{%hackmd C76nuH1pTfedlTW7n2cwbQ %} # Cyber Chef Recipes ## Infosec ### Telegram Decoder: ```md URL_Decode() Regular_expression('User defined','(?<=startapp=)[a-zA-Z0-9+/=]+',true,true,false,false,false,false,'List matches') From_Base64('A-Za-z0-9+/=',true,false) ``` ## Cryptocurrency - Arkham Specific ### Extract Arkham Used to extract unique ethereum addresses from Arkham Intelligence URL links and return them as line feed instances ```md URL_Decode() Regular_expression('User defined','\\b(0x)?[A-Fa-f0-9]{40}\\b',true,true,false,false,false,false,'List matches') Unique('Line feed',false) ``` ### Profile Labels Used to make consistent, profile labels for ethereum Anonymous account instances ```md Regular*expression('User defined','0x[a-fA-F0-9]{8}',true,true,false,false,false,false,'List matches') Find*/_Replace({'option':'Regex','string':'^'},'Anon (',true,false,true,false) Find_/\_Replace({'option':'Regex','string':'$'},')',true,false,true,false) ``` ### Ethereum Cluster Splice Used to normalize data from Ethereum datasets and output them as user specified address cluster counts for use via Arkham intelligence ```md Regular*expression('User defined','\\b(0x)?[A-Fa-f0-9]{40}\\b',true,true,false,false,false,false,'List matches') Find*/_Replace({'option':'Regex','string':'((?:0x[a-fA-F0-9]{40}\\n?){10})'},'\\nhttps://platform.arkhamintelligence.com/visualizer/entity/\\n$1',true,false,true,false) Find_/_Replace({'option':'Regex','string':'\\n(0x[a-fA-F0-9]{40})'},',$1',true,false,true,false) Find_/\_Replace({'option':'Regex','string':'entity/,'},'entity/',true,false,true,false) ``` <br /><br /> <details> <summary> Expand for more Cryptocurrency Regular Expressions(Regex) Below</summary> <p> ### BTC (Bitcoin): Matches legacy and Bech32 addresses. Format: ```javascript \b(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}\b ``` ### BCH (Bitcoin Cash): Matches both prefixed and plain formats. Format: ```javascript \b(bitcoincash:|bchreg:|bchtest:)?(q|p)[a-z0-9]{41}\b ``` ### ETH (Ethereum): Matches 40 hexadecimal characters, optionally prefixed with 0x. Format: ```javascript \b(0x)?[a-fA-F0-9]{40}\b ``` ### LTC (Litecoin): Matches Litecoin address formats starting with L, M, or 3. Format: ```javascript \b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b ``` ### DOGE (Dogecoin): Matches Dogecoin addresses. Format: ```javascript \bD{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}\b ``` ### DASH: Matches Dash addresses. Format: ```javascript \bX[1-9A-HJ-NP-Za-km-z]{33}\b ``` ### XMR (Monero): Matches Monero standard addresses. Format: ```javascript \b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b ``` ### NEO: Matches NEO addresses. Format: ```javascript \bA[0-9a-zA-Z]{33}\b ``` ### XRP (Ripple): Matches XRP addresses. Format: ```javascript \br[0-9a-zA-Z]{33}\b ``` ### USDT on Ethereum (ERC20): Matches USDT on Ethereum addresses. Format: ```javascript \b(0x)?[a-fA-F0-9]{40}\b ``` USDT on TRON (TRC20): Matches USDT on TRON addresses. Format: ```javascript \bT[0-9a-zA-Z]{33}\b ``` ### ADA (Cardano): Matches Cardano addresses. Format: ```javascript \baddr1[0-9a-z]{58}\b ``` ### DOT (Polkadot): Matches Polkadot addresses. Format: ```javascript \b[1-9A-HJ-NP-Za-km-z]{48}\b ``` ### BNB (Binance Coin, BEP2): Matches Binance Coin addresses. Format: ```javascript \b(bnb1)[0-9a-z]{38}\b ``` ### SOL (Solana): Matches Solana addresses. Format: ```javascript \b[1-9A-HJ-NP-Za-km-z]{32,44}\b ``` </p> </details>