I need to deal with obfuscation thru junk code inserted after a jmp e.g.
jmp short 131F47557
add ecx, 96253516h ;junk code following jmp
mov bl, 0Dh
pop rcx
call near ptr loc_141F48AA6+4
db 11h, 90h
--------------------------------
The junk code after the jmp call some invalid addresses to obfuscate the code. My solution is simply to locate then undefine (just like pressing ‘U’ in disassembler) them in an Idc script.
I tried this to implement the undefine:
del_items(ea, DELIT_EXPAND, 1);
But after the script ended, the undefined code automatically redefined by the disassembler as if nothing happened. So, what is the exact way to implement the Edit->Undefine (U) feature in an idc script?