XORSearch

XORSearch is a program to search for a given string in an XOR or ROL encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has it bytes rotated by a certain number of bits (the key). XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs. XORSearch will try all XOR keys (0 to 255) and ROL keys (1 to 7) when searching. I programmed XORSearch to include key 0, because this allows to search in an unencoded binary file (X XOR 0 equals X). If the search string is found, XORSearch will print it until the 0 (byte zero) is encountered or until 50 characters have been printed, which ever comes first. 50 is the default value, it can be changed with option -l. Unprintable characters are replaced by a dot. WWW: http://blog.didierstevens.com/programs/xorsearch/ Author: Didier Stevens
svn path=/head/; revision=203947
2024-11-20 00:21:35 +00:00 · 2007-12-17 20:33:59 +00:00 · 2007-12-17 20:33:59 +00:00 · 4ed8e97ed0 · 2021-03-31 03:12:20 +00:00
commit 4ed8e97ed0
parent 5c3719104a
5 changed files with 61 additions and 0 deletions
--- a/security/Makefile
+++ b/security/Makefile
@ -771,6 +771,7 @@
    SUBDIR += xinetd
    SUBDIR += xmlsec
    SUBDIR += xmlsec1
+    SUBDIR += xorsearch
    SUBDIR += xspy
    SUBDIR += xyssl
    SUBDIR += yafic
--- a/security/xorsearch/Makefile
+++ b/security/xorsearch/Makefile
@ -0,0 +1,28 @@
+# New ports collection makefile for:	xorsearch
+# Date created:				18 December 2007
+# Whom:				Edwin Groothuis <edwin@mavetju.org>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	xorsearch
+PORTVERSION=	1.2.0
+CATEGORIES=	security textproc
+MASTER_SITES=	http://www.didierstevens.com/files/software/
+DISTNAME=	XORSearch_V1_2_0
+
+MAINTAINER=	edwin@mavetju.org
+COMMENT=	Search for a given string in an XOR or ROL encoded binary file
+
+USE_ZIP=	yes
+WRKSRC=		${WRKDIR}
+
+PLIST_FILES=	bin/xorsearch
+
+do-build:
+	${CC} -o ${WRKDIR}/XORSearch ${WRKDIR}/XORSearch.c
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKDIR}/XORSearch ${PREFIX}/bin/xorsearch
+
+.include <bsd.port.mk>
--- a/security/xorsearch/distinfo
+++ b/security/xorsearch/distinfo
@ -0,0 +1,3 @@
+MD5 (XORSearch_V1_2_0.zip) = f4aecc366048aa429a1fe1e6ea220c8e
+SHA256 (XORSearch_V1_2_0.zip) = 04aaceed17afa98283110bde49b6a72988bce0e2328575f37253db3958e03ad2
+SIZE (XORSearch_V1_2_0.zip) = 35772
--- a/security/xorsearch/files/patch-XORSearch.c
+++ b/security/xorsearch/files/patch-XORSearch.c
@ -0,0 +1,10 @@
+--- XORSearch.c.orig	Tue Dec 18 07:27:32 2007
+++ XORSearch.c	Tue Dec 18 07:27:38 2007
+@@ -20,7 +20,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/stat.h>
+-#include <malloc.h>
+ #include <string.h>
+ #include <ctype.h>
+ #include <limits.h>
--- a/security/xorsearch/pkg-descr
+++ b/security/xorsearch/pkg-descr
@ -0,0 +1,19 @@
+XORSearch is a program to search for a given string in an XOR or
+ROL encoded binary file. An XOR encoded binary file is a file where
+some (or all) bytes have been XORed with a constant value (the key).
+A ROL (or ROR) encoded file has it bytes rotated by a certain number
+of bits (the key). XOR and ROL/ROR encoding is used by malware
+programmers to obfuscate strings like URLs.
+
+XORSearch will try all XOR keys (0 to 255) and ROL keys (1 to 7)
+when searching. I programmed XORSearch to include key 0, because
+this allows to search in an unencoded binary file (X XOR 0 equals
+X).
+
+If the search string is found, XORSearch will print it until the 0
+(byte zero) is encountered or until 50 characters have been printed,
+which ever comes first. 50 is the default value, it can be changed
+with option -l. Unprintable characters are replaced by a dot.
+
+WWW: http://blog.didierstevens.com/programs/xorsearch/
+Author: Didier Stevens