Last Updated: 2019-09-23 06:31:51 UTC
by Didier Stevens (Version: 1)
Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
In that diary entry, I pointed out that using the xor modifier would result in strings that are not XOR-encoded (or are encoded with key 0x00) not being matched. Assuming this was the intended behavior, I did not report this as a bug.
With version 3.8.0, XOR key 0x00 is not detected.
And with version 3.10.0, it is.
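
The difference between the two versions can be reproduced with a small model of one-byte XOR string matching. This is an added example, not code from the diary and not YARA's implementation; the two key ranges are assumptions taken from the behavior reported above, and the needle and sample buffer are constructed.

```python
# Model of one-byte XOR string matching; NOT YARA's implementation.
# Key ranges are assumptions based on the behaviour the diary reports.
KEYS_3_8_0 = range(0x01, 0x100)   # key 0x00 (cleartext) is skipped
KEYS_3_10_0 = range(0x00, 0x100)  # key 0x00 is included


def xor_hits(data: bytes, needle: bytes, keys) -> list:
    """Return sorted (offset, key) pairs where needle XOR key occurs in data."""
    hits = []
    for key in keys:
        encoded = bytes(b ^ key for b in needle)
        pos = data.find(encoded)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(encoded, pos + 1)
    return sorted(hits)


# Constructed sample: the needle once in cleartext, once XOR-encoded with 0x41.
NEEDLE = b"http://example.test"
SAMPLE = (b"\x00" * 4 + NEEDLE + b"\x00" * 4
          + bytes(b ^ 0x41 for b in NEEDLE) + b"\x00" * 4)

if __name__ == "__main__":
    for label, keys in (("3.8.0", KEYS_3_8_0), ("3.10.0", KEYS_3_10_0)):
        for offset, key in xor_hits(SAMPLE, NEEDLE, keys):
            print(f"{label}: offset {offset} key 0x{key:02x}")
```

On a scanner that still behaves like 3.8.0, a rule that should also catch the cleartext form needs the string declared a second time without the xor modifier.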