Malware, Malware Analysis

Analyze multi-byte xor cipher

A tool to do some xor analysis

  • guess the key length (based on count of equal chars)
  • guess the key (base on knowledge of most frequent char)


git clone


xortool [-h|--help] [OPTIONS] [filename]
  -l,--key-length       length of the key (integer)
  -c,--char             most possible char (one char or hex code)
  -m,--max-keylen=32    maximum key length to probe (integer)
  -x,--hex              input is hex-encoded str
  -b,--brute-chars      brute-force all possible characters
  -o,--brute-printable  same as -b but will only use printable
                        characters for keys

Usage Examples

xor -f /bin/ls -s "secret_key" > binary_xored
xortool binary_xored

00 is the most frequent byte in binaries

xortool binary_xored -l 10 -c 00

The most common use is to pass just the encrypted file and the most frequent character (usually 00 for binaries and 20 for text files) – length will be automatically chosen:

xortool tool_xored -c 20

Here, the key is longer than 32:

xortool ls_xored -c 00 -m 64

If automated decryption fails, you can calibrate

    (-m) max length to try longer keys
    (-l) selected length to see some interesting keys
    (-c) the most frequent char to produce right plaintext