Review Article
Metamorphic Malware and Obfuscation: A Survey of Techniques, Variants, and Generation Kits
Table 3
Three versions of the E32/Evol virus following obfuscation through garbage code insertion and encryption. Retrieved from [43].
| | Opcode | After obfuscation |
| --- | --- | --- |
| Version 1 | C7060F000055 | mov dword ptr [esi], 5500000Fh |
| | C746048BEC5151 | mov dword ptr [esi + 0004], 5151EC8Bh |
| Version 2 | BF0F000055 | mov edi, 5500000Fh |
| | 893E | mov [esi], edi |
| | 5F | pop edi |
| | 52 | push edx |
| | B640 | mov dh, 40 |
| | BA8BEC5151 | mov edx, 5151EC8Bh |
| | 53 | push ebx |
| | 8BDA | mov ebx, edx |
| | 895E04 | mov [esi + 0004], ebx |
| Version 3 | BB0F000055 | mov ebx, 5500000Fh |
| | 891E | mov [esi], ebx |
| | 5B | pop ebx |
| | 51 | push ecx |
| | B9CB00C05F | mov ecx, 5FC000CBh |
| | 81C1C0EB91F1 | add ecx, F191EBC0h; ecx = 5151EC8Bh |
| | 894E04 | mov [esi + 0004], ecx |
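
As an added illustration (not code from the survey or from the source it cites), the sketch below interprets the three listings in Table 3 and reduces each to the dwords it writes relative to `esi`, showing that the variants differ in bytes but not in memory effect. The mini-interpreter, its function names and the simplified operand syntax are assumptions made for this example.

```python
import re

# Listings transcribed from Table 3; immediates are hex with the 'h' suffix dropped.
VARIANTS = {
    "Version 1": ["mov dword ptr [esi], 5500000F",
                  "mov dword ptr [esi+0004], 5151EC8B"],
    "Version 2": ["mov edi, 5500000F", "mov [esi], edi", "pop edi", "push edx",
                  "mov dh, 40", "mov edx, 5151EC8B", "push ebx",
                  "mov ebx, edx", "mov [esi+0004], ebx"],
    "Version 3": ["mov ebx, 5500000F", "mov [esi], ebx", "pop ebx", "push ecx",
                  "mov ecx, 5FC000CB", "add ecx, F191EBC0", "mov [esi+0004], ecx"],
}
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi"}

def value(op, regs):
    """32-bit register -> tracked value (None if unknown); otherwise a hex immediate."""
    return regs.get(op) if op in REGS else int(op, 16)

def memory_effect(listing):
    """Interpret one listing (hypothetical mini-interpreter) -> {offset from esi: dword}."""
    regs, writes = {}, {}
    for line in listing:
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.replace("dword ptr", "").split(",")]
        if mnem == "push":
            continue                      # stack traffic never touches [esi]
        if mnem == "pop":
            regs[ops[0]] = None           # restored value is unknown here
        elif mnem == "add":
            a, b = regs.get(ops[0]), value(ops[1], regs)
            regs[ops[0]] = None if None in (a, b) else (a + b) & 0xFFFFFFFF
        elif m := re.fullmatch(r"\[esi(?:\+([0-9A-Fa-f]+))?\]", ops[0]):
            writes[int(m.group(1) or "0", 16)] = value(ops[1], regs)
        elif ops[0] in REGS:
            regs[ops[0]] = value(ops[1], regs)
        else:                             # 8-bit write (e.g. dh) taints its parent
            regs["e" + ops[0][0] + "x"] = None
    return writes

def normalized_effects():
    """Memory effect of every variant, keyed by the table's version label."""
    return {name: memory_effect(code) for name, code in VARIANTS.items()}

if __name__ == "__main__":
    for name, effect in normalized_effects().items():
        print(name, {hex(k): hex(v) for k, v in effect.items()})
```

All three versions reduce to the same two writes, `[esi] = 5500000Fh` and `[esi + 0004] = 5151EC8Bh`; the pushes, pops and the `mov dh, 40` drop out as inserted garbage.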