XOR Key Evaluator for Encrypted Executables
Florian Roth, July 2020, 0.2.0
```
usage: xorex.py [-h] [-f input_file] [-w max-window-size] [-m max-offset] [-o output-path] [--debug]

XOR Key Extractor

optional arguments:
  -h, --help          show this help message and exit
  -f input_file       Path to input file
  -w max-window-size  Window Size (max. XOR key size)
  -m max-offset       Maximum look into the file
  -o output-path      Output Path for decrypted PE files
  --debug             Debug output
```
The idea is to run some statistical analysis on the file to extract possible keys based on their frequency of occurrence. Since Portable Executables (PE files) often contain long runs of binary zeros, and a zero byte XORed with the key yields the key itself, we can assume that the XOR key appears more often than any other byte sequence.
I validate the possible candidates by applying them to a portion of the data blob and looking for typical MS-DOS header stubs.
Furthermore, I then try to find an MZ header in order to detect junk code or shellcode placed before the actual PE file, adjusting the offset and rotating the preliminary XOR key to the version that is more likely correct.
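The three steps described above (frequency-based candidate extraction, validation against the MZ header and DOS stub, and offset/rotation adjustment for junk preceding the PE) as a small added Python sketch; this is not xorex's own code, and the sample blob, key and junk prefix are constructed for the illustration.

```python
import collections

# Constructed sample: a minimal PE-like blob (MZ header, DOS stub text, a run of
# zeros) XOR-encrypted with a static 3-byte key. Not a real executable.
KEY = b"\x5a\x13\xc7"
PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
         + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 256)

def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

SAMPLE = xor(PLAIN, KEY)

def rotations(key):
    return [key[i:] + key[:i] for i in range(len(key))]

def key_candidates(data, max_window=8, max_offset=4096, top=5):
    """Count every window of 1..max_window bytes in the first max_offset bytes.
    Zero runs in the plaintext turn into repeats of the key, so the most
    frequent windows are candidate keys; shorter wins on equal frequency."""
    data = data[:max_offset]
    scored = []
    for size in range(1, max_window + 1):
        counts = collections.Counter(data[i:i + size] for i in range(len(data) - size + 1))
        scored.extend((n, k) for k, n in counts.most_common(top))
    scored.sort(key=lambda t: (-t[0], len(t[1]), t[1]))
    return [k for _, k in scored]

def find_key(data, max_window=8, max_offset=4096):
    """Try each candidate and its rotations; accept one only if the decrypted
    data contains an MZ header followed by the DOS stub string. Returns
    (offset of the PE, key rotated so that it applies from that offset)."""
    for cand in key_candidates(data, max_window, max_offset):
        for key in rotations(cand):
            dec = xor(data[:max_offset], key)
            pos = dec.find(b"MZ")
            while pos != -1:
                if b"This program" in dec[pos:pos + 128]:
                    phase = pos % len(key)
                    return pos, key[phase:] + key[:phase]
                pos = dec.find(b"MZ", pos + 1)
    return None

def carve_pe(data, max_window=8, max_offset=4096):
    """Decrypt from the detected PE offset onward, or None if nothing validates."""
    hit = find_key(data, max_window, max_offset)
    return None if hit is None else xor(data[hit[0]:], hit[1])

if __name__ == "__main__":
    print(find_key(SAMPLE))  # constructed sample: (0, KEY)
```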
- Git clone the repo and cd into it

  `git clone https://github.com/Neo23x0/xorex.git && cd xorex`

- Install requirements

  `pip install -r requirements.txt`

- Try it with the demo files

  `python xorex.py -f ./examples/mustang-1.xored`

- Check the output files in the `./output` folder
File Recovery - new in v0.2
- This only works with static XOR keys
- The script currently only works with encrypted Windows executables
Consider this code as a Proof-of-Concept. I had 3 hours to write it and used it for the single purpose of decrypting a sample related to the Mustang Panda threat group [1] [2], but thought that it could be helpful to have such a script for other XORed executables.
If you have more time to spend and decide to build something similar or better, please let me know.