1.3 XOR Encoding

Apart from Base64 encoding, another common encoding algorithm used by malware authors is XOR encoding. XOR is a bitwise operation (like AND, OR, and NOT) that is performed on the corresponding bits of its operands. The following table depicts the properties of the XOR operation: when both bits are the same, the result is 0; otherwise, the result is 1:

A   B   A^B
0   0   0
1   0   1
0   1   1
1   1   0


For example, when you XOR 2 and 4, that is, 2 ^ 4, the result is 6. The way it works is shown here:

                2: 0000 0010
                4: 0000 0100
                   ---------
Result after XOR : 0000 0110 (6)
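As an added example (not code from the book), the following Python script reproduces the truth table and the 2 ^ 4 = 6 computation above, and then goes one step further than the text: it applies XOR with a single-byte key to a whole byte string, the way a sample hides its strings, and shows how an analyst recovers the key by trying all 256 single-byte keys against a fragment of plaintext they expect to see. The function names, the key 0x5A and the URL-like string are all constructed for this illustration.

```python
# Added example: XOR as a bitwise operation and as a single-byte string encoding.
# All names, the sample key and the sample string are constructed for illustration.

def xor_bits(a: int, b: int) -> int:
    """XOR of two single bits, as in the truth table: same -> 0, different -> 1."""
    if a not in (0, 1) or b not in (0, 1):
        raise ValueError("inputs must be single bits")
    return 0 if a == b else 1


def xor_table() -> list:
    """Return the four rows of the XOR truth table as (A, B, A^B) tuples."""
    return [(a, b, xor_bits(a, b)) for a, b in ((0, 0), (1, 0), (0, 1), (1, 1))]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0-255).

    Because x ^ k ^ k == x, the same function both encodes and decodes,
    which is exactly why it is cheap for malware to use and for analysts to undo.
    """
    if not 0 <= key <= 255:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in data)


def brute_force_single_byte_xor(encoded: bytes, known_plaintext: bytes) -> list:
    """Try all 256 single-byte keys and return those whose decoding contains
    a fragment the analyst expects (e.g. b"http" for a hidden URL).
    """
    hits = []
    for key in range(256):
        if known_plaintext in xor_bytes(encoded, key):
            hits.append(key)
    return hits


# Constructed sample: a string a sample might hide, encoded with a constructed key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://example.invalid/update"  # constructed, not a real indicator
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print(f"2 ^ 4 = {2 ^ 4}")  # 6, matching the worked example in the text
    for a, b, r in xor_table():
        print(f"{a} ^ {b} = {r}")
    print("encoded :", SAMPLE_ENCODED.hex())
    print("decoded :", xor_bytes(SAMPLE_ENCODED, SAMPLE_KEY))
    found = brute_force_single_byte_xor(SAMPLE_ENCODED, b"http")
    print("candidate keys:", [hex(k) for k in found])
```

The known-plaintext check is what makes the brute force practical: with only 256 candidate keys, filtering decodings for a fragment such as `http`, `This program`, or a `.dll` suffix usually leaves a single key, which can then be applied to every other XOR-encoded string in the sample.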
