EPO - entrypoint obscuring

September 2000

EPO is one more of the many ways to fuck AVs (at least a little). The point is that the entrypoint in the PE header is not overwritten with a jump to the virus body. Instead, the jump must be placed somewhere in the 'CODE' section, in the mass of instructions after the entrypoint. The problem is that we can't write our jump just anywhere, because we could land in the 'middle' of an instruction. Well, 'we could' is not the right expression; 'we will probably always' land inside some instruction is better. So we have to find an address where the jump won't destroy an instruction. There are several ways of doing EPO now. I'll describe some.
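
Seen from the scanner's side, as an added example that is not part of the original article: since the entrypoint in the PE header stays untouched, one heuristic is to search the code section for direct `call`/`jmp` rel32 transfers whose target leaves that section. It assumes the virus body sits outside the code section, which the article does not state; the function name, addresses and sample bytes are all constructed for illustration.

```python
import struct

# Constructed layout (assumption): 32-bit image, code section at 0x401000.
CODE_VA = 0x401000
IMAGE_START = 0x400000
IMAGE_END = 0x406000


def _rel32(src_va, dst_va):
    """Encode the rel32 operand of a 5-byte call/jmp located at src_va."""
    return struct.pack("<i", dst_va - (src_va + 5))


# Constructed sample: prologue, a call that stays in the section,
# a jmp that leaves it, then ret and int3 padding (64 bytes total).
SAMPLE_CODE = (
    b"\x55\x8b\xec"                               # push ebp / mov ebp, esp
    + b"\xe8" + _rel32(0x401003, 0x401020)        # call inside code section
    + b"\xe9" + _rel32(0x401008, 0x405000)        # jmp outside code section
    + b"\xc3" + b"\xcc" * 50
)


def find_out_of_section_transfers(code, code_va, image_start, image_end):
    """Return (va, mnemonic, target) for every E8/E9 rel32 whose target is
    inside the image but outside the code section."""
    code_end = code_va + len(code)
    hits = []
    for off in range(len(code) - 4):
        op = code[off]
        if op not in (0xE8, 0xE9):
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        # Target is relative to the address of the next instruction.
        target = (code_va + off + 5 + rel) & 0xFFFFFFFF
        in_image = image_start <= target < image_end
        in_code = code_va <= target < code_end
        if in_image and not in_code:
            mnemonic = "call" if op == 0xE8 else "jmp"
            hits.append((code_va + off, mnemonic, target))
    return hits


if __name__ == "__main__":
    for va, mnemonic, target in find_out_of_section_transfers(
            SAMPLE_CODE, CODE_VA, IMAGE_START, IMAGE_END):
        print(f"{va:#010x}: {mnemonic} {target:#010x} leaves the code section")
```

A linear byte scan cannot see instruction boundaries either, so an E8/E9 byte inside another instruction's operand can produce a false hit; treat the results as leads for disassembly, not as verdicts.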

