Some questions about the tool?
Is the tool robust against 'instruction re-ordering'?
Does it care about the order of instructions?
Is it also robust against 'junk-instruction insertion' and against 'instruction replacement'?
Does this also count when 'most frequently used' instructions are being replaced,
for example by other instructions?
Is it also robust against 'register renaming' and 'memory location re-ordering'?
Are these being considered or not? Are these locations readable or not?
Can they be inserted by junk code? What locations are reachable at run-time?
Does the disassembly algorithm apply recursive traversal, which is robust to this
kind of obfuscation?
Some proposed methods:
http://www.stanford.edu/~stinson/paper_notes/stat_anal/obfus_bins.txt (link to the article by Linn and Debray (AZ), CCS 2003)
If we can have some positive answers here to the above questions, we could have landed at a tool that can detect almost all exploit code...
polonus
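The post above asks whether a disassembler applies recursive traversal, which follows control flow instead of decoding bytes in address order and so is not desynchronised by junk bytes placed after an unconditional jump (the class of obfuscation the linked Linn and Debray paper describes). The following example is added here to illustrate that difference; it is not code from the original post or from any tool discussed in it. It uses a constructed toy instruction set and a constructed byte sequence (`ISA`, `SAMPLE`, `linear_sweep`, `recursive_traversal`, `uncovered` are all assumptions of this example, not real tooling), so it runs offline.

```python
# Toy instruction set, constructed for this example only (not a real ISA).
# opcode -> (mnemonic, total instruction length in bytes)
ISA = {
    0x01: ("MOV", 2),   # MOV imm8
    0x02: ("JMP", 2),   # JMP rel8: unconditional, no fall-through
    0x03: ("JZ", 2),    # JZ rel8: conditional, branch target plus fall-through
    0x04: ("NOP", 1),
    0x05: ("RET", 1),   # end of path, no successors
    0x06: ("ADD", 3),   # ADD imm8, imm8 (the 3-byte form is what junk bytes abuse)
}


def decode(code, off):
    """Decode one instruction at offset `off`.

    Returns (mnemonic, length, operand bytes) or None when the byte is not a
    valid opcode or the instruction would run past the end of the buffer.
    """
    if off < 0 or off >= len(code) or code[off] not in ISA:
        return None
    mnem, length = ISA[code[off]]
    if off + length > len(code):
        return None
    return mnem, length, tuple(code[off + 1:off + length])


def rel8(b):
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def linear_sweep(code):
    """Decode byte by byte from offset 0: one wrong byte desynchronises everything after it."""
    listing = {}
    off = 0
    while off < len(code):
        ins = decode(code, off)
        if ins is None:
            break
        listing[off] = (ins[0], ins[1])
        off += ins[1]
    return listing


def recursive_traversal(code, entry=0):
    """Decode only what control flow can reach from `entry`, following jump targets."""
    listing = {}
    work = [entry]
    while work:
        off = work.pop()
        if off in listing:
            continue
        ins = decode(code, off)
        if ins is None:
            continue                   # unreachable or undecodable: leave it as data
        mnem, length, ops = ins
        listing[off] = (mnem, length)
        nxt = off + length
        if mnem == "RET":
            continue
        if mnem in ("JMP", "JZ"):
            work.append(nxt + rel8(ops[0]))   # branch target
        if mnem != "JMP":
            work.append(nxt)                  # fall-through (not for unconditional JMP)
    return listing


def uncovered(code, listing):
    """Offsets no decoded instruction covers: candidate junk bytes worth flagging."""
    covered = set()
    for off, (_, length) in listing.items():
        covered.update(range(off, off + length))
    return [o for o in range(len(code)) if o not in covered]


# Constructed sample: a junk byte at offset 4 sits right after an unconditional
# jump, so it is never executed but looks like the opcode of a 3-byte ADD.
SAMPLE = bytes([
    0x03, 0x03,  # 0: JZ +3  -> target 5, fall-through 2
    0x02, 0x01,  # 2: JMP +1 -> target 5
    0x06,        # 4: junk byte (opcode of a 3-byte ADD)
    0x01, 0x07,  # 5: MOV 7
    0x05,        # 7: RET
])

if __name__ == "__main__":
    for name, fn in (("linear sweep", linear_sweep), ("recursive traversal", recursive_traversal)):
        listing = fn(SAMPLE)
        print(name, {off: mnem for off, (mnem, _) in sorted(listing.items())},
              "uncovered:", uncovered(SAMPLE, listing))
```

Linear sweep swallows the junk byte as an ADD, consuming the real MOV at offset 5 as its operands, so the listing is plausible but wrong. Recursive traversal never decodes offset 4 because no path reaches it, and `uncovered` reports that gap, which is the signal a reviewer would use to spot this kind of padding. The caveat for the tool in question: recursive traversal is only as good as its knowledge of branch targets, so indirect jumps, branch functions and opaque predicates (also discussed by Linn and Debray) can still hide code from it.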