Closed melomac closed 1 year ago
It looks like the XOR key is working great when the length of the string to match is greater than 4.
Test file:
```objc
#import <Foundation/Foundation.h>

// Each literal ends up in the binary as a NUL-terminated C string.
// "12345" is "abcde" XOR 0x50; "etllxfwoo{" is "dummy" XOR 0x01
// immediately followed by "dummy" XOR 0x02.
int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSString *a = @"12345";
        NSString *b = @"abcde";
        NSString *d = @"dummy";
        NSString *c = @"etllxfwoo{";
    }
    return 0;
}
```
Test 1 ok ✅
```yara
rule oneTwoThree {
    strings:
        $a = "abcde" xor
    condition:
        all of them
}

rule test {
    strings:
        $a = "dummy" xor
    condition:
        $a
}
```
```text
yara -s -X test_rules.yara $TMPDIR/CodeRunner/Untitled
oneTwoThree /var/folders/4n/4cnph2ps2t77b9xms19fsqrc0000gn/T//CodeRunner/Untitled
0x3f98:$a:xor(0x50): 12345
0x3f9e:$a:xor(0x00): abcde
test /var/folders/4n/4cnph2ps2t77b9xms19fsqrc0000gn/T//CodeRunner/Untitled
0x3fa4:$a:xor(0x00): dummy
0x3faa:$a:xor(0x01): etllx
0x3faf:$a:xor(0x02): fwoo{
```
Test 2 ko ❌
```yara
rule oneTwoThree {
    strings:
        $a = "abcd" xor
    condition:
        all of them
}

rule test {
    strings:
        $a = "dummy" xor
    condition:
        $a
}
```
```text
yara -s -X test_rules.yara $TMPDIR/CodeRunner/Untitled
oneTwoThree /var/folders/4n/4cnph2ps2t77b9xms19fsqrc0000gn/T//CodeRunner/Untitled
0x3f9c:$a:xor(0x00): 1234
0x3fa1:$a:xor(0x00): abcd
test /var/folders/4n/4cnph2ps2t77b9xms19fsqrc0000gn/T//CodeRunner/Untitled
0x3fa6:$a:xor(0x00): dummy
0x3fac:$a:xor(0x01): etllx
0x3fb1:$a:xor(0x02): fwoo{
```
On compiling YARA with `--with-debug-verbose=2`, the output reveals that `_yr_scan_xor_compare()` isn't invoked when an XOR'd string to match is less than 5 characters. Attaching output.
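As an added reference model (this is neither YARA's code nor the reporter's), the Python below predicts what a correct single-byte XOR scan should report for the strings in the test file above, including the 4-byte case where the report shows key `0x00` instead of `0x50`. It brute-forces every key, records offset and key, renders hits in the same `0xOFF:$id:xor(0xKK): data` layout as the `yara -s -X` output quoted here, and includes a checker that recovers the key from a reported (rule string, matched data) pair and verifies it is consistent over every byte. The sample buffer is constructed from the C-string literals in the test file; its offsets are relative to that buffer, not to the real Mach-O.

```python
"""Reference model of a single-byte XOR string scan (added example; this is
not YARA's implementation).  Useful for predicting what `yara -s -X` should
print for a given `xor` string, and for validating the key a scanner reports."""
from typing import Iterable, List, Optional, Tuple

# Constructed sample buffer: the C-string literals from the Objective-C test
# file, NUL-terminated as they would sit in a __cstring section.
# Offsets are relative to this buffer, not to the real Mach-O.
SAMPLE = b"12345\x00abcde\x00dummy\x00etllxfwoo{\x00"

Hit = Tuple[int, int, bytes]  # (offset, key, raw bytes found in the buffer)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with one single-byte key."""
    return bytes(b ^ key for b in data)


def scan_xor(buf: bytes, needle: bytes,
             keys: Iterable[int] = range(256)) -> List[Hit]:
    """Report every offset where buf[off:off+len(needle)] == needle XOR key.

    `keys` defaults to 0x00-0xff, the range YARA's bare `xor` modifier tries;
    pass e.g. range(1, 256) to model `xor(0x01-0xff)`.  Needle length plays no
    role here: a 4-byte string is handled exactly like a 5-byte one, which is
    the behaviour the report above expects from YARA.
    """
    hits: List[Hit] = []
    for key in keys:
        pattern = xor_bytes(needle, key)
        start = 0
        while (off := buf.find(pattern, start)) != -1:
            hits.append((off, key, buf[off:off + len(needle)]))
            start = off + 1  # keep going so overlapping occurrences are found
    hits.sort()
    return hits


def infer_key(needle: bytes, matched: bytes) -> Optional[int]:
    """Recover the key from a (rule string, matched data) pair reported by a
    scanner and check it holds for every byte.  None means the pair is not a
    valid single-byte XOR match, i.e. the reported key cannot be trusted."""
    if not needle or len(needle) != len(matched):
        return None
    key = needle[0] ^ matched[0]
    return key if all(a ^ b == key for a, b in zip(needle, matched)) else None


def format_like_yara(ident: str, hits: List[Hit]) -> List[str]:
    """Render hits in the `0xOFF:$id:xor(0xKK): data` layout of the -s -X
    output quoted in this issue (hex offset, identifier, key, raw bytes)."""
    return [f"0x{off:x}:{ident}:xor(0x{key:02x}): {data.decode('latin-1')}"
            for off, key, data in hits]


if __name__ == "__main__":
    for needle in (b"abcde", b"abcd", b"dummy"):
        print(f"--- rule string {needle!r} xor")
        hits = scan_xor(SAMPLE, needle)
        for line in format_like_yara("$a", hits):
            print(line)
        # Every reported key must survive the independent consistency check.
        assert all(infer_key(needle, data) == key for _, key, data in hits)
```

Running it shows the `abcd` needle reported at offset 0 with key `0x50` (and `abcde`, `dummy` with the same keys and relative spacing as the real output quoted above), which is the result the 4-byte case should have produced. `infer_key()` is the check worth keeping around: given any scanner's `(rule string, matched bytes)` pair it recomputes the key independently, so a mismatch between its answer and the key printed by the tool flags exactly this kind of defect.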
This is definitely a bug, thanks for finding it and for the detailed analysis. It looks like if the string fits in a single atom we do not record the XOR key properly. I'm working on a fix for this now.
Just pushed a fix for this in #1849. I didn't want to put it in a different branch since this branch was really helpful in seeing the plaintext while debugging.
This bug has likely existed since the xor modifier went in, and you were right that it only happens on short strings (which was a significant clue for what is going on).
Many thanks for your reactivity; this sets the tone for a promising year 👏
I am very excited by the new XOR key option and noticed the XOR key is always zero in my tests with the yara-python project. I realized this actually is a YARA problem as the CLI won't print the XOR key either:
Here you have the original story from the now closed issue on the yara-python project:
Out of curiosity, I created this Mach-O test file using CodeRunner for example:
and this YARA test rule:
The string `123` should match the NSString `a` C string with XOR key 0 and the NSString `b` C string with XOR key `P`:

On compiling the rule file and looking for matches in the compiled Mach-O file, I am getting the two instances as expected:
But the XOR key value is 0 in both cases:
Would you please be so kind as to consider this a problem to fix for the version 4.3 final candidate?
Many thanks for this new feature, which will be very interesting to work with in the near future!