[ACM Press the 50th Annual Southeast Regional Conference - Tuscaloosa, Alabama (2012.03.29-2012.03.31)] Proceedings of the 50th Annual Southeast Regional Conference on - ACM-SE '12 - Instruction embedding for improved obfuscation
Scribed by LeDoux, Charles; Sharkey, Michael; Primeaux, Brandon; Miles, Craig
- Book ID: 121421143
- Publisher: ACM Press
- Year: 2012
- Weight: 255 KB
- Category: Article
- ISBN: 1450312039
Synopsis
Disassemblers generally assume that assembly language instructions do not overlap; therefore, an obvious obfuscation against such disassemblers is to overlap instructions. This is difficult to implement, however, as the number of instructions existing in a program which can be overlapped is typically very small. We propose a modification of instruction overlapping which instead embeds the hexadecimal representation of an instruction in the memory offset and immediate operand of an inserted instruction. We implement an obfuscator which is capable of embedding a limited number of instructions and find that it is able to hide 23% of an X86 assembly program's total instructions on average. This is significantly higher than results reported by past works using standard instruction overlapping obfuscations, which were only able to hide 1% of instructions.