Brutexor-iheartxor

From aldeid

Description

brutexor (also called iheartxor) by Alexander Hanel brute-forces all possible 1-byte XOR key values and examines the file for strings that might have been encoded with these keys.

Installation

$ cd /data/src/
$ wget http://codepad.org/TPrsNVU0/raw.py -O brutexor.py

Usage

Syntax

Usage: python brutexor.py [options] <file>

Options

-h, --help
show help
-k <KEY>, --key=<KEY>
Static XOR key to use
-f, --full
XOR full file
-r <PATTERN>, --re=<PATTERN>
Regular Expression Pattern to search for

Example

In the following example, we have a hex-encoded string that we know is XOR encoded. It corresponds to one parameter transmitted by a malware named brbbot.exe in an HTTP request:

$ more encoded.hex 
123f373e600822282f3e366028362828753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32
383e28753e233e6037283a2828753e233e602d363a382f33372b753e233e60282d383334282f753e233e60282d38333428
2f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e603e232b3734293e
29753e233e60282b343437282d753e233e602d362f343437283f753e233e60362836283c28753e233e60312a28753e233e
60282a37283e292d29753e233e602d362f343437283f753e233e602c2e3a2e38372f753e233e602c36322b292d283e753e
233e600f0b1a2e2f3418343535082d38753e233e603a373c753e233e602c2838352f3d22753e233e600f0b1a2e2f341834
35353e382f753e233e602c36322b292d283e753e233e6038363f753e233e601d3a303e153e2f753e233e60322b3834353d
323c753e233e6039293939342f753e233e

Let's first transform this hex string to raw data:

$ xxd -r -p encoded.hex > encoded.raw
$ file encoded.raw 
encoded.raw: data

Actually, we already know that the key is 0x5b:

$ translate.py encoded.raw decoded.txt 'byte ^ 0x5b' 
$ more decoded.txt
Idle;System;smss.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;vmacthlp.exe;svchost.exe;svchost.exe;
svchost.exe;svchost.exe;svchost.exe;explorer.exe;spoolsv.exe;vmtoolsd.exe;msmsgs.exe;jqs.exe;sqlservr.exe;vmtoolsd.exe;wuauclt.exe;
wmiprvse.exe;TPAutoConnSvc.exe;alg.exe;wscntfy.exe;TPAutoConnect.exe;wmiprvse.exe;cmd.exe;FakeNet.exe;ipconfig.exe;brbbot.exe

But let's say we don't know the key yet :) and test brutexor without providing the key:

$ brutexor.py encoded.raw

The above command actually returns nothing! Providing the key with -k (together with -f so that the whole file is XORed) works:

$ brutexor.py -f -k 0x5b encoded.raw | more
Idle;System;smss.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;vmacthlp.exe;svchost.exe;svchost.exe;
svchost.exe;svchost.exe;svchost.exe;explorer.exe;spoolsv.exe;vmtoolsd.exe;msmsgs.exe;jqs.exe;sqlservr.exe;vmtoolsd.exe;wuauclt.exe;
wmiprvse.exe;TPAutoConnSvc.exe;alg.exe;wscntfy.exe;TPAutoConnect.exe;wmiprvse.exe;cmd.exe;FakeNet.exe;ipconfig.exe;brbbot.exe
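The brute-force loop that brutexor performs, as an added example that is not the tool's own code: it tries all 256 single-byte keys against the first line of the page's encoded.hex (embedded below), keeps only the keys whose decoded bytes match a pattern (the role of -r), and otherwise ranks keys by the fraction of printable bytes, a scoring heuristic assumed here rather than taken from brutexor.

```python
import re
import string
from typing import List, Optional, Tuple

# First line of the page's encoded.hex (XOR-encoded with 0x5b, as the page states).
ENCODED_HEX = (
    "123f373e600822282f3e366028362828753e233e603828292828753e233e60"
    "2c323537343c3435753e233e60283e292d32"
)
ENCODED = bytes.fromhex(ENCODED_HEX)

PRINTABLE = set(string.printable.encode())


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one static key (what brutexor -f -k does)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; fallback score used by this example
    when no pattern is given (an assumption, not brutexor's own heuristic)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def brute_xor(data: bytes, pattern: Optional[bytes] = None
              ) -> List[Tuple[int, bytes, List[bytes]]]:
    """Try all 256 single-byte keys. With a pattern (like brutexor -r), keep only
    the keys whose decoded output matches it; without one, rank every key by
    printable ratio. Returns (key, decoded, matches) tuples, best first."""
    results = []
    for key in range(256):
        decoded = xor_single(data, key)
        if pattern is None:
            results.append((key, decoded, []))
            continue
        matches = re.findall(pattern, decoded)
        if matches:
            results.append((key, decoded, matches))
    if pattern is None:
        results.sort(key=lambda r: printable_ratio(r[1]), reverse=True)
    return results


if __name__ == "__main__":
    # Pattern mode: the sample is a process list, so look for names ending in ".exe".
    for key, decoded, matches in brute_xor(ENCODED, rb"\w+\.exe"):
        print(f"key=0x{key:02x} matches={matches} -> {decoded!r}")
```

More than one key turns this sample into fully printable bytes (0x5a does as well as 0x5b), so the printable score alone does not pin the key; the pattern does, and only 0x5b produces ".exe" strings.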
