encode data using XOR

rule:
  meta:
    name: encode data using XOR
    namespace: data-manipulation/encoding/xor
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: basic block
      dynamic: unsupported  # requires characteristic, Not features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]
      - Data::Encode Data::XOR [C0026.002]
    examples:
      - 2D3EDC218A90F03089CC01715A9F047F:0x403D7E
  features:
    - and:
      - characteristic: tight loop
      - characteristic: nzxor
      - not:
        - description: filter for potential false positives
        - or:
          - or:
            - description: unsigned bitwise negation operation (~i)
            - number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits
            - number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits
          - or:
            - description: signed bitwise negation operation (~i)
            - number: 0x0FFFFFFF = bitwise negation for signed 32 bits
            - number: 0x0FFFFFFFFFFFFFFF = bitwise negation for signed 64 bits
          - or:
            - description: Magic constants used in the implementation of strings functions.
            # such as `strlen` and `strcat` in the Windows standard library:
            # (((i - 0x81010101) ^ ~i) & 0x81010100)
            ## 32 bits
            - number: 0x7EFEFEFF = optimized string constant for 32 bits
            - number: 0x81010101 = -0x81010101 = 0x7EFEFEFF
            - number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF
            ## 64 bits
            - number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits
            - number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF
            - number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF