XORsearch: Searching With Regexes (Mon, Apr 7th)
This article describes how to use the XORsearch tool together with regular expressions for file analysis. By extracting all possible strings and filtering the results with grep's regular expressions, specific patterns (such as IPv4 addresses) can be found. The example shows how to obtain more information step by step, and mentions that a Python version of XORsearch will be released in the future to support analysis with YARA rules. 2025-4-7 12:34:56 Author: isc.sans.edu

Xavier asked me a question from one of his FOR610 students: "how can you perform a regex search with XORsearch"?

XORsearch is a tool like grep but it performs a brute-force attack on the input file, trying out different encodings like XOR.

You can give it a string to search for, but not a regular expression.

There is a workaround, however: let XORsearch extract all possible strings, and then grep through the results with a regular expression.

Here is an example with a Cobalt Strike beacon:

Option -S instructs XORsearch to extract all ASCII strings, and re-search.py is used with its built-in regular expression for IPv4 addresses.

We obtain one address, which we then use directly as the search string for XORsearch:

This gives us more information: we see a URL path, and we know the encoding is XOR, and the key is 0x0D.

With option -n, we can look for even more info surrounding that IPv4 address:
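The two-step workflow above (brute-force the XOR key, extract the ASCII strings, regex-filter them for an IPv4 address, then pull the surrounding bytes with the recovered key as -n does) reduced to a small Python script. This is an added example, not part of the diary and not XORsearch's or re-search.py's own code; it handles only single-byte XOR, not the other encodings XORsearch tries, and the sample buffer, key and address are constructed.

```python
import re

# Printable-ASCII runs of at least 4 bytes (roughly what 'xorsearch -S' extracts)
# and the IPv4 pattern re-search.py applies to them.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: a fake beacon config XOR-encoded with the single-byte key
# 0x0D (the key found in the diary). 203.0.113.10 is a documentation-range address.
PLAINTEXT = (b"\x00\x01\x02beacon config: connect to 203.0.113.10 port 443 "
             b"GET /updates/check.php\x00\xff")
KEY = 0x0D
SAMPLE = bytes(b ^ KEY for b in PLAINTEXT)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole buffer."""
    return bytes(b ^ key for b in data)


def regex_search_all_keys(data: bytes, pattern=IPV4_RE):
    """Try every single-byte XOR key, extract ASCII strings from each decoding
    and keep only the strings matching the regex. Returns (key, offset, match)
    tuples, i.e. what 'xorsearch -S file | re-search.py' would report."""
    hits = []
    for key in range(256):
        decoded = xor_decode(data, key)
        for run in STRING_RE.finditer(decoded):
            for m in pattern.finditer(run.group()):
                hits.append((key, run.start() + m.start(), m.group().decode()))
    return hits


def context(data: bytes, key: int, needle: bytes, n: int = 16) -> bytes:
    """Like 'xorsearch -n N <string>': decode with the given key and return
    N bytes on each side of the first occurrence of needle (b'' if absent)."""
    decoded = xor_decode(data, key)
    i = decoded.find(needle)
    if i < 0:
        return b""
    return decoded[max(0, i - n): i + len(needle) + n]


if __name__ == "__main__":
    for key, off, ip in regex_search_all_keys(SAMPLE):
        print(f"key 0x{key:02X} offset {off}: {ip}")
        print(context(SAMPLE, key, ip.encode(), 24))
```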

There is also a method using YARA rules, but for that I first need to publish a Python version of xorsearch. More details in an upcoming diary entry.

Didier Stevens
Senior handler
blog.DidierStevens.com


Source: https://isc.sans.edu/diary/rss/31834