VX Heaven


Analysis of the "Offensive Polymorphic Engine v2"

March 2010



Each layer's decryptor begins with PUSH EBP / MOV EBP,ESP to build a fake stack frame. It is fake because the stack pointer is never adjusted to allocate space and there is no LEAVE or POP EBP; there is, however, a RET, which is reached depending on whether the encrypted data can be moved or not. There are instructions that access the stack through the base pointer to fetch values, but not to write to it as a memory access, for example: mov [ebp], randval/reg32.
