Single-Byte Xor Decode Web App

Last month I blogged about detecting the XOR key without reversing the encoder. I have since been learning NodeJS and AngularJS. This led me to write a client-side web application that can take the output of shellcode opened in Hex Fiend and perform an XOR collusion attack against it.

I ported the web app to Heroku.

The app shows the versatility of collusion. Shellcode is entered for analysis. The analysis normalizes the content and then compares the result to like-normalized shellcode terms. These terms include the more common urlmon and Svr32 assembly operations.

Xor Decode App on Heroku

When a term is detected, the results include the XOR key used and the offset at which the term occurred. This is a subset of the terms that would be used as a labeling library to analyze shellcode quickly.
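To make the normalize-and-compare step concrete, here is an added example; it is not the web app's own code. It assumes that normalizing means XORing each byte with its neighbour, which cancels a single-byte key; the function names, the term list and the sample hex are constructed for illustration.

```javascript
// Added example: key-independent term search in single-byte XOR-encoded data.
// Assumption: "normalize" = XOR of adjacent bytes, because
// (p[i]^k) ^ (p[i+1]^k) = p[i] ^ p[i+1], so the key k drops out.

// Parse a hex dump (spaces and newlines allowed) into an array of byte values.
function hexToBytes(hex) {
  const clean = hex.replace(/[^0-9a-fA-F]/g, "");
  if (clean.length % 2 !== 0) throw new Error("odd number of hex digits");
  const out = [];
  for (let i = 0; i < clean.length; i += 2) out.push(parseInt(clean.slice(i, i + 2), 16));
  return out;
}

// Adjacent-byte XOR differences; the result is one element shorter than the input.
function normalize(bytes) {
  const out = [];
  for (let i = 0; i + 1 < bytes.length; i++) out.push(bytes[i] ^ bytes[i + 1]);
  return out;
}

// Return {term, key, offset} for every place a normalized term matches the input.
function findTerms(hex, terms) {
  const data = hexToBytes(hex);
  const normData = normalize(data);
  const hits = [];
  for (const term of terms) {
    const plain = Array.from(term, (ch) => ch.charCodeAt(0));
    if (plain.length < 2) continue; // a one-byte term has no differences to match
    const normTerm = normalize(plain);
    for (let off = 0; off + normTerm.length <= normData.length; off++) {
      if (normTerm.every((b, j) => b === normData[off + j])) {
        // The key falls out of any aligned ciphertext/plaintext byte pair.
        hits.push({ term, key: data[off] ^ plain[0], offset: off });
      }
    }
  }
  return hits;
}

// Constructed sample: four filler bytes, then "urlmon" and a NUL, all XORed with 0x5A.
const sampleHex = "ca ca b1 5c 2f 28 36 37 35 34 5a";
// Constructed term list; "urlmon" is the term named in the post.
const sampleTerms = ["urlmon", "regsvr32"];
console.log(findTerms(sampleHex, sampleTerms));
```

Short terms produce more chance matches because only length minus one differences are compared, so a labeling library benefits from longer strings.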

Here is a small video tutorial of the site.
