I have observed an uptick in disassembly obfuscation lately (the sort that breaks the analysis performed by IDA Pro). Particularly I see a lot of unconditional jumps one or two bytes ahead where the next opcode represents a 4 or 5 byte instruction. This of course breaks everything since the legitimate jump target is not disassembled. Based on the quantity, I'm quite sure this isn't being hand coded. Any ideas what the toolkit might be producing this effect?
A forum for reverse engineering, OS internals and malware analysis
do you have any examples you can upload along with the vendor information?
Sadly the samples I have (that I know about) were obtained at a client site so I can't share them per the terms of our agreement. I'm post a sample if I come across one in the public samples that I have.
The technique is well know and is even discussed in the IDA Pro book as well as 'Practical Malware Analysis'.
The technique is well know and is even discussed in the IDA Pro book as well as 'Practical Malware Analysis'.
Hash?
Ring0 - the source of inspiration
some screenshots of typical code fragments would help spotting the engine maybe as well.
