XORSearch is a program to search for a given string in an XOR, ROL or ROT encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has its bytes rotated by a certain number of bits (the key). A ROT encoded file has its alphabetic characters (A-Z and a-z) rotated by a certain number of positions. XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs.
XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7) and ROT keys (1 to 25) when searching. I programmed XORSearch to include key 0, because this allows searching in an unencoded binary file (X XOR 0 equals X).
If the search string is found, XORSearch will print it until the 0 (byte zero) is encountered or until 50 characters have been printed, whichever comes first. 50 is the default value; it can be changed with option -l. Unprintable characters are replaced by a dot.
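The key search described above, as an added Python example (not XORSearch's own source code): it applies every XOR, ROL and ROT key to the data and reports each hit, printed up to a zero byte or the length limit. The function names, the parameters standing in for -l and -i, and the sample URL are assumptions made for this illustration.

```python
def rol(b, k):
    """Rotate the 8-bit value b left by k bits (1 <= k <= 7)."""
    return ((b << k) | (b >> (8 - k))) & 0xFF


def rot(b, k):
    """Rotate A-Z and a-z by k positions; every other byte is unchanged."""
    for base in (0x41, 0x61):  # 'A', 'a'
        if base <= b < base + 26:
            return base + (b - base + k) % 26
    return b


def candidate_tables():
    """Yield (name, key, 256-byte translation table) for every key tried."""
    for key in range(256):      # XOR 0..255; key 0 leaves the data unchanged
        yield "XOR", key, bytes(b ^ key for b in range(256))
    for key in range(1, 8):     # ROL 1..7; ROL k is the same as ROR 8-k
        yield "ROL", key, bytes(rol(b, key) for b in range(256))
    for key in range(1, 26):    # ROT 1..25
        yield "ROT", key, bytes(rot(b, key) for b in range(256))


def search(data, needle, length=50, ignore_case=False):
    """Return (name, key, offset, text) wherever a transform of data contains needle."""
    hits = []
    if not needle:
        return hits
    for name, key, table in candidate_tables():
        decoded = data.translate(table)
        hay, pat = (decoded.lower(), needle.lower()) if ignore_case else (decoded, needle)
        pos = hay.find(pat)
        while pos != -1:
            raw = decoded[pos:pos + length].split(b"\x00", 1)[0]  # stop at byte zero
            text = "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in raw)
            hits.append((name, key, pos, text))
            pos = hay.find(pat, pos + 1)
    return hits


# Constructed sample: one URL plus terminator, encoded with XOR 0x5A, ROL 5 and ROT 13.
URL = b"http://example.test/\x00"
SAMPLE = (bytes(b ^ 0x5A for b in URL) + bytes(rol(b, 5) for b in URL)
          + bytes(rot(b, 13) for b in URL))

if __name__ == "__main__":
    for name, key, pos, text in search(SAMPLE, b"http"):
        print(f"{name} key {key:#04x} offset {pos}: {text}")
```

The reported key is the transform that recovers the plaintext, so the copy encoded with ROL 5 is found under ROL 3.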
Usage: XORSearch [-si] [-l length] [-f search-file] file string
XORSearch V1.4, search for a XOR, ROL or ROT encoded string in a file
Use -s to save the XOR or ROL encoded file containing the string
Use -l length to limit the number of printed characters (50 by default)
Use -i to ignore the case when searching
Use -f to provide a file with search strings
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com
Compiled with Borland’s free C++ 5.5 compiler.
Download:
MD5: AA04084644BD49174CDD41020E16396E
SHA256: 6E41A34C1867F78FC28533FFBDC793AD46C5F927088CBF9828D9A774BB2D7986
[...] XORSearch V1.1.0 Filed under: My Software — Didier Stevens @ 8:49 I’ve updated XORSearch: [...]
Pingback by XORSearch V1.1.0 « Didier Stevens — Tuesday 30 January 2007 @ 8:49
thank you, comes in handy
Comment by mario — Tuesday 22 May 2007 @ 1:56
[...] prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. Or did I, what do [...]
Pingback by XORSearch V1.2.0: XOR & ROL « Didier Stevens — Tuesday 14 August 2007 @ 6:34
[...] deciphering binaries XORSearch is a tool to search for any text string in a binary file, whose bytes [...]
Pingback by XORSearch, descifrando binarios « TIDDER — Tuesday 21 August 2007 @ 10:40
[...] up with an unpacked PE file. BinText reveals some strings, but not URLs. Searching for HTTP with XORSearch (version 1.1) doesn’t reveal any XOR [...]
Pingback by Reversing ROL-1 Malware « Didier Stevens — Sunday 16 September 2007 @ 7:16
[...] Stevens @ 7:57 Maarten Van Horenbeecks’s post gave me the idea for a new feature for my XORSearch tool: searching for a list of strings. This is achieved with the -f option, like [...]
Pingback by XORSearch V1.3.0 « Didier Stevens — Wednesday 16 January 2008 @ 7:58
[...] updated my XORSearch tool to support ROT encoding. Comments [...]
Pingback by Update: XORSearch V1.4.0 « Didier Stevens — Sunday 19 April 2009 @ 16:43
Hi Didier. Great program XORSearch is. I was curious if there is a Linux-compatible version out there.
Thanks!
Comment by Mike — Monday 20 April 2009 @ 18:23
Yes, I use it on Linux too. You just have to compile it: gcc -o XORSearch XORSearch.c
Comment by Didier Stevens — Monday 20 April 2009 @ 18:27