Didier Stevens

XORSearch

XORSearch is a program to search for a given string in an XOR, ROL or ROT encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has its bytes rotated by a certain number of bits (the key). A ROT encoded file has its alphabetic characters (A-Z and a-z) rotated by a certain number of positions. XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs.

XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7) and ROT keys (1 to 25) when searching. I programmed XORSearch to include key 0, because this allows searching in an unencoded binary file as well (X XOR 0 equals X).

If the search string is found, XORSearch will print it until a 0 (byte zero) is encountered or until 50 characters have been printed, whichever comes first. 50 is the default value; it can be changed with option -l. Unprintable characters are replaced by a dot.
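The following is an added example, not Didier Stevens's code: a small Python re-implementation of the search described above, so the key spaces and the output rules can be seen in one place. It tries every XOR key (0 to 255), every ROL key (1 to 7) and every ROT key (1 to 25) against a buffer, reports each position where the search string appears after decoding, and prints the hit until the first NUL or the length limit, with unprintable bytes shown as dots. A `neighbours` parameter mimics the -n option (bytes before and after the hit). The sample buffer, the URLs in it and the keys 0x5A, ROR 3 and ROT 13 are constructed here for the demonstration and are not from the page.

```python
# Added example: a minimal Python re-implementation of the XORSearch idea.
# Not Didier Stevens's code; the sample buffer below is constructed here.

XOR_KEYS = range(0, 256)   # key 0 covers the unencoded case: X XOR 0 == X
ROL_KEYS = range(1, 8)     # ROL by 1..7 bits; ROL k undoes ROR k, so ROR is covered too
ROT_KEYS = range(1, 26)    # ROT by 1..25 positions over A-Z and a-z only


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def rol_bytes(data: bytes, key: int) -> bytes:
    """Rotate every byte left by `key` bits."""
    return bytes(((b << key) | (b >> (8 - key))) & 0xFF for b in data)


def rot_bytes(data: bytes, key: int) -> bytes:
    """Caesar-rotate alphabetic bytes by `key`; everything else passes through."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:                    # 'A'..'Z'
            out.append((b - 0x41 + key) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:                  # 'a'..'z'
            out.append((b - 0x61 + key) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def printable(chunk: bytes) -> str:
    """Replace unprintable bytes with a dot, as XORSearch does."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def xorsearch(data: bytes, needle: bytes, max_len: int = 50, neighbours: int = 0):
    """Try every XOR, ROL and ROT key and report where `needle` appears.

    Returns a list of (encoding, key, offset, text). With neighbours == 0 the
    text runs from the hit to the first NUL or max_len bytes (like -l);
    otherwise it shows `neighbours` bytes before and after the hit (like -n).
    """
    hits = []
    decoders = (("XOR", XOR_KEYS, xor_bytes),
                ("ROL", ROL_KEYS, rol_bytes),
                ("ROT", ROT_KEYS, rot_bytes))
    for name, keys, decode in decoders:
        for key in keys:
            decoded = decode(data, key)
            pos = decoded.find(needle)
            while pos != -1:
                if neighbours:
                    start = max(0, pos - neighbours)
                    shown = decoded[start:pos + len(needle) + neighbours]
                else:
                    shown = decoded[pos:pos + max_len]
                    nul = shown.find(b"\x00")
                    if nul != -1:
                        shown = shown[:nul]
                hits.append((name, key, pos, printable(shown)))
                pos = decoded.find(needle, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed test buffer: three URLs hidden with XOR 0x5A, ROR 3 and ROT 13."""
    filler = bytes(range(0x10, 0x20))
    url_xor = b"http://example.test/payload.bin\x00"
    url_rol = b"http://update.example/config\x00"
    url_rot = b"http://files.example/list\x00"
    return (filler
            + xor_bytes(url_xor, 0x5A)          # decodes with XOR key 0x5A
            + filler
            + rol_bytes(url_rol, 5)             # ROL 5 == ROR 3, so decodes with ROL key 3
            + filler
            + rot_bytes(url_rot, 13)            # decodes with ROT key 13
            + filler)


if __name__ == "__main__":
    for enc, key, off, text in xorsearch(build_sample(), b"http"):
        print(f"Found {enc} {key:02X} position {off:04X}: {text}")
```

Because XOR is its own inverse and ROL k is the inverse of ROR k (as ROT k is of ROT 26-k), applying each candidate transformation to the file and then searching covers both the encode and decode direction, which is why the tool only needs ROL keys 1 to 7.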

Usage: XORSearch [-siuh] [-l length] [-n length] [-f search-file] file string
XORSearch V1.6, search for a XOR, ROL or ROT encoded string in a file
Use -s to save the XOR, ROL or ROT encoded file containing the string
Use -l length to limit the number of printed characters (50 by default)
Use -i to ignore the case when searching
Use -u to search for Unicode strings (limited support)
Use -f to provide a file with search strings
Use -n length to print the length neighbouring charaters (before & after the found keyword)
Use -h to search for hex strings
Options -l and -n are mutually exclusive
Options -u and -h are mutually exclusive
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

https://DidierStevens.com

Compiled with Borland’s free C++ 5.5 compiler and gcc.

Download:

XORSearch_V1_6_0.zip (https)

MD5: F672F95F49DD72ECCF93D1779BB0EBCC

SHA256: B2D0E60C5A04164E176A3B3CA8C91631FFE145D3E4DFE0118C091262626B6242

22 Comments

  1. [...] XORSearch V1.1.0 Filed under: My Software — Didier Stevens @ 8:49 I’ve updated XORSearch: [...]

    Pingback by XORSearch V1.1.0 « Didier Stevens — Tuesday 30 January 2007 @ 8:49

  2. thank you, comes in handy

    Comment by mario — Tuesday 22 May 2007 @ 1:56

  3. [...] prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. Or did I, what do [...]

    Pingback by XORSearch V1.2.0: XOR & ROL « Didier Stevens — Tuesday 14 August 2007 @ 6:34

  4. [...] decoding binaries XORSearch is a tool to search for any text string in a binary file whose bytes [...]

    Pingback by XORSearch, descifrando binarios « TIDDER — Tuesday 21 August 2007 @ 10:40

  5. [...] up with an unpacked PE file. BinText reveals some strings, but not URLs. Searching for HTTP with XORSearch (version 1.1) doesn’t reveal any XOR [...]

    Pingback by Reversing ROL-1 Malware « Didier Stevens — Sunday 16 September 2007 @ 7:16

  6. [...] Stevens @ 7:57 Maarten Van Horenbeecks’s post gave me the idea for a new feature for my XORSearch tool: searching for a list of strings. This is achieved with the -f option, like [...]

    Pingback by XORSearch V1.3.0 « Didier Stevens — Wednesday 16 January 2008 @ 7:58

  7. [...] updated my XORSearch tool to support ROT encoding. Comments [...]

    Pingback by Update: XORSearch V1.4.0 « Didier Stevens — Sunday 19 April 2009 @ 16:43

  8. Hi Didier. Great program xorsearch is. I was curious if there is a linux compatible version out there.

    Thanks!

    Comment by Mike — Monday 20 April 2009 @ 18:23

  9. Yes, I use it on Linux too. You just have to compile it: gcc -o XORSearch XORSearch.c

    Comment by Didier Stevens — Monday 20 April 2009 @ 18:27

  10. Does it support Unicode text in addition to ASCII? That would be a great feature!

    Comment by MarkF — Saturday 12 December 2009 @ 1:59

  11. No, it doesn’t, but it’s a good idea.

    Comment by Didier Stevens — Sunday 13 December 2009 @ 17:49

  12. Hello,
    I tried out XORSearch and it found lots of neat stuff in chm and pdf files.
    One thing I searched for was “.exe” but I discovered there’s no quick way to see text before the found text. Seems like a useful option may be to show N bytes after the found text but also some number of bytes before the text. It would be handy in not having to open each file in a hex editor and jump to the location and try to decode around that spot.

    Great tool. I hope you might think of adding this option sometime.
    BTW Using a linux gcc version here.
    Thanks.

    Comment by Chris S. — Tuesday 12 January 2010 @ 14:34

  13. hello,

    how to find the xor key in a pdf file which is 256 bytes. anyone help me.

    Comment by san — Wednesday 21 April 2010 @ 10:59

  14. [...] software: upx, packerid, bytehist, xorsearch, [...]

    Pingback by » REMnux — programy do analizy złośliwego oprogramowania -- Niebezpiecznik.pl -- — Monday 12 July 2010 @ 9:15

  15. [...] with protected executables: upx, packerid, bytehist, xorsearch, [...]

    Pingback by Malware Analysis Tools Set Up for Linux « Wikihead's Blog — Saturday 17 July 2010 @ 9:31

  16. [...] objdump, Radare, shellcode2.exe Detection of protections and ciphers: upx, packerid, bytehist, xorsearch, TRiD. Analysis of malicious PDFs: Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk. [...]

    Pingback by REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | SinapsysMx.Net — Tuesday 20 July 2010 @ 14:00

  17. [...] objdump, Radare, shellcode2.exe Detection of protections and ciphers: upx, packerid, bytehist, xorsearch, TRiD. Analysis of malicious PDFs: Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk. [...]

    Pingback by REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Laboratorio de Seguridad y Hacking — Tuesday 20 July 2010 @ 15:36

  18. [...] Radare, shellcode2.exe Detection of protections and ciphers: upx, packerid, bytehist, xorsearch, TRiD. Analysis of malicious PDFs: Didier’s PDF tools, Origami framework, Jsunpack-n, [...]

    Pingback by REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Command Line — Tuesday 20 July 2010 @ 16:05

  19. [...] objdump, Radare, shellcode2.exe Detection of protections and ciphers: upx, packerid, bytehist, xorsearch, TRiD. Analysis of malicious PDFs: Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk. [...]

    Pingback by REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Shadow Security — Wednesday 21 July 2010 @ 8:50

  20. [...] objdump, Radare, shellcode2.exe Detection of protections and ciphers: upx, packerid, bytehist, xorsearch, TRiD. Analysis of malicious PDFs: Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk. [...]

    Pingback by Marcosof Informatica y Telecomunicaciones » Blog Archive » REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware Leer más: Noticias de Seguridad Informática – Segu-Info: REMnux, Distribución de Linux para e — Thursday 22 July 2010 @ 5:16

  21. [...] of protections and ciphers: upx, packerid, bytehist, xorsearch, [...]

    Pingback by REMnux – Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Tux Files — Saturday 24 July 2010 @ 3:51

  22. [...] [...]

    Pingback by REMnux: A Linux Distribution for Reverse-Engineering Malware — Sunday 25 July 2010 @ 4:03
