Idc Script to Perform Edit->Undefine Instruction

Jetplane · May 9, 2025, 2:02pm

I need to deal with obfuscation thru junk code inserted after a jmp e.g.

jmp     short 131F47557 
add     ecx, 96253516h  ;junk code following jmp
mov     bl, 0Dh
pop     rcx
call    near ptr loc_141F48AA6+4
db 11h, 90h
--------------------------------

The junk code after the jmp call some invalid addresses to obfuscate the code. My solution is simply to locate then undefine (just like pressing ‘U’ in disassembler) them in an Idc script.

I tried this to implement the undefine:

del_items(ea, DELIT_EXPAND, 1);

But after the script ended, the undefined code automatically redefined by the disassembler as if nothing happened. So, what is the exact way to implement the Edit->Undefine (U) feature in an idc script?

igor · May 13, 2025, 9:11am

It’s a little difficult to say without the sample, but probably autoanalysis considers that the call returns to the following location. To prevent recreation of instructions, you can try converting the bytes after the call to data, e.g. create_byte(ea).

Topic		Replies	Views
Is there an API for Apply patched bytes to input file? IDA General	5	115	May 11, 2025
Request for an integrated C compiler for binary patching IDA General	3	78	May 20, 2025
IDA decompiler's Control Flow Guard check ignore function has a bug IDA General	3	26	May 21, 2025
How do I stop IDA from turning function into variadic without a cleanup? IDA General	2	16	May 21, 2025
Change log ida 8.5 - 9.1 IDA General	3	112	March 13, 2025

Idc Script to Perform Edit->Undefine Instruction

Related topics