Xortool - A Tool To Analyze Multi-byte XOR Cipher


Xortool is a python tool that allows you to analyze multi-byte xor cipher and guess the xor key (based on count of equal chars) and the key length (base on knowledge of most frequent char).

Note:  Python3 is not supported, use python 2.x.

Usage:





xortool [-h|--help] [OPTIONS] [<filename>]

Options:

  -l,--key-length       length of the key (integer)


  -c,--char             most possible char (one char or hex code)


  -m,--max-keylen=32    maximum key length to probe (integer)


  -x,--hex              input is hex-encoded str


  -b,--brute-chars      brute-force all possible characters


  -o,--brute-printable  same as -b but will only use printable


                        characters for keys


Example:




# xor is xortool/xortool-xor

tests $ xor -f /bin/ls -s "secret_key" > binary_xored

tests $ xortool binary_xored

The most probable key lengths:

   2:   5.0%

   5:   8.7%

   8:   4.9%

  10:   15.4%

  12:   4.8%

  15:   8.5%

  18:   4.8%

  20:   15.1%

  25:   8.4%

  30:   14.9%

Key-length can be 5*n

Most possible char is needed to guess the key!



# 00 is the most frequent byte in binaries

tests $ xortool binary_xored -l 10 -c 00

...

1 possible key(s) of length 10:

secret_key



# decrypted ciphertexts are placed in ./xortool_out/Number_<key repr>

# ( have no better idea )

tests $ md5sum xortool_out/0_secret_key /bin/ls

29942e290876703169e1b614d0b4340a  xortool_out/0_secret_key

29942e290876703169e1b614d0b4340a  /bin/ls
The most common use is to pass just the encrypted file and the most frequent character (usually 00 for binaries and 20 for text files) - length will be automatically chosen:

tests $ xortool tool_xored -c 20

The most probable key lengths:

   2:   5.6%

   5:   7.8%

   8:   6.0%

  10:   11.7%

  12:   5.6%

  15:   7.6%

  20:   19.8%

  25:   7.8%

  28:   5.7%

  30:   11.4%

Key-length can be 5*n

1 possible key(s) of length 20:

an0ther s3cret \xdd key
Here, the key is longer than default 32 limit:
tests $ xortool ls_xored -c 00 -m 64

The most probable key lengths:

   3:   3.3%

   6:   3.3%

   9:   3.3%

  11:   7.0%

  22:   6.9%

  24:   3.3%

  27:   3.2%

  33:   18.4%

  44:   6.8%

  55:   6.7%

Key-length can be 3*n

1 possible key(s) of length 33:

really long s3cr3t k3y... PADDING


So, if automated decryption fails, you can calibrate:
  • (-m) max length to try longer keys.
  • (-l) selected length to see some interesting keys.
  • (-c) the most frequent char to produce right plaintext.

No comments

Note: Only a member of this blog may post a comment.

Powered by Blogger.