June 2018
Beginner
510 pages
13h 7m
English
Content preview from Learning Malware Analysis
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
1.3 XOR Encoding
Apart from Base64 encoding, another common encoding algorithm used by the malware authors is the XOR encoding algorithm. XOR is a bitwise operation (like AND, OR, and NOT), and it is performed on the corresponding bits of the operands. The following table depicts the properties of the XOR operation. In the XOR operation, when both the bits are the same, the result is 0; otherwise, the result is 1:
| A | B | A^B |
| 0 | 0 | 0 |
| 1 | 0 | 1 |
| 0 | 1 | 1 |
| 1 | 1 | 0 |
For example, when you XOR 2 and 4, that is, 2 ^ 4, the result is 6. The way it works is shown here:
2: 0000 0010 4: 0000 0100---------------------------Result After XOR : 0000 0110 (6)