NoMoreXOR

From aldeid
DRAFT
This page is still a draft. Thank you for your understanding.

Description

Tool by Glenn P. Edwards Jr. to help guess a file's 256-byte XOR key by using frequency analysis.

Installation

NoMoreXOR

$ cd /data/src/
$ wget https://raw.github.com/hiddenillusion/NoMoreXOR/master/NoMoreXOR.py
$ chmod +x NoMoreXOR.py

Yara file

NoMoreXOR relies on Yara signatures to determine whether a candidate key value worked: if the decoded content matches one of the signatures in your Yara file, the key was probably guessed correctly. In that case, the tool deobfuscates the corresponding content and extracts it from the original file.

You can either create your own Yara file or use the one by Michael Hale:

$ wget https://malwarecookbook.googlecode.com/svn/trunk/3/5/capabilities.yara
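The two ideas above (a frequency-analysis guess of a 256-byte repeating key, then a signature match on the decoded bytes to confirm it) as an added illustration that is not NoMoreXOR's own code. It assumes the plaintext is dominated by 0x00 padding, as most binaries are, and uses a short list of plaintext markers as a stand-in for the YARA scan; the sample file and key are constructed here.

```python
from collections import Counter

KEY_LEN = 256  # NoMoreXOR targets keys that repeat every 256 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call undoes the encoding)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_xor_key(data: bytes, key_len: int = KEY_LEN, expected: int = 0x00) -> bytes:
    """Frequency analysis: bytes at the same offset modulo key_len share one
    key byte, so the most frequent ciphertext byte in that column is assumed
    to be `expected` (0x00, the most common byte in padded binaries) XOR key."""
    key = bytearray(key_len)
    for off in range(key_len):
        column = data[off::key_len]
        if not column:               # file shorter than one key period
            break
        top_byte, _ = Counter(column).most_common(1)[0]
        key[off] = top_byte ^ expected
    return bytes(key)


# Stand-in for the YARA scan: plaintext markers a decoded PE would carry.
MARKERS = (b"This program cannot be run in DOS mode", b"kernel32.dll")


def looks_decoded(plain: bytes) -> bool:
    return any(m in plain for m in MARKERS)


# Constructed sample "file": a PE-like header followed by zero padding,
# encoded with a constructed 256-byte key (assumption: padding dominates).
SAMPLE_KEY = bytes((i * 73 + 11) & 0xFF for i in range(KEY_LEN))
SAMPLE_PLAIN = (b"MZ" + b"\x90" * 62
                + b"This program cannot be run in DOS mode.\r\n"
                + b"kernel32.dll\x00" + b"\x00" * 4096)
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def recover(data: bytes):
    """Guess the key, decode, and report whether the markers confirm it."""
    key = guess_xor_key(data)
    plain = xor_bytes(data, key)
    return key, plain, looks_decoded(plain)


if __name__ == "__main__":
    key, plain, ok = recover(SAMPLE_ENCODED)
    print("key recovered:", key == SAMPLE_KEY, "markers found:", ok)
```

Only the signature check tells you the guess is right; if the markers are absent, the column statistics were misled and a different `expected` byte (or a real YARA rule set) is needed.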

Usage

Syntax

Usage: NoMoreXOR.py [-h] [-a] [-c] [-xor key] [-g] [-o outfile] [-y YARARULES] Path

Options

-h, --help
show this help message and exit
-a, --analyze
Auto analyze the specified file by looking for all possible XOR keys then apply each of them & scan with YARA to try and determine if it's the correct XOR key (requires an output file)
-c, --convert
Convert the input file to a hex_file (requires an output file)
-xor <key>
XOR the file with the supplied XOR key (requires an output file)
-g, --guess
Print out information from the hex_file including most common characters and possible SHA256 keys
-o <outfile>, --out <outfile>
Name of output file to create
-y <YARARULES>, --yararules <YARARULES>
Path to YARA rules to be used during auto analysis if different than what's hardcoded

Example

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.