Identification of Obfuscated Data After call Instruction in Disassembly Process

A number of obfuscation techniques are used to foil the static disassembly process by malware,in which embedding obfuscated data after call instruction is the most common style.This paper presents a detection arithmetic that can abstract the obfuscated data accurately after the call instruction.Based on improved recursive traversal disassembly arithmetic,this method can handle this style of obsfuscation in two phases.A test report is provided to prove the effect of this arithmetic.