Comments on: XORSearch

By: K P

K P — Mon, 06 Dec 2010 02:49:47 +0000

The idea would be to watch as the 010 Hex Operations (or the Decode tab in FileInsight) steps through adding binary 1, e.g.:
nddgqwythy -> oeehrxzuiz -> pffisy{vj{ and onward.
Then all the XOR keys (0 to 255) that XORSearch tries, e.g.:
nddgqwythy -> oeefpvxuix -> lffesu{vj{ and onward.
And the ROL/ROR transforms that XORSearch does.
Ideally it would dump these to a list that could be inspected to find the “real” string that has been obfuscated.

By: Didier Stevens

Didier Stevens — Sun, 05 Dec 2010 21:16:57 +0000

@Anonymous So you want to see each transformation so you can select the one that makes sense to you? No, don’t know such a program.

I could add binary add, but this would double the execution time of XORSearch.

By: Anonymous

Anonymous — Sun, 05 Dec 2010 19:35:04 +0000

Do you know of a program (or have a 010 Editor script, or FileInsight plugin) that starts with an obfuscated string portion like nddgqwythy.net and applies those Hex Modifications XOR, ROL, and ROT in sequence, so we can spot the original string by eye?

Would adding binary add to XORSearch be useful?

By: REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux: A Linux Distribution for Reverse-Engineering Malware — Sun, 25 Jul 2010 04:03:54 +0000

[...] [...]

By: REMnux – Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Tux Files

Sat, 24 Jul 2010 03:51:09 +0000

[...] de protecciones y cifrados: upx, packerid, bytehist, xorsearch, [...]

By: Marcosof Informatica y Telecomunicaciones » Blog Archive » REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware Leer más: Noticias de Seguridad Informática – Segu-Info: REMnux, Distribución de Linux para e

Thu, 22 Jul 2010 05:16:33 +0000

[...] objdump, Radare, shellcode2.exe Detección de protecciones y cifrados: upx, packerid, bytehist, xorsearch, TRiD. Análisis de PDF maliciosos: Didier’s PDF tools, Origami framework, Jsunpack-n, pdftk. [...]

By: REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Shadow Security

Wed, 21 Jul 2010 08:50:45 +0000

By: REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Command Line

Tue, 20 Jul 2010 16:05:57 +0000

[...] Radare, shellcode2.exe Detección de protecciones y cifrados: upx, packerid, bytehist, xorsearch, TRiD. Análisis de PDF maliciosos: Didier’s PDF tools, Origami framework, Jsunpack-n, [...]

By: REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | Laboratorio de Seguridad y Hacking

Tue, 20 Jul 2010 15:36:39 +0000

By: REMnux, Distribución de Linux para el Análisis e Ingeniería Inversa de Malware | SinapsysMx.Net

Tue, 20 Jul 2010 14:00:39 +0000