Real-world malware families routinely combine XOR-encrypted strings, control-flow flattening, and API hashing to evade both signature-based antivirus and human analysts staring at Ghidra's decompiler output; commercial protectors like VMProtect and Themida sell these exact techniques as products. Recognizing a flattened-loop dispatcher or an opaque predicate is a core skill tested in malware-analysis certifications like GREM.