Didier Stevens

Tuesday 14 August 2007

XORSearch V1.2.0: XOR & ROL

Filed under: My Software — Didier Stevens @ 6:34

Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.

It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I, what do you think?

3 Comments »

  1. […] XORSearch V1.2.0: XOR & ROL – I look forward to Didier’s upcoming post with further details. Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post. […]

    Pingback by www.andrewhay.ca » Suggested Blog Reading - Thursday August 16th, 2007 — Friday 17 August 2007 @ 11:24

  2. If you ROL 7 times you have effectively ROR’d an 8 bit byte 🙂

    Comment by Tony — Monday 10 September 2007 @ 15:22

  3. “Een kus van de juffrouw en een bank vooruit!”

    In Flanders this means: a kiss of the teacher and move one bench closer to the blackboard! 😉

    Comment by Didier Stevens — Friday 14 September 2007 @ 20:11


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.