Obfuscationbeginner
XOR String Encryption
Storing strings XOR-encrypted and decrypting them on demand at runtime so that static tools and `strings` reveal nothing useful about the binary's behavior.
The cheapest way to hide URLs, API names and configuration from strings and
YARA is single- or multi-byte XOR. The ciphertext sits in .data; a tiny
routine decrypts it into a stack buffer right before use and (often) re-encrypts
it after.
Pattern
for (size_t i = 0; i < len; i++)
out[i] = enc[i] ^ key[i % keylen];In disassembly this shows up as a tight loop with a xor against a moving
index into a key buffer, feeding a freshly allocated/stack buffer.
Concretely, the decrypt loop loads a ciphertext byte, XORs it with the wrapping key byte, stores it, and counts up to len:
xor ecx, ecx ; i = 0
.loop:
movzx eax, byte [rsi+rcx] ; al = enc[i]
mov edx, ecx
and edx, 7 ; i % keylen (keylen = 8 here)
xor al, byte [rdi+rdx] ; al ^= key[i % keylen]
mov byte [r8+rcx], al ; out[i] = al
add rcx, 1 ; i++
cmp rcx, r9 ; i < len ?
jb .loopRecovery
- FLOSS brute-forces and emulates these decrypt stubs to dump plaintext.
- For single-byte XOR, frequency analysis or a known-plaintext crib (
http,MZ,.dll) recovers the key instantly. - Set a breakpoint right after the decrypt loop and read the buffer.
Votes