Hello, in this video I want to show the latest version of my XOR known plaintext attack tool, XOR KPA. It's version 0.0.5, and I've mainly changed the output and also added features to help us generate our own plaintext. So I have an encoded executable, a Windows executable, and we are going to search for this string, "This program cannot be run in DOS mode", which is a predefined plaintext in XOR KPA. XOR KPA expects an input file that contains the plaintext and another input file that contains the encoded file, so the ciphertext. Here we are not going to provide a plaintext file; we are going to provide a predefined text, the DOS text, and we are going to search for it in our encoded executable. So here we have our output. It's more or less the same as in previous versions, except that the order has changed. We still have the key, here "password", and the hexadecimal representation of the key, and here the keystream that was recovered with that plaintext: the XOR of the plaintext and the ciphertext. So we have the keystream here, and from the keystream XOR KPA extracted the repeating key, "password". Then we have a couple of numbers. "Extra" is the number of extra characters relative to the password; this is actually the difference in length between the keystream and the password. The longer this value is, the more likely it is that we have found the correct key. For example, an extra value of 1 is most likely not a valid key. "Times" is the number of times that the password, the key, appears in the keystream; this is 4 times here. And then "counts" is the number of times that we find this keystream at different locations in the ciphertext. Here this is only 1, which is normal because that text, "This program cannot be run in DOS mode", is only present once in the executable.
In the older versions, the output was ordered on the value of extra, with the highest values printed first and the lowest last, so in descending order. Now I've changed the order to ascending: you have the lower values first, like 1 here, then 2, 2, and then 30, so the most likely keys are printed last. We can filter on extra; we can say that extra needs to be at least 2, for example, so that we don't see ones like this. OK, so here we have 3 potential keys, and this one here is the most likely because of these values compared to those values. So this is when we know the plaintext, like the DOS text here; we can see it in the help: "This program cannot be run in DOS mode". Now there are variants of this text, and it actually needs to be exactly this text. If it is a variant, we will not find it. So we need to know about the variants, or else we can search for other sequences. PE files and executables will often contain sequences of 0 bytes, null bytes: 0, 0, 0, 0, 0 and so on. We can also search for that, because 0 XORed with a value gives us the value; it is the identity function. So if you have null bytes that are XORed with the key, you will actually see the key in the executable, and with XOR KPA we can also recover that key. What we would need to do is create a plaintext file that contains null bytes. But there's a notation for that, so that we don't have to create that file: we can pass the null bytes as hexadecimal values via an argument on the command line, like this. So hash, h, hash (#h#) indicates that we are going to provide hexadecimal values, and here I'm going to provide 10 null bytes: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10. And we are going to search for that in the ciphertext. OK, and we get different potential keys here. Here is the "password" key. It appears a lot of times, so this is probably the correct key.
But we can make this more reliable by searching for longer sequences. Now, typing all these zeros can be quite tedious and error-prone, so we can also pass an expression to say that we want to repeat a value a number of times. That is done with e, for expression. Here I'm going to search for 256 null bytes, so 256 times 0x00, like this. Now we are going to search for a byte sequence of 256 bytes all having value 0. Because this is a long sequence, this will take some time. OK, and here we have our output, and from the values here and the keystream it is clear that our key is "password".
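As an added example, not part of this video and not the XOR KPA tool's own code, the following Python reimplements the attack described above in miniature: it slides a plaintext over the ciphertext, XORs the two to get a keystream at every offset, extracts the repeating key from each keystream, and reports the same "extra", "times" and "counts" fields as the video, in ascending order of extra. The ciphertext is constructed here (a stand-in for the XORed executable: a fake MZ header, the DOS stub text, a run of 64 null bytes and some trailing data, all XORed with the key "password"); the layout, the assumption that the key is applied cyclically from file offset 0, and the extra "key_at_0" field (the key rotated back to how it applies at offset 0) are this example's own, not the tool's.

```python
# Added example: a minimal XOR known-plaintext attack against a repeating key.
# Not the XOR KPA tool's code; the sample "executable" below is constructed.
from collections import defaultdict

DOS_STUB = b"This program cannot be run in DOS mode."
KEY = b"password"  # the key used to build the constructed sample


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_unit(stream: bytes) -> bytes:
    """Smallest prefix that, repeated, reproduces `stream` (last copy may be cut)."""
    n = len(stream)
    for p in range(1, n + 1):
        if all(stream[i] == stream[i - p] for i in range(p, n)):
            return stream[:p]
    return stream


def align_key(unit: bytes, offset: int) -> bytes:
    """Rotate a key recovered at `offset` so it reads as it applies at offset 0.
    Assumption of this example: the key is applied cyclically from the file start."""
    r = offset % len(unit)
    return unit[len(unit) - r:] + unit[:len(unit) - r]


def xor_kpa(plaintext: bytes, ciphertext: bytes, min_extra: int = 0):
    """Slide `plaintext` over `ciphertext`; every offset yields a candidate keystream.
    Returns candidates sorted by extra ascending (most likely key last)."""
    by_stream = defaultdict(list)  # keystream -> offsets that produced it
    for off in range(len(ciphertext) - len(plaintext) + 1):
        stream = xor_bytes(plaintext, ciphertext[off:off + len(plaintext)])
        by_stream[stream].append(off)
    results = []
    for stream, offsets in by_stream.items():
        unit = repeating_unit(stream)
        extra = len(stream) - len(unit)  # keystream length minus key length
        if extra < min_extra:
            continue
        results.append({
            "key": unit,
            "key_at_0": align_key(unit, offsets[0]),
            "keystream": stream,
            "extra": extra,
            "times": len(stream) // len(unit),  # full copies of the key in the keystream
            "counts": len(offsets),             # distinct ciphertext positions giving it
            "offsets": offsets,
        })
    results.sort(key=lambda r: (r["extra"], r["counts"], r["keystream"]))
    return results


def best_key(plaintext: bytes, ciphertext: bytes, min_extra: int = 2):
    """Highest-extra candidate after filtering, or None."""
    cands = xor_kpa(plaintext, ciphertext, min_extra)
    return cands[-1] if cands else None


def build_sample() -> bytes:
    """Constructed stand-in for a small XORed executable (not a real PE):
    'MZ', 14 distinct header bytes, the DOS stub text, a 64-byte null run,
    a 'PE' signature and some trailing data, XORed with the repeating KEY."""
    plain = (b"MZ" + bytes(range(0x10, 0x1E)) + DOS_STUB + b"\r\n$"
             + b"\x00" * 64 + b"PE\x00\x00" + b"section data, constructed")
    return bytes(c ^ KEY[i % len(KEY)] for i, c in enumerate(plain))


if __name__ == "__main__":
    ct = build_sample()
    searches = [(DOS_STUB, "DOS stub text"),
                (b"\x00" * 10, "10 null bytes"),
                (b"\x00" * 60, "60 null bytes")]  # b"\x00" * n stands in for the repeat expression
    for pt, label in searches:
        print(f"== plaintext: {label} (filter: extra >= 2)")
        for r in xor_kpa(pt, ct, min_extra=2):
            print(f"key={r['key']!r} key_at_0={r['key_at_0']!r} "
                  f"extra={r['extra']} times={r['times']} counts={r['counts']}")
```

Running it reproduces the three situations from the video on the constructed sample: the DOS stub text hits once, with a large extra and counts of 1; 10 null bytes give eight rotations of the key, each with extra 2 but many counts, because every position inside the null run is a hit; 60 null bytes give far fewer hits but an extra of 52, which is what makes the longer plaintext more reliable. Note that the same identity-function argument applies to any run of a constant byte c, which then yields the key XOR c rather than the key itself, so a candidate that looks like a key only makes sense together with a guess of what was underneath it.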