XOR in Go – Locking, Unlocking, and Malware Mischief

Hey snowpack! Yeti’s back stomping through the icebox with another coding project. Today, we’re tackling a deceptively simple but powerful concept: XOR (exclusive OR) — the snow shovel of cryptography. Basic, rugged, and everywhere.
What is XOR?
XOR (exclusive OR) is a bitwise operation that compares two values:
- If the bits are different → outputs 1
- If the bits are the same → outputs 0
This simple trick is one of the oldest tools in the crypto and malware toolbox. Why? Because it’s:
- Reversible – The same operation encrypts and decrypts
- Lightweight – Works on small data, strings, or entire files
- Flexible – Can use any key length
But beware: it’s weak – brute-forcing XOR keys is like throwing snowballs at a cabin window. Given enough tries, you’ll smash through. That’s why it’s often used by malware developers to obfuscate, not secure. Ransomware, droppers, and loaders? All cozy with XOR.
“It’s not about building Fort Knox — it’s about throwing off the analyst’s scent trail.” – Yeti 🐾
Building XOR in Go
Sure, XOR is usually demo’d in C/C++ (low-level land), but I iced it up in Go. Here’s the code:
// xorEncryptDecrypt XORs every byte of input with the single-byte key.
// Because XOR undoes itself, the same call both locks and unlocks.
func xorEncryptDecrypt(input string, key byte) string {
	output := make([]byte, len(input))
	for i := range input { // i indexes bytes, not runes
		output[i] = input[i] ^ key
	}
	return string(output)
}
Breaking it down:
- ^ = XOR operator in Go
- Loop goes through each byte of input
- XORs each byte with key
- Returns scrambled (or unscrambled) string
If the key is 44 bits, it cycles through 44 comparisons per input bit. That’s why brute-forcing XOR is easy-peasy — attackers can try short keys quickly.
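The function above takes a single key byte. Since the post notes that XOR can use any key length, here is an added example (not from the post's GitHub repo) that generalizes it to a repeating multi-byte key, cycling through the key as it walks the data, and checks that locking then unlocking with the same key gives back the original bytes. The sample string and the 4-byte key "snow" are constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
)

// xorRepeatingKey XORs every byte of data with the key, cycling through the
// key when data is longer than it. Because XOR is its own inverse, calling
// it twice with the same key returns the original bytes. An empty key is
// treated as "no transformation" rather than panicking on i % 0.
func xorRepeatingKey(data, key []byte) []byte {
	if len(key) == 0 {
		return append([]byte(nil), data...)
	}
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// roundTrips reports whether locking and then unlocking with key restores data.
func roundTrips(data, key []byte) bool {
	locked := xorRepeatingKey(data, key)
	return bytes.Equal(xorRepeatingKey(locked, key), data)
}

func main() {
	// Constructed sample: a fake beacon address of the kind malware hides.
	plain := []byte("http://c2.example.invalid/beacon")
	key := []byte("snow") // assumed 4-byte key for the demo

	locked := xorRepeatingKey(plain, key)
	fmt.Printf("locked:   %x\n", locked)
	fmt.Printf("unlocked: %s\n", xorRepeatingKey(locked, key))
	fmt.Println("round trip ok:", roundTrips(plain, key))
}
```

Note that a repeating key does not make the scheme strong: every byte at position i is still XORed with the same key byte as positions i+len(key), i+2·len(key), and so on, which is exactly the repeated pattern an analyst looks for.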
Demo
Using CLI flags like -in (input file), -out (output file), -mode lock|unlock, and -key, you can lock or unlock text:
- Locked output → unreadable, scrambled string of bits
- Unlocked output → original message restored
This mirrors what malware does: lock payloads so analysts see gibberish until the XOR key is applied.
Why this matters
Threat actors love XOR because:
- Obfuscation – Strings like C2 addresses or file paths get scrambled
- Anti-analysis – Analysts can’t grep plain-text strings
- Payload hiding – Droppers unpack themselves only at runtime
But as defenders, understanding XOR means:
- You can reverse engineer samples faster
- You’ll recognize patterns like repeated keys
- You’ll know when ransomware uses XOR vs. stronger ciphers
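To show why single-byte XOR is obfuscation rather than security, here is an added analyst-side example (not code from the post or its repo). It takes a blob that was locked with one unknown key byte, tries all 256 candidates, and picks the one whose output looks most like text, scoring spaces and letters highest and penalizing non-printable bytes. The configuration string and key 0x5a are constructed for the demo; the scoring weights are an assumption chosen so that plaintext with more spaces than punctuation always wins outright.

```go
package main

import "fmt"

// xorSingleByte XORs every byte of data with one key byte, the same scheme
// as the post's xorEncryptDecrypt.
func xorSingleByte(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// textScore rates how much data looks like readable ASCII text. Spaces and
// letters score highest; control bytes and anything above 0x7e are penalized
// hard, since a wrong key usually scatters bytes outside the printable range.
func textScore(data []byte) int {
	score := 0
	for _, b := range data {
		switch {
		case b == ' ':
			score += 3
		case (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z'):
			score += 2
		case b >= 0x21 && b <= 0x7e:
			score += 1
		default:
			score -= 10
		}
	}
	return score
}

// recoverSingleByteKey tries every key byte and returns the best-scoring
// key with its decoded output. Ties resolve to the lowest key value.
func recoverSingleByteKey(blob []byte) (byte, []byte) {
	bestKey, bestScore := byte(0), -1<<31
	var best []byte
	for k := 0; k < 256; k++ {
		candidate := xorSingleByte(blob, byte(k))
		if s := textScore(candidate); s > bestScore {
			bestScore, bestKey, best = s, byte(k), candidate
		}
	}
	return bestKey, best
}

func main() {
	// Constructed sample: a config string a dropper might hide, locked with
	// the (assumed) key 0x5a. The analyst only sees the locked blob.
	plain := []byte("call home to the snow cabin every ten minutes")
	blob := xorSingleByte(plain, 0x5a)

	key, recovered := recoverSingleByteKey(blob)
	fmt.Printf("recovered key: 0x%02x\n", key)
	fmt.Printf("recovered text: %s\n", recovered)
}
```

Every candidate is tried in well under a millisecond, which is the whole point: a key space of 256 is not a lock, it is a curtain. Multi-byte keys raise the count but fall to the same idea applied per key position once the key length is guessed from the repeating pattern.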
Final Thoughts
XOR is like the duct tape of cryptography. Simple, not bulletproof, but wildly effective for quick obfuscation — which is why both blue teamers and malware authors should know it inside-out.
Want to see the frozen footprints?
👉 Check out my code and demo on GitHub
Until next time — stay frosty, stay curious.
Yeti out. 🐾