Deobfuscate Junk Code (DOJ) is a simple IDA Pro plugin that tries to detect segments of junk-code obfuscation.
It has two main parts:
- A heuristic for finding where junk code starts. Such code is usually generated by third-party obfuscation software and consists of long, varied runs of instructions. My heuristic looks for clusters of rare x86 instructions that are uncommon in normally compiled code. The heuristic is independent of the next part and could easily be expanded.
- Running that code in the unicorn emulator while taking a register/memory snapshot at each instruction. The snapshots are then compared to find a state that recurs later: the instructions between two identical snapshots had no net effect, which is exactly what junk code looks like.
Requirements:
- IDA Pro 7.4
- Python 3
- The unicorn Python bindings: `pip install unicorn`