Didier Stevens

Monday 15 April 2013

New Tool: XORStrings

Filed under: Forensics,My Software,Reverse Engineering — Didier Stevens @ 0:00

XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0x00, but you can provide your own with option -t, like the space character (0x20) in this example:

20130308-213053

I’ve used XORStrings to identify the encoding used in TeamViewer traffic.

There are more options than the ones I mentioned here. I’ll create a dedicated page for this tool, but for now, I invite you to discover the options yourself.

XORStrings_V0_0_1.zip (https)
MD5: 27DA0B3BC5296179CB58181BDFF99F8D
SHA256: 5EA7E063A41E38E9E6277F1CD73FCEA2AEF50C33C44D75C226900314FF84A1B5

7 Comments »

  1. Good morning,

    Any chance of a cross platform release of this? I’ve been using your tools for quite awhile now, but I am spending more and more time doing analysis on non-Windows platforms and would like to bring the useful tools with me. Thank you.

    -David

    Comment by David Kovar — Monday 15 April 2013 @ 14:08

  2. @David It is cross-platform, XORStrings and XORSearch are written in standard C. In the ZIP file, you’ll find the source code, a Windows binary and an OSX binary. For Linux, you’ll need to compile it yourself with gcc.

    Comment by Didier Stevens — Monday 15 April 2013 @ 14:11

  3. Didier,

    I should have checked more carefully. Thank you for including all of this, and for diplomatically pointing out the error of my ways!

    -David

    Comment by Integriography — Monday 15 April 2013 @ 14:17

  4. @David No problem. Maybe I should include a compiled version on Linux too. It probably runs fine on most systems.

    Comment by Didier Stevens — Monday 15 April 2013 @ 19:51

  5. […] Didier Stevens released another excellent tool call xorstrings. Xorstrings will search through binary files and attempt to extract strings that have been hidden through various methods (XOR, ROL, ROT or SHIFT). You can download the tool and source code at https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/. […]

    Pingback by Top Three Security Blog Posts This Week | JustBeck | infosec musings — Friday 19 April 2013 @ 22:32

  6. […] XORStrings: Locate and decode XOR-obfuscated strings […]

    Pingback by REMnux Distro Linux Untuk Analisis Malware | acehlinux.org — Saturday 7 June 2014 @ 12:50

  7. […] unXOR, XORStrings, ex_pe_xor, XORSearch, brutexor/iheartxor, xortool, NoMoreXOR, […]

    Pingback by REMnux: Distribución de Linux especializada en en el análisis de malware | Skydeep — Thursday 20 August 2015 @ 1:49


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 456 other followers

%d bloggers like this: