MacOS Python / XProtect Encryption Abuse

Author None
Platform Macos
Language Python
Technique XProtect Encryption Abuse

Description:

This decryption routine, authored by Check Point Research, recovers the encrypted strings found in Apple's macOS XProtect binaries and in the Banshee Stealer. The scheme is a byte-wise XOR against a 64-bit integer key: byte i of the ciphertext is XORed with byte (i mod 8) of the key, selected with a right shift by (i * 8) & 0x38 and a mask of 0xFF, so the key repeats every eight bytes. The recovered string is truncated at the first null character.

Code

def macos_xprotect_string_decryption(encrypted: bytes, encr_key: int) -> str:
    """
    Author: @Check Point Research
    Decrypts MacOS Xprotect binaries & Banshee Stealer encrypted strings.

    Byte i of the ciphertext is XORed with byte (i mod 8) of the 64-bit key,
    so the key cycles every eight bytes.
    """
    decrypted = "".join(
        chr(
            # (i * 8) & 0x38 yields the shift 0, 8, ..., 56: key byte i mod 8
            ((encr_key >> ((i * 8) & 0x38)) & 0xFF) ^ encrypted[i]
        )
        for i in range(len(encrypted))
    )
    # Strings are NUL-terminated; keep only what precedes the first null byte
    # (a real "\x00" character, not the four-character literal "\\x00")
    return decrypted.partition("\x00")[0]
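The following is an added example, not code from the page or from Check Point Research. It implements the same cycling-key XOR scheme in both directions so the decryption behaviour can be checked on constructed input without a real XProtect or Banshee sample: the key byte selection, NUL termination with padded buffers, and the byte order needed when the key is lifted as raw bytes from a binary. The key value, plaintext and function names (key_byte, xor_with_key, encrypt_string, decrypt_string, key_from_raw_bytes) are all assumptions made for this example.

```python
"""
Added example (not Check Point Research's code): round-trips strings through
the byte-wise XOR scheme that the decryption routine above undoes.
"""
from __future__ import annotations

KEY_BYTES = 8  # the routine cycles through the 64-bit key one byte at a time


def key_byte(encr_key: int, i: int) -> int:
    """Byte (i mod 8) of the key: the same selection the decryption routine makes."""
    return (encr_key >> ((i * 8) & 0x38)) & 0xFF


def xor_with_key(data: bytes, encr_key: int) -> bytes:
    """XOR each byte with the cycling key byte. XOR is symmetric, so the same
    call encrypts plaintext and decrypts ciphertext."""
    return bytes(b ^ key_byte(encr_key, i) for i, b in enumerate(data))


def encrypt_string(plaintext: str, encr_key: int, pad_to: int = 0) -> bytes:
    """Encrypt a NUL-terminated string. pad_to pads the buffer with NULs the
    way a fixed-size string slot would; padding bytes are XORed as well, so
    they are not zero in the ciphertext."""
    # latin-1 keeps one byte per character, matching the chr() in the routine
    raw = plaintext.encode("latin-1") + b"\x00"
    raw = raw.ljust(pad_to, b"\x00")
    return xor_with_key(raw, encr_key)


def decrypt_string(encrypted: bytes, encr_key: int) -> str:
    """Decrypt and truncate at the first NUL, mirroring the page's routine."""
    plain = xor_with_key(encrypted, encr_key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def key_from_raw_bytes(raw_key: bytes) -> int:
    """Build the integer key from 8 raw bytes. The routine XORs ciphertext
    byte 0 with the LOW byte of the key, so a key copied byte-for-byte out of
    a binary must be read little-endian for the bytes to line up."""
    if len(raw_key) != KEY_BYTES:
        raise ValueError("key must be exactly 8 bytes")
    return int.from_bytes(raw_key, "little")


# Constructed sample values for this example; not taken from any real binary.
SAMPLE_KEY = 0x0123456789ABCDEF
SAMPLE_PLAINTEXT = "https://example.invalid/api/upload"

if __name__ == "__main__":
    ct = encrypt_string(SAMPLE_PLAINTEXT, SAMPLE_KEY, pad_to=64)
    print("ciphertext:", ct.hex())
    print("decrypted :", decrypt_string(ct, SAMPLE_KEY))
```

Because the key is only eight bytes and is XORed straight onto the plaintext, any run of eight or more known-zero padding bytes in a string slot leaks the whole key: XORing the ciphertext of an all-NUL buffer with zero returns the key bytes themselves, which is the fastest way to recover the key from a sample when the string table is padded.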

Created

January 11, 2025

Last Revised

January 11, 2025