NoMoreXOR

From aldeid
Jump to: navigation, search
Draft.png
DRAFT
This page is still a draft. Thank you for your understanding.

Description

Tool by Glenn P. Edwards Jr. to help guess a files 256 byte XOR key by using frequency analysis.

Installation

NoMoreXOR

$ cd /data/src/
$ wget https://raw.github.com/hiddenillusion/NoMoreXOR/master/NoMoreXOR.py
$ chmod +x NoMoreXOR.py

Yara file

NoMoreXOR is based on Yara signatures to determine whether a potential key value worked: if the decoded content matches one of the signatures in you file, then probably the key was guessed correctly. In that case, the tool deobfuscates corresponding contents and extracts them from the original file.

You can either create your own Yara file or use the one by Michael Hale:

$ wget https://malwarecookbook.googlecode.com/svn/trunk/3/5/capabilities.yara

Usage

Syntax

Usage: NoMoreXOR.py [-h] [-a] [-c] [-xor key] [-g] [-o outfile] [-y YARARULES] Path

Options

-h, --help
show this help message and exit
-a, --analyze
Auto analyze the specified file by looking for all possible XOR keys then apply each of them & scan with YARA to try and determine if it's the correct XOR key (requires an output file)
-c, --convert
Convert the input file to a hex_file (requires an output file)
-xor <key>
XOR the file with the supplied XOR key (requires an output file)
-g, --guess
Print out information from the hex_file including most common characters and possible SHA256 keys
-o <outfile>, --out <outfile>
Name of output file to create
-y <YARARULES>, --yararules <YARARULES>
Path to YARA rules to be used during auto analysis if different than what's hardcoded

Example

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.