Didier Stevens

Thursday 28 January 2021

Update: XORSelection.1sc Version 6.0

Filed under: 010 Editor,Encryption,Malware,My Software — Didier Stevens @ 0:00

I released an update to my 010 Editor script XORSelection.1sc.

010 is a binary editor with a scripting engine. XORSelection.1sc is a script I wrote years ago, that will XOR-encode a (partial) file open in the editor.

The first version just accepted a printable, arbitrary-length string as XOR-key. Later versions accepted an hexadecimal key too, and introduced various options.

With version 6.0, I add support for a dynamic XOR-key. That is a key that changes while it is being used. It can change, one byte at-a-time, before or after each XOR operation at byte-level is executed.

Hence option cb means change before, and ca means change after. Watch this video to understand exactly how the key changes (if you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation).

 

I made this update to my XORSelection script, because I had to “manually” decode a Cobalt Strike beacon that was XOR-encoded with a changing XOR key (it is part of a WebLogic server attack). Later I included this decoding in my Cobalt Strike beacon analysis tool 1768.py.

The decoding shellcode is in the first 62 bytes (0x3E) of the file:

After the shellcode comes the XOR-key, the size and the beacon:

We can decode the beacon size, that is XOR-encoded with key 0x3F0882FB, as follows. First we select the bytes to be decoded:

Then we launch 010 Editor script XORSelection.1sc:

Provide the XOR key (prefix 0x is to indicate that the key is provide as hexadecimal byte values):

And then, after pressing OK, the bytes that contain the beacon size are decoded by XOR-ing them with the provided key:

This beacon size (bytes 00 14 04 00) is a little-endian, 32-bit integer: 0x041400.

To decode the beacon, we select the encoded beacon and launch script XORSelection.1sc again:

This time, we need to provide an option to change the XOR-decoding process. We press OK without entering a value, this will make the next prompt appear, where we can provide options:

The option we need to use to decode this Cobalt Strike beacon, is cb: change before.

In the next prompt, we can provide the XOR-key:

And we end up with the decoded beacon (you can see parts of the PE file that is the beacon):

Remark that you can enter “h” at the option prompt, to get a help screen:

I made this video explaining how to use this new option, and also explaining how the XOR key is changed exactly when using option change before (cb) or change after (ca).

If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.

XORSelection_V6_0.zip (https)
MD5: C1872C275B59E236906D38B2302F3F4B
SHA256: 1970A506299878FAC2DDD193F9CE230FD717854AC1C85554610DDD95E04DE9E9

 

Saturday 29 December 2018

New Tool: SimpleEncoder

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

I needed a 010 Editor script to do ROT-47 encoding. The script I developed supports different types of simple encodings (including ROT-47):

With custom shift encoding, you choose the shift value by providing a number in a second input dialog. This number can be negative to shift the characters to the left in stead of to the right.µ

FYI: I submitted this script to 010 Editor’s repository.

SimpleEncoder_V1_0.zip (https)
MD5: 02C7BA20D8BF9EB965B3957BE8D26094
SHA256: 7C98B404F49F5E22A8A052AB4E100BF4ABCE37F39518293FC697D21C1D36A4F3

Monday 16 April 2018

Update: XORSelection.1sc Version 4.0

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 0:00

XORSelection is a 010 Editor script I wrote some time ago, and it is included in the 010 Editor script repository. You provided it with an XOR key (ASCII or HEX), and then it will XOR-encode the file (or selection) open in 010 Editor.

I discovered it will not work properly if the hexadecimal key contains a NULL byte (0x00). This is fixed in this new version.

This new version also allows whitespace characters when an hexadecimal key is provided (hexadecimal keys start with 0x).

XORSelection_V4_0.zip (https)
MD5: 1B3DB8C8DA51224DDE7CA0E4BDAAC945
SHA256: 22E60E10BC99BD24A408C12CC674858DB6F318088CD34B7C70782833401AACF2

Tuesday 10 May 2016

MovingXORSelection.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

This is a new script for 010 Editor. Like my XORSelection.1sc script, it encodes/decodes with the XOR operator.

The encoding method is as follows: the values of byte 1 and 2 are XORed and the result is stored as byte 2. Then this result (byte 2) is XORed with the value of byte 3, and that result is stored as byte 3. This goes on until all selected bytes are encoded.

Decoding is similar, but from right to left.

The script takes 2 parameters:

  1. Moving XOR is performed from left-to-right (L) or from right-to-left (R).
  2. The offset of the “previous” byte to XOR with the current byte (default -1).

20160508-172356

20160508-172436

The result:

20160508-173128

MovingXORSelection_V1_0.zip (https)
MD5: C0B069044E0CA64856B74DE03250F837
SHA256: CE4D0F139728DBCD7F3B817BB3B610FFAA893B3B5BDF73715345EE170166F36C

Monday 16 June 2014

Wireshark-export

Filed under: 010 Editor,My Software — Didier Stevens @ 0:37

Here is the 010 Editor script I developed to generate Wireshark hex dumps.

Watch how to use it in my previous blogpost: “Packet Class: Wireshark – Import Hex Dump”.

wireshark-export_v0_0_1.zip (https)
MD5: B339EFD0898B6506CBEAAFCBCE08B3A6
SHA256: 557B39246FAC3BD91CE24EAD3DF07F8B68100778241393A26C67A566756C404B

Tuesday 10 June 2014

Packet Class: Wireshark – Import Hex Dump

Filed under: 010 Editor,My Software,Wireshark — Didier Stevens @ 20:34

During my “Packet Class: Wireshark” training, we do an exercise on importing a hex dump in Wireshark.

I recently created a 010 Editor script to help with the creation of hex dumps for Wireshark.

This video shows its usage:

Thursday 18 July 2013

Update: js-unicode-unescape.1sc

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 18:36

Because I had to use a workaround in my js-unicode-unescape.1sc script to copy an array of bytes to the clipboard, I asked the 010 Editor developers if they could add a function that does exactly this.

They included this new function, CopyBytesToClipboard, in their new version 5.0.

Here is a new version that uses this function:
js-unicode-unescape_v0_0_2.zip (https)
MD5: 6200C4F235CA527E8C0DCD5076CB1C09
SHA256: 2CACC9EE1BB1D1BC4C9FABC6EC3B3440CFF304AA560966B0B531279C369549BB

Sunday 21 April 2013

js-unicode-unescape.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the sixth one.

This script does the opposite of js-unicode-escape.1sc: a Unicode escape encode string is decode to bytes.

js-unicode-unescape_v0_0_1.zip (https)
MD5: E4FF29FB631142AC995636EED4CFB2AB
SHA256: C5659BCED1C6A7F92C2F7F9058DAA5807D2907283041E4F9DD1E4B6F318F2BBD

Saturday 20 April 2013

js-unicode-escape.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fifth one.

010 Editor has a different functions to copy bytes from a file. As raw bytes, as hex, as base64, …

This script copies the selected bytes to the clipboard as a Unicode escape encoded string for JavaScript: %u3421%u9a0d…

js-unicode-escape_v0_0_3.zip (https)
MD5: B86B7E73D93C5A4C086384C2FF89303C
SHA256: 81F26C328FD67FB7512CD60485481D7FFD8B7FE5ACE95455D45F4F635EADF81C

Thursday 18 April 2013

search-and-replace-with-wildcards.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the third one.

010 Editor has a search feature with wildcards (like FC 01 * 10 CF), but no search and replace with wildcards (like FC 01 * 10 CF -> FD 02 * 20 DF). This scripts implements such a feature.

search-and-replace-with-wildcards_v0_0_1.zip (https)
MD5: 7D620E8BEFFD4ED5563D9944C9B0B859
SHA256: B7F074304660A8DBF7AB2261D8619FFFFD461EFB5EE4C6E42880C87A3C1A4AB7

Next Page »

Blog at WordPress.com.