nezumi-lab
January 7th, 2009, 01:35
I spent all day trying to reverse a brutal protection, but did not succeed. well, I drank a cup of rasta-tea ("http://zen-way.org/blog/?p=54") (it's legal here) and wrote a 5-line IDA script (2 lines were mine, 3 lines were stolen). it highlighted what I was looking for, and it took less than a minute! this is the point! if something goes wrong, the approach is not good. there is a better way. somewhere. the only problem is to understand what we really want to get. in my case I just wrote an extremely simple profiler showing how many times instructions are executed. this helped me to defeat obfuscated code almost immediately. it was a Forth-like virtual machine. knowing the frequency distribution, it was easy to recognize the most popular and most unpopular constructions, like mov, cmp, etc. the code became readable even without a decompiler
http://nezumi-lab.org/blog/?p=30
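The profiling idea described in the post, shown as an added example rather than the author's IDA script: a constructed toy Forth-like stack VM whose handlers sit at made-up native addresses emits an execution trace, and a per-address frequency count over that trace immediately separates the dispatcher (hottest), the common handlers, and the rarely used ones (the halt handler runs once). The VM, its program, and all addresses are assumptions for illustration; on a real target the trace would come from the debugger and the names from the disassembly.

```python
from collections import Counter

# Constructed example: hypothetical "native" addresses of a tiny
# Forth-like interpreter. DISPATCH is the fetch/decode loop, HANDLERS the
# per-opcode routines it jumps to. None of these are from a real binary.
DISPATCH = 0x401000
HANDLERS = {
    "push": 0x401020, "add": 0x401040, "dup": 0x401060,
    "drop": 0x401080, "jnz": 0x4010A0, "halt": 0x4010C0,
}
NAMES = {addr: name for name, addr in HANDLERS.items()}
NAMES[DISPATCH] = "dispatch"


def run_vm(program):
    """Execute constructed bytecode; return (final stack, trace of executed addresses).

    Every VM step records the dispatcher address followed by the handler
    address, mimicking what an instruction-level trace of the interpreter
    would show.
    """
    stack, pc, trace = [], 0, []
    while True:
        op = program[pc]
        trace.append(DISPATCH)
        trace.append(HANDLERS[op[0]])
        if op[0] == "push":
            stack.append(op[1]); pc += 1
        elif op[0] == "add":
            b, a = stack.pop(), stack.pop(); stack.append(a + b); pc += 1
        elif op[0] == "dup":
            stack.append(stack[-1]); pc += 1
        elif op[0] == "drop":
            stack.pop(); pc += 1
        elif op[0] == "jnz":
            pc = op[1] if stack.pop() != 0 else pc + 1
        elif op[0] == "halt":
            return stack, trace


# Constructed program: count 5 down to 0 (loop body starts at index 1).
PROGRAM = [("push", 5), ("push", -1), ("add",), ("dup",), ("jnz", 1), ("halt",)]


def profile(trace, names):
    """Rank executed addresses by frequency: [(address, name, count), ...]."""
    counts = Counter(trace)
    return [(addr, names.get(addr, "?"), n) for addr, n in counts.most_common()]


def hot_and_cold(ranked):
    """Names of the most and least frequently executed locations."""
    return ranked[0][1], ranked[-1][1]


if __name__ == "__main__":
    final_stack, trace = run_vm(PROGRAM)
    for addr, name, n in profile(trace, NAMES):
        print(f"{addr:#010x} {name:<9} {n:>4}")
    print("hot/cold:", hot_and_cold(profile(trace, NAMES)))
```

The ranking is the whole trick: the dispatcher dominates the count, handlers used on every iteration cluster below it, and a one-shot handler such as halt sinks to the bottom, which is what makes the obfuscated code readable before any decompilation.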