b64chain

Multi-stage encoder/decoder for chained encoding operations

v1.0.2

Linux

Quick Start

Install b64chain (one-liner)

curl -fsSL https://cli.johlem.net/tools/b64chain/install.sh | bash

This drops a single Rust binary at ~/.local/bin/b64chain and verifies its SHA-256 (and Ed25519 signature, if signify is installed).

Encode and decode

b64chain encode "Hello" --chain b64                  # SGVsbG8=
b64chain encode "Hello" --chain b64,hex              # double-encoded
b64chain decode SGVsbG8= --chain b64                 # Hello
echo "secret" | b64chain encode --chain b64,rot:13   # stdin pipe
b64chain encode "HELLO" --chain xor:0x20             # parametric XOR

Auto-detect unknown blobs

b64chain identify "SGVsbG8sIHdvcmxkIQ=="     # confidence-ranked hits
b64chain decode SGVsbG8=                     # decode without --chain → auto
b64chain bruteforce NDg2NTZjNmM2Zg== --depth 3  # try nested chains

Uninstall

rm ~/.local/bin/b64chain ~/.local/bin/b64chain.bak 2>/dev/null
rm -rf ~/.local/share/b64chain/

What it does

b64chain is the swiss-army knife for layered encoding. CTF challenges, malware obfuscation, Cookie payloads, JWT introspection — wherever you find bytes wrapped in three layers of base64-over-hex-over-rot13, b64chain peels them in one pipe.

19 encoding primitives. b64, b64url, b32, b85/ascii85 (new in the Rust port), hex, url, urlall, html, rot13, rot:N, xor:KEY, ascii, binary, octal, utf8, gzip, reverse, upper, lower.
Chaining with `,` or `+`. b64chain encode "hi" --chain url,b64,hex runs three stages in sequence. Decoding reverses the chain.
Identify subcommand. Heuristic-driven auto-detect with confidence ranking. Regex patterns compiled once via OnceLock — faster than the Python original on bulk input.
Bruteforce subcommand. Try every plausible decode chain up to depth 5, rank by readability of the resulting payload.
Pipe-clean JSON. --format json on any subcommand emits a structured record with all intermediate steps for scripting and SIEM ingest.

Subcommands

Command	What it does
`encode <input> --chain <chain>`	Apply the chain left-to-right
`decode <input> [--chain <chain>]`	Reverse the chain — omit `--chain` to auto-detect
`identify <input>`	Confidence-ranked single-stage detection
`bruteforce <input> [--depth N]`	Try nested decode chains up to depth N (default 3, max 5)
`list [--format json]`	List every encoding primitive with descriptions
`docs`	In-depth usage reference

Global flags

--format raw|json|hexdump — output format (default raw)
--verbose — show per-step input → output trace
--minimal — suppress banners, emit only the result
--no-color — disable ANSI colours (auto when stdout is not a TTY)

On-disk layout

~/.local/bin/b64chain        # the static binary itself
~/.local/bin/b64chain.bak    # previous version (rollback target)
~/.local/share/b64chain/     # installed-version marker, future state

Security model: b64chain refuses to install a binary whose SHA-256 doesn't match the manifest. If signify is available, Ed25519 signature verification is mandatory — a tampered binary is rejected loudly before being placed. The tool itself does zero network I/O at runtime; everything happens locally on the bytes you hand it.

Review every script before piping into bash: install.sh · b64chain/install.sh