I’ve been developing a new Python program similar to XORSearch. decoder-search.py does brute-forcing and searching of a file like XORSearch, but it stead of simple operations like XOR, ROL, …, it can handle more complex translations. Templates for these translations have to be provided in a configuration file, for example like this:
expression ((byte + %i1:1-10%) ^ %i2:1-32%) % 0x100
This template specifies a translation expression that adds a number to each byte in the file, and then XORs the sum. The first integer added to each byte is brute-forced from 1 to 10 (%i1:1-10%), and the second integer used for the XOR operation is brute-forced from 1 to 32 (%i2:1-32%). Such an encoding has been used in the last hancitor maldoc samples.
Here is the result on a sample that contains an encoded EXE:
And here is the result on a sample that contains encoded URLs:
For me this tool is still in beta phase, because I might change the format of the configuration file in later versions, without providing backwards compatibility. You can find it in my GitHub Beta repository.
Didier Stevens 
[…] The first is a beta of a script called decoder-search.py, which “does brute-forcing and searching of a file like XORSearch, but instead of simple operations like XOR, ROL, …, it can handle more complex translations” decoder-search.py Beta […]
Pingback by Week 39 – 2016 – This Week In 4n6 — Sunday 2 October 2016 @ 11:33
[…] decoder-search.py Beta […]
Pingback by Overview of Content Published In September | Didier Stevens — Monday 3 October 2016 @ 0:00