Didier Stevens

Tuesday 14 August 2007

XORSearch V1.2.0: XOR & ROL

Filed under: My Software — Didier Stevens @ 6:34

Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.

It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. ;-) Or did I, what do you think?

3 Comments »

  1. [...] XORSearch V1.2.0: XOR & ROL – I look forward to Didier’s upcoming post with further details. Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post. [...]

    Pingback by www.andrewhay.ca » Suggested Blog Reading - Thursday August 16th, 2007 — Friday 17 August 2007 @ 11:24

  2. If you ROL 7 times you have effectively ROR’d an 8 bit byte :-)

    Comment by Tony — Monday 10 September 2007 @ 15:22

  3. “Een kus van de juffrouw en een bank vooruit!”

    In Flanders this means: a kiss of the teacher and move one bench closer to the blackboard! ;-)

    Comment by Didier Stevens — Friday 14 September 2007 @ 20:11


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 238 other followers

%d bloggers like this: