• Forum
  • Deobfuscating with Calc.exe

Deobfuscating with Calc.exe

For those who are familiar with the feature [literals], you might be surprised at how easily this is undone. As the title says, calc.exe - that is, the default Windows calculator - is capable to deobfuscate the literals by simply copy-pasting the whole line of mathematical operations. That is if all are literals (and not identifiers, function calls, etc)


To solve the local a = ((16164 + (((3864 + 364101) - 274396) - 67600)) + (190952 - 110638)) from the local demo we simply copy the ((16164 + (((3864 + 364101) - 274396) - 67600)) + (190952 - 110638)), which are all valid mathematical operations, and past them, in our default Windows calculator as shown below.

calc.exe go brrr

Tada, the value hidden underneath those operations is 122447


To harden against basic attacks like these we might want to add some extra flavors to the mix. That's why Mixed Boolean Arithmetics (MBA's) have been added into Alpha v0.1.6!

To elaborate more on what MBAs are, they are simply replacing basic arithmetic operations such as A + B into something like (A & B) + (A | B). However, this is Lua and we can't just do bitwise operations like this. Instead, it will be more like bit32.band(A, B) + bit32.bor(A, B). These will be even more fun to deobfuscate as we can perform string obfuscation on "band" and "bor" lookup. Just keep in mind these bitwise calls add some extra overhead.

The feature can be used with the [MBAv1] button under the "All Obfuscation" tab, enjoy!

Guest Replied
#117 19:35 04/12/2022

woha. cool. i never knew you could deobfuscate with a calculator.

Guest Replied
#118 07:38 06/12/2022

can i also protect my strings with this?

Guest Replied
#130 11:27 19/12/2022

I think you can combine this with string encryption, so you table.concat bytes which you MBA

Guest Replied
#147 19:24 02/01/2023

Wow, I had no idea that calc.exe could be used to deobfuscate literals like that. This is a really interesting and useful tip!

Guest Replied
#148 19:43 02/01/2023

I hadn't heard of Mixed Boolean Arithmetics before, but it sounds like a really useful tool for making our code more secure. I'll definitely have to try it out in my own projects.

Guest Replied
#149 20:06 02/01/2023

This is a really informative post, thanks for sharing all of this information about making our code more hard to deobfuscation. Will definitely try MBAv1

Guest Replied
#164 22:32 11/03/2023

Id: 1 Username: Guest Created At: 00:00 01/01/1970

News Issues Discussion