YARA release candidate 1 for version 4.3.0 brings a new option for XOR strings: –print-xor-key
This option prints out the XOR key that matches an XOR string (0x41 in this example):
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.