Maarten Van Horenbeecks’s post gave me the idea for a new feature for my XORSearch tool: searching for a list of strings. This is achieved with the -f option, like this:
XORSearch -f urls malware.exe
urls is a text file containing a list of URLs to search for.
You’ll still have to use a script if you want to search in more than one file.
And there is something new about the XORSearch.exe in the ZIP file. First one to post a comment with the correct answer gets an honorable mention 😉
Didier Stevens 
Ok, there’s something tricky about ‘And there is something new about the XORSearch.exe in the ZIP file. First one to post a comment with the correct answer gets an honorable mention ;)’
What exactly should we search for? I’ve tought that it’s something regarding the md5 and sha256 checksums, but it’s all good here. There’s nothing extraordinary regarding the zip compression rate (50%). Is it that because it uses snprintf your .exe isn’t vulnerable to buffer overflow’s, or that it detect’s a stack overflow at 0040D9A4, or what? I’ve tried to look after the version 1.0 of your application, but didn’t found it (and i don’t think that there’s where the catch is), so please enlighten us, what exactly should we search for in it?
Comment by Klau — Wednesday 16 January 2008 @ 19:00
Was the previous version a signed binary?
Comment by Jordan — Wednesday 16 January 2008 @ 19:10
Congratz Jordan, you spotted it first, this new version of XORSearch.exe is digitally signed. I rolled my own set of certificates and used it to digitally sign the executable. When you inspect the certificate, you’ll see a warning that the root CA is not trusted. That’s normal, because I created my own root CA and it’s not part of the root CAs that are trusted by default by Windows.
Comment by Didier Stevens — Wednesday 16 January 2008 @ 19:19
Indeed, it shows that you have your own signing certificate (7Didier Stevens Code Signing) along VeriSign Time Stamping Services CA, and here are some other interesting strings that i’ve found:
Brussels1
Brussels1″0
didier stevens Google mail
but since i don’t know to what i should compare it or what to search for, i’m waiting for another clue to enlighten me…
Comment by Klau — Wednesday 16 January 2008 @ 19:20
Yep, only now i’ve seen your comment after the refresh in my browser…
Place No.2 it feel’s so miserable!
Comment by Klau — Wednesday 16 January 2008 @ 19:23
Don’t feel miserable, you still discovered it on your own. Apart from you two, no-one can claim this because the “secret” is out now.
Comment by Didier Stevens — Wednesday 16 January 2008 @ 19:27
The funny part it that i didn’t even get to check my e-mail to see the clue, because i was so caught up with Process Explorer, but what the heck, you’re right, i’ve did it on my own. Looking forward for a new challenge (very soon i hope)
Comment by Klau — Wednesday 16 January 2008 @ 19:31
It’s all about lucky timing of when the post publishes, the RSS reader updates, and when you read it.
I found it the same way too — just looking through strings. I figured I ought to at least try xorsearch against itself and noticed there were too many “didier stevens” strings in the binary compared to the source.
Incidentally, it compiled smoothly on ubuntu gutsy, and works on osx leopard too, though leopard required a change from “malloc.h” to “sys/malloc.h”.
Comment by Jordan — Thursday 17 January 2008 @ 1:55