Recently came across a number of stager payloads that are not using the standard (0x69, 0x2e) XOR configuration key. Given that it's a single byte key a simple brute force check works. Not sure if you want to consider implementing that into your code.
At the same time, also came across one version that along with changing the key, also changed the type markers in the configuration by multiplying them by two. So SHORT moves from 0x01 to 0x02, INT from 0x02 to 0x04 and STR from 0x03 to 0x06, I don't think this will be as easier a fix or option to factor in. Sample currently at https://8[.]218[.]28[.]246:8443/
Recently came across a number of stager payloads that are not using the standard (0x69, 0x2e) XOR configuration key. Given that it's a single byte key a simple brute force check works. Not sure if you want to consider implementing that into your code.
At the same time, also came across one version that along with changing the key, also changed the type markers in the configuration by multiplying them by two. So SHORT moves from 0x01 to 0x02, INT from 0x02 to 0x04 and STR from 0x03 to 0x06, I don't think this will be as easier a fix or option to factor in. Sample currently at https://8[.]218[.]28[.]246:8443/