author | edwin <edwin@FreeBSD.org> | 2007-12-18 04:33:59 +0800 |
---|---|---|
committer | edwin <edwin@FreeBSD.org> | 2007-12-18 04:33:59 +0800 |
commit | e4ff04179557b900afdbd1b46f649a426724b270 (patch) | |
tree | 02ddcf30feeb414fadfbd880649f61e657339fdf /security/xorsearch | |
parent | 16f06565630f223a7acc612ffc2afa70966a91db (diff) | |
XORSearch
XORSearch is a program to search for a given string in an XOR or
ROL encoded binary file. An XOR encoded binary file is a file where
some (or all) bytes have been XORed with a constant value (the key).
A ROL (or ROR) encoded file has its bytes rotated by a certain number
of bits (the key). XOR and ROL/ROR encoding is used by malware
programmers to obfuscate strings like URLs.
XORSearch will try all XOR keys (0 to 255) and ROL keys (1 to 7)
when searching. I programmed XORSearch to include key 0, because
this allows to search in an unencoded binary file (X XOR 0 equals
X).
If the search string is found, XORSearch will print it until the 0
(byte zero) is encountered or until 50 characters have been printed,
which ever comes first. 50 is the default value, it can be changed
with option -l. Unprintable characters are replaced by a dot.
WWW: http://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens
Diffstat (limited to 'security/xorsearch')
-rw-r--r-- | security/xorsearch/Makefile | 28 | ||||
-rw-r--r-- | security/xorsearch/distinfo | 3 | ||||
-rw-r--r-- | security/xorsearch/files/patch-XORSearch.c | 10 | ||||
-rw-r--r-- | security/xorsearch/pkg-descr | 19 |
4 files changed, 60 insertions, 0 deletions
diff --git a/security/xorsearch/Makefile b/security/xorsearch/Makefile
new file mode 100644
index 000000000000..5dbf80241025
--- /dev/null
+++ b/security/xorsearch/Makefile
@@ -0,0 +1,28 @@
+# New ports collection makefile for: xorsearch
+# Date created: 18 December 2007
+# Whom: Edwin Groothuis <edwin@mavetju.org>
+#
+# $FreeBSD$
+#
+
+PORTNAME= xorsearch
+PORTVERSION= 1.2.0
+CATEGORIES= security textproc
+MASTER_SITES= http://www.didierstevens.com/files/software/
+DISTNAME= XORSearch_V1_2_0
+
+MAINTAINER= edwin@mavetju.org
+COMMENT= Search for a given string in an XOR or ROL encoded binary file
+
+USE_ZIP= yes
+WRKSRC= ${WRKDIR}
+
+PLIST_FILES= bin/xorsearch
+
+do-build:
+ ${CC} -o ${WRKDIR}/XORSearch ${WRKDIR}/XORSearch.c
+
+do-install:
+ ${INSTALL_PROGRAM} ${WRKDIR}/XORSearch ${PREFIX}/bin/xorsearch
+
+.include <bsd.port.mk>
diff --git a/security/xorsearch/distinfo b/security/xorsearch/distinfo
new file mode 100644
index 000000000000..3dd5db1f8268
--- /dev/null
+++ b/security/xorsearch/distinfo
@@ -0,0 +1,3 @@
+MD5 (XORSearch_V1_2_0.zip) = f4aecc366048aa429a1fe1e6ea220c8e
+SHA256 (XORSearch_V1_2_0.zip) = 04aaceed17afa98283110bde49b6a72988bce0e2328575f37253db3958e03ad2
+SIZE (XORSearch_V1_2_0.zip) = 35772
diff --git a/security/xorsearch/files/patch-XORSearch.c b/security/xorsearch/files/patch-XORSearch.c
new file mode 100644
index 000000000000..b42befea1a63
--- /dev/null
+++ b/security/xorsearch/files/patch-XORSearch.c
@@ -0,0 +1,10 @@
+--- XORSearch.c.orig Tue Dec 18 07:27:32 2007
++++ XORSearch.c Tue Dec 18 07:27:38 2007
+@@ -20,7 +20,6 @@
+ #include <stdio.h>
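Review bot: In security/xorsearch/Makefile the custom `do-build` recipe invokes `${CC}` with no `${CFLAGS}`, so any optimisation, warning or hardening flags configured for the build are silently dropped. That matters for a tool meant to be run over untrusted, possibly malicious binaries. The recipe line should pass the flags through, for example `${CC} ${CFLAGS} -o ${WRKDIR}/XORSearch ${WRKDIR}/XORSearch.c`. A short comment above `do-build` noting that the distfile ships only a single C source and no build system would also explain why the target is overridden.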
+ #include <stdlib.h>
+ #include <sys/stat.h>
+-#include <malloc.h>
+ #include <string.h>
+ #include <ctype.h>
+ #include <limits.h>
diff --git a/security/xorsearch/pkg-descr b/security/xorsearch/pkg-descr
new file mode 100644
index 000000000000..7ae177a562c8
--- /dev/null
+++ b/security/xorsearch/pkg-descr
@@ -0,0 +1,19 @@
+XORSearch is a program to search for a given string in an XOR or
+ROL encoded binary file. An XOR encoded binary file is a file where
+some (or all) bytes have been XORed with a constant value (the key).
+A ROL (or ROR) encoded file has it bytes rotated by a certain number
+of bits (the key). XOR and ROL/ROR encoding is used by malware
+programmers to obfuscate strings like URLs.
+
+XORSearch will try all XOR keys (0 to 255) and ROL keys (1 to 7)
+when searching. I programmed XORSearch to include key 0, because
+this allows to search in an unencoded binary file (X XOR 0 equals
+X).
+
+If the search string is found, XORSearch will print it until the 0
+(byte zero) is encountered or until 50 characters have been printed,
+which ever comes first. 50 is the default value, it can be changed
+with option -l. Unprintable characters are replaced by a dot.
+
+WWW: http://blog.didierstevens.com/programs/xorsearch/
+Author: Didier Stevens |