>>> matches[0].strings[0].instances[0].xor_key
0 / 0x0 # expected
>>> matches[0].strings[0].instances[1].xor_key
0 / 0x0 # not expected: this should be the ordinal value of P i.e. 80 / 0x50
I am very excited by StringMatch and StringMatchInstance objects in yara-python version 4.3 release candidate and also the XOR key property.
I needed to support the new objects and also wanted to implement the XOR property in some of my code.
Out of curiosity, I created this Mach-O test file using CodeRunner for example:
and this YARA test rule:
The string 123 should match the NSString a C string with XOR key 0 and the NSString b C string with XOR key P:
On compiling the rule file and looking for matches in the compiled Mach-O file, I am getting the two instances as expected:
But the XOR key value is 0 in both cases:
Would you please be so kind as to consider this as a problem to fix for the version 4.3 final candidate?
Many thanks for this new feature, which will be very interesting to work with in the near future!
EDIT: This actually is a YARA problem as the CLI won't print the XOR key either:
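
An independent cross-check for the behaviour reported above, as an added example that is not part of the original report and not YARA's own code: it recomputes which single-byte XOR key produces each match of 123 and compares that with the key a scanner reported. The sample buffer and the function names are constructed for illustration; in practice the reported pairs would come from each instance's offset and xor_key attributes.

```python
def find_xor_instances(data: bytes, plaintext: bytes):
    """Return sorted (offset, key) pairs for every single-byte XOR
    encoding of `plaintext` found in `data` (keys 0x00 to 0xff)."""
    hits = []
    for key in range(256):
        needle = bytes(b ^ key for b in plaintext)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def check_reported_keys(data: bytes, plaintext: bytes, reported):
    """Compare scanner-reported (offset, xor_key) pairs with recomputed keys.

    Returns a list of (offset, reported_key, expected_key) for every
    mismatch; expected_key is None if no XOR encoding matches at that offset.
    """
    expected = dict(find_xor_instances(data, plaintext))
    return [
        (offset, key, expected.get(offset))
        for offset, key in reported
        if expected.get(offset) != key
    ]


# Constructed sample: "123" in the clear at offset 2 and XORed with
# 'P' (0x50) at offset 9, where it appears as b"abc".
SAMPLE = b"\x00\x00" + b"123" + b"\x00" * 4 + bytes(c ^ 0x50 for c in b"123") + b"\x00"

if __name__ == "__main__":
    print(find_xor_instances(SAMPLE, b"123"))
    # Both instances reported with key 0, as in the report above.
    print(check_reported_keys(SAMPLE, b"123", [(2, 0), (9, 0)]))
```
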