Anti-Disassembly

Uses push/ret and call-to-pop sequences as obfuscated control transfers so branches do not appear as calls or jumps, defeating call-graph recovery.

Dense chains of unconditional jumps shatter a function into scattered fragments, defeating linear flow and inflating the control-flow graph.

Encoded or computed switch tables hide branch targets behind arithmetic, defeating automatic control-flow recovery and leaving dead-end indirect jumps.

Position-independent code recovers its own runtime address with a call/pop pair, spawning a phantom call xref that confuses static analysis.

A single byte is part of two valid, both-reachable instructions, so no flat linear listing can be correct — only a path-sensitive view recovers it.

An always-taken conditional jump is followed by a garbage opcode byte that a linear-sweep disassembler wrongly consumes, derailing the listing.

Malware recovers its own runtime address through the FPU's saved instruction pointer via fnstenv, hiding the GetPC step from static xref analysis.

Branch instructions are replaced with INT3 traps that a debugger-parent resolves from a hidden table at runtime, erasing control flow from the binary.

A jump lands inside a multi-byte instruction so the same bytes decode two ways, desynchronising linear-sweep disassemblers and hiding real code.

Data bytes embedded mid-function are wrongly decoded as instructions by a linear sweep, desynchronising the listing and hiding the real code.

A conditional jump whose taken and fall-through paths reach the same address, planting a junk byte in the gap that derails a linear-sweep disassembler.