Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

data/generated/cheatsheets/xorsearch.cheat

@@ -0,0 +1,37 @@
+# XORSearch
+# Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures
+# FOR610 Labs: 3.5, 5.2 | Sections: 3, 5 | Author: Didier Stevens
+# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
+
+% xor, shellcode-detection, pattern-search, didier-stevens
+
+# Basic usage
+XORSearch -W -d 3 file.bin
+
+# Select specific item
+XORSearch -i -s specimen.exe http:
+
+
+# --- Recipes (multi-tool chains) ---
+
+# >> Extract Shellcode from RTF Document
+# Scan RTF structure — look for groups with lots of hex data
+rtfdump.py <document.rtf>
+# Extract the hex-heavy group as binary
+rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
+# Scan for shellcode patterns (even XOR-encoded)
+XORSearch -W -d 3 extracted.bin
+# Emulate shellcode at found offset
+scdbgc /f extracted.bin /foff <offset> /s -1
+
+# >> Brute-Force XOR Key
+# Quick check for XOR-encoded URLs/PE headers
+XORSearch <file> http:
+# Brute-force single-byte XOR keys
+brxor.py <file>
+# Try XOR, ROL, ADD combinations
+bbcrack -l 1 <file>
+# Guess multi-byte XOR key length and value
+xortool <file>
+# Decode with known key
+xortool-xor -s '<key>' -i <encoded> -o <decoded>