Hide Strings with One Key XOR

Hi Guys,

I would like to continue my previous post about hiding strings from malware analysts and anti-malware software.

There are many techniques for hiding strings from the static analysis done by anti-malware software or a human analyst. The most common, yet still effective, technique I have found in malware is XOR obfuscation of the strings. I have also found malware that uses heavier encryption for the same purpose, such as Bcrypt or AES.

We will discuss a simple XOR implementation to make the idea easy to follow. I also want to help reversers recognize single-key XOR code in assembly.

The C code is below:

#include <stdio.h>
#include <string.h>

// XOR is its own inverse, so the same routine both encodes and decodes.
void encryptDecrypt(char inpString[])
{
    // Define XOR key: any byte value will work.
    // '9' is the ASCII character 0x39 (decimal 57).
    char xorKey = '9';

    // calculate length of input string
    size_t len = strlen(inpString);

    // perform XOR operation of key
    // with every character in string
    for (size_t i = 0; i < len; i++)
    {
        inpString[i] = inpString[i] ^ xorKey;
    }
}

int main()
{
    // Obfuscated form of "Rio_Asmara": only these bytes appear in the
    // binary; the plaintext exists only in memory after decoding.
    char sampleString[] = "kPVfxJTXKX";
    encryptDecrypt(sampleString);
    // Print through a format string; printf(sampleString) would treat
    // the decoded data itself as the format string.
    printf("%s\n", sampleString);
    return 0;
}

The code above XORs each character of sampleString (kPVfxJTXKX) with the key '9', which is ASCII 0x39 (decimal 57, not decimal 9: 'k' 0x6B XOR 0x39 gives 0x52, 'R'). The expected result is Rio_Asmara. Because XOR is its own inverse, passing the plaintext through the same function gives the obfuscated form back. One caveat with this strlen-based loop: if any plaintext byte equals the key, it encodes to 0x00, which terminates the C string early, so real implementations usually carry the length explicitly instead of relying on the terminator.

Let's see how the encryptDecrypt function looks in assembly. The binary was compiled with debugging symbols.

The pattern of an XOR loop will almost always look like the one above. So let's do some static analysis of the code. Below is the XOR function after static analysis, annotated to help with further analysis. Focus on the yellow highlighted instructions and compare them with the original, unannotated assembly above.

You can use the annotated code above as a template for reversing a single-key XOR routine. The details will differ slightly, but the core of the operation (load a byte, XOR it with a constant, store it back, loop until the length is reached) is similar from one malware family to another.
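The following is an added example, not code from the post, covering both the C routine above and the reversing discussion. It reimplements the single-byte XOR with an explicit length (so a 0x00 byte cannot truncate the buffer), and adds the brute force an analyst runs against a blob like kPVfxJTXKX when the key is not obvious from the disassembly: try all 256 keys, discard any that produce non-printable output, and rank the rest by a rough English letter-frequency score. The weight table and the helper names (xor_single_key, decode_matches, count_printable_keys, recover_xor_key) are my own assumptions; the input blob is the post's obfuscated literal.

```c
#include <stdio.h>
#include <string.h>

/*
 * Single-byte XOR, as in the post's encryptDecrypt(): XOR is its own
 * inverse, so one routine both obfuscates and recovers the string.
 * Takes an explicit length instead of calling strlen(), so a 0x00 byte
 * produced when a plaintext byte equals the key does not cut the buffer short.
 */
static void xor_single_key(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Decode the C string obf with key and compare to expected; 1 on match. */
static int decode_matches(const char *obf, unsigned char key, const char *expected)
{
    unsigned char tmp[64];
    size_t len = strlen(obf);
    if (len >= sizeof tmp)
        return 0;
    memcpy(tmp, obf, len);
    tmp[len] = '\0';
    xor_single_key(tmp, len, key);
    return strcmp((const char *)tmp, expected) == 0;
}

/* Assumed table: rough English letter frequencies (percent x10), a..z. */
static const int kEnglishWeight[26] = {
    82, 15, 28, 43, 127, 22, 20, 61, 70, 2, 8, 40, 24,
    67, 75, 19, 1, 60, 63, 91, 28, 10, 24, 2, 20, 1
};

/* Score a candidate plaintext: -1 if any byte is not printable ASCII,
 * otherwise the sum of letter weights (a space counts like a common letter). */
static int english_score(const unsigned char *buf, size_t len)
{
    int score = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c < 0x20 || c > 0x7E)
            return -1;
        if (c >= 'A' && c <= 'Z')
            score += kEnglishWeight[c - 'A'];
        else if (c >= 'a' && c <= 'z')
            score += kEnglishWeight[c - 'a'];
        else if (c == ' ')
            score += 130;
    }
    return score;
}

/* How many of the 256 keys turn obf into entirely printable ASCII. */
static int count_printable_keys(const unsigned char *obf, size_t len)
{
    unsigned char tmp[64];
    int n = 0;
    if (len > sizeof tmp)
        return -1;
    for (int key = 0; key < 256; key++) {
        memcpy(tmp, obf, len);
        xor_single_key(tmp, len, (unsigned char)key);
        if (english_score(tmp, len) >= 0)
            n++;
    }
    return n;
}

/* Brute-force all 256 keys and return the one with the best English score,
 * or -1 if no key yields printable output. */
static int recover_xor_key(const unsigned char *obf, size_t len)
{
    unsigned char tmp[64];
    int best_key = -1, best_score = -1;
    if (len > sizeof tmp)
        return -1;
    for (int key = 0; key < 256; key++) {
        memcpy(tmp, obf, len);
        xor_single_key(tmp, len, (unsigned char)key);
        int s = english_score(tmp, len);
        if (s > best_score) {
            best_score = s;
            best_key = key;
        }
    }
    return best_key;
}

int main(void)
{
    /* Constructed input: the obfuscated literal from the post. */
    unsigned char blob[] = "kPVfxJTXKX";
    size_t len = sizeof blob - 1;

    printf("printable candidates: %d of 256\n", count_printable_keys(blob, len));
    int key = recover_xor_key(blob, len);
    printf("best key: 0x%02x ('%c')\n", key, key);
    xor_single_key(blob, len, (unsigned char)key);
    printf("decoded: %s\n", blob);
    return 0;
}
```

For this ten-byte string, 55 of the 256 keys give all-printable output (including key 0x00, since the blob happens to consist only of letters), so filtering on printability alone is not enough; the frequency score picks 0x39 ('9'). The margin shrinks as strings get shorter, so treat the top few candidates as hypotheses to confirm against the XOR constant in the disassembly rather than as a definitive answer.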
