danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Parsing error: "The Unicode escape sequence is not valid." #21

Closed hxmaudit closed 6 years ago

hxmaudit commented 6 years ago

Hey there.

Great project, and looking forward to playing with it moving forward.

I'm running PS 6.0.0-beta on Linux (Ubuntu), and trying to obfuscate a couple of payloads but keep getting a 'The Unicode escape sequence is not valid' error. I'm unsure if this is due to my environment, or if it's the latest beta of PS itself.

Let me know if you need more info or need me to test something. Thanks!

Name                           Value
----                           -----
PSVersion                      6.0.0-beta
PSEdition                      Core
GitCommitId                    v6.0.0-beta.5
OS                             Linux 4.4.* UTC 2017
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Command and output:

$ powershell -Command 'Invoke-Obfuscation -ScriptPath data/misc/ToObfuscate.ps1 -Command "Token,All,1" -Quiet | Out-File -Encoding ASCII data/misc/Obfuscated.ps1'
Exception calling "Create" with "1" argument(s): "At line:55 char:34
+         ${e`MA`i`LsuB`jEcT} = ${s`ubjE`CT}
+                                  ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:83 char:12
+         ${o`ut`loOk} = Get-OutlookInstance
+            ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:100 char:71
+ ... stem.Runtime.Interopservices.Marshal]::ReleaseComObject(${o`uTlO`oK}) ...
+                                                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:121 char:32
+         [System.__ComObject]${o`utlook},
+                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:156 char:16
+             ${r`u`LEs} = ${M`Api}.DefaultStore.GetRules()
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:159 char:31
+             ${S`UBte`XT} = ${R`uLe}.Conditions.Subject
+                               ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:162 char:16
+             ${s`ubte`xt}.Text = ${F`LA`gS}
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:168 char:20
+                 ${n`ulL},
+                    ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:240 char:17
+         [int]${n`um}
+                 ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:303 char:51
+     ${val`UE} = ${OLd`Efau`l`TfOlDERs}.Item(${DeFa`ul`TFOLDEr`N`AME})
+                                                   ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
Not all parse errors were reported.  Correct the reported errors and try again."
At /usr/local/share/powershell/Modules/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ParseException

cobbr commented 6 years ago

'u' was added as a special character in PS 6.0 and needs to be upper-cased to be preceded by a ` mark. This has been updated and should be fixed as of: 950785e5f846fb0e8d3be8484d2ba466c2340469
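
The rule stated in the error output above, as an added example (not part of the issue thread or of Invoke-Obfuscation): a Python check that reports each `u inside a ${...} variable name that does not form the `u{hex} sequence the PowerShell 6 parser requires. The sample lines are copied from the error output in this issue; the function names are assumptions, and only braced variable names are scanned, not strings or other tokens.

```python
import re

# Escape form the PowerShell 6 parser accepts, per the error text in this issue:
# `u{ followed by one to six hex digits and a closing '}'.
VALID_UNICODE_ESCAPE = re.compile(r"`u\{[0-9A-Fa-f]{1,6}\}")

def invalid_unicode_escapes(line):
    """Return the 1-based column of each `u inside ${...} that is not a valid `u{hex}."""
    cols, i, in_var = [], 0, False
    while i < len(line):
        if not in_var:
            if line.startswith("${", i):
                in_var, i = True, i + 2
            else:
                i += 1
        elif line[i] == "`":
            m = VALID_UNICODE_ESCAPE.match(line, i)
            if m:
                i = m.end()          # well-formed escape: skip it whole
                continue
            if line.startswith("`u", i):
                cols.append(i + 1)   # column of the backtick, as in the parser output
            i += 2                   # backtick plus the character it escapes
        else:
            in_var = line[i] != "}"  # closing brace ends the variable name
            i += 1
    return cols

def scan(script):
    """Return (line, column) pairs for every rejected `u in a script's text."""
    return [(n, c) for n, text in enumerate(script.splitlines(), 1)
            for c in invalid_unicode_escapes(text)]

# Lines copied from the error output in this issue (indentation rebuilt with spaces).
SAMPLE = [
    " " * 8 + "${e`MA`i`LsuB`jEcT} = ${s`ubjE`CT}",           # reported at char:34
    " " * 8 + "${o`ut`loOk} = Get-OutlookInstance",            # reported at char:12
    " " * 12 + "${S`UBte`XT} = ${R`uLe}.Conditions.Subject",   # reported at char:31
]

if __name__ == "__main__":
    for line_no, col in scan("\n".join(SAMPLE)):
        print(f"line {line_no} char:{col}: `u is not a valid Unicode escape")
```

The upper-case `U in ${S`UBte`XT} is not flagged, which matches both the parser output above (only char:31 is reported on that line) and the fix described in the comment.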