Comments on: XORSearch V1.3.0

By: Jordan

Jordan — Thu, 17 Jan 2008 01:55:00 +0000

It’s all about lucky timing of when the post publishes, the RSS reader updates, and when you read it.

I found it the same way too — just looking through strings. I figured I ought to at least try xorsearch against itself and noticed there were too many “didier stevens” strings in the binary compared to the source.

Incidentally, it compiled smoothly on ubuntu gutsy, and works on osx leopard too, though leopard required a change from “malloc.h” to “sys/malloc.h”.

By: Klau

Klau — Wed, 16 Jan 2008 19:31:18 +0000

The funny part it that i didn’t even get to check my e-mail to see the clue, because i was so caught up with Process Explorer, but what the heck, you’re right, i’ve did it on my own. Looking forward for a new challenge (very soon i hope)

By: Didier Stevens

Didier Stevens — Wed, 16 Jan 2008 19:27:59 +0000

Don’t feel miserable, you still discovered it on your own. Apart from you two, no-one can claim this because the “secret” is out now.

By: Klau

Klau — Wed, 16 Jan 2008 19:23:54 +0000

Yep, only now i’ve seen your comment after the refresh in my browser…
Place No.2 it feel’s so miserable!

By: Klau

Klau — Wed, 16 Jan 2008 19:20:42 +0000

Indeed, it shows that you have your own signing certificate (7Didier Stevens Code Signing) along VeriSign Time Stamping Services CA, and here are some other interesting strings that i’ve found:
Brussels1
Brussels1″0
didier stevens Google mail
but since i don’t know to what i should compare it or what to search for, i’m waiting for another clue to enlighten me…

By: Didier Stevens

Didier Stevens — Wed, 16 Jan 2008 19:19:51 +0000

Congratz Jordan, you spotted it first, this new version of XORSearch.exe is digitally signed. I rolled my own set of certificates and used it to digitally sign the executable. When you inspect the certificate, you’ll see a warning that the root CA is not trusted. That’s normal, because I created my own root CA and it’s not part of the root CAs that are trusted by default by Windows.

By: Jordan

Jordan — Wed, 16 Jan 2008 19:10:52 +0000

Was the previous version a signed binary?

By: Klau

Klau — Wed, 16 Jan 2008 19:00:31 +0000

Ok, there’s something tricky about ‘And there is something new about the XORSearch.exe in the ZIP file. First one to post a comment with the correct answer gets an honorable mention ’
What exactly should we search for? I’ve tought that it’s something regarding the md5 and sha256 checksums, but it’s all good here. There’s nothing extraordinary regarding the zip compression rate (50%). Is it that because it uses snprintf your .exe isn’t vulnerable to buffer overflow’s, or that it detect’s a stack overflow at 0040D9A4, or what? I’ve tried to look after the version 1.0 of your application, but didn’t found it (and i don’t think that there’s where the catch is), so please enlighten us, what exactly should we search for in it?