@dr4k0nia
Created February 24, 2023 13:32
Decrypting XorStringsNET the easy way

Unpacking XorStringsNET

Since AgentTesla started using my XorStringsNET obfuscator to encrypt strings in their malware, I decided to write a quick guide on how to decrypt the strings again.

Observed in unpacked child SHA256: d56f2852762f7f9fcb07eaf018e143ab1e4ad46e1f2e943faf13618388ef21a2

Original sample SHA256: e66ffcfe9fb0d0cd80d96dcfd96e4941d3c2389d227f2655391cfdbc3bcd637c

Using de4dot

Find the decryption method; it is easily identified by the following indicators:

  • It is called a lot all over the binary, in places where you would expect strings.
  • The method takes a large integer value as its only parameter and returns a string.
  • The class containing the decryption method has a nested private struct and a field referencing that struct.
  • The decryption method obtains the address of the struct field and assigns it to a pointer-typed local.
  • The decryption method contains the unusual cpblk instruction.
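The indicators above can be checked mechanically. The following C# program is an added example, not code from the gist or from XorStringsNET/de4dot; it uses the dnlib library (the same metadata library de4dot is built on) to walk every method in an assembly, keep those whose declaring class has a nested private struct with a matching field, whose signature is integer in / string out, and whose body has a pointer-typed local plus a cpblk instruction, then prints their metadata tokens and call-site counts. The program name, the command-line handling and the integer element types accepted are assumptions.

```csharp
// Added example (not part of the gist): locate candidate XorStringsNET string
// decryptors by the indicators listed above and print their tokens for de4dot --strtok.
// Requires the dnlib NuGet package. Program name and accepted integer types are assumptions.
using System;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class FindStringDecryptor
{
    // "Large integer value" parameter: accept any 32- or 64-bit integer (assumption).
    static bool IsIntegerType(TypeSig t) =>
        t != null && (t.ElementType == ElementType.I4 || t.ElementType == ElementType.U4 ||
                      t.ElementType == ElementType.I8 || t.ElementType == ElementType.U8);

    // Indicator: the declaring class has a nested private struct and a field of that struct type.
    static bool HasStructBuffer(TypeDef type) =>
        type.NestedTypes.Any(n => n.IsValueType && n.IsNestedPrivate &&
            type.Fields.Any(f => f.FieldType != null && f.FieldType.FullName == n.FullName));

    // Indicator: a pointer-typed local (address of the struct field) and a cpblk instruction.
    static bool HasPointerAndCpblk(MethodDef m) =>
        m.HasBody &&
        m.Body.Variables.Any(v => v.Type != null && v.Type.IsPointer) &&
        m.Body.Instructions.Any(i => i.OpCode == OpCodes.Cpblk);

    // Indicator: called from many places; count direct call sites across the module.
    static int CountCallSites(ModuleDef module, MethodDef target) =>
        module.GetTypes().SelectMany(t => t.Methods)
              .Where(m => m.HasBody)
              .SelectMany(m => m.Body.Instructions)
              .Count(i => (i.OpCode.Code == Code.Call || i.OpCode.Code == Code.Callvirt)
                          && i.Operand is MethodDef md && md == target);

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: FindStringDecryptor <assembly>");
            return;
        }

        using var module = ModuleDefMD.Load(args[0]);
        foreach (var type in module.GetTypes())
        {
            if (!HasStructBuffer(type)) continue;
            foreach (var m in type.Methods)
            {
                // Signature check: exactly one integer parameter, string return.
                if (m.ReturnType == null || m.ReturnType.ElementType != ElementType.String) continue;
                var ps = m.MethodSig?.Params;
                if (ps == null || ps.Count != 1 || !IsIntegerType(ps[0])) continue;
                if (!HasPointerAndCpblk(m)) continue;

                // The token printed here is what de4dot's --strtok argument expects.
                Console.WriteLine(
                    $"candidate {type.FullName}::{m.Name} token=0x{m.MDToken.Raw:X8} " +
                    $"callers={CountCallSites(module, m)}");
            }
        }
    }
}
```

Run it as `dotnet run -- sample.dll`; a genuine decryptor should stand out by its call-site count, and the printed token is the value to pass to de4dot in the next step. A method that matches the signature and structure but has only a handful of callers is worth a second look in dnSpy before trusting it.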

Once we have identified the decryption method, we need to copy its Token value, found in the comment above the method.

Next we will use de4dot to almost automagically decrypt the strings. We need to tell de4dot exactly which method it should use for string decryption, which is what we need the Token for.

Run de4dot using the following commandline arguments:

de4dot.exe file --strtyp delegate --strtok 0x6000000

Replace 0x6000000 with the token of your decryption method.

Then simply let it run and you should get an output binary with fully decrypted strings.

Since I am lazy and don't like writing out command-line arguments every time I want to manually decrypt some strings in de4dot, I wrote a simple GUI tool to invoke de4dot with the correct arguments.

  • Place the tool in your de4dot installation folder.
  • Open it and drag and drop the protected executable or DLL into the window.
  • Configure it as follows, using the Token you obtained with dnSpy.

Then press deobfuscate and wait for de4dot to finish its work. The result should be an output binary with fully decrypted strings.
