Skip to Content
Learning Malware Analysis
book

Learning Malware Analysis

by Monnappa K A
June 2018
Beginner
510 pages
13h 7m
English
Packt Publishing
Content preview from Learning Malware Analysis

1.3.3 NULL Ignoring XOR Encoding

In XOR encoding, when a null byte (0x00) is XORed with a key, you get back the key as shown here:

>>> ch = 0x00>>> key = 4>>> ch ^ key4

What this means is that whenever a buffer containing a large number of null bytes is encoded, the single byte xor key becomes clearly visible. In the following example, the plaintext variable is assigned a string containing three null bytes at the end, which is encrypted with a key 0x4b  (character K), and the encrypted output is printed both in hex string format and text format. Note how the three null bytes in plaintext variable are translated to XOR key values 0x4b 0x4b 0x4b or (KKK) in the encrypted content. This property of XOR makes it easy to spot the key if the null ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Start your free trial

You might also like

Practical Malware Analysis

Practical Malware Analysis

Michael Sikorski, Andrew Honig
Malware Analysis Techniques
Mastering Malware Analysis

Mastering Malware Analysis

Alexey Kleymenov, Amr Thabet
Evasive Malware

Evasive Malware

Kyle Cucci

Publisher Resources

ISBN: 9781788392501Other