pentaphobe · July 1, 2017 09:05
diff --git a/scanning_demo.js b/scanning_demo.js
 /**
 * This is an insultingly simple demo due to nerd rage
 *
 * There are claims of people using static XOR keys to hide shell code in malware
 *
 * The only thing more embarrassing than this is that it supposedly prevent detection.
 *
 */


 /**
 * generates an Int8Array containing random bytes and the specified signature/key somewhere within
 */
 function generateBuffer(key) {
  let result = new Int8Array(Math.max(key.length * 2, 256));
  for (let i=0; i < result.length; i++) {
     result[i] = ~~(Math.random() * 256);
  }
  let last = result.length - key.length - 1;
  let offs = ~~(Math.random() * last);
  for (let i=0; i < key.length; i++) {
    result[offs + i] = key.charCodeAt(i);
  }
  return result;
 }

 /**
 * builds an Int8Array of inter-byte xor'd deltas from a signature/key
 */
 function buildMatchDelta(key) {
   let deltas = new Int8Array(key.length-1);
   for (let i=1; i < key.length; i++) {
     deltas[i-1] = key.charCodeAt(i) ^ key.charCodeAt(i-1);
   }
   return deltas;
 } 

 /**
 * Performs the actual scanning
 */
 function scanFor(buffer, deltaArray) {
  const last = buffer.length - deltaArray.length;

  function isAt(index) {
    for (let i=0; i < deltaArray.length; i++) {
       let delt = buffer[index+i+1] ^ buffer[index+i];
       if (delt != deltaArray[i]) return false;
    }
    return true;
  }

  for (let i=0; i < last; i++) {
    if (isAt(i)) return i;
  }
  return -1;
 }

 //
 //////// EXAMPLE
 //

 let buff = generateBuffer('hello');     // a buffer with 'hello' and some random padding bytes
 let delts = buildMatchDelta('hello');   // a "magical" matcher which finds "encrypted" keys 
 let matchPos = scanFor(buff, delts);

 if (matchPos !== -1) {
  console.log('matched at position:', matchPos);
 }

 // arbitrary encryption of buffer

 // choose a static key
 const xorKey = ~~(Math.random() * 256);
 // encrypt our buffer
 for (let i=0; i<buff.length; i++) { 
  buff[i] ^= xorKey;
 }

 // should find the data at the same position, regardless of the random key
 if (matchPos !== -1) {
  console.log('matched at position:', matchPos);
 }
	/**
	* This is an insultingly simple demo due to nerd rage
	*
	* There are claims of people using static XOR keys to hide shell code in malware
	*
	* The only thing more embarrassing than this is that it supposedly prevent detection.
	*
	*/


	/**
	* generates an Int8Array containing random bytes and the specified signature/key somewhere within
	*/
	function generateBuffer(key) {
	let result = new Int8Array(Math.max(key.length * 2, 256));
	for (let i=0; i < result.length; i++) {
	result[i] = ~~(Math.random() * 256);
	}
	let last = result.length - key.length - 1;
	let offs = ~~(Math.random() * last);
	for (let i=0; i < key.length; i++) {
	result[offs + i] = key.charCodeAt(i);
	}
	return result;
	}

	/**
	* builds an Int8Array of inter-byte xor'd deltas from a signature/key
	*/
	function buildMatchDelta(key) {
	let deltas = new Int8Array(key.length-1);
	for (let i=1; i < key.length; i++) {
	deltas[i-1] = key.charCodeAt(i) ^ key.charCodeAt(i-1);
	}
	return deltas;
	}

	/**
	* Performs the actual scanning
	*/
	function scanFor(buffer, deltaArray) {
	const last = buffer.length - deltaArray.length;

	function isAt(index) {
	for (let i=0; i < deltaArray.length; i++) {
	let delt = buffer[index+i+1] ^ buffer[index+i];
	if (delt != deltaArray[i]) return false;
	}
	return true;
	}

	for (let i=0; i < last; i++) {
	if (isAt(i)) return i;
	}
	return -1;
	}

	//
	//////// EXAMPLE
	//

	let buff = generateBuffer('hello'); // a buffer with 'hello' and some random padding bytes
	let delts = buildMatchDelta('hello'); // a "magical" matcher which finds "encrypted" keys
	let matchPos = scanFor(buff, delts);

	if (matchPos !== -1) {
	console.log('matched at position:', matchPos);
	}

	// arbitrary encryption of buffer

	// choose a static key
	const xorKey = ~~(Math.random() * 256);
	// encrypt our buffer
	for (let i=0; i<buff.length; i++) {
	buff[i] ^= xorKey;
	}

	// should find the data at the same position, regardless of the random key
	if (matchPos !== -1) {
	console.log('matched at position:', matchPos);
	}