Obfuscation · beginner
XOR String Encryption
Storing strings XOR-encrypted and decrypting them on demand at runtime so that static tools and `strings` reveal nothing useful about the binary's behavior.
The cheapest way to hide URLs, API names and configuration from strings and
YARA is single- or multi-byte XOR. The ciphertext sits in .data; a tiny
routine decrypts it into a stack buffer right before use and (often) re-encrypts
it after.
Pattern
/* enc: ciphertext, key: keylen-byte repeating key, out: plaintext buffer */
for (size_t i = 0; i < len; i++)
    out[i] = enc[i] ^ key[i % keylen];

In disassembly this shows up as a tight loop with an XOR against a moving
index into a key buffer, feeding a freshly allocated or stack buffer.
Recovery
- FLOSS brute-forces and emulates these decrypt stubs to dump plaintext.
- For single-byte XOR, frequency analysis or a known-plaintext crib (http, MZ, .dll) recovers the key instantly.
- Set a breakpoint right after the decrypt loop and read the buffer.
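The crib recovery from the second bullet, as an added example that is not part of the original page: it generalises from single-byte XOR to a repeating key of unknown length (up to the crib length), assuming the crib sits at a known offset, as http and MZ do at the start of a string and .dll at the end. The 4-byte key and the URL are constructed sample data.

```python
"""Recover a repeating-key XOR string from ciphertext using a known-plaintext crib."""
from typing import List, Optional, Tuple

# Bytes an analyst accepts as "looks like a decrypted string": ASCII printable plus tab/CR/LF.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """The loop from the pattern above: out[i] = data[i] ^ key[i % keylen] (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_key(enc: bytes, crib: bytes, crib_at: int = 0,
                min_ratio: float = 0.95) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, plaintext) for the shortest repeating key consistent with the crib.
    XORing the ciphertext with the crib at its known offset yields the key bytes covering
    that span. For each key length up to len(crib) those bytes are folded onto the period;
    a candidate survives only if the folded bytes agree with each other and the whole
    decryption is (almost) entirely printable. min_ratio < 1.0 tolerates a trailing NUL.
    """
    fragment = bytes(e ^ c for e, c in zip(enc[crib_at:crib_at + len(crib)], crib))
    for keylen in range(1, len(fragment) + 1):
        key: List[Optional[int]] = [None] * keylen
        consistent = True
        for j, kb in enumerate(fragment):
            pos = (crib_at + j) % keylen
            if key[pos] is None:
                key[pos] = kb
            elif key[pos] != kb:      # same key slot, different byte: wrong period
                consistent = False
                break
        if not consistent:
            continue
        candidate = bytes(key)  # every slot is filled because keylen <= len(fragment)
        plain = xor_crypt(enc, candidate)
        if printable_ratio(plain) >= min_ratio:
            return candidate, plain
    return None


# Constructed sample: a URL encrypted with a made-up 4-byte key, as it would sit in .data.
SAMPLE_KEY = bytes([0x37, 0xA1, 0xC8, 0xF3])
SAMPLE_PLAIN = b"http://example.com/api/v1/config.json"
SAMPLE_ENC = xor_crypt(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_key(SAMPLE_ENC, b"http"))                               # crib at the start
    print(recover_key(SAMPLE_ENC, b".json", crib_at=len(SAMPLE_ENC) - 5))  # crib at the end
```

A wrong crib (say MZ against this URL) fails the consistency or printability check and yields None, which is the signal to try the next crib or fall back to FLOSS.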