAGgAYQByAF0AMAB4ADUAMgAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADUANwAsACAAWwBjAGgAYQByAF0AMAB4ADQAOQAsACAAWwBjAGgAYQByAF0AMAB4ADQARQAsACAAWwBjAGgAYQByAF0AMAB4ADQANAAsACAAWwBjAGgAYQByAF0AMAB4ADQARgAsACAAWwBjAGgAYQByAF0AMAB4ADUANwAsACAAWwBjAGgAYQByAF0AMAB4ADUAMwAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADUAMAAsACAAWwBjAGgAYQByAF0AMAB4ADQARgAsACAAWwBjAGgAYQByAF0AMAB4ADUANwAsACAAWwBjAGgAYQByAF0AMAB4ADQANQAsACAAWwBjAGgAYQByAF0AMAB4ADUAMgAsACAAWwBjAGgAYQByAF0AMAB4ADUAMwAsACAAWwBjAGgAYQByAF0AMAB4ADQAOAAsACAAWwBjAGgAYQByAF0AMAB4ADQANQAsACAAWwBjAGgAYQByAF0AMAB4ADQAQwAsACAAWwBjAGgAYQByAF0AMAB4ADQAQwAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADUANAAsACAAWwBjAGgAYQByAF0AMAB4ADQARgAsACAAWwBjAGgAYQByAF0AMAB4ADQARgAsACAAWwBjAGgAYQByAF0AMAB4ADQAQwAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAApACkADQAKACAAIAAgACAAdwByAGkAdABlACAAJwA9AAwgPQANID0ACyA9AAsgPQALID0ADCA9AAsgPQAMID0ACyA9AAsgPQANID0ADCA9AA0gPQALID
0ADCA9AA0gPQAMID0ACyA9AAsgPQANID0ADSA9AAwgPQANID0ACyA9AAsgPQANID0ACyA9AAwgPQANID0ACyA9AAwgPQANID0ADCA9AAsgPQALID0ADCA9AAwgPQANID0ADCAnAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACcAJwANAAoAfQANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAaABPAFcALQBtAEUAbgBVACAAewANAAoAIAAgACAAIAB3AHIAaQB0AGUAIAAoACQAKAA5ADIAIAAtAGIAeABvAHIAIAA5ADMAKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEsAUwBCAFQAZQBYAE4AMABaAFcAMABnAFMAVwA1AG0AYgB3AD0APQAnACkAKQApACkADQAKACAAIAAgACAAdwByAGkAdABlACAAKAAkACgAOQA1ACAALQBiAHgAbwByACAAOQAzACkAIAArACAAKAAtAGoAbwBpAG4AKABbAGMAaABhAHIAXQAwAHgAMgA5ACwAIABbAGMAaABhAHIAXQAwAHgAMgAwACwAIABbAGMAaABhAHIAXQAwAHgANAA2ACwAIABbAGMAaABhAHIAXQAwAHgANgAxACwAIABbAGMAaABhAHIAXQAwAHgANgBCACwAIABbAGMAaABhAHIAXQAwAHgANgA1ACwAIABbAGMAaABhAHIAXQAwAHgAMgAwACwAIABbAGMAaABhAHIAXQAwAHgANAA0ACwAIABbAGMAaABhAHIAXQAwAHgANgA5ACwAIABbAGMAaABhAHIAXQAwAHgANgAxACwAIABbAGMAaABhAHIAXQAwAHgANgA3ACwAIABbAGMAaABhAHIAXQAwAHgANgBFACwAIABbAGMAaABhAHIAXQAwAHgANgBGACwAIABbAGMAaABhAHIAXQAwAHgANwAzACwAIABbAGMAaABhAHIAXQAwAHgANwA0ACwAIABbAGMAaABhAHIAXQAwAHgANgA5ACwAIABbAGMAaABhAHIAXQAwAHgANgAzACwAIABbAGMAaABhAHIAXQAwAHgANwAzACkAKQApAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACgAJAAoADYAOAAgAC0AYgB4AG8AcgAgADcAMQApACAAKwAgACQAKAAkAGsAMQA0ADkANwA9ACcARgB5AHkAagBDAG8AQwA8AE4ANwAjAGcAPgBOACcAOwAkAGIAPQBbAGIAeQB0AGUAWwBdAF0AKAAwAHgANgBGACwAMAB4ADUAOQAsADAAeAAyAEIALAAwAHgAMABGACwAMAB4ADMANQAsADAAeAAwAEEALAAwAHgAMgAyACwAMAB4ADUAMAAsADAAeAA2AEUALAAwAHgANwAxACwAMAB4ADQARgAsADAAeAAwADYALAAwAHgANQA5ACkAOwAkAGsAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGsAMQA0ADkANwApADsALQBqAG8AaQBuACgAMAAuAC4AKAAkAGIALgBMAGUAbgBnAHQAaAAtADEAKQB8ACUAewBbAGMAaABhAHIAXQAoACQAYgBbACQAXwBdAC0AYgB4AG8AcgAkAGsAYgBbACQAXwAlACQAawBiAC4ATABlAG4AZwB0AGgAXQApAH0AKQApACkADQAKACAAIAAgACAAdwByAGkAdABlACAAKAAkACgAMQA0ADAAIAAvACAAMwA1AC
kAIAArACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBLAFMAQgBGAGUARwBsADAAJwApACkAKQApAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACcAJwANAAoAfQANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AC0AcwB5AFMAdABFAE0ASQBOAEYAbwAgAHsADQAKACAAIAAgACAAdwByAGkAdABlACAAKAAtAGoAbwBpAG4AKAAnAGAAYABuAFsAKwBdACAAJwAsACcARwBhAHQAJwAsACcAaAAnACwAJwBlAHIAaQBuAGcAIABzACcALAAnAHkAcwB0ACcALAAnAGUAbQAgAGkAbgBmACcALAAnAG8ALgAuAC4AYABgAG4AJwApACkADQAKACAAIAAgACAAZwBFAHQALQBDAG8AbQBQAFUAVABlAHIAaQBOAGYAbwAgAHwAIABzAGUAbABlAGMAdAAgAE8AcwBuAGEATQBFACwAIABvAHMAdgBFAHIAUwBpAE8AbgAsACAAYwBzAG4AQQBNAEUADQAKAH0ADQAKAA0ACgBpAGYAIAAoADIAOAAgAC0AZwB0ACAANgApACAAewAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAC4AIgAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAsACIAIAAtAE4AbwBOAGUAdwBsAGkAbgBlACAAfQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIgAKAGYAdQBuAGMAdABpAG8AbgAgAHIAdQBuAC0AZABJAGEAZwBuAE8AUwBUAEkAYwBzACAAewANAAoAIAAgACAAIAB3AHIAaQB0AGUAIAAoAC0AagBvAGkAbgAoACcAYABgAG4AWwArAF0AIAAnACwAJwBSAHUAbgBuAGkAbgBnACcALAAnACAAZABpAGEAZwAnACwAJwBuAG8AcwB0AGkAYwBzAC4AJwAsACcALgAnACwAJwAuACcAKQApAA0ACgAgACAAIAAgAHMAdABhAHIAdAAtAHMATABlAGUAcAAgACgAMwA0ACAALwAgADMANAApAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACgALQBqAG8AaQBuACgAWwBjAGgAYQByAF0AMAB4ADUAQgAsACAAWwBjAGgAYQByAF0AMAB4ADIAQgAsACAAWwBjAGgAYQByAF0AMAB4ADUARAAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADQAMwAsACAAWwBjAGgAYQByAF0AMAB4ADYAOAAsACAAWwBjAGgAYQByAF0AMAB4ADYANQAsACAAWwBjAGgAYQByAF0AMAB4ADYAMwAsACAAWwBjAGgAYQByAF0AMAB4ADYAQgAsACAAWwBjAGgAYQByAF0AMAB4ADYAOQAsACAAWwBjAGgAYQByAF0AMAB4ADYARQAsACAAWwBjAGgAYQByAF0AMAB4ADYANwAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADYARAAsACAAWwBjAGgAYQByAF0AMAB4ADYANQAsACAAWwBjAGgAYQByAF0AMAB4ADYARAAsACAAWwBjAGgAYQByAF0AMAB4ADYARgAsACAAWwBjAGgAYQByAF0AMAB4ADcAMgAsACAAWwBjAGgAYQByAF0AMAB4ADcAOQAsACAAWwBjAGgAYQByAF0AMAB4ADIARQAsAC
AAWwBjAGgAYQByAF0AMAB4ADIARQAsACAAWwBjAGgAYQByAF0AMAB4ADIARQAsACAAWwBjAGgAYQByAF0AMAB4ADIAMAAsACAAWwBjAGgAYQByAF0AMAB4ADQARgAsACAAWwBjAGgAYQByAF0AMAB4ADQAQgApACkADQAKACAAIAAgACAAcwBUAEEAcgBUAC0AcwBsAGUAZQBQACAAKAA2ADIAIAArACAALQA2ADEAKQANAAoAIAAgACAAIAB3AHIAaQB0AGUAIAAoACcAWwArAF0AIABDAGgAZQAnACsAJwBjAGsAaQBuACcAKwAnAGcAIABkAGkAcwAnACsAJwBrAC4ALgAuACAAJwArACcATwBLACcAKQANAAoAIAAgACAAIABzAHQAYQByAFQALQBzAEwAZQBFAFAAIAAoAC0AMQA1ACAALQBiAHgAbwByACAALQAxADYAKQANAAoAIAAgACAAIAB3AHIAaQB0AGUAIAAoACcAWwAnACsAJwArAF0AJwArACcAIABDACcAKwAnAGgAZQBjACcAKwAnAGsAaQBuACcAKwAnAGcAIABzAGUAcgAnACsAJwB2AGkAYwBlACcAKwAnAHMALgAuAC4AIABPACcAKwAnAEsAJwApAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACQAKAAtAGoAbwBpAG4AKAAnAGAAYAB4AEsAdgB2ACAAYwBpAGMAZABvAHcAYwAgAHgAeQB3AHMAeABrAHYALgBgAGAAeAAnAC4AVABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQB8ACUAewBbAGkAbgB0AF0AJABjAD0AJABfADsAaQBmACgAJABjAC0AZwBlADYANQAtAGEAbgBkACQAYwAtAGwAZQA5ADAAKQB7AFsAYwBoAGEAcgBdACgANgA1ACsAKAAoACQAYwAtADYANQArADEANgApACUAMgA2ACkAKQB9AGUAbABzAGUAaQBmACgAJABjAC0AZwBlADkANwAtAGEAbgBkACQAYwAtAGwAZQAxADIAMgApAHsAWwBjAGgAYQByAF0AKAA5ADcAKwAoACgAJABjAC0AOQA3ACsAMQA2ACkAJQAyADYAKQApAH0AZQBsAHMAZQB7AFsAYwBoAGEAcgBdACQAYwB9AH0AKQApAA0ACgB9AA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAcgBlAFYARQBhAEwALQBGAGwAQQBHACAAewANAAoAIAAgACAAIAAkAEUAbgBjAE8AZABFAEQAIAA9ACAAKAAnAFUAbQBGACcAKwAnAHcAZABHADkAeQBlADEAZAAnACsAJwBwAGIAJwArACcAawBRAHcAZAAxAE4AVAAnACsAJwBYADEATgB0AE4ASABOACcAKwAnAG8AYQBVADUAbgBYADEAQgAnACsAJwBUAFgAMABOAHkATgBIAE4AJwArACcAbwBTAFcANQAnACsAJwBuAGYAJwArACcAUQAnACsAJwA9AD0AJwApAA0ACgAgACAAIAAgACQAYgB5AHQARQBzACAAPQAgAFsAcwB5AHMAVABlAG0ALgBjAE8ATgBWAGUAUgB0AF0AOgA6AEYAcgBvAE0AQgBBAFMAZQA2ADQAcwB0AHIASQBOAEcAKAAkAEUATgBDAG8ARABlAGQAKQANAAoAIAAgACAAIAAkAGYAbABhAGcAIAA9ACAAWwBTAFkAUwBUAGUAbQAuAHQAZQBYAFQALgBlAG4AQwBvAGQAaQBuAGcAXQA6ADoAdQB0AGYAOAAuAEcARQBUAFMAVAByAEkAbgBHACgAJABCAHkAdABlAFMAKQANAAoADQAKACAAIAAgACAAdwByAGkAdABlACAAJwAnAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACgAJwB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADQAfQB7ADUAfQB7ADYAfQB7ADcAfQB7ADgAfQB7ADkAfQB7AD
EAMAB9AHsAMQAxAH0AewAxADIAfQAnACAALQBmACAAJwA9AD0APQAnACwAJwA9AD0AJwAsACcAPQA9AD0AJwAsACcAPQA9AD0APQAnACwAJwA9AD0AJwAsACcAPQA9ACAARgAnACwAJwBMAEEARwAnACwAJwAgACcALAAnAD0APQA9AD0AJwAsACcAPQA9AD0AJwAsACcAPQA9AD0APQAnACwAJwA9AD0APQAnACwAJwA9AD0APQAnACkADQAKACAAIAAgACAAdwByAGkAdABlACAAJABmAGwAQQBHAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACgAWwBzAHQAcgBpAG4AZwBdADoAOgBGAG8AcgBtAGEAdAAoACcAewAwAH0AewAxAH0AewAyAH0AewAzAH0AewA0AH0AewA1AH0AewA2AH0AewA3AH0AewA4AH0AewA5AH0AewAxADAAfQB7ADEAMQB9AHsAMQAyAH0AewAxADMAfQB7ADEANAB9ACcALAAnAD0APQA9ACcALAAnAD0APQA9ACcALAAnAD0AJwAsACcAPQAnACwAJwA9AD0APQAnACwAJwA9AD0APQA9ACcALAAnAD0APQA9AD0APQAnACwAJwA9AD0AJwAsACcAPQA9AD0APQA9ACcALAAnAD0APQA9AD0APQAnACwAJwA9ACcALAAnAD0AJwAsACcAPQA9ACcALAAnAD0AJwAsACcAPQAnACkAKQANAAoAIAAgACAAIAB3AHIAaQB0AGUAIAAnACcADQAKAH0ADQAKAGkAZgAgACgAJABmAGEAbABzAGUAKQAgAHsACgAgACAAIAAgACQAYwBvAG4AZgBpAGcAVABhAGIAbABlACAAPQAgAEAAewAgAFMAZQB0AHQAaQBuAGcAMQAgAD0AIAAnAFYAYQBsAHUAZQBBACcAOwAgAFMAZQB0AHQAaQBuAGcAMgAgAD0AIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQA7ACAAVABpAG0AZQBvAHUAdAAgAD0AIAA4ADEAIAB9ADsAIAAkAGMAbwBuAGYAaQBnAFQAYQBiAGwAZQAuAEsAZQB5AHMAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAFcAcgBpAHQAZQAtAFYAZQByAGIAbwBzAGUAIAAiAEMAbwBuAGYAaQBnACAASwBlAHkAOgAgACQAXwAsACAAVgBhAGwAdQBlADoAIAAkACgAJABjAG8AbgBmAGkAZwBUAGEAYgBsAGUAWwAkAF8AXQApACIAIAB9AAoAfQAKAA0ACgBzAEgATwB3AC0AYgBhAE4AbgBFAHIADQAKAA0ACgB3AGgAaQBsAGUAIAAoACgAJwBFBCcAIAAtAGUAcQAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBiAHkAdABlAFsAXQBdACgAMAB4ADcAOAApACkAKQApACkAIAB7AA0ACgAgACAAIAAgAFMASABvAFcALQBNAGUATgBVAA0ACgAgACAAIAAgACQAQwBIAE8AaQBDAEUAIAA9ACAAcgBlAEEARAAtAEgATwBzAFQAIAAnAFMANQRsADUEQQR0ACAAPgRABHQAVgQ+BG4AJwANAAoADQAKACAAIAAgACAAcwB3AGkAdABjAGgAIAAoACQAYwBoAG8ASQBDAEUAKQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkACgANwA3ACAALQBiAHgAbwByACAANwA2ACkAIAB7ACAARwBlAHQALQBzAHkAcwBUAGUAbQBJAE4ARgBvACAAfQANAAoAIAAgACAAIAAgACAAIAAgACQAKAAzADAAIAAvACAAMQA1ACkAIAB7ACAAUgBVAG4ALQBEAEkAYQBHAG4AbwBzAHQAaQBjAH
MAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAJAAoAC0ANgAzACAALQBiAHgAbwByACAALQA2ADIAKQAgAHsAIAByAGUAdgBlAGEATAAtAEYATABBAEcAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAJAAoADEANAAgAC0AYgB4AG8AcgAgADEAMAApACAAewAgAGIAcgBlAGEAawAgAH0ADQAKACAAIAAgACAAIAAgACAAIABkAEUAZgBBAFUAbABUACAAewAgAHcAcgBpAHQAZQAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAUwBXADUAMgBZAFcAeABwAFoAQwBCAHYAYwBIAFIAcABiADIANAB1ACcAKQApACkAIAB9AA0ACgAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgAHcAcgBpAHQAZQAgACcAJwANAAoAIAAgACAAIAByAEUAYQBkAC0AaABPAFMAVAAgACIAJAAoAFsAYwBoAGEAcgBdADAAeAA1ADAAKQAkACgAWwBjAGgAYQByAF0AMAB4ADcAMgApACQAKABbAGMAaABhAHIAXQAwAHgANgA1ACkAJAAoAFsAYwBoAGEAcgBdADAAeAA3ADMAKQAkACgAWwBjAGgAYQByAF0AMAB4ADcAMwApACQAKABbAGMAaABhAHIAXQAwAHgAMgAwACkAJAAoAFsAYwBoAGEAcgBdADAAeAA0ADUAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYARQApACQAKABbAGMAaABhAHIAXQAwAHgANwA0ACkAJAAoAFsAYwBoAGEAcgBdADAAeAA2ADUAKQAkACgAWwBjAGgAYQByAF0AMAB4ADcAMgApACQAKABbAGMAaABhAHIAXQAwAHgAMgAwACkAJAAoAFsAYwBoAGEAcgBdADAAeAA3ADQAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYARgApACQAKABbAGMAaABhAHIAXQAwAHgAMgAwACkAJAAoAFsAYwBoAGEAcgBdADAAeAA2ADMAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYARgApACQAKABbAGMAaABhAHIAXQAwAHgANgBFACkAJAAoAFsAYwBoAGEAcgBdADAAeAA3ADQAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYAOQApACQAKABbAGMAaABhAHIAXQAwAHgANgBFACkAJAAoAFsAYwBoAGEAcgBdADAAeAA3ADUAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYANQApACIADQAKACAAIAAgACAAQwBsAEUAQQByAC0ASABvAHMAdAANAAoAIAAgACAAIABTAGgATwB3AC0AQgBhAE4AbgBFAHIADQAKAH0ADQAKAA0ACgB3AHIAaQB0AGUAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAFkARwBCAHUAUgAyADkAdgBaAEcASgA1AFoAUwA0AD0AJwApACkAKQANAA==')
    )
  )
)

This is a standard PowerShell obfuscation pattern: the entire script body is base64-encoded, decoded at runtime to a string, compiled into a scriptblock, and executed. Decoding the base64 as UTF-16LE (that is what the ::Unicode call means; it is not UTF-8) reveals the actual script.


Layer 2: The Inner Script

Inside the decoded script, a switch statement uses obfuscated arithmetic to mask its case values:

switch ($choICE) {
    $(77 -bxor 76)  { Get-sysTemINFo }   # = 1
    $(30 / 15)      { RUn-DIaGnostics }  # = 2
    $(-63 -bxor -62){ reveaL-FLAG }      # = 3 (-63 and -62 differ only in the low two bits)
    $(14 -bxor 10)  { break }            # = 4
    dEfAUlT         { write "Invalid option." }
}

The arithmetic obfuscation (-bxor, /) is evaluated at runtime but is trivially readable statically: each case label can be computed by hand. Following reveaL-FLAG leads to the flag function.


Layer 3: The Flag Function

function reVEaL-FlAG {
    $EncOdED = ('UmF'+'wdG9ye1d'+'pb'+'kQwd1NT'+'X1NtNHN'+'oaU5nX1B'+'TX0NyNHN'+'oSW5'+'nf'+'Q'+'==')

    $bytEs = [sysTem.cONVeRt]::FroMBASe64strING($ENCoDed)
    $flag  = [SYSTem.teXT.enCoding]::utf8.GETSTrInG($ByteS)

    write $flAG
}

The flag is base64-encoded and split across concatenated string fragments, the same technique seen in the James Smith JS challenge. Joining the fragments and decoding:

UmFwdG9ye1dpbkQwd1NTX1NtNHNoaU5nX1BTX0NyNHNoSW5nfQ==
→ Raptor{WinD0wSS_Sm4shiNg_PS_Cr4shIng}

PowerShell Obfuscation Patterns Used

This script stacked three common techniques:

1. Base64 + Unicode encoding: wrapping the entire script in FromBase64String with [System.Text.Encoding]::Unicode (UTF-16LE) hides the content from casual inspection and evades simple string-based AV signatures.

2. Case randomization: reVEaL-FlAG, sysTem.cONVeRt, GETSTrInG. PowerShell is case-insensitive, so this has zero effect on execution but makes the code harder to read and breaks naive pattern matching.

3. String concatenation and arithmetic obfuscation: splitting base64 strings across + expressions and replacing literal case values with evaluated expressions (77 -bxor 76) obscures the logic without changing it.

None of these is cryptographic; all of them are reversible with static analysis. The approach is the same regardless of language: decode the outermost layer, read what's inside, repeat until you hit plaintext.
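As an added example (not the challenge file and not the author's tooling), here is the static peel from Layers 1 to 3 in Python: lift the FromBase64String literal and decode it as UTF-16LE, join the concatenated fragments, evaluate the -bxor and / switch labels, and base64-decode the flag, all without executing the script. The embedded sample is a constructed cut-down stand-in for the decoded body that reuses the fragments and case labels quoted above; the function names are mine, and resolve_cases goes slightly beyond the page by reporting any labels that collide.

```python
import base64
import re

# Constructed sample (not the challenge file): a cut-down stand-in for the decoded
# stage1.ps1 body, reusing the fragment-split flag literal and the arithmetic case
# labels quoted above, wrapped the way the outer layer was: UTF-16LE -> base64.
INNER = r"""function reVEaL-FlAG {
    $EncOdED = ('UmF'+'wdG9ye1d'+'pb'+'kQwd1NT'+'X1NtNHN'+'oaU5nX1B'+'TX0NyNHN'+'oSW5'+'nf'+'Q'+'==')
}
switch ($choICE) {
    $(77 -bxor 76)  { Get-sysTemINFo }
    $(30 / 15)      { RUn-DIaGnostics }
    $(-63 -bxor -62){ reveaL-FLAG }
    $(14 -bxor 10)  { break }
}"""
OUTER = ("Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::Unicode"
         ".GetString([System.Convert]::FromBase64String('"
         + base64.b64encode(INNER.encode("utf-16-le")).decode() + "'))))")

def peel_outer(ps1: str) -> str:
    """Layer 1: lift the FromBase64String literal and decode it as UTF-16LE
    (what [System.Text.Encoding]::Unicode means) without executing anything."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", ps1)
    if m is None:
        raise ValueError("no FromBase64String literal found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def join_fragments(script: str) -> str:
    """Collapse ('a'+'b'+'c') chains of single-quoted literals into one literal."""
    chain = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")
    return chain.sub(lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", script)

def resolve_cases(script: str) -> dict:
    """Evaluate $(a -bxor b) and $(a / b) switch labels statically (integer division
    assumed exact). Returns {value: [handler, ...]} so colliding labels stay visible."""
    ops = {"-bxor": lambda a, b: a ^ b, "/": lambda a, b: a // b}
    label = re.compile(r"\$\(\s*(-?\d+)\s+(-bxor|/)\s+(-?\d+)\s*\)\s*\{\s*([^}]+?)\s*\}")
    cases = {}
    for a, op, b, body in label.findall(script):
        cases.setdefault(ops[op](int(a), int(b)), []).append(body)
    return cases

def extract_flag(script: str) -> str:
    """Layer 3: join the fragments, then base64-decode the assigned literal as UTF-8."""
    m = re.search(r"\$\w+\s*=\s*'([A-Za-z0-9+/]+={0,2})'", join_fragments(script))
    if m is None:
        raise ValueError("no base64 assignment found")
    return base64.b64decode(m.group(1)).decode("utf-8")
```

Running peel_outer, resolve_cases and extract_flag in that order on OUTER recovers the switch table {1, 2, 3, 4} and the flag from the constructed sample.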


Key Takeaways

PowerShell deobfuscation is Rev, just with a scripting language instead of a compiled binary. The layers here were shallow enough for manual analysis; in more aggressive real-world samples, tools like PSDecode or PowerShell ISE with breakpoints can handle deeper nesting. When layers get truly complex, letting the script decode itself in a sandboxed environment and capturing the final scriptblock before execution is often faster than manual unwrapping.
