This blag post describes my thought process during identification of the string deobfuscation method in a sample belonging to the <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader">Zloader</a> malware family. Specifically, I wanted to identify the function or functions responsible for string deobfuscation using only static analysis and Ghidra, understand the algorithm, emulate it in Java and implement a Ghidra script to deobfuscate all strings in a binary of this family.
The target audience of this post are people who have some experience with static reverse engineering and Ghidra, but who have always asked themselves how the f those reversing wizards identify specific functionality within a binary without wasting hours, days or weeks.