XORSearch

XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has its bytes rotated by a certain number of bits (the key). A ROT encoded file has its alphabetic characters (A-Z and a-z) rotated by a certain number of positions. A SHIFT encoded file has its bytes shifted left by a certain number of bits (the key): all bits of the first byte shift left, the MSB of the second byte becomes the LSB of the first byte, all bits of the second byte shift left, … XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs.

XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7), ROT keys (1 to 25) and SHIFT keys (1 to 7) when searching. I programmed XORSearch to include key 0, because this allows searching an unencoded binary file (X XOR 0 equals X).

If you think the file is encoded with a 32-bit XOR key, use option -k. Normally, XORSearch does a brute-force attack with 8-bit keys and smaller; a 32-bit key brute-force attack would take too long. Option -k instructs XORSearch to do a 32-bit dictionary attack instead of an 8-bit brute-force attack. The dictionary is extracted from the file itself: it is assumed that the 32-bit key is inside the file as a sequence of 4 consecutive bytes (both byte orders, MSB-first and LSB-first, are tried). Key 0x00000000 is excluded.

If the search string is found, XORSearch will print it until the 0 (byte zero) is encountered or until 50 characters have been printed, whichever comes first. 50 is the default value; it can be changed with option -l. Unprintable characters are replaced by a dot.

Usage: XORSearch [-siuhkpwWLxrS] [-l length] [-n [-+]length] [-f search-file] [-e byte] [-d encodings] file [string|hex|rule]
XORSearch V1.11.3, search for a XOR, ROL, ROT, SHIFT or ADD encoded string in a file
Use filename - to read from stdin
Use -x when the file to search is a hexdump
Use -s to save the XOR, ROL, ROT, SHIFT or ADD encoded file containing the string
Use -l length to limit the number of printed characters (50 by default, 38 with option -p)
Use -i to ignore the case when searching
Use -u to search for Unicode strings (limited support)
Use -r to reverse the file before searching
Use -f to provide a file with search strings
Use -n [-+]length to print neighbouring characters (before & after the found keyword)
Use -h to search for hex strings
Use -k to decode with embedded keys
Use -S to print all strings
Use -p to search for PE-files
Use -w to search with wildcards
Use -W to search with embedded wildcards
Use -L to list embedded wildcards
Use -e to exclude a particular byte-value from encoding
Use -d to disable encoding(s) 1: XOR 2: ROL 3: ROT 4: SHIFT 5: ADD
Options -l and -n are mutually exclusive
Options -u and -h are mutually exclusive
Options -k and -e are mutually exclusive
Option -p is not compatible with options -i, -u, -h, -n and -r
When using -p, do not provide a search string or use -f
When using -W, do not provide a search string or use -f
Use option -L without arguments or other options
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Compiled with Windows gcc, Linux gcc and Xcode gcc.

Download:

Thanks to Google, I can no longer host this program on my own site. More info: FalsePositive GitHub Repository.

XORSearch_V1_11_4.zip

MD5: E66290D1EB15D9394C8D1264A09ECFE6

SHA256: BF20A1D76AAD83FC3AABEDC6DDC7F96B655DC94BEC3FA276A50AF6046EBB554C

XORStrings

XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0x00, but you can provide your own with option -t, like the space character (0x20) in this example:

The output can also be formatted as a CSV file: use option -c to achieve this.

To dump the longest string found with each encoding and key, use option -d.

To view all strings with a particular encoding and key, use options -o and -k, like this:

xorstrings -o XOR -k 0x20 sample.exe

And to save the decoded files, use option -s. Files will be saved with an extension indicating the encoding and the key.
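As an added illustration of how both tools work (this is example code written for this page, not Didier Stevens' code and not taken from the XORSearch or XORStrings sources), the Python below re-implements the brute-force search loop described in the XORSearch section above, the -k style dictionary of embedded 32-bit keys, and the per-key string census that XORStrings reports. The sample "file", the URL example.invalid and the key 0x11223344 are constructed for the example. Three details are assumptions, not documented behaviour of the real tools: each encoding is applied in the forward direction only (enough, because every key is tried, so the inverse is found at another key), the repeating 32-bit key stream is assumed to start at file offset 0, and a "string" for the census is a run of printable bytes of at least the minimum length that ends at the terminator byte.

```python
"""Added example, not Didier Stevens' code: XORSearch's brute-force search (8-bit keys,
plus the -k embedded 32-bit key dictionary) and XORStrings' per-key string census."""

MAX_PRINT = 50  # XORSearch prints at most 50 characters of a hit (option -l)
KEY_RANGES = {  # key spaces the page lists for each encoding
    "XOR": range(0, 256), "ROL": range(1, 8), "ROT": range(1, 26), "SHIFT": range(1, 8),
}


def transform(data: bytes, enc: str, key: int) -> bytes:
    """Apply one encoding with one key to the whole buffer, forward direction only. Since
    every key is tried, ROL k is undone at key 8-k, ROT k at 26-k, and a k-bit left SHIFT
    at 8-k (the plaintext then lands one byte earlier)."""
    if enc == "XOR":
        return bytes(b ^ key for b in data)
    if enc == "ROL":  # rotate each byte left by `key` bits
        return bytes(((b << key) | (b >> (8 - key))) & 0xFF for b in data)
    if enc == "ROT":  # rotate A-Z and a-z by `key` positions, leave other bytes alone
        rot = lambda b, base: (b - base + key) % 26 + base
        return bytes(rot(b, 65) if 65 <= b <= 90 else rot(b, 97) if 97 <= b <= 122 else b
                     for b in data)
    if enc == "SHIFT":  # shift the whole buffer left by `key` bits, across byte boundaries
        padded = data + b"\x00"
        return bytes(((padded[i] << key) | (padded[i + 1] >> (8 - key))) & 0xFF
                     for i in range(len(data)))
    raise ValueError(f"unknown encoding {enc}")


def xorsearch(data: bytes, needle: bytes, max_print: int = MAX_PRINT) -> list:
    """Try every encoding/key; return (encoding, key, offset, shown) hits, where shown is
    the decoded text up to the first NUL or max_print characters, unprintables as dots."""
    hits = []
    for enc, keys in KEY_RANGES.items():
        for key in keys:
            candidate = transform(data, enc, key)
            pos = candidate.find(needle)
            while pos != -1:
                chunk = candidate[pos:pos + max_print].split(b"\x00", 1)[0]
                shown = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
                hits.append((enc, key, pos, shown))
                pos = candidate.find(needle, pos + 1)
    return hits


def embedded_key_candidates(data: bytes) -> set:
    """-k dictionary: every run of 4 consecutive bytes, read both byte orders, key 0 excluded."""
    keys = set()
    for i in range(len(data) - 3):
        keys.add(int.from_bytes(data[i:i + 4], "big"))
        keys.add(int.from_bytes(data[i:i + 4], "little"))
    keys.discard(0)
    return keys


def xorsearch32(data: bytes, needle: bytes) -> list:
    """32-bit dictionary attack: XOR the buffer with each candidate as a repeating 4-byte
    key (assumed to start at offset 0); return (key, offset) hits."""
    hits = []
    for key in sorted(embedded_key_candidates(data)):
        kb = key.to_bytes(4, "big")
        candidate = bytes(b ^ kb[i % 4] for i, b in enumerate(data))
        pos = candidate.find(needle)
        if pos != -1:
            hits.append((key, pos))
    return hits


def xorstrings_report(data, min_len=5, terminator=0, sort_by_max=False) -> list:
    """Per encoding/key: (encoding, key, count, average length, maximum length) of printable
    runs of at least min_len bytes ended by the terminator (end of data counts too, an
    assumption). Sorted by count, or by maximum length when sort_by_max is set (option -m)."""
    rows = []
    for enc, keys in KEY_RANGES.items():
        for key in keys:
            lengths, run = [], 0
            for b in transform(data, enc, key) + bytes([terminator]):
                if b == terminator:
                    if run >= min_len:
                        lengths.append(run)
                    run = 0
                else:
                    run = run + 1 if 32 <= b < 127 else 0
            if lengths:
                rows.append((enc, key, len(lengths), sum(lengths) / len(lengths), max(lengths)))
    rows.sort(key=lambda r: r[4] if sort_by_max else r[2], reverse=True)
    return rows


# Constructed sample "file": header-like junk, a hidden URL, a trailing string.
SECRET = b"http://example.invalid/c2"
PLAIN = b"MZ\x90\x00junk\x00" + SECRET + b"\x00trailing\x00"
KEY32 = 0x11223344  # constructed 32-bit key, stored in clear at offset 0 of the XOR32 sample


def demo_samples() -> dict:
    """Encode PLAIN once per encoding (whole buffer), plus a repeating-32-bit-key variant."""
    kb = KEY32.to_bytes(4, "big")
    return {
        "XOR": transform(PLAIN, "XOR", 0x5A), "ROL": transform(PLAIN, "ROL", 3),
        "ROT": transform(PLAIN, "ROT", 3), "SHIFT": transform(PLAIN, "SHIFT", 2),
        "XOR32": kb + bytes(b ^ kb[i % 4] for i, b in enumerate(PLAIN)),
    }


if __name__ == "__main__":
    for name, sample in demo_samples().items():
        print(name, xorsearch(sample, SECRET) or xorsearch32(sample, SECRET))
    print(xorstrings_report(demo_samples()["XOR"])[:3])
```

Running the block prints, for each constructed sample, the encoding and key at which the URL reappears: the XOR sample at key 0x5A, the ROL 3 sample at ROL key 5, the ROT 3 sample at ROT key 23, and the SHIFT 2 sample at SHIFT key 6 one byte earlier, which is why a search tool only needs keys 1 to 7 for ROL and SHIFT. The 8-bit loop finds nothing in the 32-bit sample, and only the dictionary attack recovers it, at the cost of one full pass over the file per candidate key (quadratic in file size, fine for a demo and the price XORSearch's -k option also pays). On a real file, pass its bytes and a needle such as b"http://" to xorsearch, and call xorstrings_report with the terminator of your choice, as the -t option does.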

Usage: XORStrings [options] file
XORStrings V0.0.1, look for XOR, ROL or SHIFT encoded strings in a file
Use -s to save the XOR, ROL or SHIFT encoded file
Use -d to dump the longest string
Use -m sort by maximum string length
Use -l to set the minimum string length (default 5)
Use -t to set the string terminator character, accepts integer or hex number (default 0)
Use -c to output CSV
Use -o to select the operation (XOR, ROL or SHIFT) to perform (to be used together with -k)
Use -k to select the key for the operation to perform (to be used together with -o)
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Compiled with Borland’s free C++ 5.5 compiler, Linux gcc and Xcode gcc.

XORStrings_V0_0_1.zip (https)

MD5: 27DA0B3BC5296179CB58181BDFF99F8D

SHA256: 5EA7E063A41E38E9E6277F1CD73FCEA2AEF50C33C44D75C226900314FF84A1B5