Skip to content
Obfuscationbeginner

XOR String Encryption

Storing strings XOR-encrypted and decrypting them on demand at runtime so that static tools and `strings` reveal nothing useful about the binary's behavior.

The cheapest way to hide URLs, API names and configuration from strings and YARA is single- or multi-byte XOR. The ciphertext sits in .data; a tiny routine decrypts it into a stack buffer right before use and (often) re-encrypts it after.

Pattern

c
for (size_t i = 0; i < len; i++)
    out[i] = enc[i] ^ key[i % keylen];

In disassembly this shows up as a tight loop with a xor against a moving index into a key buffer, feeding a freshly allocated/stack buffer.

Concretely, the decrypt loop loads a ciphertext byte, XORs it with the wrapping key byte, stores it, and counts up to len:

asm
        xor     ecx, ecx                ; i = 0
.loop:
        movzx   eax, byte [rsi+rcx]     ; al = enc[i]
        mov     edx, ecx
        and     edx, 7                  ; i % keylen   (keylen = 8 here)
        xor     al, byte [rdi+rdx]      ; al ^= key[i % keylen]
        mov     byte [r8+rcx], al       ; out[i] = al
        add     rcx, 1                  ; i++
        cmp     rcx, r9                 ; i < len ?
        jb      .loop

Recovery

  • FLOSS brute-forces and emulates these decrypt stubs to dump plaintext.
  • For single-byte XOR, frequency analysis or a known-plaintext crib (http, MZ, .dll) recovers the key instantly.
  • Set a breakpoint right after the decrypt loop and read the buffer.
Votes

Comments(0)