Excalibra
/
XORPHER
XORPHER - Advanced XOR encryption tool for antivirus/EDR evasion. Features 5 algorithms (Simple, Rotating, Polymorphic, Custom, Legacy), configurable key lengths (1-64 bytes), garbage insertion, and auto-verification. Educational tool for security research.
đ XORPHER v2.5
Advanced XOR Encryption Tool for Evasion
Stealth Edition - Bypass AV/EDR with 5 Configurable Encryption Algorithms
đ Overview
XORPHER is a cutting-edge XOR encryption tool designed specifically for penetration testers, red teamers, and security researchers. It implements advanced obfuscation techniques to evade Antivirus (AV) and Endpoint Detection & Response (EDR) solutions by making static analysis and signature detection significantly more difficult.
Unlike traditional XOR tools, XORPHER offers 5 distinct encryption algorithms, configurable key lengths, garbage byte insertion, and custom parameter configuration to ensure your payloads and strings remain undetected.
đ¯ Key Capabilities
| Feature | Description |
|---|---|
| đ 5 Encryption Algorithms | Simple, Rotating, Polymorphic, Custom, and Legacy modes |
| đ Configurable Key Lengths | Choose from 1-64 bytes to match your decryption code |
| đĄī¸ Evasion Levels | None, Low, Medium, High, Extreme (0-80% garbage bytes) |
| â Auto-Verification | Automatically decrypts to confirm integrity |
| đ Multiple Output Formats | String literals, byte arrays, |
XORPHER: A Multi-Algorithm XOR Encryption Tool for Red Teaming
I've been working on a Python-based XOR encryption tool called XORPHER that's designed specifically for penetration testers and red teamers who need to evade AV/EDR solutions. Today I want to share what it does and how you can use it.
What is XORPHER?
XORPHER is a multi-algorithm XOR encryption tool with 5 distinct encryption methods, configurable key lengths, and intelligent garbage byte insertion for evading signature-based detection.
Key Features:
- 5 encryption algorithms (Simple, Rotating, Polymorphic, Custom, Legacy)
- Configurable key lengths (1-64 bytes or auto)
- 5 evasion levels with garbage byte insertion (0-80%)
- Auto-verification of encrypted data
- Multiple output formats (C strings, byte arrays, Python)
- Cyberpunk-styled terminal UI
Installation
# Clone the repository
git clone https://github.com/Excalibra/xorpher.git
cd xorpher
# Install dependencies (colorama for colors, pyperclip for clipboard)
pip install -r requirements.txt
# Run XORPHER
python xorpher.py
How to Use XORPHER
Interactive Mode (Recommended)
Simply run the tool without arguments to enter the interactive menu:
python xorpher.py
You'll be greeted with the main menu:
MAIN MENU
1. đ Encrypt a string
2. đ Encryption guide
3. âšī¸ About
4. đĒ Exit
⥠Select option (1-4):
Step-by-Step Encryption Walkthrough
Step 1: Select "Encrypt a string" and enter your target string:
Enter the string to encrypt:
>>> api.example.com
Step 2: Choose an algorithm:
SELECT ALGORITHM
1. simple - Single key XOR
2. rotating - Key repeats every N bytes
3. poly - Polymorphic (hash-based)
4. custom - Configure your own parameters
5. legacy - 3-key with rolling modifier
Choice (1-5) [default: 2]:
Step 3: Configure key length:
KEY LENGTH
1. auto - Key length = data length
2. 1 byte - Single key
3. 3 bytes - 3-byte key
4. 4 bytes - 4-byte key
5. 8 bytes - 8-byte key
6. 16 bytes - 16-byte key
7. 32 bytes - 32-byte key
8. custom - Specify length (1-64)
Choice (1-8) [default: 3]:
Step 4: Set evasion level:
EVASION LEVEL
1. none - 0% garbage
2. low - 20% garbage
3. medium - 40% garbage
4. high - 60% garbage
5. extreme - 80% garbage
Choice (1-5) [default: 1]:
Step 5: Review and confirm:
ENCRYPTION SUMMARY
ââââââââââââââââââââââââââââââââââââââââââââââââââ
String: api.example.com
Algorithm: rotating
Key Length: 3 bytes
Evasion: medium
ââââââââââââââââââââââââââââââââââââââââââââââââââ
Proceed? (y/n) [default: y]:
Step 6: Get your results:
ENCRYPTION RESULTS
ââââââââââââââââââââââââââââââââââââââââââââââââââ
SUMMARY
Original: api.example.com
Algorithm: rotating
Key Length: 3 bytes
Evasion: medium
Size: 25 bytes
Key preview: 0x3f 0x1a 0x7c ...
C ARRAY
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â ROTATING ALGORITHM - Multiple Formats â
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
// Option 1: String literal
unsigned char encrypted[] = "\xe9\xff\xc2\x83\xba\xa1\x89...";
unsigned char key[] = {0x3f, 0x1a, 0x7c};
// Decryption function
void decrypt(unsigned char *data, int data_len, unsigned char *key, int key_len) {
for(int i = 0; i < data_len; i++) {
data[i] ^= key[i % key_len];
}
}
Full details saved to: xorpher_output/
Press Enter to return to main menu...
Advanced Usage Examples
Example 1: Legacy Mode for Dropper Compatibility
Perfect when working with existing malware or dropper code:
# Run XORPHER and select:
Algorithm: legacy
Keys: Generate random 3-byte keys
Output format ready for C droppers:
{(BYTE*)"\xe9\xff\xc2\x83\xba\xa1\x89\x61\x71\x5d\x57\x25\x13\x07\xb7\xe7\xca\xae", 18, {0xc1, 0xac, 0xf5}}
Decryption code for your C project:
void decrypt_str(unsigned char* data, int size, unsigned char k1, unsigned char k2, unsigned char k3) {
unsigned char combined = k1 ^ k2 ^ k3;
for(int i = 0; i < size; i++) {
unsigned char r = ((i * 19) ^ (i >> 3) ^ (size - i)) & 0xFF;
data[i] ^= combined ^ r ^ (i & 0xFF);
}
}
Example 2: Custom Mode for Full Control
Fine-tune every aspect of the encryption:
CUSTOM CONFIGURATION
Key options:
1. Single key
2. Multiple keys (rotating)
3. 3-key legacy style
Rolling modifier:
1. No rolling (standard XOR)
2. Simple rolling (position only)
3. Legacy rolling (with multiplier and shift)
Example configuration:
- Key type: Multiple keys (rotating)
- Number of keys: 4
- Rolling: Legacy rolling with multiplier 19, shift 3
- Position XOR: Enabled
Example 3: Maximum Evasion
When you need to avoid detection at all costs:
Algorithm: poly (polymorphic)
Key Length: 32 bytes
Evasion Level: extreme (80% garbage)
The result will have 80% random bytes interleaved with your real data, making pattern matching nearly impossible.
Output Formats Explained
XORPHER generates ready-to-use code in multiple formats:
C String Literal
unsigned char encrypted[] = "\x4a\x6f\x68\x6e";
unsigned char key[] = {0x3f, 0x1a, 0x7c};
C Byte Array
unsigned char encrypted[] = {0x4a, 0x6f, 0x68, 0x6e};
unsigned char key[] = {0x3f, 0x1a, 0x7c};
Python Implementation
encrypted = [0x4a, 0x6f, 0x68, 0x6e]
key = [0x3f, 0x1a, 0x7c]
decrypted = bytes([b ^ key[i % len(key)] for i, b in enumerate(encrypted)])
Legacy Dropper Format
{(BYTE*)"\x4a\x6f\x68\x6e", 4, {0x3f, 0x1a, 0x7c}}
Use Cases
- String obfuscation in malware development
- Payload encryption for C2 frameworks
- Evading signature-based detection in AV/EDR
- Learning about encryption algorithms for research
- Testing detection capabilities of security solutions
Pro Tips
- Always verify - XORPHER auto-verifies, but test your decryption code
- Match key lengths - Ensure your decryption code uses the same key length
- Start with low evasion - Test with none/low first, then increase
-
Save outputs - All results are timestamped in
xorpher_output/ - Use clipboard - Results are automatically copied (if pyperclip installed)
â ī¸ Disclaimer
This tool is for educational purposes and authorized security testing only. Only use on systems you own or have explicit permission to test.
đ Quick Reference
| Algorithm | Best For | Key Length |
|---|---|---|
| Simple | Basic obfuscation | 1 byte |
| Rotating | General purpose | 3-8 bytes |
| Poly | Maximum stealth | 16-32 bytes |
| Custom | Advanced users | Configurable |
| Legacy | Old droppers | 3 bytes |
| Evasion | Garbage | Use Case |
|---|---|---|
| none | 0% | Testing |
| low | 20% | Basic evasion |
| medium | 40% | General purpose |
| high | 60% | Aggressive |
| extreme | 80% | Maximum stealth |
đ¤ Get Involved
GitHub: https://github.com/Excalibra/XORPHER
git clone https://github.com/Excalibra/xorpher.git
cd xorpher
pip install -r requirements.txt
python xorpher.py
â Star the repo if you find it useful!
Top comments (0)