w32evol -- an x86 obfuscation engine

Table of Contents

  1. Introduction
  2. Dependencies
  3. Installation
  4. Usage
  5. Development
  6. APPENDIX A: MASM32 and wine

1. Introduction

Does not contain a virus

w32evol is a command line interface to the obfuscation/metamorphic engine used by the Win32.Evol virus. It rewrites files containing x86 instructions encoded in binary.

The Win32.Evol virus appeared around July 2000 and was able to infect any major Win32 platform. It used this metamorphic engine to rewrite its code during replication. The purpose of its metamorphic engine was to create mutated copies of itself.Hence, some of the transformations or rewritings it applies to instructions do not necessarily obfuscate.

2. Dependencies


  • MAMS32
    • ml.exe: assembler
    • link.exe: linker

Linux (Tested on Ubuntu 11.10)

  • wine (1.3 or greater, may work with 1.2)

See APPENDIX A for more information about installing and running MASM32 in Linux.

3. Installation

The goal is to build w32evol.exe. Makefiles for Windows and Linux are included. The following instructions do not place w32evol.exe in your PATH.

Linux (Tested on Ubuntu 11.10)

$ make install

If you want to install this program, then you can then place this whole directory tree somewhere where you install non-packaged programs. The /opt/ folder is one example.


This batch file builds w32evol.exe. After w32evol.exe is built, you can place/install it wherever you please.

> make.bat

Note 1 This build process assumes that your Windows drive volume is labeled "C:". If your drive volume is labeled something else, for example, "Z:", then you have to update the include paths in the src/w32evol.asm file.

4. Usage

in.bin: input file; exists; contains x86 instructions encoded in raw binary code

out.bin: output file; create if does not exist; obfuscated x86 instructions encoded in raw binary code


$ wine path/to/w32evol.exe <in.bin> <out.bin>


>path/to/w32evol.exe <in.bin> <out.bin>

Usage: Example 1

In this example, we use w32evol.exe to obfuscate (or transform) an instruction to an equivalent instruction in the Intel x86 instruction set. Unfortunately, the obfuscation engines added three extra bytes (00 00 00), and changed the semantics. This demonstrates that some obfuscation engines have bugs.

$ ndisasm in.bin
00000000  83C00A            add ax,byte +0xa
$ wine w32evol.exe in.bin out.bin
$ ndisasm out.bin
00000000  81C00A00          add ax,0xa
00000004  0000              add [bx+si],al

5. Development


Bitbucket is hosting this code.


Provide feedback, get help, request features, and report bugs here:


  • Orr
    • wrote an article in which described how he disassembled the metamorphic engine used in the W32.Evol virus
    • He was kind enough to email his disassembled code.
  • VX Heavens
    • Disassembled source code obtained from Some of his functions contained errors which cause the program to fail. We obtained executabled code from, and disassembled it using IDA Pro. We found the mistakes in the disassembled source code and corrected them.

6. APPENDIX A: MASM32 and wine

It is possible to use MASM32 in Linux using wine. When you download MAMS32, you get an installer file, install.exe. Use wine to run that installer.

$ cd ~/Downloads
$ ls
$ wineconsole install.exe

I have installed MASM32 using wine in two different Ubuntu machines and the MASM32 libraries have not been built successfully in either machine. I had to build the libraries myself.

user@host:~/.wine/drive_c/masm32$ ls
gtstbd.qsc      dlgtmplt.qsc  licence       mnutoasm.exe   qetxt.bin     topgun.exe
bin           examples      m32lib        multitool.exe  qsc.dll       tproc.exe
bin2dbex.exe  fda32.exe     macros        plugins        script        tproc.txt
blankdlg.qsc  fda.exe       makecimp.exe  procmap.exe    se.dll        tutorial
bldmakit.qsc  fpulib        makecon.qsc   procs          shellex.exe   tview.exe
blockp.ini    getcolor.exe  makelibs.bat  prostart.exe   subclass.exe  ueint.bin
cg.exe        help          makerc.qsc    prostart.ini   testbed.qsc   uetxt.bin
cg.ini        include       maketbl.exe   prostart.set   testinst      uniedit.exe
cpicker.exe   intro.txt     mangle.exe    pths.ini       text          vkdebug
datetime      jtmake.exe    masm32ci.exe  qeditor.exe    tmp.qsc       wcsch.exe
dlgmake.exe   lib           menuedit.dll  qeint.bin      tools
dlgproc.qsc   libbat.qsc    menus.ini     qetb.exe       topgun.chm
user@host:~/.wine/drive_c/masm32$ wine cmd
CMD Version 1.3.28


In one machine, this proceeded without a problem. In another machine, I had to increase 'ulimit -n' from 1024 to 4096 because, apparently, wine was opening too many files.