Jump to content

Welcome to NulledBlog
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. If you already have an account, login here - otherwise create an account for free today!
Photo

Decrypting Simple Single-Key XOR Encrypted Windows Executables


  • Please log in to reply
1 reply to this topic

#1
jasonfish4

  • Offline
  • Red Vice

  • Posts:
    28
    Reputation:
    29
    Joined:
    02 Apr, 2015

Today in this tutorial, I'm going to demonstrate with pseudocode on how to decrypt Windows executable files that use simple XOR encryption. The decryption process relies less on logic, but more on bruteforcing.

 

Background

 

XOR is used in various types of encryption, and is sometimes used as it's own encryption in it's raw form without any supporting algorithms. When binary values at the same index are equal, it's 0, when they're opposites it's 1 (For XOR).

Let's take two binary values called data and key:

Data: 01100101

Key:   00101011

The result is: 01001110

 

Need to know:

Windows executable files will usually start with two bytes, 0x4D and 0x5A which in ASCII are "MZ". This is a file format to differentiate between COM files and executables.

 

How It's Used in Programs

 

Some programs will use XOR encryption on their bytes, XOR can be used to encrypt whole files, a character, a string, a portion of a file, etc...

In pseudocode, this is an algorithm that encrypts a whole file

Please Login or Register to see this Hidden Content

Please Login or Register to see this Hidden Content

Bruteforcing The Encryption

 

Now that EncryptedFile has been encrypted with a key between 0 and 255, the file format at the beginning of a file 0x00000000 and 0x00000001 won't be "MZ" but something random like "%:". This would be an algorithm to get the key from just the first two bytes and then decrypt the entire file. *pseudocode*

Please Login or Register to see this Hidden Content

Please Login or Register to see this Hidden Content

Now you have the encryption key for the encrypted file. All you have to do now is call the xorFile function with the encryption key now and decrypt the file to it's original data.

Please Login or Register to see this Hidden Content

You've successfully decrypted a file that uses a single character XOR key cipher.


Edited by jasonfish4, 16 April 2016 - 01:28 PM.

  • 1

#2
amjadshareef

  • Offline
  • Advanced Member

  • Posts:
    112
    Reputation:
    0
    Joined:
    12 Dec, 2015

ty


  • 0


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users