Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.
It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I, what do you think?
[…] XORSearch V1.2.0: XOR & ROL – I look forward to Didier’s upcoming post with further details. Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post. […]
Pingback by www.andrewhay.ca » Suggested Blog Reading - Thursday August 16th, 2007 — Friday 17 August 2007 @ 11:24
If you ROL 7 times you have effectively ROR’d an 8 bit byte 🙂
Comment by Tony — Monday 10 September 2007 @ 15:22
“Een kus van de juffrouw en een bank vooruit!”
In Flanders this means: a kiss of the teacher and move one bench closer to the blackboard! 😉
Comment by Didier Stevens — Friday 14 September 2007 @ 20:11