Just a quick follow-up of an in-depth article from Denis Laskov which you can read here. Denis kindly provided me with the pack and I noticed that this strange text file was getting downloaded:
This sort of looks like an EXE file structure so I imported the file as hex, truncated it so I could do an XOR search for “MZ” quickly. Found the key!
Now I can load up the entire file then XOR it with the key, 0xA2, but something doesn’t look right.
All the 0xA2 values should actually be 0x00s. The KaiXin author(s) only encoded non-0x00 values. Clever. So I check this box then convert it again.
Okay, that looks better. Now let’s write it out to a binary file and check it against VirusTotal. Here are the results:
VT: 25 / 43
I updated this Data Converter tool to incorporate some new ideas like the one above. It can also enumerate all the keys to an external file because sometimes you don’t know what you are looking for.
I also included the ability to add or subtract a decimal value before and after performing the action. This suggestion came from Kafeine (thanks!) when trying to extract an encrypted class file from a JAR.
If there are no major bugs then I’ll be adding this to the Converter tool later. You can download this and other programs directly from this site now on the Tools page.