XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file.

An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has its bytes rotated by a certain number of bits (the key). A ROT encoded file has its alphabetic characters (A-Z and a-z) rotated by a certain number of positions. A SHIFT encoded file has its bytes shifted left by a certain number of bits (the key): all bits of the first byte shift left, the MSB of the second byte becomes the LSB of the first byte, all bits of the second byte shift left, … XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs.

XORSearch will try all XOR keys (0 to 255), ROL keys (1 to 7), ROT keys (1 to 25) and SHIFT keys (1 to 7) when searching. I programmed XORSearch to include key 0, because this allows searching in an unencoded binary file (X XOR 0 equals X).

If you think the file is encoded with a 32-bit XOR key, use option -k. Normally, XORSearch does a brute-force attack with 8-bit keys and smaller. A 32-bit key brute-force attack would take too long. Option -k instructs XORSearch to do a 32-bit dictionary attack instead of an 8-bit brute-force attack. The dictionary is extracted from the file itself: it is assumed that the 32-bit key is inside the file as a sequence of 4 consecutive bytes (MSB and LSB are both tried).
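The search over XOR, ROL, ROT and SHIFT keys described above can be sketched in Python. This is an added example, not XORSearch's own code: the function names, the sample buffer and the URL in it are constructed for illustration, and the key it reports is the key of the transform applied to the buffer.

```python
import string

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def rol(data: bytes, key: int) -> bytes:
    # Rotate each byte left by `key` bits.
    return bytes(((b << key) | (b >> (8 - key))) & 0xFF for b in data)

def rot(data: bytes, key: int) -> bytes:
    # Rotate only A-Z and a-z by `key` positions; other bytes are unchanged.
    up, lo = string.ascii_uppercase.encode(), string.ascii_lowercase.encode()
    table = bytes.maketrans(up + lo, up[key:] + up[:key] + lo[key:] + lo[:key])
    return data.translate(table)

def shift(data: bytes, key: int) -> bytes:
    # Shift the whole buffer left by `key` bits: the top bits of the next
    # byte become the low bits of the current one (zero fill at the end).
    padded = data + b"\x00"
    return bytes(((padded[i] << key) | (padded[i + 1] >> (8 - key))) & 0xFF
                 for i in range(len(data)))

# Key ranges as listed in the text above; key 0 for XOR covers unencoded files.
TRANSFORMS = [("XOR", xor, range(0, 256)), ("ROL", rol, range(1, 8)),
              ("ROT", rot, range(1, 26)), ("SHIFT", shift, range(1, 8))]

def search(data: bytes, needle: bytes):
    """Return (encoding, key, offset) for each transform of data containing needle."""
    hits = []
    for name, func, keys in TRANSFORMS:
        for key in keys:
            decoded = func(data, key)
            pos = decoded.find(needle)
            while pos != -1:
                hits.append((name, key, pos))
                pos = decoded.find(needle, pos + 1)
    return hits

# Constructed sample: one URL hidden four ways between filler bytes.
# ROL by 5 is undone by ROL by 3; a stream delayed by 3 bits
# (shift(b"\x00" + URL, 5)) is realigned by SHIFT 3.
URL = b"http://example.test/a"
SAMPLE = (b"MZ\x90\x00" + xor(URL, 0x5A) + b"\xff\xfe" + rol(URL, 5)
          + b"\xc3\x90" + rot(URL, 13) + b"\x00\x01" + shift(b"\x00" + URL, 5))

if __name__ == "__main__":
    for name, key, offset in search(SAMPLE, b"http://"):
        print(f"Found {name} key {key:#04x} at offset {offset:#06x}")
```

Because every key in each range is tried, a ROR-encoded string is found under the complementary ROL key, so no separate ROR pass is needed.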