GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Neo23x0 → xorex

Neo23x0 / xorex

Licence: Apache-2.0 license
XOR Key Extractor

Programming Languages

python
139335 projects - #7 most used programming language

XOREX

XOR Key Evaluator for Encrypted Executables

Usage

   _  ______  ___  _____  __
  | |/_/ __ \/ _ \/ __/ |/_/
 _>  </ /_/ / , _/ _/_>  <
/_/|_|\____/_/|_/___/_/|_|

XOR Key Evaluator for Encrypted Executables
Florian Roth, July 2020, 0.2.0

usage: xorex.py [-h] [-f input_file] [-w max-window-size] [-m max-offset] [-o output-path] [--debug]

XOR Key Extractor

optional arguments:
  -h, --help          show this help message and exit
  -f input_file       Path to input file
  -w max-window-size  Window Size (max. XOR key size)
  -m max-offset       Maximum look into the file
  -o output-path      Output Path for decrypted PE files
  --debug             Debug output

The Idea

The idea is to run some statistical analysis on the file to extract possible keys based on their frequency of occurrence. Since Portable Executables (PE files) often contain ranges of binary zeros, we can assume that we find the XOR key more often than other byte chains.

I validate the possible candidates by applying them to a portion of the data blob looking for typical MS-DOS header stubs.

Furthermore, I then try to find a MZ header in order to detect junk code or shellcode before the actual PE file, adjusting the offset and rotating the preliminary XOR key to its more likely version.

Get Started

  1. Git clone the repo and cd into it git clone https://github.com/Neo23x0/xorex.git && cd xorex
  2. Install requirements pip install -r requirements.txt
  3. Try it with the demo files python xorex.py -f ./examples/mustang-1.xored
  4. Check the output files in the ./output folder

Screenshots

Screen 1

Screen 2

File Recovery - new in v0.2

Screen 4

Known Issues

  • This only works with static XOR keys
  • The script currently only works with encrypted Windows executables

Warning

Consider this code as Proof-of-Concept. I had 3 hours to write it and used it for the single purpose of decrypting a sample related to the Mustang Panda threat group [1] [2], but thought that it could be helpful to have such a script for other XORed executables.

If you have more time to spend and decide to build something similar or better, please let me know.

Contact

Follow me on Twitter

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].