2013/09/25

XOR Script (Skips NULL bytes “00”)

by InterDimensional_Shambler
Categories: Analysis, Coding, Malware Reverse Engineering, Python

[Description of XOR Script]

Updated January 2014

Hello!

I’ve made a script (in Python) that takes an XORed file or string and XORs it with a user-defined XOR key (single-byte or multi-byte). The reason for this is that there is XORed malware out there that applies the XOR in various non-standard ways.

If you are unfamiliar with the bitwise XOR operation (also known as Exclusive OR, EOR, or EXOR), there is a write-up on Wikipedia HERE.

There are multiple ways this script will apply the XOR key:

When it runs into either a NULL byte (“00”) or a byte that equals the current XOR key byte (a “match” byte), you can specify that it do one of the following:

  • (Ignore Option) – This option will not treat null/match bytes any differently.
  • (Skip Byte, XOR unchanged) – This will skip the byte when a null/match byte is reached. The XOR key will not change on this byte.
  • (Skip Byte, XOR Increment) – This will skip the byte when a null/match byte is reached. The XOR key will increment on this byte.
  • (Skip Byte, XOR Decrement) – This will skip the byte when a null/match byte is reached. The XOR key will decrement on this byte.

You can also do the following:

  • Specify a starting offset and finishing offset (to XOR a byte range in a file or string)
  • Ignore all the options and XOR normally.
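As an added example (this is not the post’s script, which lives at the GitHub link below), here is a Python implementation of the four modes plus the offset range. It assumes that “XOR unchanged/increment/decrement” describe what happens to the key *position* on the skipped byte; that reading is an assumption, not something the post states.

```python
from typing import Optional

# Added example, not the post's own script. The three skip modes are
# interpreted as: on a skipped byte the key position stays / advances /
# rewinds by one (assumption about the post's wording).
MODES = ("ignore", "skip_unchanged", "skip_increment", "skip_decrement")


def xor_skip(data: bytes, key: bytes, mode: str = "ignore",
             start: int = 0, end: Optional[int] = None) -> bytes:
    """XOR data[start:end] with a repeating multi-byte key.

    In the skip modes a byte that is 0x00, or equal to the current key
    byte, is copied through unchanged (so nulls and key-valued bytes never
    leak the key), and the key position is then handled per `mode`.
    Bytes outside [start, end) are left untouched.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if not key:
        raise ValueError("key must not be empty")
    end = len(data) if end is None else min(end, len(data))
    out = bytearray(data)
    pos = 0  # index into the key, wraps with % (negative values wrap too)
    for i in range(start, end):
        b = data[i]
        k = key[pos % len(key)]
        if mode != "ignore" and (b == 0 or b == k):
            # null/match byte: leave it as is, adjust only the key position
            if mode == "skip_increment":
                pos += 1
            elif mode == "skip_decrement":
                pos -= 1
            continue
        out[i] = b ^ k
        pos += 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a buffer with a null and a key-matching byte.
    sample = bytes([0x00, 0x41, 0x10, 0x42])
    for m in MODES:
        print(m, xor_skip(sample, b"AB", m).hex())
```

Because the skip rule only depends on whether a byte is null or equals the key byte, and XOR preserves exactly those two cases, running the same mode twice with the same key returns the original buffer, which is how the encoder keeps the transform invertible.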

Currently the only output is a raw file.

Things To Do:

  • Clean up global variables and declaration lines.
  • Add argparse (so not all the options are required).

[Feedback]

Since my entire programming career is based off a few 100-level courses, I know my code is still in need of cleanup. To be honest, this is the first script I’ve written in Python as well. Any constructive feedback is very appreciated.

To leave feedback either post a comment, or send an E-mail to interdimensional_shambler@malwerewolf.com.

Code for this can be found here:

https://github.com/MalWerewolf/XOR_Null_Script

