StringMatchInstance XOR key property value is always 0
melomac opened this issue
I am very excited by StringMatch and StringMatchInstance objects in yara-python version 4.3 release candidate and also the XOR key property.
I needed to support the new objects and also wanted to implement the XOR property in some of my code.
Out of curiosity, I created this Mach-O test file using CodeRunner for example:
#import <Foundation/Foundation.h>
int main(int argc, char *argv[]) {
@autoreleasepool {
NSString *a = @"123";
NSString *b = @"abc";
}
}
and this YARA test rule:
rule oneTwoThree {
strings:
// xor modifier: match "123" encoded with any single-byte key 0x00-0xff
$ = "123" xor
condition:
any of them
}
The string 123 should match the NSString a C string with XOR key 0 and the NSString b C string with XOR key P:
>>> from Crypto.Cipher import XOR
>>> XOR.new(b"P").encrypt(b"123")
b'abc'
On compiling the rule file and looking for matches in the compiled Mach-O file, I am getting the two instances as expected:
>>> matches[0]
oneTwoThree
>>> matches[0].strings[0]
$
>>> matches[0].strings[0].is_xor()
True
>>> matches[0].strings[0].instances
[123, abc]
But the XOR key value is 0 in both cases:
>>> matches[0].strings[0].instances[0].xor_key
0 / 0x0 # expected
>>> matches[0].strings[0].instances[1].xor_key
0 / 0x0 # not expected: this should be the ordinal value of P i.e. 80 / 0x50
Would you please be so kind as to consider this a problem to fix for the version 4.3 final candidate?
Many thanks for this new feature, which will be very interesting to work with in the near future!
EDIT:
This actually is a YARA problem as the CLI won't print the XOR key either:
yara -X rule.yara $TMPDIR/CodeRunner/Untitled
oneTwoThree /var/folders/4n/4cnph2ps2t77b9xms19fsqrc0000gn/T//CodeRunner/Untitled
0x3fb0:$:xor(0x00)
0x3fb4:$:xor(0x00)
Closing as it actually is a YARA problem: VirusTotal/yara#1851
Sorry I didn't realize earlier.
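As an added example (not code from the issue, yara-python or YARA), the following derives the single-byte XOR key that the xor modifier should report for a match and emulates the scan over a constructed stand-in for the test binary's string section, so the expected keys 0x00 and 0x50 can be cross-checked while xor_key reports 0:

```python
# Added example (not from the issue or from yara-python): recover the
# single-byte XOR key behind a YARA "xor" match and scan a buffer for every
# XOR-encoded occurrence of a plaintext pattern, reporting (offset, key)
# pairs the way "yara -X" prints them. Useful as a cross-check while the
# xor_key property reports 0 for every instance.
from typing import List, Optional, Tuple


def xor_key_for_match(pattern: bytes, matched: bytes) -> Optional[int]:
    """Return the key k (0..255) with pattern[i] ^ k == matched[i] for all i,
    or None if no single-byte key explains the matched bytes."""
    if not pattern or len(pattern) != len(matched):
        return None
    key = pattern[0] ^ matched[0]
    if all(p ^ key == m for p, m in zip(pattern, matched)):
        return key
    return None


def scan_xor(data: bytes, pattern: bytes, keys=range(256)) -> List[Tuple[int, int]]:
    """Emulate the xor modifier: every offset where pattern appears XOR-encoded
    with a key from `keys` (YARA's default range is 0x00-0xff; key 0 is the
    plain, unencoded match). Returns (offset, key) pairs ordered by offset."""
    hits = []
    n = len(pattern)
    for off in range(len(data) - n + 1):
        key = xor_key_for_match(pattern, data[off:off + n])
        if key is not None and key in keys:
            hits.append((off, key))
    return hits


# Constructed stand-in for the __cstring data of the issue's test binary:
# "123" stored plainly, followed by "abc", which is "123" XOR 0x50 ('P').
SAMPLE = b"\x00123\x00abc\x00"

if __name__ == "__main__":
    for off, key in scan_xor(SAMPLE, b"123"):
        print(f"0x{off:x}:$:xor(0x{key:02x})")  # same layout as yara -X output
```

Passing keys=range(1, 256) mirrors a rule written as xor(0x01-0xff) and drops the plain match.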