From ce36c58ba08c929a258fdf26cfc7daa467b8e91b Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Mon, 13 Apr 2026 13:46:12 +0100 Subject: [PATCH 01/10] testing base64url unpadded decode --- .../httpx/c2_code/webserver/transforms.go | 15 +++++++++++++ .../httpx/httpx/c2functions/transforms.go | 21 ++++++++++++------- 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go index 4a27865..77781db 100644 --- a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go +++ b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go @@ -21,6 +21,21 @@ func transformBase64Reverse(prev []byte, value string) ([]byte, error) { func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } +func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { + decodedLength := base64.URLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) + if err == nil { + return decoded[:actualDecoded], nil + } + decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decoded = make([]byte, decodedLength)) + actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) + if err != nil { + return nil, err + } + return decoded[:actualDecoded], nil +} func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { decodedLength := base64.URLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index a5f6633..c30e771 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -23,14 +23,21 @@ func transformBase64Reverse(prev []byte, value string) ([]byte, error) { func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } +} func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { - decodedLength := base64.URLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err - } - return decoded[:actualDecoded], nil + decodedLength := base64.URLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) + if err == nil { + return decoded[:actualDecoded], nil + } + decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decoded = make([]byte, decodedLength)) + actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) + if err != nil { + return nil, err + } + return decoded[:actualDecoded], nil } func transformPrepend(prev []byte, value string) ([]byte, error) { From 94936ab8e60e3719f7db6e6762aedda1aa6bcc20 Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Mon, 13 Apr 2026 14:13:28 +0100 Subject: [PATCH 02/10] fix --- C2_Profiles/httpx/httpx/c2functions/transforms.go | 1 - 1 file changed, 1 deletion(-) diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index c30e771..b5f0f05 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -23,7 +23,6 @@ func transformBase64Reverse(prev []byte, value string) ([]byte, error) { func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } -} func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { decodedLength := base64.URLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) From 3255fc2a41dba6c37d95b1ff86f1b10378f61beb Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Mon, 13 Apr 2026 14:16:32 +0100 Subject: [PATCH 03/10] fix --- C2_Profiles/httpx/httpx/c2functions/transforms.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index b5f0f05..519167f 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -31,7 +31,7 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { return decoded[:actualDecoded], nil } decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) - decoded = make([]byte, decodedLength)) + decoded = make([]byte, decodedLength) actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) if err != nil { return nil, err From f842d58cad7f21f01c2c44d1bf108c0f5e577c5e Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Mon, 13 Apr 2026 14:26:23 +0100 Subject: [PATCH 04/10] more fixes, sigh --- .../httpx/httpx/c2_code/webserver/transforms.go | 13 ++----------- C2_Profiles/httpx/httpx/c2functions/transforms.go | 2 +- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go index 77781db..b85bd71 100644 --- a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go +++ b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go @@ -28,23 +28,14 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { if err == nil { return decoded[:actualDecoded], nil } - decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) - decoded = make([]byte, decodedLength)) + decodedLength = base64.RawURLEncoding.DecodedLen(len(prev)) + decoded = make([]byte, decodedLength) actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) if err != nil { return nil, err } return decoded[:actualDecoded], nil } -func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { - decodedLength := base64.URLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err - } - return decoded[:actualDecoded], nil -} func transformPrepend(prev []byte, value string) ([]byte, error) { return append([]byte(value), prev...), nil diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index 519167f..d9db479 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -30,7 +30,7 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { if err == nil { return decoded[:actualDecoded], nil } - decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decodedLength = base64.RawURLEncoding.DecodedLen(len(prev)) decoded = make([]byte, decodedLength) actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) if err != nil { From 86eeb2221c68fbf5f19d4788e41bda4642e21f35 Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Wed, 22 Apr 2026 18:49:56 +0100 Subject: [PATCH 05/10] Padding check decision --- .../httpx/c2_code/webserver/transforms.go | 29 ++++++++++------- .../httpx/httpx/c2functions/transforms.go | 31 +++++++++++-------- 2 files changed, 35 insertions(+), 25 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go index b85bd71..d5b82ba 100644 --- a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go +++ b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go @@ -22,19 +22,24 @@ func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { - decodedLength := base64.URLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) - if err == nil { - return decoded[:actualDecoded], nil + if len(prev) > 0 { + if prev[len(prev)-1] == '=' { + decodedLength := base64.URLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) + if err == nil { + return decoded[:actualDecoded], nil + } + } else { + decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) + if err != nil { + return nil, err + } + return decoded[:actualDecoded], nil + } } - decodedLength = base64.RawURLEncoding.DecodedLen(len(prev)) - decoded = make([]byte, decodedLength) - actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err - } - return decoded[:actualDecoded], nil } func transformPrepend(prev []byte, value string) ([]byte, error) { diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index d9db479..3037b27 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -24,19 +24,24 @@ func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { - decodedLength := base64.URLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) - if err == nil { - return decoded[:actualDecoded], nil - } - decodedLength = base64.RawURLEncoding.DecodedLen(len(prev)) - decoded = make([]byte, decodedLength) - actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err - } - return decoded[:actualDecoded], nil + if len(prev) > 0 { + if prev[len(prev)-1] == '=' { + decodedLength := base64.URLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) + if err == nil { + return decoded[:actualDecoded], nil + } + } else { + decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) + if err != nil { + return nil, err + } + return decoded[:actualDecoded], nil + } + } } func transformPrepend(prev []byte, value string) ([]byte, error) { From ecb081548296ffb91991677321590dea9c51196c Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Wed, 22 Apr 2026 19:02:57 +0100 Subject: [PATCH 06/10] fix --- C2_Profiles/httpx/httpx/c2functions/transforms.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index 3037b27..683f5ce 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -35,7 +35,7 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { } else { decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) - actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) + actualDecoded, err := base64.RawURLEncoding.Decode(decoded, prev) if err != nil { return nil, err } From 751bd73e9c2e04b40d98ac543ee7e301af02404c Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Wed, 22 Apr 2026 19:06:43 +0100 Subject: [PATCH 07/10] another fix --- .../httpx/httpx/c2functions/transforms.go | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index 683f5ce..fbee720 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -24,23 +24,21 @@ func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { - if len(prev) > 0 { - if prev[len(prev)-1] == '=' { - decodedLength := base64.URLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) - if err == nil { - return decoded[:actualDecoded], nil - } - } else { - decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.RawURLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err - } - return decoded[:actualDecoded], nil + if len(prev) > 0 && prev[len(prev)-1] == '=' { + decodedLength := base64.URLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) + if err == nil { + return decoded[:actualDecoded], nil + } + } else { + decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.RawURLEncoding.Decode(decoded, prev) + if err != nil { + return nil, err } + return decoded[:actualDecoded], nil } } From 256db088cf2ad16dbf1571f4cf7005dcbd031d59 Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Wed, 22 Apr 2026 19:09:47 +0100 Subject: [PATCH 08/10] another --- .../httpx/c2_code/webserver/transforms.go | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go index d5b82ba..62b8f13 100644 --- a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go +++ b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go @@ -22,23 +22,21 @@ func transformBase64URL(prev []byte, value string) ([]byte, error) { return []byte(base64.URLEncoding.EncodeToString(prev)), nil } func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { - if len(prev) > 0 { - if prev[len(prev)-1] == '=' { - decodedLength := base64.URLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) - if err == nil { - return decoded[:actualDecoded], nil - } - } else { - decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) - decoded := make([]byte, decodedLength) - actualDecoded, err = base64.RawURLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err - } - return decoded[:actualDecoded], nil + if len(prev) > 0 && prev[len(prev)-1] == '=' { + decodedLength := base64.URLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.URLEncoding.Decode(decoded, prev) + if err == nil { + return decoded[:actualDecoded], nil } + } else { + decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) + decoded := make([]byte, decodedLength) + actualDecoded, err := base64.RawURLEncoding.Decode(decoded, prev) + if err != nil { + return nil, err + } + return decoded[:actualDecoded], nil } } From 8a54fbeebcad137864c00ff2e5861ae0ff5f5590 Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Wed, 22 Apr 2026 19:13:51 +0100 Subject: [PATCH 09/10] again --- C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go | 6 +++--- C2_Profiles/httpx/httpx/c2functions/transforms.go | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go index 62b8f13..d3b458e 100644 --- a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go +++ b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go @@ -33,11 +33,11 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) actualDecoded, err := base64.RawURLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err + if err == nil { + return decoded[:actualDecoded], nil } - return decoded[:actualDecoded], nil } + return nil, err } func transformPrepend(prev []byte, value string) ([]byte, error) { diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index fbee720..d12d3c3 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -35,11 +35,11 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) actualDecoded, err := base64.RawURLEncoding.Decode(decoded, prev) - if err != nil { - return nil, err + if err == nil { + return decoded[:actualDecoded], nil } - return decoded[:actualDecoded], nil } + return nil, err } func transformPrepend(prev []byte, value string) ([]byte, error) { From 008c44429451456d1903b49b1f9ccabc306e9ccc Mon Sep 17 00:00:00 2001 From: Steve Embling <34773749+steve-embling@users.noreply.github.com> Date: Wed, 22 Apr 2026 19:15:49 +0100 Subject: [PATCH 10/10] again --- C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go | 3 ++- C2_Profiles/httpx/httpx/c2functions/transforms.go | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go index d3b458e..b7d4fdd 100644 --- a/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go +++ b/C2_Profiles/httpx/httpx/c2_code/webserver/transforms.go @@ -29,6 +29,7 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { if err == nil { return decoded[:actualDecoded], nil } + return nil, err } else { decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) @@ -36,8 +37,8 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { if err == nil { return decoded[:actualDecoded], nil } + return nil, err } - return nil, err } func transformPrepend(prev []byte, value string) ([]byte, error) { diff --git a/C2_Profiles/httpx/httpx/c2functions/transforms.go b/C2_Profiles/httpx/httpx/c2functions/transforms.go index d12d3c3..e7ae70c 100644 --- a/C2_Profiles/httpx/httpx/c2functions/transforms.go +++ b/C2_Profiles/httpx/httpx/c2functions/transforms.go @@ -31,6 +31,7 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { if err == nil { return decoded[:actualDecoded], nil } + return nil, err } else { decodedLength := base64.RawURLEncoding.DecodedLen(len(prev)) decoded := make([]byte, decodedLength) @@ -38,10 +39,11 @@ func transformBase64URLReverse(prev []byte, value string) ([]byte, error) { if err == nil { return decoded[:actualDecoded], nil } + return nil, err } - return nil, err } + func transformPrepend(prev []byte, value string) ([]byte, error) { return append([]byte(value), prev...), nil }