English | 中文介绍
Bypass detection from Flare-floss
The xorstr technique has been thoroughly compromised by several open-source tools, including Flare-floss and my own open-source tool AntiXorstr. These open-source detection tools efficiently and quickly recover the original strings from the binary samples. To address this issue, this project has been designed with a focus on effectively countering these detection methods, particularly Flare-floss.
There are two bypass techniques implemented in this project: xorstr_s and xorstr_h. These techniques are based on different principles.
| types | status |
|---|---|
| Flare-floss static strings | bypass |
| Flare-floss stack strings | bypass |
| Flare-floss tight strings | bypass |
| Flare-floss decoded strings | / |
testing demo
void test()
{
printf(Enc("Samsung\n"));
wprintf(Enc(L"Apple\n"));
printf(Enc("Xiaomi\n"));
wprintf(Enc(L"Oppo Group\n"));
printf(Enc("vivo\n"));
wprintf(Enc(L"Transsion\n"));
std::cout << Enc("Honor") << std::endl;
std::wcout << Enc(L"Realme") << std::endl;
std::cout << Enc("Motorola") << std::endl;
std::wcout << Enc(L"Huawei") << std::endl;
std::cout << Enc("Others") << std::endl;
}Test result: STACK & TIGHT bypass, DECODED mode restored part of it
─────────────────────
FLOSS STACK STRINGS
─────────────────────
─────────────────────
FLOSS TIGHT STRINGS
─────────────────────
───────────────────────
FLOSS DECODED STRINGS
───────────────────────
Samsung
Apple
Xiaomi
Oppo Group
vivo
Transsion
Honor| types | status |
|---|---|
| Flare-floss static strings | bypass |
| Flare-floss stack strings | bypass |
| Flare-floss tight strings | bypass |
| Flare-floss decoded strings | bypass |
Test result: demo is consistent with xorstr_s, bypassing in all modes
FLOSS STACK STRINGS
─────────────────────
o]QOIR[6<
}<L<L<P<Y<6<<<
dU]SQU6<
s<L<L<S<
<{<N<S<I<L<6<<<
JUJS6
h<N<]<R<O<O<U<S<R<6<<<
tSRSN
n<Y<]<P<Q<Y<<<
qSHSNSP]<
t<I<]<K<Y<U<<<
sHTYNO<
─────────────────────
FLOSS TIGHT STRINGS
─────────────────────
───────────────────────
FLOSS DECODED STRINGS
───────────────────────
o]QOIR[6<