I had a couple of questions about my moving XOR script that I wrote for the 010 Editor. The reason I wrote it is that I encountered a malware sample that used that type of encoding. So let me show you how this works in a video.

So we do the moving XOR encoding. We can do it from left to right or from right to left. Here the default is from left to right. Then there is the offset; here the default is minus 1. And this is the encoding.

So how does this work? Well, let's undo this, and let me show you with another version of the script which does this step by step. Again we go from left to right. That means that we will XOR this byte, and this byte, and this byte, from left to right. The byte that we XOR with is defined by the offset, and the offset here by default is minus 1. So here we are going to XOR this byte and this byte and store the result here. Then we will XOR this byte and this byte and store the result here, and so on.

So let's do this step by step. We have 41 and 42. These are XORed together and the result is stored here at this position. The result is 3. Next step: 3 and 43 are XORed together and the result is stored here. That's 40. Next step: 40 and 44 are XORed together and the result is stored here. This is 4. Next step: 4 and 45 are XORed together and the result is stored here. This becomes 41. Last step: 41 and 46 are XORed together and the result is stored here. This is 07. So this is how this encoding works.

We can also decode this by running the same script, but instead of going from left to right we go from right to left. We can type R (it's not case sensitive), and the offset is again minus 1. This is the decoding: here we have ABCDEF again. So this is how the script works.

It can also work on a selection. Here we have XML. This is a message, and you can run the script moving XOR selection. Now let's go from right to left, just to have a different encoding, and say that the offset is 1. Here you have the encoded message, which you can decode by running the script again, now from left to right with offset 1, and we have the original again.
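The walkthrough above, as an added Python example (not the 010 Editor script shown in the video). The function names and the handling of bytes whose partner falls outside the buffer are assumptions; the example also generalizes to any non-zero offset, where the same rule holds: a pass is undone by the same offset in the opposite direction.

```python
def moving_xor_steps(data: bytes, direction: str = "L", offset: int = -1):
    """Return the buffer contents after each XOR step of one moving-XOR pass."""
    if offset == 0:
        raise ValueError("offset must be non-zero: a byte XORed with itself is 0")
    direction = direction.upper()  # direction is not case sensitive
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    buf = bytearray(data)
    order = range(len(buf))
    if direction == "R":
        order = reversed(order)
    steps = []
    for i in order:
        j = i + offset  # partner byte selected by the offset
        # Assumption: a byte whose partner is outside the buffer is left as is.
        if 0 <= j < len(buf):
            buf[i] ^= buf[j]  # result is stored in place, so later steps see it
            steps.append(bytes(buf))
    return steps


def moving_xor(data: bytes, direction: str = "L", offset: int = -1) -> bytes:
    """Run one full pass and return the final buffer."""
    steps = moving_xor_steps(data, direction, offset)
    return steps[-1] if steps else bytes(data)


def decode(data: bytes, direction: str, offset: int) -> bytes:
    """Undo a pass made with (direction, offset): same offset, opposite direction.

    Each step b[i] ^= b[i+offset] is its own inverse, and walking the buffer in
    the opposite direction replays the steps in reverse order.
    """
    opposite = "R" if direction.upper() == "L" else "L"
    return moving_xor(data, opposite, offset)


if __name__ == "__main__":
    sample = b"ABCDEF"  # constructed sample: bytes 41 42 43 44 45 46
    for state in moving_xor_steps(sample):
        print(state.hex(" "))
    encoded = moving_xor(sample)
    print(encoded.hex(" "), "->", decode(encoded, "L", -1))
```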