Created by Alexander Hanel last modified 2016-08-02

pe_brute_xor.py

      '''
    Author: 
        Alexander Hanel
    Name: 
        pe_brute_xor.py
    Purpose:
        - POC that searches for n-grams and uses them as the XOR key.  
        - Portable executables can contain a lot of padding because of 
        section alignment. 
        - When the padding is XORed it will imprint the XOR key.
        - For example the following hex shows some padding (not caused by section 
        alignment).

00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 f8 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
        
        - The data was XORed with a key of J7QkcaYItXEsuDzUfhfmpUHx3k3Y0aHL. 
        - Remnants of the XOR key can be seen in the padding starting at 0x30.
        
00000000  07 6d c1 6b 60 61 59 49  70 58 45 73 8a bb 7a 55  |.m.k`aYIpXEs..zU|
00000010  de 68 66 6d 70 55 48 78  73 6b 33 59 30 61 48 4c  |.hfmpUHxsk3Y0aHL|
00000020  4a 37 51 6b 63 61 59 49  74 58 45 73 75 44 7a 55  |J7QkcaYItXEsuDzU|
00000030  66 68 66 6d 70 55 48 78  33 6b 33 59 c8 61 48 4c  |fhfmpUHx3k3Y.aHL|
00000040  44 28 eb 65 63 d5 50 84  55 e0 44 3f b8 65 2e 3d  |D(.ec.P.U.D?.e.=|
        
        - By searching the most common occuring n-grams the XOR key can be predicited. 
        - 9u8jreve is an encoded Locky payload. 
        
word@up:~/Downloads$ python pe_brute_xor.py 9u8jreve 
Length: 32, Count: 253 Key: J7QkcaYItXEsuDzUfhfmpUHx3k3Y0aHL File Name: 0.bin

'''
import sys
import pefile
import re
from collections import Counter
from itertools import cycle


def xor_mb(message, key):
    '''Multi-byte XOR of a string message and string key'''
    return''.join(chr(ord(m_byte)^ord(k_byte)) for m_byte,k_byte in zip(message, cycle(key)))

def pe_carv(data):
    '''carve out executable using pefile's trim'''
    c = 1
    for offset in [temp.start() for temp in re.finditer('\x4d\x5a',data)]:
        # slice out executable 
        temp_buff = data[offset:]
        try:
            pe = pefile.PE(data=temp_buff)
        except:
            continue
        return pe.trim()
    return None

def run():
    data = open(sys.argv[1],'rb').read()
    c = 0
    used_key = ""
    # source http://stackoverflow.com/a/25071991
    # most common XOR key sizes
    for n in [2,4,8,16,32,64,128,256,512]:
        substr_counter = Counter(data[i: i+n] for i in range(len(data) - n))
        # get top 32 most common
        sub_count = substr_counter.most_common(32)
        for temp in sub_count:
            key, count = temp
            if count == 1:
                    break
            temp = xor_mb(data, key)
            pe_c = pe_carv(temp)
            if pe_c:
                print "Length: %s, Count: %s Key: %s File Name: %s.bin" % (len(key), count, key, str(c))
                f = open(str(c) + ".bin", "wb")
                fk = open( "key-" + str(c) + ".bin", "wb")
                f.write(temp)
                fk.write(key)
                f.close()
                fk.close()
                c +=1
                # comment out if you want to see all the keys. 
                # It will match the same key but of different sizes. 
                return
                

run()

    

Comments (1)

Linda Melson

goodreads.com/user/show/177488397-editsiz-serverler twitch.tv/editsizserverler behance.net/editsizserverl instapaper.com/p/14184805 coub.com/metin2-pvpserverler myanimelist.net/profile/editsizserverler worldcosplay.net/member/1754620 onmogul.com/editsiz-serverler metin2pvpserverler.hashnode.dev/metin2-pvp-serverler gaiaonline.com/profiles/editsizserverler/46656672/ leetcode.com/editsizserverler/ coolors.co/u/editsiz_serverler unsplash.com/@editsizserverler metin2-pvp-serverler.jimdosite.com/ zazzle.com/mbr/238039878416461152 brownbook.net/business/52637466/metin2-pvp-serverler community.tubebuddy.com/index.php?members/205346/#about reedsy.com/discovery/user/editsizserverler hackerearth.com/@editsizserverlerorg wakelet.com/wake/7OIcdWsbjqXHh82vRa9ZZ peatix.com/user/21877725/view penzu.com/public/eef09aac2dcbfc71 experiment.com/users/eeditsizserverler pearltrees.com/editsizserverler wefunder.com/editsizserverler imageevent.com/editsizserverler ourclass.mn.co/members/23696284 friendtalk.mn.co/members/23696354 slides.com/editsizserverler roosterteeth.com/g/user/EditsizServerler/activity opencollective.com/editsiz-serverler pastelink.net/erd7vohi fairygodboss.com/users/profile/48WIpe-gxe/editsizserverler codingame.com/profile/e076eaf315403d3ed090624d8cdccc234708506 jigsawplanet.com/editsizserverler?viewas=3d85ff6a3ee9 jsfiddle.net/editsizserverler/x0sorwL5/6/ jsfiddle.net/editsizserverler/x0sorwL5/7/ jsfiddle.net/editsizserverler/x0sorwL5/8/ jsfiddle.net/editsizserverler/x0sorwL5/9/ jsfiddle.net/editsizserverler/x0sorwL5/10/ jsfiddle.net/editsizserverler/x0sorwL5/11/ jsfiddle.net/editsizserverler/x0sorwL5/12/ jsfiddle.net/editsizserverler/x0sorwL5/13/ jsfiddle.net/editsizserverler/x0sorwL5/14/ jsfiddle.net/editsizserverler/x0sorwL5/15/ jsfiddle.net/editsizserverler/x0sorwL5/16/ jsfiddle.net/editsizserverler/x0sorwL5/17/ jsfiddle.net/editsizserverler/x0sorwL5/18/ jsfiddle.net/editsizserverler/x0sorwL5/19/ jsfiddle.net/editsizserverler/x0sorwL5/20/ jsfiddle.net/editsizserverler/x0sorwL5/21/ jsfiddle.net/editsizserverler/x0sorwL5/22/ jsfiddle.net/editsizserverler/x0sorwL5/23/ jsfiddle.net/editsizserverler/x0sorwL5/24/ jsfiddle.net/editsizserverler/x0sorwL5/25/ jsfiddle.net/editsizserverler/x0sorwL5/26/ jsfiddle.net/editsizserverler/x0sorwL5/27/ jsfiddle.net/editsizserverler/x0sorwL5/28/ jsfiddle.net/editsizserverler/x0sorwL5/29/ jsfiddle.net/editsizserverler/x0sorwL5/30/ jsfiddle.net/editsizserverler/x0sorwL5/31/ jsfiddle.net/editsizserverler/x0sorwL5/32/ jsfiddle.net/editsizserverler/x0sorwL5/33/ jsfiddle.net/editsizserverler/x0sorwL5/34/ jsfiddle.net/editsizserverler/x0sorwL5/35/ jsfiddle.net/editsizserverler/x0sorwL5/36/ jsfiddle.net/editsizserverler/x0sorwL5/37/ jsfiddle.net/editsizserverler/x0sorwL5/38/ jsfiddle.net/editsizserverler/x0sorwL5/39/ jsfiddle.net/editsizserverler/x0sorwL5/40/ jsfiddle.net/editsizserverler/x0sorwL5/41/ jsfiddle.net/editsizserverler/x0sorwL5/42/ jsfiddle.net/editsizserverler/x0sorwL5/43/ jsfiddle.net/editsizserverler/x0sorwL5/44/ jsfiddle.net/editsizserverler/x0sorwL5/45/ jsfiddle.net/editsizserverler/x0sorwL5/46/ jsfiddle.net/editsizserverler/x0sorwL5/47/ jsfiddle.net/editsizserverler/x0sorwL5/48/ jsfiddle.net/editsizserverler/x0sorwL5/49/ jsfiddle.net/editsizserverler/x0sorwL5/50/ jsfiddle.net/editsizserverler/x0sorwL5/51/ jsfiddle.net/editsizserverler/x0sorwL5/52/ jsfiddle.net/editsizserverler/x0sorwL5/53/ jsfiddle.net/editsizserverler/x0sorwL5/54/ jsfiddle.net/editsizserverler/x0sorwL5/55/ jsfiddle.net/editsizserverler/x0sorwL5/56/ jsfiddle.net/editsizserverler/x0sorwL5/57/ jsfiddle.net/editsizserverler/x0sorwL5/58/ jsfiddle.net/editsizserverler/x0sorwL5/59/ jsfiddle.net/editsizserverler/x0sorwL5/60/ jsfiddle.net/editsizserverler/x0sorwL5/61/ jsfiddle.net/editsizserverler/x0sorwL5/62/ jsfiddle.net/editsizserverler/x0sorwL5/63/ jsfiddle.net/editsizserverler/x0sorwL5/64/ jsfiddle.net/editsizserverler/x0sorwL5/65/ jsfiddle.net/editsizserverler/x0sorwL5/66/ jsfiddle.net/editsizserverler/x0sorwL5/67/ jsfiddle.net/editsizserverler/x0sorwL5/68/ jsfiddle.net/editsizserverler/x0sorwL5/69/ jsfiddle.net/editsizserverler/x0sorwL5/70/ jsfiddle.net/editsizserverler/x0sorwL5/71/ jsfiddle.net/editsizserverler/x0sorwL5/72/ jsfiddle.net/editsizserverler/x0sorwL5/73/ jsfiddle.net/editsizserverler/x0sorwL5/74/ jsfiddle.net/editsizserverler/x0sorwL5/75/ jsfiddle.net/editsizserverler/x0sorwL5/76/ jsfiddle.net/editsizserverler/x0sorwL5/77/ jsfiddle.net/editsizserverler/x0sorwL5/78/ jsfiddle.net/editsizserverler/x0sorwL5/79/ jsfiddle.net/editsizserverler/x0sorwL5/80/ jsfiddle.net/editsizserverler/x0sorwL5/81/ jsfiddle.net/editsizserverler/x0sorwL5/82/ jsfiddle.net/editsizserverler/x0sorwL5/83/ jsfiddle.net/editsizserverler/x0sorwL5/84/ jsfiddle.net/editsizserverler/x0sorwL5/85/ jsfiddle.net/editsizserverler/x0sorwL5/86/ jsfiddle.net/editsizserverler/x0sorwL5/87/ jsfiddle.net/editsizserverler/x0sorwL5/88/ jsfiddle.net/editsizserverler/x0sorwL5/89/ jsfiddle.net/editsizserverler/x0sorwL5/90/ jsfiddle.net/editsizserverler/x0sorwL5/91/ jsfiddle.net/editsizserverler/x0sorwL5/92/ jsfiddle.net/editsizserverler/x0sorwL5/93/ jsfiddle.net/editsizserverler/x0sorwL5/94/ jsfiddle.net/editsizserverler/x0sorwL5/95/ jsfiddle.net/editsizserverler/x0sorwL5/96/ jsfiddle.net/editsizserverler/x0sorwL5/97/ jsfiddle.net/editsizserverler/x0sorwL5/98/ jsfiddle.net/editsizserverler/x0sorwL5/99/ jsfiddle.net/editsizserverler/x0sorwL5/100/ intensedebate.com/people/johnhenry2233 pxhere.com/en/photographer-me/4238660 longisland.com/profile/editsizserverler/ metin2-pvp-serverler.webflow.io/ anyflip.com/homepage/gwyra/preview pinshape.com/users/4109032-editsizserverlerorg allmyfaves.com/editsizserverler pexels.com/tr-tr/@editsiz-serverler-1225707393/ slideserve.com/editsizserverler archive.org/details/@editsizserverler divephotoguide.com/user/editsizserverler/ metal-archives.com/users/editsizserverler band.us/band/94702101 camp-fire.jp/profile/editsizserverler subscribe.ru/author/31420877 my.desktopnexus.com/blogamca/journal/metin2-pvp-serverler-49878/ replit.com/@editsizserverle fliphtml5.com/tr/homepage/pspuy/editsizserverlerorg/ free-ebooks.net/profile/1562629/editsiz-serverler qooh.me/editsizsrvl pubhtml5.com/homepage/exapj/ zzb.bz/Ib8s8 australian-school-holidays.mn.co/members/23780373 metin2pvpserverler.gallery.ru/ justpaste.it/eoa85 profile.hatena.ne.jp/editsizserverler/ indiegogo.com/individuals/37682987 taz.de/ list.ly/editsizserverlerorg/lists mypaper.pchome.com.tw/tomasvanek/post/1381781942 mypaper.pchome.com.tw/tomasvanek/post/1381781943 metin2pvpserverler.mystrikingly.com/ ted.com/profiles/46748800 play.eslgaming.com/player/20056929/ metin2pvpserverler.threadless.com/about knowyourmeme.com/users/editsiz-serverler active.popsugar.com/@editsizserverler/profile sitetanitimlari.seesaa.net/article/503120781.html sitetanitimlari.seesaa.net/article/502999078.html sitetanitimlari.seesaa.net/article/502585593.html sitetanitimlari.seesaa.net/article/502585551.html sitetanitimlari.seesaa.net/article/502585519.html sitetanitimlari.seesaa.net/article/502585492.html sitetanitimlari.seesaa.net/article/502585455.html sitetanitimlari.seesaa.net/article/498056830.html filmizle2018.blog.fc2.com/blog-entry-21.html filmizle2018.blog.fc2.com/blog-entry-26.html filmizle2018.blog.fc2.com/blog-entry-31.html ameblo.jp/sitetanitimlari/entry-12787859138.html connect.garmin.com/modern/profile/97fe48da-7177-4ae0-bf0e-34fbe1334538 reddit.com/user/uflee/ agario.buzzsprout.com/2066066/14949093-metin2 linkedin.com/posts/okeyoyna_metin2-ejderhalar-merhaba-metin2-oyununa-activity-7171861395326582784-UlrI/ linkedin.com/pulse/metin2-pvp-serverler-listeleri-okey-oyna-jyhpf/ blogger.com/profile/15166393869257970818 draft.blogger.com/profile/15166393869257970818 instagram.com/realokey/ blogger.com/profile/05227574979353865473 draft.blogger.com/profile/05227574979353865473 tumblr.com/onlineokey twitter.com/mt2org twitch.tv/okeyoynaa pinterest.com/a99io/ google.com/url?q=https://www.okeyoyna.com vimeo.com/846733433 wordpress.com/tr/forums/topic/metin2-pvp-tanirim-scpriti/ dailymotion.com/video/x8e47pq gravatar.com/realokey grepo.travelcarma.com/okeyoyna/okey-oyna beatstars.com/zaferozkel okeyoyunu.mystrikingly.com/ gamblingtherapy.org/user/okeyoyna public.tableau.com/app/profile/okey.oyna/vizzes okeyoyna.amebaownd.com/posts/53051499 wefunder.com/okey sovren.media/u/okeyoyna/ lazi.vn/user/okeyoyna gravatar.com/realokey soundcloud.com/okey-oyna okey-oyna.webflow.io/ guides.co/g/okey-oyna/372469 flickr.com/people/200607646@N08/ my.desktopnexus.com/realokey giantbomb.com/profile/okeyoyna/ giantbomb.com/profile/okeyoyna/blog/ encinitas.bubblelife.com/community/okey_oyna sites.bubblelife.com/users/okeyoynacom_a31336 fanart-central.net/user/okeyoyna/profile klse.i3investor.com/web/cube/blog/okeyoyna globalcatalog.com/okeyoyna.tr articlesjust4you.com/members/okeyoyna/ issuu.com/realokey audiomack.com/okeyoynacom/song/dj-okey-oyna-dii-kartal audiomack.com/okeyoynacom gitlab.nic.cz/okeyoyna ameblo.jp/okeyoyna/entry-12849563639.html ameblo.jp/okeyoyna/ profile.ameba.jp/ameba/okeyoyna nintendo-master.com/profil/okeyoyna band.us/band/94698085 pastelink.net/192agg8x pastelink.net/sxqkqqcx pastelink.net/do4ziud7 pastelink.net/9ebiqvd9 pastelink.net/urv9w3xn agario.buzzsprout.com/2066066/14949093-metin2 reverbnation.com/okeyoynacom disqus.com/by/efehanzkel/about/ hub.docker.com/u/okeyoyna tinhte.vn/members/okey-oyna.3017475/ openhumans.net/member/okeyoyna/ research.openhumans.org/member/okeyoyna/ openhumans.com/member/okeyoyna/ portfolium.com/okeyoyna anobii.com/en/0152c9fb8c9e13a07a/profile/activity gitlab.ifam.edu.br/okeyoyna peatix.com/group/16198815 peatix.com/user/21949084/view rapidapi.com/okeyoynacom/api/demo-project85460/details zillow.com/profile/okeyoynacom/ pinterest.com/a99io/ pinterest.ph/a99io/ pinterest.com/a99io/ pinterest.com.mx/a99io/ pinterest.it/a99io/ pinterest.fr/a99io/ pinterest.ca/a99io/ pinterest.jp/a99io/ pinterest.co.uk/a99io/ pinterest.de/a99io/ pinterest.es/a99io/ se.pinterest.com/a99io/ tr.pinterest.com/a99io/ ru.pinterest.com/a99io/ id.pinterest.com/a99io/ cs.pinterest.com/a99io/ es.pinterest.com/a99io/ pl.pinterest.com/a99io/ pt.pinterest.com/a99io/ br.pinterest.com/a99io/ co.pinterest.com/a99io/ nl.pinterest.com/a99io/ se.pinterest.com/a99io/ at.pinterest.com/a99io/ dk.pinterest.com/a99io/ in.pinterest.com/a99io/ ro.pinterest.com/a99io/ sk.pinterest.com/a99io/ fi.pinterest.com/a99io/ ar.pinterest.com/a99io/ freelance.habr.com/freelancers/okeyoyna 500px.com/p/okeyoyna?view=photos
- 2024-05-02T17:02:45+00:00

HTTPS

SSH

You can clone a snippet to your computer for local editing. Learn more.