Obfuscation Part 2: XOR

00:00

Okay, so let's continue our discussion about obfuscation and learn about X or

00:06

another cipher that is similar to the Caesar cipher is X or

00:10

extra is a mathematical bit wise operation. And this means that in this case, instead of using a shift of letters like our Caesar cipher, we are using X or to modify bits.

00:21

Now the extra operation works by evaluating the operations of two sequences of bites and producing a third sequence

00:28

in third sequence. If both operations are the same, the result is zero.

00:33

Otherwise, the result is one

00:36

X or encoding works on this same principle by taking a static byte value and modifying each bite of the plain text by performing the mathematical operation with that value.

00:48

For instance, here we have the plain text message dog.

00:52

This message is encoded with a single X or bite of three F.

00:57

Here you can see the asking characters as well as their hex and binary equivalent on the top.

01:03

Then the X or operation is performed on each character using the bite three F.

01:07

The corresponding cipher text is displayed on the bottom after the operation is performed.

01:12

In this example, you can see that the cipher text contains characters outside of the simple character set of our Caesar cipher.

01:21

Instead, we can use any value of are asking table that we've seen in previous sessions

01:26

X or is implemented quite frequently because it's pretty simple, and it only requires one machine code to reverse it. To decode any cipher text encoded with X, or you simply repeat the function with the same key that you used to encode the plain text.

01:42

Although X or encoding has its advantages when it comes to speed efficiency, it does have its disadvantages. It's really easy to detect with a simple hex editor. Now here I've loaded a file in a tool I like to use. Called violence site. It's not only a hex editor, but also allows you to inspect P E sections as well as to run script right inside.

02:02

As you can see in the encoded file, you'll notice that the bites of the file have a very similar pattern. You could see that the X, or key, of 3/8 prevalent throughout the file.

02:13

This is because the X or scheme amusing is exploring no bites, thes air bites that have no value.

02:19

This demonstrates the weakness of a single by encoding. Despite this, however, malware authors have mitigated this issue by using a no preserving export scheme. This scheme looks for no bites within the file and simply skips them. And if the export scheme detects the key itself, it also skips the bite.

02:37

This makes X, or a little bit harder to detect.

02:39

Yeah,

02:40

because no preserving X or maybe harder to detect the question becomes, well, how do we analyze the files that have been encoded with thes schemes?

02:49

Well, because there's only 256 possible values for a character in a file, it's pretty easy to create a program that will try all of the possible 255 single by X or keys.

03:00

Luckily, there's a few tools out there that will do this for us that are used in the industry.

03:07

One of the most popular options is Zoar Search. This is a tool by DDR Stevens, which will use a brute forcing technique to determine the X, or key, used to encrypt the P E file.

03:20

Using this tool, you can look for a matching string like MZ or this program cannot be run in DOS mode in the decrypted content.

03:30

Another technique to identify X or encoding or X or including loops, is to load the binary in ida pro

03:38

here in our lab and using either pro, you can use the search functionality for all X or instructions

03:45

to perform this operation, load the binary and Ida pro and used the search menu and navigate to text.

03:53

Then you can enter X or in the search field and check the match all occurrences box in the results, you can see that it's very common to see X or operations. Where the operations are the same registers

04:04

thes air instructions used by the compiler to zero out the register value.

04:09

You can ignore these instructions, but to find the encoding you wanna look for X or operandi of a constant value or memory reference in our output, you wanna look for a reference similar to what we have here, where we are exploring three b by E a X.

04:26

Once you find the instruction you are interested in,

04:29

you can double click it, and it will bring you to that section of the program. As you can see this instruction is part of our X or encryption loop.