Crypters

Obfuscation by encryption is done by crypters. Packers compress the sections while crypters encrypt the sections. Similar to packers, crypters have a stub used to decrypt encrypted code and data. As a result, crypters may instead increase the file size of the host. 

The following image shows a file crypted by Yoda Crypter:  

The section offsets and sizes have been retained but encrypted. The stub was placed in a newly added section named yC. If we compare how the original opcode bytes look with the encrypted bytes, we'll notice that opcode bytes have zero bytes spread out. This is a trait that can be used to identify encrypted bytes. ...

Get Mastering Reverse Engineering now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.