Converting Integers to Hex with CyberChef – Recipe 1

About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

While analyzing malware, it’s common to encounter situations where you need to disassemble code sourced from an integer array. However, when you attempt to use the ‘To Hex’ function in CyberChef, it won’t work.

The solution is to employ the ‘To Base’ operation with a radix value of 16.

I was working on an initial .NET file that drops AsyncRAT. It contains following code to evade AMSI and found this sample from OALABS Twitch stream.


For a quick guide to converting the integer array into Hex, padding zeros, and disassembling the code using CyberChef tool, follow the steps detailed below.

.NET code for AMSI Bypass
.NET code for AMSI Bypass

Complete CyberChef Recipe

Fork(',',' ',false)
Disassemble_x86('32','Full x86 architecture',16,0,true,true)

Step 1

184, 87, 0, 7, 128, 195

We’ll employ the Fork operation to separate the input based on the ‘,’ delimiter, then proceed to run the next operation on each individual integer.

Step 1 - CyberChef using Fork
Step 1 CyberChef Recipe using Fork

Step 2

Using the To Base operation with a radix of 16, convert the integers to hex. Then, use the Merge operation to consolidate all the inputs into a single string.

Step 2 - CyberChef using To Base
Step 2 - CyberChef using To Base

Final step

Upon completion of the previous steps, it’s likely that some of the hex bytes are missing a leading zero.

b8 57 0 7 80 c3

Let’s fix this using a simple regex \b(\w)\b to detect single characters and replace the matches with 0$1 to add an extra zero in front.

Once adjusted, you can either leverage an online disassembler or the built-in CyberChef Disassemble x86 operation.

Last Step CyberChef Recipe

And there we have it – our integer array has been decoded to code:
b8 57 00 07 80  mov eax,0x80070057
c3               ret

This code helps in AMSI bypass, for more details please read this AMSI Bypass Using Memory Patching

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

Don’t forgot to join the newsletter for the latest updates about malware analysis & DFIR journey. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.

Related Posts