Didier Stevens

Monday 15 April 2013

New Tool: XORStrings

Filed under: Forensics,My Software,Reverse Engineering — Didier Stevens @ 0:00

XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0x00, but you can provide your own with option -t, like the space character (0x20) in this example:

[Screenshot: 20130308-213053]
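The per-key scoring described above, sketched in C as an added example; it is not XORStrings' own source code. It covers only single-byte XOR, and the function names, the minimum string length of 4 and the constructed sample buffer are assumptions made for illustration.

```c
#include <stdio.h>

#define MIN_LEN 4 /* assumption: shortest run counted as a string */
struct stats { unsigned count; size_t total, max; };

/* XOR-decode buf with key; count printable-ASCII runs of at least
   MIN_LEN bytes that end at the terminator byte term. */
static struct stats scan_key(const unsigned char *buf, size_t len,
                             unsigned char key, unsigned char term) {
    struct stats s = {0, 0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i] ^ key;
        if (c == term && run >= MIN_LEN) {
            s.count++; s.total += run;
            if (run > s.max) s.max = run;
        }
        run = (c != term && c >= 0x20 && c <= 0x7e) ? run + 1 : 0;
    }
    return s;
}

/* Try all 256 single-byte XOR keys; return the one yielding most strings. */
static int best_xor_key(const unsigned char *buf, size_t len,
                        unsigned char term, struct stats *best) {
    int best_key = -1;
    *best = (struct stats){0, 0, 0};
    for (int key = 0; key < 256; key++) {
        struct stats s = scan_key(buf, len, (unsigned char)key, term);
        if (s.count > best->count) { *best = s; best_key = key; }
    }
    return best_key;
}

/* Constructed sample: 3 NUL-terminated strings amid junk, XORed with 0x5A. */
static size_t make_sample(unsigned char *out) {
    static const char plain[] = "\x01\x02\xff" "cmd.exe\0" "\xfe\x03"
        "http://example.test/a\0" "\x90\x90" "SOFTWARE\\Run\0";
    for (size_t i = 0; i < sizeof plain - 1; i++)
        out[i] = (unsigned char)plain[i] ^ 0x5A;
    return sizeof plain - 1;
}

int main(void) {
    unsigned char buf[64];
    struct stats st;
    int key = best_xor_key(buf, make_sample(buf), 0x00, &st);
    printf("key 0x%02X: %u strings, avg %.1f, max %zu\n", key, st.count,
           st.count ? (double)st.total / st.count : 0.0, st.max);
}
```

Passing 0x20 instead of 0x00 as `term` corresponds to the `-t` option mentioned above, treating the space character as the string terminator.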

I’ve used XORStrings to identify the encoding used in TeamViewer traffic.

There are more options than the ones I mentioned here. I’ll create a dedicated page for this tool, but for now, I invite you to discover the options yourself.

XORStrings_V0_0_1.zip (https)
MD5: 27DA0B3BC5296179CB58181BDFF99F8D
SHA256: 5EA7E063A41E38E9E6277F1CD73FCEA2AEF50C33C44D75C226900314FF84A1B5

8 Comments »

  1. Good morning,

    Any chance of a cross platform release of this? I’ve been using your tools for quite a while now, but I am spending more and more time doing analysis on non-Windows platforms and would like to bring the useful tools with me. Thank you.

    -David

    Comment by David Kovar — Monday 15 April 2013 @ 14:08

  2. @David It is cross-platform, XORStrings and XORSearch are written in standard C. In the ZIP file, you’ll find the source code, a Windows binary and an OSX binary. For Linux, you’ll need to compile it yourself with gcc.

    Comment by Didier Stevens — Monday 15 April 2013 @ 14:11

  3. Didier,

    I should have checked more carefully. Thank you for including all of this, and for diplomatically pointing out the error of my ways!

    -David

    Comment by Integriography — Monday 15 April 2013 @ 14:17

  4. @David No problem. Maybe I should include a compiled version on Linux too. It probably runs fine on most systems.

    Comment by Didier Stevens — Monday 15 April 2013 @ 19:51

  5. […] Didier Stevens released another excellent tool called xorstrings. Xorstrings will search through binary files and attempt to extract strings that have been hidden through various methods (XOR, ROL, ROT or SHIFT). You can download the tool and source code at https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/. […]

    Pingback by Top Three Security Blog Posts This Week | JustBeck | infosec musings — Friday 19 April 2013 @ 22:32

  6. […] XORStrings: Locate and decode XOR-obfuscated strings […]

    Pingback by REMnux Distro Linux Untuk Analisis Malware | acehlinux.org — Saturday 7 June 2014 @ 12:50

  7. […] unXOR, XORStrings, ex_pe_xor, XORSearch, brutexor/iheartxor, xortool, NoMoreXOR, […]

    Pingback by REMnux: Distribución de Linux especializada en en el análisis de malware | Skydeep — Thursday 20 August 2015 @ 1:49

  8. […] Deobfuscate XORStrings xorstrings Locate and decode XOR-obfuscated strings remnux-didier (APT) https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/ Extract and Decode Artifacts: Deobfuscate xortool xortool xortool-xor Locate and deobfuscate […]

    Pingback by Remnux-A tool for reverse engineering Malware – Infohub — Saturday 8 April 2017 @ 22:41

