unXOR
This tool will search through an XOR-encoded file (binary, text-file, whatever) and use known-plaintext attacks to deduce the original keystream. Works on keys half as long as the known-plaintext, in linear complexity.
Here's a demo of the Golang binary decrypting a plaintext file XORed with
0xABCDEF
(3 bytes) and where our known-plaintext is leggings
.
Usage (Golang)
This should work:
$ go get github.com/tomchop/unxor
$ $GOBIN/unxor -h
Usage of /Users/tomchop/code/go/bin/unxor:
-f string
Filename to decrypt
-g string
Known plaintext (string)
-gh string
Known plaintext (hex encoded)
Usage (Docker)
You need to map $PWD
(or the directory where your file is) to the /data
volume in Docker so that the container knows where to find your files. The
decrypted file will be written in the same directory.
$ docker pull tomchop/unxor
$ docker run --rm -v $PWD:/data tomchop/unxor -h
Usage of /go/bin/unxor:
-f string
Filename to decrypt
-g string
Known plaintext (string)
-gh string
Known plaintext (hex encoded)
Usage (Python)
Python sources are contained in the pyunxor
directory.
$ cd pyunxor
$ python unxor.py
usage: unxor.py [-h] (-g GUESS | -k KEY) [-m {iterative,selective}] [-x]
[-v {0,1,2}]
[infile] [outfile]
unxor.py: error: one of the arguments -g/--guess -k/--key is required
Related Work
unXOR is included in Lenny Zeltser's REMnux, along with other great tools such as: