# xor-decryptor
Advanced Python toolkit for decrypting files encrypted with cyclic (repeating-key) XOR ransomware. Designed for:

- Incident responders
- Forensic analysts
- Security researchers
- CTF players

Core commands:

- Decrypt: bulk file restoration with known keys
- Recover: advanced key extraction techniques
- Analyze: file fingerprinting and entropy analysis
Key recovery methods:

| Method | Success Rate | Speed | Requirements |
|---|---|---|---|
| Known Plaintext | 98% | Instant | Original file fragment |
| Header Analysis | 85% | Fast | Known file type |
| Memory Forensics | 65% | Moderate | RAM dump |
| Brute Force | 100% (4 bytes) | Hours | Partial key |
Built-in file signatures used by header analysis (magic bytes the decrypted file must start with):

```python
FILE_SIGNATURES = {
    'png': bytes.fromhex("89 50 4E 47 0D 0A 1A 0A"),   # PNG magic number
    'zip': bytes.fromhex("50 4B 03 04"),               # PK local file header
    'pdf': bytes.fromhex("25 50 44 46"),               # "%PDF"
    'jpg': bytes.fromhex("FF D8 FF E0"),               # JPEG/JFIF SOI + APP0
    'gif': bytes.fromhex("47 49 46 38"),               # "GIF8"
    'exe': bytes.fromhex("4D 5A"),                     # "MZ" DOS/PE header
    'docx': bytes.fromhex("50 4B 03 04 14 00 06 00"),  # ZIP header as written by Office
    'txt': None,                                       # Special text handling (no fixed magic)
}
```
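The following is an added example, not the project's own code, showing the mechanism behind the Known Plaintext and Header Analysis rows of the table above. With a cyclic XOR cipher every ciphertext byte is `C[i] = P[i] ^ K[i % n]`, so XORing the ciphertext with any known plaintext (here, the file signature) gives the key bytes at those positions directly; if the known bytes cover more than one key period, the extra bytes verify the guessed key length. The function names (`xor_cycle`, `recover_key`, `detect_type`, `demo`), the shortened signature table and the sample key are assumptions constructed for this example.

```python
# Added example (not the project's own code): cyclic-XOR key recovery from a
# known file header, plus the decryption step. Names are assumptions.

# Subset of the signature table above (constructed for this example).
SIGNATURES = {
    "png": bytes.fromhex("89 50 4E 47 0D 0A 1A 0A"),
    "pdf": bytes.fromhex("25 50 44 46"),
    "zip": bytes.fromhex("50 4B 03 04"),
}


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery of a key_len-byte cyclic key.

    Returns the key when known_plaintext covers at least one full period and
    every later known byte agrees with that period. Raises ValueError when the
    known plaintext is shorter than the key (only a partial key is recoverable;
    that is the starting point of the table's brute-force method) or when the
    bytes are inconsistent with a cyclic key of this length (wrong type or length).
    """
    if len(known_plaintext) < key_len:
        raise ValueError(
            f"only {len(known_plaintext)} of {key_len} key bytes recoverable (partial key)"
        )
    if len(ciphertext) < len(known_plaintext):
        raise ValueError("ciphertext shorter than known plaintext")
    # C ^ P = K for every known position.
    fragment = xor_cycle(ciphertext[: len(known_plaintext)], known_plaintext)
    key = fragment[:key_len]
    for i in range(key_len, len(fragment)):
        if fragment[i] != key[i % key_len]:
            raise ValueError("known plaintext inconsistent with a cyclic key of this length")
    return key


def detect_type(ciphertext: bytes, max_key_len: int = 8):
    """Header analysis without a known type: try every signature and key length.

    A match is accepted only when the signature is longer than the key, so at
    least one byte actually verifies the period; otherwise every signature
    would fit trivially. Returns (type, key) or (None, None).
    """
    for name, sig in SIGNATURES.items():
        for key_len in range(1, min(max_key_len, len(sig) - 1) + 1):
            try:
                return name, recover_key(ciphertext, sig, key_len)
            except ValueError:
                continue
    return None, None


def demo():
    """Constructed sample: a PNG-like file encrypted with a 4-byte key."""
    key = bytes.fromhex("c9f2e6fc")  # constructed demo key (prefix from the README usage)
    # PNG signature, IHDR chunk length (13) and "IHDR" tag, then filler bytes.
    plaintext = SIGNATURES["png"] + bytes.fromhex("0000000D49484452") + b"\x00" * 32
    ciphertext = xor_cycle(plaintext, key)
    # Analyst knows the file type and suspects a 4-byte key:
    k1 = recover_key(ciphertext, SIGNATURES["png"], 4)
    # Analyst knows nothing; let the signature table decide:
    ftype, k2 = detect_type(ciphertext)
    restored = xor_cycle(ciphertext, k1)
    return k1.hex(), ftype, k2.hex(), restored == plaintext


if __name__ == "__main__":
    print(demo())
```

Because a short signature leaves only a few verification bytes, `detect_type` can still produce a false match by chance (one byte agreeing is a 1-in-256 event); in practice, confirm a recovered key by decrypting the whole file and checking deeper structure, for example the IHDR chunk of a PNG or the central directory of a ZIP, before bulk-restoring.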
### Installation

```bash
git clone https://github.com/xyzoptooo/xor-decryptor.git
cd xor-decryptor
pip install -r requirements.txt   # Only requires standard libraries
chmod +x decryptor.py
```
### Usage Examples

Basic decryption:

```bash
./decryptor.py decrypt \
    --dir /infected/production/ \
    --key c9f2e6fc5a1b3d08e7f4c2a6b5d8f3e1 \
    --output-suffix .restored
```
### Memory Forensics

```bash
# First capture memory
volatility -f memory.dmp --profile=Win10x64_19041 memdump -p 4412 -D ./
# Then scan for keys
./decryptor.py recover --memory pid_4412.dmp --filter c9f2e6fc
```
### File Analysis

```bash
./decryptor.py analyze \
    --encrypted suspicious.enc \
    --detect-type
```
### Legal & Ethical Notice

Authorized use cases:

- Legitimate incident response
- Forensic investigations
- CTF competitions
- Academic research

Not permitted:

- Unauthorized use against active ransomware operations; this violates the CFAA and Computer Misuse laws in many jurisdictions

Always obtain proper authorization before real-world use.