> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-5/malware-analysis/trick-0423.md).

# Analyze Script for Encryption Key/IV

***

After deobfuscating a script, particularly a loader script, read through it line by line. Look for variables or constants assigned strings or byte sequences that resemble encryption keys or initialization vectors (IVs). These are often found near function calls related to cryptographic operations, such as AES decryption or encryption. Identifying these parameters allows you to decrypt subsequently loaded or embedded encrypted payloads. For example, analyzing a PowerShell script might reveal hardcoded AES parameters like these:

```
Key: sksd89D2G0X9jk2fF1b4S2a7Gh8aVk0L
IV: Md33eFa0wNx2Zq5LjK6X9t3G7oN45mY1
```

Once these parameters are identified, you can use them to decrypt the encrypted payload. To decrypt a string in PowerShell using a given key and IV, you typically need to use the `System.Security.Cryptography.AesCryptoServiceProvider` class. The process involves converting the key and IV strings to byte arrays, creating the AES object, and then using a decryptor to transform the encrypted data.

Here is a PowerShell example demonstrating how to perform AES decryption with a known key and IV:

```powershell
# Example usage:
$key = "sksd89D2G0X9jk2fF1b4S2a7Gh8aVk0L" # 32 bytes for AES-256
$iv = "Md33eFa0wNx2Zq5LjK6X9t3G7oN45mY1"   # 16 bytes for AES-128/192/256
$encryptedString = "your_base64_encrypted_string_here"

# Convert key and IV to byte arrays
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($key)
$ivBytes = [System.Text.Encoding]::UTF8.GetBytes($iv)

# Create AES object
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.Key = $keyBytes
$aes.IV = $ivBytes
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7

# Convert base64 encrypted string to byte array
$cipherTextBytes = [System.Convert]::FromBase64String($encryptedString)

# Create decryptor
$decryptor = $aes.CreateDecryptor($aes.Key, $aes.IV)

# Decrypt the data
$plainTextBytes = $decryptor.TransformFinalBlock($cipherTextBytes, 0, $cipherTextBytes.Length)

# Convert decrypted bytes back to string
$decryptedString = [System.Text.Encoding]::UTF8.GetString($plainTextBytes)

# Output the decrypted string
Write-Host "Decrypted String: $($decryptedString)"
```

Alternatively, the decryption logic might be encapsulated within a function, which is also common in malicious scripts:

```powershell
Function Decrypt-AES {
Param (
[Parameter(Mandatory=$true)][byte[]]$EncryptedData,
[Parameter(Mandatory=$true)][byte[]]$Key,
[Parameter(Mandatory=$true)][byte[]]$IV
)
$AES = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$decrypt = $AES.CreateDecryptor($Key, $IV)
$plain = $decrypt.TransformFinalBlock($EncryptedData, 0, $EncryptedData.Length)
$plainText = [System.Text.Encoding]::UTF8.GetString($plain)
Return $plainText
}
```

This function takes the encrypted data (as bytes), the key (as bytes), and the IV (as bytes) as parameters to perform the decryption. Analyzing how this function is called within the script will reveal the encrypted data and the specific key/IV used.
