{"id":455,"date":"2013-08-26T02:46:14","date_gmt":"2013-08-26T02:46:14","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=455"},"modified":"2013-08-26T02:46:14","modified_gmt":"2013-08-26T02:46:14","slug":"restoring-mcafee-bup-files","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2013\/08\/restoring-mcafee-bup-files\/","title":{"rendered":"Restoring McAfee BUP Files"},"content":{"rendered":"<p>Hello fellow readers,<\/p>\n<p>It&#8217;s been a while since I&#8217;ve posted. <\/p>\n<p>Today at work I was going over malware already flagged by McAfee and sent to the quarantined folder. <\/p>\n<p>The way McAfee encrypts \/ encodes its quarantined files is pretty basic &#8211; XOR (exclusive OR) on each byte by the value of 0x6a (106 in decimal). <\/p>\n<p>Once you know how this is done, writing an application to do this becomes stupid simple.<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2013\/08\/bup1.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2013\/08\/bup1.png\" alt=\"bup1\" width=\"307\" height=\"426\" class=\"alignnone size-full wp-image-457\" \/><\/a><\/p>\n<p>You can download the app here:<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2013\/08\/Restore_Mcafee_BUP_File.7z\">Restore_Mcafee_BUP_Files<\/a><\/p>\n<p>I am looking forward to ToorCon in the next couple of months. Was thinking of doing a talk on bypassing FireEye. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello fellow readers, It&#8217;s been a while since I&#8217;ve posted. Today at work I was going over malware already flagged by McAfee and sent to the quarantined folder. The way McAfee encrypts \/ encodes its quarantined files is pretty basic &#8211; XOR (exclusive OR) on each byte by the value of 0x6a (106 in decimal). 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/455"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=455"}],"version-history":[{"count":1,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/455\/revisions"}],"predecessor-version":[{"id":458,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/455\/revisions\/458"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}