This new version of XORSearch comes with a new operation: shifting left.
It comes in handy to reverse engineer protocols like TeamViewer’s remote access protocol.
Here’s an example. When you run TeamViewer, your machine gets an ID:
We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 in this traffic:
And as you can see, XORSearch finds this ID by left-shifting the content of the pcap file with one bit.