# XORSearch
# Search for XOR/ROL/ROT/SHIFT-encoded patterns including shellcode signatures
# FOR610 Labs: 3.5, 5.2 | Sections: 3, 5 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation

% xor, shellcode-detection, pattern-search, didier-stevens

# Basic usage
XORSearch -W -d 3 file.bin

# Select specific item
XORSearch -i -s specimen.exe http:


# --- Recipes (multi-tool chains) ---

# >> Extract Shellcode from RTF Document
# Scan RTF structure — look for groups with lots of hex data
rtfdump.py <document.rtf>
# Extract the hex-heavy group as binary
rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin
# Scan for shellcode patterns (even XOR-encoded)
XORSearch -W -d 3 extracted.bin
# Emulate shellcode at found offset
scdbgc /f extracted.bin /foff <offset> /s -1

# >> Brute-Force XOR Key
# Quick check for XOR-encoded URLs/PE headers
XORSearch <file> http:
# Brute-force single-byte XOR keys
brxor.py <file>
# Try XOR, ROL, ADD combinations
bbcrack -l 1 <file>
# Guess multi-byte XOR key length and value
xortool <file>
# Decode with known key
xortool-xor -s '<key>' -i <encoded> -o <decoded>