Simple string decryption for Vodoo string encryption samples.
Vodoo is a custom obfuscator that is primarily used in low-effort credential stealer malware.
Either drag and drop the file onto the executable or run it from the command line:
VodooDecrypt.exe <path_to_file>
VodooDecrypt will create a new file with the decrypted strings in the same directory as the input file, appending _decrypted to the original filename.
Make sure the supplied file is a valid .NET assembly; otherwise VodooDecrypt will fail to process it.
Encrypted strings in a sample assembly:
Decrypted strings after running VodooDecrypt:
You can identify Vodoo string encryption by looking at calls to the decryption method. Calls follow this pattern and usually show Chinese or other Unicode characters in the string argument:
ldstr "encrypted_string"
ldc.i4 12 // some integer
call string decrypt(string, int)
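The call pattern above can be searched for mechanically when triaging a sample. The following is an added example, not part of VodooDecrypt: a Python scanner over a textual IL listing that finds every `ldstr` / `ldc.i4` / `call string(string, int)` triple and ranks the called methods by how often they receive non-ASCII string literals. The listing format, the sample instructions and the names in them (`a.b::c`, `Util::Repeat`) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed IL listing (not from a real sample). Assumed format: optional
# IL_xxxx label, opcode, operand, with string literals shown in quotes.
SAMPLE_IL = """
IL_0000: ldstr "\u4e71\u7801\u5b57\u7b26"
IL_0005: ldc.i4.s 12
IL_0007: call string a.b::c(string, int32)
IL_000c: stloc.0
IL_000d: ldstr "\u8c03\u8bd5\u4fe1\u606f"
IL_0012: ldc.i4 300
IL_0017: call string a.b::c(string, int32)
IL_001c: stloc.1
IL_001d: ldstr "ab"
IL_0022: ldc.i4.3
IL_0023: call string Util::Repeat(string, int32)
IL_0028: ldstr "done"
IL_002d: call void [mscorlib]System.Console::WriteLine(string)
"""

INSTR = re.compile(r"^\s*(?:IL_[0-9a-fA-F]+:\s*)?(\S+)\s*(.*)$")
LDC_I4 = re.compile(r"^ldc\.i4(\.s|\.m1|\.[0-8])?$")  # all int32 load forms
CALL_SIG = re.compile(r"^string\s+(\S+)\s*\(\s*string\s*,\s*int(?:32)?\s*\)$")

def ldc_value(opcode, operand):
    """Integer pushed by an ldc.i4 variant (short forms encode it in the opcode)."""
    suffix = LDC_I4.match(opcode).group(1)
    if suffix in (None, ".s"):
        return int(operand, 0)
    return -1 if suffix == ".m1" else int(suffix[1:])

def find_decrypt_calls(listing):
    """Return every ldstr / ldc.i4 / call string(string, int) triple."""
    ins = [m.groups() for m in map(INSTR.match, listing.splitlines()) if m]
    hits = []
    for (op1, a1), (op2, a2), (op3, a3) in zip(ins, ins[1:], ins[2:]):
        sig = CALL_SIG.match(a3.strip())
        if op1 == "ldstr" and LDC_I4.match(op2) and op3 == "call" and sig:
            literal = a1.strip().strip('"')
            hits.append({"callee": sig.group(1), "key": ldc_value(op2, a2.strip()),
                         "literal": literal, "non_ascii": not literal.isascii()})
    return hits

def rank_candidates(hits):
    """Callees ranked by how many non-ASCII literals they receive."""
    return Counter(h["callee"] for h in hits if h["non_ascii"]).most_common()

if __name__ == "__main__":
    for callee, count in rank_candidates(find_decrypt_calls(SAMPLE_IL)):
        print(f"{callee}: {count} call(s) with non-ASCII string arguments")
```

A `string(string, int)` call with an ASCII-only argument, like `Util::Repeat` in the constructed listing, still matches the pattern but is left out of the ranking, which keeps ordinary helper methods from being reported as the decryption method.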
You can also identify it by looking for the decryption method itself, which will look like this: