Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.
It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. Or did I, what do you think?