Ok thanks, I managed it in winhex - my other hex editor didn't have that feature:
How did you figure that out?
it has been ages since I used them but there were some programs that would do data analysis and search using several techniques like enthropy, statistical, transpositions and easy/linear transformations and such over a given plaintext into data file. Anyway, for this case, you could write a small program to look for any 4, 8, 16 or 32 bytes that would check for them with any xor value.
Just a small idea how to do this a bit faster: just scan the buffer incrementing the pointer byte by byte but checking 1, 2, 4 or 8 dwords. Also, I would check like this ( this example is for scanning for 16 byte targets ):
unsigned int TargetDwordA = ReadHex(argv[1]); // Provide target 16 byte value by giving four 32bit hex parameters
unsigned int TargetDwordB = ReadHex(argv[2]);
unsigned int TargetDwordC = ReadHex(argv[3]);
unsigned int TargetDwordD = ReadHex(argv[4]);
unsigned int TestDwordA;
unsigned int TestDwordB;
unsigned int TestDwordC;
unsigned int TestDwordD;
int InBufferIndex;
unsigned char* pBuffer; // read file contents here...
int BufferSize; // set file size or read bytes number here...
for(InBufferIndex = 0; InBufferIndex < (BufferSize - 16); InBufferIndex++)
{
TestDwordA = ((unsigned int*)&(pBuffer[InBufferIndex]))[0] ^ TargetDwordA;
TestDwordB = ((unsigned int*)&(pBuffer[InBufferIndex]))[1] ^ TargetDwordB;
TestDwordC = ((unsigned int*)&(pBuffer[InBufferIndex]))[2] ^ TargetDwordC;
TestDwordD = ((unsigned int*)&(pBuffer[InBufferIndex]))[3] ^ TargetDwordD;
if ((TestDwordA == TestDwordB) && (TestDwordA == TestDwordC) && (TestDwordA == TestDwordD))
{
printf("Target found at offset %d (%X) using xor key %08X.\n", InBufferIndex, InBufferIndex, TestDwordA); // Note that key may be 32bits, 16bits or 8bits but printed as 32bits, so if its four bytes are equal it would be an 8bit xor, if it has two 16bit parts that are equal it would be a 16bit xor key and if four bytes are different it would be a 32bit xor key
}
}
This is a way to look for any xored value by looking for the target and obtaining the xor key without trying all keys.