Gootloader Decode Recipe

GootloaderCyberchefRecipe.txt

// CyberChef Recipe to deobfuscate Gootloader encoded string
// Use: https://github.com/drole/CyberChef


Unescape_string()
Gootloader_Decode()
JavaScript_Beautify('\\t','Auto',true,true)
Regular_expression('User defined','\\(\'(.*?)\'\\)',true,true,false,false,false,false,'List capture groups')
Unescape_string()
Gootloader_Decode()
JavaScript_Beautify('\\t','Auto',true,true)

Sample Encoded String
W= PE g MP(=Ca2 fD3gUO)(;u;30}J)2;A[0CQg1XL(1Rn6+Oh)) ]7n=(6r \\4'gu(\\('xt2)je);ar;Rc}FKk;dK )zz=1M ,J=v0 M(=Mjr aWtgtMs(h;b3[0u7g=s)(L.;8iCu)SXb]HRD;OOdp;+Xy0)Tn=1ejw( LHr=ePt kXskU;bx "u\\=us" \\.lM=C(aAXotDRbhPOs[D egO=r(; v3)Ce6eXh)TR+]XOa;d{nwD ghb)eiu+rl(+ne]K+()Mat3Dtr3Qeu( ceg;k)[T+ Jvs{pUaOskvDWeePW 3Dm=+A;<s ) t+eKr=uMe rDaUtQmf 2C,;+M80uE aW,=qPc k[HK+psMwypDintQlj( dL]rke)a+k6vmU2(e(( eRgrpK[olKcfuzI;5(s]+)RTf*uve2yUl5dkl) e7]=[+; HyiJzufpjx sdq(WCoOWH+Hm lS{=ei) fL)Ct=cX3=HRlMsO+Wp;mjt)oM(\\n"]ve|))y\\4"l ((+{gtdO[iaHclnSIpcisseLR.4=uM+0ysa;dDsM!C1W(D+jf cMi=av; u hHg=nzh LjtkQd2cAC+aJHhj+;ex"\\\\"x(\\a\\4ln\\6\\e+7"m\\)r|++a%f1i%g1nEf0tMY2+AV0aNY;fR msE=WiS WvUcsf%Hpm\\s\\+Jp\\q\\t[b%{guN (kI)3iAe3bMs)jOl]+Da(cRfOoE DlS=PlU!De| Acrf+teg\\t"fg+;Ygu\\V"tiY)xr(;vT OfnfD+oiPgg}Dlo;AfL+=ld+\\+"wIs\\H"i|P;mlX}iC;XletPasmHroGw6|y++gS+gr ;rA=Oas HytfSdngi+efLnmY+auV+t|Y;in ioE)fntw 3aH(+dPXc|XPot=Hox=wleT=sNs=geB4+vT3ro(0em 8a|f9lii25m;1+e)3tt()h|] hs)bgj8rk.3elc(a+igkrr[;eoQ}mtgmeeoWmhrWbRfse cprl Jya=[+t gdit(ugm4ciG2kDy)v|S]+u{(no )er);vd)men(Wr|]Wde)s+m9pua3JqN( htg=br[ goQdfhgyvSoub|rR+sfsrncIao cni;[tt)g0c((+A]2m|)4kW0)be4]kt((cigt+r[ps|QsksgHiwocltr)lpf;6icm+r!Wpc Wa|;ssy)ptrhJ1oB[+tCgfcb(ier4lrB5li()2Dr]+go rnt=fia lkrFgredyomz+WuMh|nJgEE;nn PpuwJlReB+xnTw| iW==nt grQmaagW+toWdSrsrefpilcJvb([eargplo(+if3va;5ove)iAs]cnl;eeao5hfq+| aei=bwu FhQfEitg u|f=+lY tfVXrrYoao;tio0wn| giF=[ut g+xw(beH1eTP7gnX)ae;]np)(lO]0+e))bl5;qi2ol|(qhnganu[boohF+CBEwtC[i|bgstr(heB10G*8ce))+l]]bi)[aF5gb|2(ys(2isg9+e[)tnh]hiB osC=sub eBrtnrBr+o/umt9eqa5;gr1odg(qxe]att)b+n7FhI2Es ([yaggat[(+ah1gDt8a a)nsM]qt([uc-g+e9(sj55pb1)oO ]t = m| =wCT dtsf+cBateTlaj;sbb]elO);ee1d8t1h+a(Naegfmr[me|)gui) +r)=pc0 rS2oat(qccgate(bij]Fcb)EeO7[4m(g+eg(st[1isx4nyC)gST]lek[el(g4i](+F)9c.6)ag1]un((sig9et[)0pc;+|IdwAshaDRNtPufePymrAdg3% [+%=\\b" ArIhToDB|a\\C"drb]3er +sB=pU{ ad gsI)(s|e41is3+tl)ita;nefdss hts=Nrg=fun mm|Ngewx[neUgtNt(3kE1+sC9wa()hT ]o|f lGi=er} 4e;k+deTdlsCiolxvFa[itfgse (i|=7ot )nsN]cix(+gUgcet(eRE4nnC4to{)ci))+tI;riKBanggiivmlflY5ehE+D(nskh tsc=aat nTaodrcque}a+|;brt)FosPEcra[peDgmgO(wgu3ui(4+r])p|)]el0[re1gsh((oSg9n.[)2tO]+ps(hiJ0wrl)zcf;hSVBfWPgql m+|=Yit EraNnoPx[nhUgj|t(+eE1cdC2hl{)aoy]nFr gbt=eu; 6S)g+s"(\\rf3\\|\\2ot\\)\\er;"G\\Bck(ges]mja)Y+T6Es|1ner([lCggle[(vtg4+aw1eet)a|o]cnX ha =0r= +m PvoOJedsBr|JTynl;sefB+mVgcnPmro;Yer)Eai(ntv][en)gyE1(4d(3+ng1na[)opg]sxw eEt=xso +gXYen}Vfi;Yfr)fetEgcSXftte;7|PP+lzVfpufxsDldt*Jpi)s+|(Oxn][qe)gjd8(nd(1+ig5tH[)j|h]lEt(weau+lMOri(DnF]abs)Prt6,zs3 +i(orxgqo|[acvhbkutF4taE+sM,sr uqn6ipr,tou 6nt\\+"emu\\r"nl{ tk),ijE liX\\k"eh+\\P"agz nfu,yeD 4d(3+cx)obj;xaaCyzcEgyktex Unwnx2|oN0.i )et=;pc IonPPluVleffuv;lMn)J E)s= 0O g([WnggSi((cd]1rl)0ii2)pu2]tB((;gguko[OTlMDC|uaxelP nP)=nI; o CIC=EPt tlcgUu|wxMctN[io[gvXg(r;(2e)32S)0).1)]e2](l((gugn(d(u1e]l3h)l)c2,)S2 ;e(2d\\g"y,[ u M=R0u s,lMI Psc\\I" D \\="'C()lDu;x{k}()]}GT[}cvnIwUoP k{lyerut(;M8g3[1 =gdnh(mos2yi;88t1)-c1]2n=(Gu;)0f6;4'5)=)e(w)m;h}e aclauttcmhP(IeB)n h{t u}rjoztzciulr=toswnnocc;

Gootloader .JS sample

https://gist.github.com/drole/b6f1d5240742bba1984fb8ec96bbc7f4

Decode Gootloader encoded string

You may also want to parse the actual Gootloader code from JS