XORSearch is a program to search for a given string in an XOR or ROL encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has its bytes rotated by a certain number of bits (the key). XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs.
XORSearch will try all XOR keys (0 to 255) and ROL keys (1 to 7) when searching. I programmed XORSearch to include key 0, because this allows searching in an unencoded binary file (X XOR 0 equals X).
If the search string is found, XORSearch will print it until the 0 (byte zero) is encountered or until 50 characters have been printed, whichever comes first. 50 is the default value; it can be changed with option -l. Unprintable characters are replaced by a dot.
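The search described above (every XOR key from 0 to 255, every ROL key from 1 to 7, output cut at byte zero or 50 characters, dots for unprintable bytes) can be sketched as follows. This is an added example, not XORSearch's source code: the function names, the output format and the SAMPLE buffer are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (not a real file): 4 filler bytes, then "http://a.test"
   and its terminating zero XORed with 0x5A, then 2 trailing bytes. */
static const unsigned char SAMPLE[] = {0x4D,0x5A,0x90,0x00, 0x32,0x2E,0x2E,0x2A,
    0x60,0x75,0x75,0x3B,0x74,0x2E,0x3F,0x29,0x2E,0x5A, 0xC3,0xC3};

/* Decode one byte: op 'X' XORs with key, op 'R' rotates left by key bits. */
static unsigned char decode(unsigned char b, char op, unsigned key) {
    return (unsigned char)(op == 'X' ? b ^ key : (b << key) | (b >> (8 - key)));
}

/* Offset of the first match of needle in buf decoded with (op, key), or -1. */
long find_decoded(const unsigned char *buf, size_t len, const char *needle, char op, unsigned key) {
    size_t n = strlen(needle), i, j;
    if (n == 0) return -1;
    for (i = 0; i + n <= len; i++) {
        for (j = 0; j < n && decode(buf[i + j], op, key) == (unsigned char)needle[j]; j++) {}
        if (j == n) return (long)i;
    }
    return -1;
}

/* Decode from off into out (max + 1 bytes): stop at byte zero or max chars. */
size_t render_hit(const unsigned char *buf, size_t len, size_t off, char op,
                  unsigned key, size_t max, char *out) {
    size_t k = 0;
    unsigned char c;
    while (off + k < len && k < max && (c = decode(buf[off + k], op, key)) != 0)
        out[k++] = (c >= 0x20 && c < 0x7F) ? (char)c : '.'; /* dot if unprintable */
    out[k] = '\0';
    return k;
}

/* Try XOR keys 0..255 then ROL keys 1..7; print each hit, return hit count. */
int brute_search(const unsigned char *buf, size_t len, const char *needle) {
    char text[51];
    unsigned i;
    int hits = 0;
    for (i = 0; i < 256 + 7; i++) {
        char op = i < 256 ? 'X' : 'R';
        unsigned key = i < 256 ? i : i - 255;
        long off = find_decoded(buf, len, needle, op, key);
        if (off < 0) continue;
        render_hit(buf, len, (size_t)off, op, key, 50, text);
        printf("%s %02X at %04lX: %s\n", op == 'X' ? "XOR" : "ROL", key, (unsigned long)off, text);
        hits++;
    }
    return hits;
}
int main(void) { return brute_search(SAMPLE, sizeof SAMPLE, "http") ? 0 : 1; }
```

Because a ROL key k undoes a rotation to the right by k bits, a buffer whose bytes were rotated right by 3 is reported under ROL key 3.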
Usage: XORSearch [-si] [-l length] [-f search-file] file string
XORSearch V1.3, search for a XOR or ROL encoded string in a file
Use -s to save the XOR or ROL encoded file containing the string
Use -l length to limit the number of printed characters (50 by default)
Use -i to ignore the case when searching
Use -f to provide a file with search strings
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com
Compiled with Borland’s free C++ 5.5 compiler.
Download:
MD5: 0A1F5DD50924E574A6624DF872A98C78
SHA256: FFC7E2D48512DB0BD2F13A0074E374E1BFE658A620A40E38FC451E07C9F7807C
[...] XORSearch V1.1.0 Filed under: My Software — Didier Stevens @ 8:49 I’ve updated XORSearch: [...]
Pingback by XORSearch V1.1.0 « Didier Stevens — Tuesday 30 January 2007 @ 8:49
thank you, comes in handy
Comment by mario — Tuesday 22 May 2007 @ 1:56
[...] prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. Or did I, what do [...]
Pingback by XORSearch V1.2.0: XOR & ROL « Didier Stevens — Tuesday 14 August 2007 @ 6:34
[...] deciphering binaries XORSearch is a tool for searching for any text string in a binary file, whose bytes [...]
Pingback by XORSearch, descifrando binarios « TIDDER — Tuesday 21 August 2007 @ 10:40
[...] up with an unpacked PE file. BinText reveals some strings, but not URLs. Searching for HTTP with XORSearch (version 1.1) doesn’t reveal any XOR [...]
Pingback by Reversing ROL-1 Malware « Didier Stevens — Sunday 16 September 2007 @ 7:16
[...] Stevens @ 7:57 Maarten Van Horenbeecks’s post gave me the idea for a new feature for my XORSearch tool: searching for a list of strings. This is achieved with the -f option, like [...]
Pingback by XORSearch V1.3.0 « Didier Stevens — Wednesday 16 January 2008 @ 7:58