 Hello, DJ Stavens here. I have a file here open in the 010 editor, binary editor. This file contains a downloaded cobalt strike beacon. So you have a very small piece of staging shell code that did download this file here. And this contains a beacon that is encoded and we are going to do the decoding with my script that is specific for the 010 editor. It's written in the language of that editor. And that allows you to do all kinds of xor encodings and decodings. Now, this downloaded file also contains a small piece of shell code. It starts with a small piece of shell code. I can show you that with the network disassembly. So it's 32 bits. And here you have it. So this is shell code. You can see here a jump to 3a. Here we have 3a and in 3a you have a call to 07. So this piece here, this part is shell code that will do the decoding of the payload. And here after this call instruction starting 3f, here at 3f you have two pieces of data and then you have the encoded cobalt strike beacon. So we are going to do the decoding here in the 010 editor. So up till 3f you have the shell code. So this is the shell code. And then this piece here, these four bytes, that is the xor key. The xor key that is used to decode the payload and also to decode the next field. The next field that is the size of the cobalt strike beacon. So the payload. The first I'm going to copy here this xor key as hexadecimal text. And then I select the next field four bytes. That is the size of the cobalt strike beacon. And it is xor encoded with the key that we just copied here. So I'm going to scripts, binary, xor selection. I provide zero access prefix to indicate that the key that I provide is hexadecimal because otherwise it will just be interpreted as a string, an ASCII string and used like that. And so it will use this key to decode the value that I selected here. Like this. And now you can see the decoded value 0 0 14 0 4 0 0. This is the size of the beacon. And the beacon starts here directly after the size. It is a 32-bit integer and it is little engine. So it means that the size is 0 4 14 0 0. And we can verify this when I select here the beacon encoded beacon. Here you can see the size in hexadecimal 4 14 0 0. Next I'm going to do the decoding of this here. So script binary xor selection. It is encoded with the same key. So you need to use the key again to do the decoding. But it is not straightforward xor encoding because here the xor key changes while the decoding is going on. And we need to use an option, a new option that I introduced here in version 6 of my xor selection script. A new option that allows us to work with the dynamic key, a key that is changing while the decoding or the encoding is happening. To do that, to use an option you need to leave the field blank and press OK or press enter. And then you are presented with a second field, a second dialogue where you can enter options. If you don't remember the options you can type H for help, OK, and then you will see the different options. The new options here in version 6 are CB and CA. Change before and change after. Change the key with the value before the xor happens or change after. Change the key with the value after the xor. Now when we press OK the script stops. So we need to launch it again because now we are going to do the decoding. So xor selection, OK, without the value and now CB change before because this payload was encoded with that key, with the change after. So the key was changed dynamically each time after an xor operation was done. So now to do the opposite we need to do it before, change before like this 0x because it is an hexadecimal key. Here's the key, OK. And now here you have the decoded payload and you can see here mz pe. So this is a pe file. Here also you can see this program cannot be run in those mode. Now once you have decoded a cobalt strike beacon, you can also find its configuration inside that beacon. And the configuration is also xor encoded. But here it is just encoded with a single byte. And the byte, the key that is used to do the encoding and also the decoding of course depends on the version of cobalt strike. If it is version three, it is the letter i. So lower case i. And if it is version four, it is a dot. Here I have version three. And I can search for the text i, h, i, h. This is the start of the encoded configuration. And so it starts here. And I can select this complete configuration. Here I have it. And then run my script again, xor. So no hexadecimal value this time. It's just one byte. The key it's a letter i. So that's what I enter. Okay. And now here I have my decoded configuration. And if I scroll back, you can see things like get, post, run the ll32. So those are parameters like the user agent string that is being used, the part for the post. And here you have the IP address of the C2 and the part of the get. So this is how the decoding is done. So if you want to understand exactly how this works with a dynamic key and change before and change after, I have a presentation here with an animation that will make that clear. Okay. So how does this xor encoding and decoding with the dynamic key work? We are going to start first with the static key. A key that does not change. A simple xor encoding here. And we are also going to use in all the examples a key that is just one byte, one byte key 3f. This will make the explanation also easier to understand. But when you use multiple bytes as a key, then the principle remains the same. It's just that with the dynamic key for each step, one byte in that multi byte key will change, just like I will show it here. But we start here with a simple xor with a static key. So I have my clear text here. Hello. And here are the rskie values in the hexadecimal representation. You can see letters L, two letters L. Well, the hexadecimal representation is the same 6c. The key here is 3f and here the cipher text will appear. So let's get started. So 3f. This is my key. And this is the xor with the clear text. So 4, 8, xor 3f gives 7, 7. Next step again, key 3f. It's a static key. It doesn't change. It's a single byte. 6, 5 and 3f, 5a. Next 3f, 6c and 3f, 5, 3. Again 3f, 6c, 3f, 5, 3. 3f here the key, the key doesn't change. 6f, 3f, xor, 5, 0. So your remark here, when you use a simple xor with a key that is just one byte, then all your values are changed. It's not a 0 key, it's a 3f here. So all the values are changed. But when the input is the same, the output is the same. So the letter L here is encoded as 53. So that is a drawback of such a simple xor. That is, if your input doesn't change your output, it gets encoded. But it remains the same. And that is because we are working with a static key, a single byte simple xor that doesn't change. Next, let's see with a dynamic key. So here again, we have again our clear text, hello, hexadecimal, reputation, hierarchy, our cipher text will appear. It's again an xor with a one byte key 3f. But that is the starting value. The key will change each time we have done an xor operation. So let's get started. 3f, that is the key, the initial key, which we start, and then we xor this. So 48, 3f, xor, 7, 7. So that is just the same as the previous example. Next here, the key now is 7, 7. So we don't take key 3f, but it is a dynamic key. The key will change while the xor, the encoding is going on. Here it is 7, 7. Why is it 7, 7? Because we take the value after the xor, so the cipher text. After xor, we have 7, 7. So for the next operation, 7, 7 becomes our key. So now 6, 5 with 7, 7, that gives us 1, 2. So that's our key, our next key. 6c127e. Our next key now is 7e because that was our xor value. It's after the xor here. So we take the value after the xor as a key. So here the key is 7e. It is after the xor, that we take the value. So 7e, 7e in this example. 6c7e gives us 12. And now you can see that although we have the same input, we don't have the same output. And that is because our key is changing. It's a dynamic key. Next key here is 12, 1, 2. And that gives us 7d. So that is the dynamic key with a single byte key changing after the xor. Now let's see how it works when we do the change before the xor. So that is actually the opposite. So and when you use the change after that we saw as encoding, then you are going to use this one here change before as decoding. Well if you use this one here change before as encoding, then you are going to use the change after. And so the previous one as decoding. So again the same clear text hello asky, a one byte key xor 3f, but we are going to change that key, that dynamic key. So we start with 3f, 4, 8, 3f here, 7, 7, 4, 8, xor 3f, 7, 7. And now our key becomes 4, 8. Because now we are going to take the key before the xor. So the clear text as we have it here. So it's no longer 7, 7 that we take it's now 4, 8. And then we move on to the next xor operation. So 6, 5 and 4, 8, 2d. Next key is 6, 5. Because we take the key before the xor. 6c, 7, 5, 0, 9. Next key is 6c. Because we take it before the xor. 6c and 6c, 0, 0. So again here now you can see same input, but output differs that is because the key is changing. It's a dynamic key. 6c again here with 6f, 6c gives us 0, 3. So this is how encoding and decoding with the dynamic key does. We did hear the example with a 1 byte key. But if you have for example a 2 byte key, then it is here again the key that will change. But it is just 1 byte of the key that will change per operation. So first operation it's a first byte. Second operation it's a second byte that changes. Third operation again it is the first byte that changes. Fourth operation it's the second byte that changes. And so on.