EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationxorcryptographyaes

Cryptographic Identification

How to identify XOR encoding, standard cryptographic algorithms (AES, RC4, MD5), and custom Base64 alphabets in malware binaries using constant detection, signsrch, and FindCrypt2.

Ashish Revar12 May 202616 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Spotting Forensic Gold in Malware Strings

Discover how malware analysts extract hidden intelligence from embedded strings — URLs, registry paths, API call sequences, and C2 artefacts that reveal attacker behaviour and seed your IOC list.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

FindCrypt2 — IDA Pro Crypto Constant Scanner

IDA Pro plugin that scans for cryptographic constants and annotates matches. Install in IDA plugins directory.

tool
CyberChef — From Base64 with Custom Alphabet

Use the From Base64 operation with a custom alphabet field. Paste the 64-character alphabet found in the binary to decode non-standard encodings.

tool
REMA eBook 2026 — Chapter 5, Cryptographic Identification

Full cryptographic constant reference table and XOR decryption examples in the REMA eBook Chapter 5.

ebook
More articlesTest your knowledge

Why Malware Uses Cryptography

Malware protects its configuration (C2 addresses, encryption keys, campaign identifiers) and secondary payloads by encrypting them and decrypting only at runtime. The analyst needs to:

  1. Identify which algorithm is used
  2. Locate the key
  3. Decrypt the protected data statically (without running the malware)

Think of cryptographic constants as a chef''s secret recipe written on a napkin left on the counter. The algorithm tries to hide what it''s cooking, but the ingredients list gives it away.

XOR Encoding

XOR is the most common obfuscation method in malware. It is symmetric: applying the same key twice recovers the original data.

Plaintext  XOR  Key  =  Ciphertext
Ciphertext XOR  Key  =  Plaintext

XOR is like a light switch. Flip it once, the light turns on. Flip it again with the same switch, it turns off. The key is knowing which switch to flip — and malware authors often leave that switch in plain sight in the code.

Single-byte XOR

The key is a single hardcoded byte visible directly in disassembly:

    xor  ecx, ecx            ; counter = 0
decrypt_loop:
    mov  al, [esi+ecx]       ; load encrypted byte
    xor  al, 0x55            ; XOR with key 0x55  ← KEY IS HERE
    mov  [esi+ecx], al       ; store decrypted byte
    inc  ecx
    cmp  ecx, edx
    jl   decrypt_loop

Static decryption in Python:

key = 0x55
encrypted = bytes([0xA3, 0x7F, 0x12, 0xE8, ...])  # from binary
decrypted = bytes([b ^ key for b in encrypted])
print(decrypted)

Multi-byte (rolling) XOR

The key is a multi-byte sequence applied cyclically. More resistant to frequency analysis than single-byte XOR:

    lea  esi, [encrypted_buf]
    lea  edi, [key_buf]        ; 4-byte key: DE AD BE EF
decrypt:
    mov  al, [esi+ecx]
    mov  ebx, ecx
    and  ebx, 3                ; ebx = ecx mod 4 (cycles key)
    xor  al, [edi+ebx]         ; XOR with cycling key byte
    mov  [esi+ecx], al
    inc  ecx
    cmp  ecx, edx
    jl   decrypt

Python decryption:

key = bytes([0xDE, 0xAD, 0xBE, 0xEF])
decrypted = bytes([b ^ key[i % len(key)] for i, b in enumerate(encrypted)])

XOR brute-force for single-byte keys

If the key is not visible in disassembly (e.g., derived at runtime), brute-force all 256 possibilities. A valid key produces readable ASCII or a recognisable binary header:

for key in range(256):
    result = bytes([b ^ key for b in encrypted])
    if b'http' in result or b'MZ' in result:
        print(f"Key: {key:#04x} → {result[:50]}")

Identifying Standard Algorithms via Constants

When malware uses real cryptographic algorithms (AES, RC4, MD5), reverse-engineering the implementation is impractical. Instead, search for characteristic constants — every algorithm has a fingerprint.

AlgorithmFingerprintIdentifying Constants
MD5Initialisation vector0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
SHA-1Initialisation vectorMD5 constants + 0xC3D2E1F0
AESS-Box256-byte substitution table starting 0x63, 0x7C, 0x77, 0x7B...
RC4KSA loop256-iteration loop filling S[i] = i (no fixed constants — recognise by loop pattern)
Base64Alphabet stringStandard 64-char alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
CRC32Polynomial0xEDB88320 or lookup table of 256 DWORD values
BlowfishP-arrayStarts with 0x243F6A88, 0x85A308D3... (fractional digits of π)

Cryptographic Scanning Tools

FindCrypt2 (IDA Pro plugin)

Scans loaded binary for cryptographic constants and annotates matching addresses automatically:

FindCrypt2 results:
  0x00403050: AES_Te0 (AES encryption S-Box)
  0x00404050: MD5_IV (MD5 initialisation vector)
  0x00405000: CRC32_table (CRC32 lookup table)

Navigate to the annotated address to find the function that uses the algorithm.

signsrch (standalone)

signsrch suspicious.exe

Example output:

offset    signature
0x004050  AES S-Box
0x004150  AES inverse S-Box
0x004250  AES Rcon

Detect-It-Easy (DIE)

DIE also detects cryptographic primitives in its analysis output alongside packer identification.

Custom Base64 Alphabets

Malware sometimes uses a non-standard Base64 alphabet to defeat standard decoders:

Standard: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Custom:   ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_

Standard Base64 decoders fail on custom alphabets. The approach:

  1. Find the alphabet string in the binary (it will be a 64-character sequence in .data or .rdata)
  2. Build a translation table from custom → standard alphabet
  3. Translate the encoded string, then apply standard Base64 decoding

CyberChef supports custom alphabets: use "From Base64" operation → click alphabet field → paste the custom alphabet found in the binary.

Practical Workflow

1. Run FindCrypt2 or signsrch on the binary
   → identifies algorithm immediately if standard constants are present

2. If no constants found, search for XOR loops:
   → look for tight loops with XOR [reg+counter], imm8
   → extract key byte from the immediate value

3. If multi-byte key: extract key array from .data section

4. Decrypt statically in Python using extracted key + ciphertext

5. Verify decryption: decrypted content should contain readable strings,
   a PE header (MZ), or recognisable network protocol

6. If algorithm is AES or RC4:
   → find the key schedule or KSA function
   → set breakpoint after key initialisation in x64dbg
   → read the key from memory at runtime