"Shadow" wrote:
> On Thu, 6 Jun 2019 01:19:56 +0100, "Apd" wrote:
>>XOR the base64 with 0xEF and you have plain text with a single
>>linefeed terminating each line. It's an XML report. Here's a line from
>>your second example, krdeicar.txt (wrapped for ease of reading):
>>
>>>
>> Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVi
>> rusTestFile.com"
>> Info="EICAR-Test-File" />
>
> Thanks for that. You must dream in hex, as I did 2 decades
> ago. Alas, all I dream about now is staying alive.
I know what you mean.
> Simple XORing. Who would have guessed?
A few years of malware analysis (and hex dreaming!) has got me used to
seeing those kinds of patterns.
> Too hard for me to figure out without your help. I will now
> write a little program in free Pascal or maybe 16 bit assembler to
> automate the process, unless you can recommend freeware (no online
> datamining stuff) that does it automatically?
McAfee made a Windows GUI tool called FileInsight which could do
base64 and XOR decode among other things but I can't find it on their
website now. I see Paul has posted some C code which does the job and
is similar to one of the several utilities I wrote myself for such
things.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
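An added example, not code from this thread and not Paul's C utility, doing in Python what Apd describes: base64-decode the file, XOR every byte with 0xEF, and, for a report whose key is not known, try all 256 single-byte keys and keep the one that yields readable XML. The sample file is constructed here from a line shaped like the quoted one; the order (product XORs the XML, then base64-encodes it) is an assumption.

```python
import base64
from typing import Optional

KEY = 0xEF  # single-byte XOR key named in the thread


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def decode_report(b64_text: str, key: int = KEY) -> str:
    """Base64-decode the file contents, then un-XOR with `key`."""
    raw = base64.b64decode("".join(b64_text.split()))  # ignore line wraps
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def encode_report(plain: str, key: int = KEY) -> str:
    """Inverse of decode_report; used here only to build a constructed sample."""
    return base64.b64encode(xor_bytes(plain.encode("utf-8"), key)).decode("ascii")


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or a tab/CR/LF."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def guess_key(b64_text: str, marker: bytes = b"Info=") -> Optional[int]:
    """Try all 256 single-byte keys; return the first that gives readable
    text containing `marker` (an attribute seen in these reports)."""
    raw = base64.b64decode("".join(b64_text.split()))
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if looks_like_text(candidate) and marker in candidate:
            return key
    return None


# Constructed sample: one XML element shaped like the line quoted above
# (placeholder GUID, not a value from a real report).
SAMPLE_XML = (
    'Object="@Filesystem[00000000-0000-0000-0000-000000000000]'
    '/Downloads/eicar.com"\n Info="EICAR-Test-File" />\n'
)
SAMPLE_FILE = encode_report(SAMPLE_XML)

if __name__ == "__main__":
    print("recovered key: 0x%02X" % guess_key(SAMPLE_FILE))
    print(decode_report(SAMPLE_FILE))
```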