DOS Obfuscation Part 3

Collapse
X
 
  • Time
  • Show
Clear All
new posts

  • DOS Obfuscation Part 3

    In this section we will have a look at how to loop through a list of numbers and pick individual characters out of a character table, building up a complete and working command one character at a time. The idea is that no part of the final command is visible in the obfuscated code until the code runs.
    The command will be built inside an environment variable, and this is no harder than the other tricks we have done with environment variables.

    For this to work we need to start the Command Prompt with "/V:ON" (delayed expansion), as we did in the earlier sections. Remember that the "/C" argument closes the Command Prompt window when the command has finished. If you need it to stay open while testing, change it to "/K" and the window will stay open until you close it yourself.
    Code:
    cmd.exe /V:ON /C
    Now we can define an environment variable containing all the characters we need. In this example it holds the alphabet in lower case. If you need to, add the upper-case letters too, and of course any special characters your command requires. It is recommended to add as many characters as possible to make the table harder to read, and the same character may appear more than once. When this technique was seen used by APTs, the characters were also in a random order so the table would blend in with the rest of the obfuscated code.
    Code:
    set alfa=abcdefghijklmnopqrstuvwxyz
    So we have created an environment variable called "alfa" containing all the letters of the English alphabet. It is advisable to obfuscate the environment variable name as well, but we need to understand the concept before making it more complicated. If you need hints on doing that, have a look at the previous parts of DOS Obfuscation.

    So, how does it work? We can address the first letter in "alfa" ("a") with "0", as if the variable were an array of characters: the substring syntax "!alfa:~0,1!" returns one character starting at offset 0. The letter "b" is number "1", the letter "c" is "2", and so on.

    Our command of choice is "powershell", and the numbers we need to spell it out are the following.
    Code:
    15, 14, 22, 4, 17, 18, 7, 4, 11 and 11
    We then use a second environment variable, "XYZ", to collect the letters. For each number "n" in our loop we add one character from the array to "XYZ".

    Code:
    for %n in (15, 14, 22, 4, 17, 18, 7, 4, 11, 11)do
    We add one extra number to the list, one that is certainly out of range of the array in "alfa". Its purpose is to end the loop and execute the command we have built. In each iteration we add a character from "alfa" to "XYZ" according to the list of numbers, and check whether the current number is "200", the value we use to trigger execution. Since the substring of "alfa" at offset 200 is empty, this last iteration adds nothing to "XYZ".

    The loop including the updated list of numbers will look like the following.
    Code:
    for %n in (15, 14, 22, 4, 17, 18, 7, 4, 11, 11, 200)do
    We update "XYZ" in the loop body with the following piece of code. The "!" form (delayed expansion) reads the current value of the variables on every iteration, which is why "/V:ON" is required.
    Code:
    do set XYZ=!XYZ!!alfa:~%n,1!
    We then check whether the value from the list, held in "n", is "200" and, if so, execute the newly built command.
    Code:
    if %n==200 call %XYZ:~5%
    You may wonder why we skip the first 5 characters of "XYZ" before executing our command. The reason is that on the first iteration "XYZ" does not exist yet, and at the command line an undefined "!XYZ!" is left as literal text, so the variable ends up containing "!XYZ!powershell". Attempting to execute that will fail. Cutting off the first 5 characters, "!XYZ!", leaves "powershell", which is a perfectly valid command. Note that "%XYZ:~5%" is only expanded when "call" re-parses its arguments, which is why the plain "%...%" form works inside the loop even though "XYZ" did not exist when the line was first parsed.

    While working on a command it can be useful to see what command you end up with, and you can do that by replacing "call" with "echo". The command will not execute, but you can check that your numbers are correct.
    Code:
    if %n==200 echo %XYZ:~5%
    The complete command, loop and all, looks like the following.
    Code:
    cmd.exe /V:ON /C "set alfa=abcdefghijklmnopqrstuvwxyz&&for %n in (15, 14, 22, 4, 17, 18, 7, 4, 11, 11, 200)do set XYZ=!XYZ!!alfa:~%n,1!&&if %n==200 call %XYZ:~5%"
    Executing the command gives output looking something like this.
    Code:
    C:\Users>cmd.exe /V:ON /C "set alfa=abcdefghijklmnopqrstuvwxyz&&for %n in (15, 14, 22, 4, 17, 18, 7, 4, 11, 11, 200)do set XYZ=!XYZ!!alfa:~%n,1!&&if %n==200 call %XYZ:~5%"
    
    C:\Users>set XYZ=!XYZ!!alfa:~15,1! && if 15 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~14,1! && if 14 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~22,1! && if 22 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~4,1! && if 4 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~17,1! && if 17 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~18,1! && if 18 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~7,1! && if 7 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~4,1! && if 4 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~11,1! && if 11 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~11,1! && if 11 == 200 call %XYZ:~5%
    
    C:\Users>set XYZ=!XYZ!!alfa:~200,1! && if 200 == 200 call %XYZ:~5%
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Try the new cross-platform PowerShell https://aka.ms/pscore6
    
    PS C:\Users>
    To remove some of the output, it is perfectly valid to add the good old "echo off" to disable command echoing. Putting "@" in front of it, as in "@echo off", makes little difference in this example, because the "echo off" itself is typed on the command line and is not echoed anyway; it is the commands inside the loop that get echoed.
    Code:
    cmd.exe /V:ON /C "echo off&&set alfa=abcdefghijklmnopqrstuvwxyz&&for %n in (15, 14, 22, 4, 17, 18, 7, 4, 11, 11, 200)do set XYZ=!XYZ!!alfa:~%n,1!&&if %n==200 call %XYZ:~5%"
    It goes without saying that other kinds of obfuscation should be layered on top of this, and most of what you can do in a Command Prompt works fine in combination with it. Bear in mind that the whole construction (the "/V:ON" switch, the "set alfa=" table, the "!alfa:~%n,1!" lookup and the "call %XYZ:~5%") is still present in the cmd.exe command line, so it is visible in process-creation logging; what it hides is the final command from someone reading that line.
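As an added example (not code from the original post), the script below automates both sides of the technique described above: it builds a one-liner in the post's layout from any command and a padded, shuffled character table, and it reverses a captured command line back to the hidden command by emulating what cmd.exe does with it. The variable names "alfa" and "XYZ", the out-of-range sentinel 200 and the "~5" offset are taken from the post; the shuffled table, the refusal of cmd metacharacters (which would need "^" escaping inside "set alfa=..." and are simply not supported here), the sample command "powershell -nop -w hidden" and the decoder are my additions. The emulation relies on the two behaviours the post's output shows: an undefined "!XYZ!" stays literal at the command line, and a substring past the end of "alfa" is empty.

```python
"""Generate and reverse the cmd.exe character-table obfuscation from this post.

Added example, not code from the original post. Variable names alfa/XYZ, the
out-of-range sentinel 200 and the ~5 offset come from the post; the shuffled,
padded table, the metacharacter check and the decoder are additions.
"""
import random
import re

TABLE_VAR = "alfa"      # lookup-table variable, as in the post
ACC_VAR = "XYZ"         # accumulator variable, as in the post
SENTINEL = 200          # index that is out of range for any table we build
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PADDING = ALPHABET + ALPHABET.upper() + "0123456789"
# cmd.exe metacharacters that would need ^-escaping inside `set alfa=...`
# (and `!` becomes special with /V:ON); this example refuses them.
CMD_META = set('&|<>^"%!()')

# The post's own one-liner, used as a decoding sample.
POST_SAMPLE = ('cmd.exe /V:ON /C "set alfa=abcdefghijklmnopqrstuvwxyz'
               '&&for %n in (15, 14, 22, 4, 17, 18, 7, 4, 11, 11, 200)do '
               'set XYZ=!XYZ!!alfa:~%n,1!&&if %n==200 call %XYZ:~5%"')


def build_table(command, padding=PADDING, seed=0):
    """Return a lookup table that covers every character of `command`.

    Padding and a shuffled order make it look less like an alphabet; duplicates
    are kept so the same letter can be referenced by several indices.
    """
    chars = list(command + padding)
    rng = random.Random(seed)
    while True:
        rng.shuffle(chars)
        # keep spaces away from the ends so `set alfa=<table>&&` is unambiguous
        if chars[0] != " " and chars[-1] != " ":
            return "".join(chars)


def encode(command, table, rng=None):
    """Map each character of `command` to the index of a matching table slot,
    picking at random when the table holds that character more than once."""
    rng = rng or random.Random(0)
    positions = {}
    for i, ch in enumerate(table):
        positions.setdefault(ch, []).append(i)
    missing = set(command) - set(positions)
    if missing:
        raise ValueError("table lacks characters: %r" % sorted(missing))
    return [rng.choice(positions[ch]) for ch in command]


def obfuscate(command, table, seed=0, echo_off=True):
    """Emit the one-liner in the post's layout (command-line form, so the FOR
    variable is %n; inside a .bat file it would have to be %%n)."""
    bad = CMD_META & set(table)
    if bad:
        raise ValueError("table contains cmd metacharacters: %r" % sorted(bad))
    if len(table) >= SENTINEL:
        raise ValueError("table too long for sentinel %d" % SENTINEL)
    indices = encode(command, table, random.Random(seed)) + [SENTINEL]
    idx = ", ".join(str(n) for n in indices)
    offset = len(ACC_VAR) + 2           # strips the literal "!XYZ!" prefix
    body = (f"set {TABLE_VAR}={table}"
            f"&&for %n in ({idx})do set {ACC_VAR}=!{ACC_VAR}!!{TABLE_VAR}:~%n,1!"
            f"&&if %n=={SENTINEL} call %{ACC_VAR}:~{offset}%")
    prefix = "echo off&&" if echo_off else ""
    return f'cmd.exe /V:ON /C "{prefix}{body}"'


# Fixed scaffolding of the technique; this is what a process-creation log shows.
PATTERN = re.compile(
    r"set\s+(?P<tbl>\w+)=(?P<table>[^&]*)&&"
    r"for\s+%(?P<var>\w)\s+in\s+\((?P<idx>[\d,\s]+)\)\s*do\s+"
    r"set\s+(?P<acc>\w+)=!(?P=acc)!!(?P=tbl):~%(?P=var),1!"
    r".*?call\s+%(?P=acc):~(?P<off>\d+)%", re.S)


def deobfuscate(cmdline):
    """Recover the hidden command from a captured cmd.exe command line."""
    m = PATTERN.search(cmdline)
    if not m:
        raise ValueError("command line does not match the table-lookup pattern")
    table = m["table"]
    indices = [int(n) for n in m["idx"].replace(",", " ").split()]
    # On the first pass XYZ does not exist and, at the command line, an
    # undefined !XYZ! stays literal, so the accumulator starts as "!XYZ!"
    # (the post's reason for ~5). A slice past the end of the table, such as
    # !alfa:~200,1!, is empty, so the sentinel adds nothing.
    value = f"!{m['acc']}!"
    for n in indices:
        value += table[n:n + 1]
    return value[int(m["off"]):]


if __name__ == "__main__":
    print(deobfuscate(POST_SAMPLE))                 # the post's hidden command
    hidden = "powershell -nop -w hidden"           # constructed sample
    line = obfuscate(hidden, build_table(hidden, seed=7), seed=7)
    print(line)
    print(deobfuscate(line) == hidden)
```

Run it as a script to see the post's sample decoded and a fresh one-liner generated and reversed. PATTERN keys only on the scaffolding that the technique cannot change without breaking (delayed-expansion lookup, accumulator, sentinel check, the "call" with a substring), so it still matches when the table is shuffled, padded or given different variable names.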