> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-3/obfuscation/xor-decryption/trick-0426.md).

# Recover Data via XOR Decryption Script

***

When reverse engineering reveals data obfuscated as an array of byte/integer values (e.g., `obf = [...]`) and a single-byte XOR key (e.g., `key = 125`), you can quickly recover the plaintext by writing a script. The script iterates through the obfuscated values, XORing each element with the identified key and converting the resulting integer back to its character representation.

For example, using Python:

```python
obf = [102, 108, 97, 103, 123, ...] # Array of decimal values from decompiled code
key = 125 # Single-byte XOR key identified

plaintext = ""
for byte_val in obf:
    decrypted_char = chr(byte_val ^ key)
    plaintext += decrypted_char

print(plaintext)
```

This process relies on the fundamental property of XOR where applying the same key twice recovers the original value. The operation is performed byte by byte. A common utility function for performing single-byte XOR on byte strings is shown below. The function `single_byte_xor` takes the input bytes and the key as arguments. It iterates through each byte in the input bytes and XORs it with the key. The result is then appended to the `output_bytes` byte string.

```python
def single_byte_xor(input_bytes, key):
    output_bytes = b''
    for byte in input_bytes:
        output_bytes += bytes([byte ^ key])
    return output_bytes
```

This function takes a `bytes` object and a single integer key, returning the resulting `bytes` after XORing each byte with the key.
