A forum for reverse engineering, OS internals and malware analysis 

 #13320  by former33t
 Sat May 19, 2012 10:15 pm
I have observed an uptick in disassembly obfuscation lately (the sort that breaks the analysis performed by IDA Pro). Particularly I see a lot of unconditional jumps one or two bytes ahead where the next opcode represents a 4 or 5 byte instruction. This of course breaks everything since the legitimate jump target is not disassembled. Based on the quantity, I'm quite sure this isn't being hand coded. Any ideas what the toolkit might be producing this effect?
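As an added illustration (not part of the original post, and not any real tool's output): a toy decoder that understands only a handful of x86 opcodes, run in two modes over a constructed byte string of the shape described above, a short `jmp` over one junk byte whose opcode makes a straight-line sweep swallow the real instructions as an immediate. Linear sweep produces a bogus `mov`, flow-following decoding recovers the real `xor`/`ret`, and `find_desync` reports every reachable instruction that starts inside an instruction the linear listing produced, which is the check an analyst wants when re-synchronising a listing by hand. The function names, the opcode subset and the sample bytes are all assumptions of this example.

```python
"""Model of how a short jump into the middle of a multi-byte instruction
desynchronises a linear-sweep disassembler, and how flow-following
(recursive-descent) disassembly recovers the real instructions.

The decoder below is a toy that understands only a handful of x86 opcodes;
it is NOT a general disassembler. The byte string is constructed for this
example."""
from dataclasses import dataclass

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Insn:
    addr: int
    length: int
    text: str
    successors: tuple  # addresses control flow can reach next

    @property
    def end(self) -> int:
        return self.addr + self.length


def decode(code: bytes, addr: int) -> Insn:
    """Decode one instruction at addr; raises ValueError for unknown bytes."""
    op = code[addr]
    if op == 0x90:
        return Insn(addr, 1, "nop", (addr + 1,))
    if op == 0xC3:
        return Insn(addr, 1, "ret", ())
    if op == 0xEB and addr + 2 <= len(code):          # jmp rel8
        rel = int.from_bytes(code[addr + 1:addr + 2], "little", signed=True)
        target = addr + 2 + rel
        return Insn(addr, 2, f"jmp short 0x{target:02x}", (target,))
    if 0xB8 <= op <= 0xBF and addr + 5 <= len(code):  # mov r32, imm32
        imm = int.from_bytes(code[addr + 1:addr + 5], "little")
        return Insn(addr, 5, f"mov {REGS[op - 0xB8]}, 0x{imm:08x}", (addr + 5,))
    if op == 0x31 and addr + 2 <= len(code):          # xor r/m32, r32 (register form only)
        modrm = code[addr + 1]
        if modrm >> 6 == 0b11:
            dst, src = REGS[modrm & 7], REGS[(modrm >> 3) & 7]
            return Insn(addr, 2, f"xor {dst}, {src}", (addr + 2,))
    raise ValueError(f"unsupported opcode 0x{op:02x} at 0x{addr:02x}")


def linear_sweep(code: bytes) -> list:
    """Decode from the first byte straight through, never following jumps."""
    out, addr = [], 0
    while addr < len(code):
        try:
            insn = decode(code, addr)
        except ValueError:
            insn = Insn(addr, 1, f"db 0x{code[addr]:02x}", (addr + 1,))
        out.append(insn)
        addr = insn.end
    return out


def recursive_descent(code: bytes, entry: int) -> list:
    """Decode only bytes that control flow can actually reach from entry."""
    seen, work = {}, [entry]
    while work:
        addr = work.pop()
        if addr in seen or not 0 <= addr < len(code):
            continue
        insn = decode(code, addr)
        seen[addr] = insn
        work.extend(insn.successors)
    return sorted(seen.values(), key=lambda i: i.addr)


def find_desync(code: bytes, entry: int) -> list:
    """Return (real_addr, linear_addr) pairs where a reachable instruction
    starts inside the body of an instruction that linear sweep produced.
    Each hit is a place where the linear listing hides real code."""
    linear = linear_sweep(code)
    hits = []
    for real in recursive_descent(code, entry):
        for lin in linear:
            if lin.addr < real.addr < lin.end:
                hits.append((real.addr, lin.addr))
    return hits


# Constructed sample: a 2-byte jump skips one junk byte (0xB8) whose opcode
# makes a linear sweep swallow the following real instructions as an immediate.
CODE = bytes([
    0xEB, 0x01,   # 00: jmp short 0x03
    0xB8,         # 02: junk byte, first byte of "mov eax, imm32"
    0x31, 0xC0,   # 03: xor eax, eax   <- real jump target
    0xC3,         # 05: ret
    0x90, 0x90,   # 06: padding so the bogus mov has a full 4-byte immediate
])

if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(CODE)),
                           ("flow-following", recursive_descent(CODE, 0))):
        print(f"--- {title}")
        for i in listing:
            print(f"{i.addr:02x}: {i.text}")
    print("desynchronised:", find_desync(CODE, 0))
```

Running it shows the linear listing as `jmp short 0x03` / `mov eax, 0x90c3c031` / `nop`, while the flow-following listing is `jmp short 0x03` / `xor eax, eax` / `ret`; `find_desync` flags offsets 0x03 and 0x05 as buried inside the bogus `mov` at 0x02. In a real listing the same signal (a short jump whose target is not the start of any decoded instruction) is what tells you to undefine the junk byte and re-disassemble from the jump target.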
 #13337  by former33t
 Sun May 20, 2012 11:17 pm
Sadly the samples I have (that I know about) were obtained at a client site so I can't share them per the terms of our agreement. I'll post a sample if I come across one in the public samples that I have.

The technique is well known and is even discussed in the IDA Pro book as well as 'Practical Malware Analysis'.