Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Unpack

Unpack pattern

Intent

This pattern extracts sub-objects from a grouping or aggregate under a super-object.

Motivation

There were many occurrences of grouping objects but few explicit mentions of the inverse. However, many grouping actions are reversible processes, meaning that an inverse operation is implied, such as by decompressing, de-obfuscating, decoding, and decrypting objects. These actions reduce to transferring objects out of a super-object.

Possible use cases

Use Unpack when:

  • Extracting the constituents of an aggregate of objects.
  • Recovering objects expressed in another intermediate format.
  • Extracting container objects or executable objects hidden inside other objects.
  • Extracting multiple objects collected in an archive.
  • Decompressing a singular object to retrieve its constituents.
  • Decoding objects expressed in a different format.
  • Decrypting enciphered objects.
  • Extracting embedded objects.
  • Unwrapping encapsulated objects.

Code example

asset Host {
 | decompress >
    A> self / ~files[Compressed].sub.host

 | decrypt >
    A> self / keys.ciphertext.sub.host
    R> keys / ciphertext
}

asset File {}
asset Compressed extends File {}
asset EncryptionKey {}

associations {
  Host [host] 1 <-- Contains --> * [files] File
  File [super] 1 <-- Nesting --> * [sub] File
  Host [host] * <-- Carry --> * [keys] Key
  Key [key] 1 <-- Crypto --> * [ciphertext] File
}

Possible synonyms

•decode •decrypt •deobfuscate

Occurrences

ATT&CK

•Deobfuscate/decode files or information