Dead Code Injection

Dead code injection adds blocks of meaningless code to your application that look legitimate, so an attacker cannot tell real logic from decoy.

  • JavaScript
  • Android
  • iOS

TL;DR

Dead code injection inserts code that never executes, or executes without effect, into your application. The injected code is built to look exactly like real logic. A decompiler reproduces all of it, and an attacker has to analyze every block to discover that most of it does nothing.

Definition

What is dead code injection?

Dead code injection is an obfuscation technique that adds meaningless code to an application without changing its behavior. The injected code is either unreachable or has no observable effect.

When an attacker decompiles your application, they want to find the few methods that matter. Dead code injection buries those methods in a much larger volume of code that looks equally plausible.

The application runs exactly the same, because the injected code is inert. What changes is the cost of analysis: an attacker can no longer skim the code, they have to evaluate every block to learn which ones are real.

Mechanism

How dead code injection works

Dead code injection applies several techniques:

  • Unreachable blocks. Code paths that can never be reached are added, guarded by conditions that always evaluate the same way.

  • Effect-free code. Operations that compute values which are never used are inserted between real statements.

  • Plausible decoys. The injected code is shaped to resemble real business logic, so it cannot be filtered out by pattern.

The injected code is designed to survive decompilation looking legitimate, which is what makes it effective.

Example

Dead code injection example

The same method, before and after dead code injection. The behavior is identical. The amount of code an attacker has to triage is not.

Original

A decompiled method is short and focused. An attacker identifies the logic that matters in seconds.

public decimal Discount(int years)
{
    if (years > 5) return 0.30m;
    return 0m;
}

With injected decoys

The same method is surrounded by blocks of plausible but inert code. The real logic is still there, but finding it means analyzing everything.

public decimal Discount(int years)
{
    int k = years * 7919;                // decoy: value only feeds other decoys
    if (k < 0 && k >= 0) return -1m;     // decoy: condition is always false, branch is unreachable
    if (years > 5) return 0.30m;         // real logic
    var _ = (k ^ 0x4F2A) + 17;           // decoy: computed value is never used
    return 0m;                           // real logic
}
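
The following is an added example, not part of the original page and not ByteHide Shield's implementation: a toy JavaScript injector that weaves unreachable and effect-free decoys around the Discount logic, then checks that the protected function returns the same results as the original. The names ORIGINAL, DECOYS, inject, behaviourPreserved, INPUTS and LEAKY, the decoy templates and the input list are assumptions made for illustration.

```javascript
// Added example: toy dead code injector plus a behaviour-equivalence check.
// ORIGINAL, DECOYS, inject, behaviourPreserved, INPUTS, LEAKY are hypothetical names.

// The page's Discount method, ported to JavaScript, one statement per entry.
const ORIGINAL = ['if (years > 5) return 0.30;', 'return 0;'];

// Constructed decoy templates. n makes each injected variable name unique.
const DECOYS = [
  // Effect-free: computes a value that nothing reads.
  (n) => `var k${n} = Math.imul(years, 7919);`,
  // Unreachable: a product of consecutive integers is even, so the guard is never true.
  () => `if ((Math.imul(years, years + 1) & 1) === 1) return -1;`,
  // Effect-free, shaped like the XOR decoy in the page's example.
  (n) => `var t${n} = ((years | 0) ^ 0x4F2A) + 17;`,
];

// Insert perGap decoys before every real statement. A seeded LCG keeps the
// output reproducible, so the same build can be re-checked later.
function inject(body, seed, perGap = 2, decoys = DECOYS) {
  let state = seed >>> 0;
  let n = 0;
  const next = () => (state = (Math.imul(state, 1664525) + 1013904223) >>> 0);
  const out = [];
  for (const stmt of body) {
    for (let i = 0; i < perGap; i++) out.push(decoys[next() % decoys.length](n++));
    out.push(stmt);
  }
  return out;
}

// Differential test: the protected build must return exactly what the original returns.
function behaviourPreserved(body, injected, inputs) {
  const original = new Function('years', body.join('\n'));
  const protectedFn = new Function('years', injected.join('\n'));
  return inputs.every((x) => Object.is(original(x), protectedFn(x)));
}

// Constructed inputs covering both branches and the 32-bit integer edges.
const INPUTS = [-2147483648, -1, 0, 1, 5, 6, 7, 40, 2147483647];

// A decoy that only looks inert: its guard is true for every odd input.
const LEAKY = [() => `if ((years & 1) === 1) return -1;`];
```

Passing LEAKY as the decoy set, as in inject(ORIGINAL, 42, 2, LEAKY), makes behaviourPreserved return false, which is the failure this check exists to catch before a protected build ships.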

Use cases

When to use dead code injection

Dead code injection is most useful when your application:

  • Contains a small amount of high-value logic worth hiding in volume.
  • Has already been renamed and string-encrypted; dead code adds another layer.
  • Needs to slow down manual analysis specifically.

It works best combined with control flow obfuscation: one adds decoy code, the other scrambles the structure of the real code.

Platform availability

Dead code injection across platforms

  • JavaScript

    Dead code injection into client-side bundles.

  • Android

    Decoy code paths inserted into bytecode.

  • iOS

    Dead code insertion in the compiled binary.

Frequently asked questions

What is dead code injection?

Dead code injection is an obfuscation technique that adds meaningless, inert code to an application. The code never affects behavior, but it looks legitimate and forces an attacker to analyze it to discover it does nothing.

Does dead code injection affect performance?

The impact is small. Unreachable code never executes, and effect-free code is kept lightweight, so users see no meaningful difference.

Does dead code injection increase application size?

It adds some size, since the injected code is real code. The amount is configurable, so you can balance protection against footprint.

Can dead code be removed by an attacker?

Removing it requires first identifying it, which is the work the technique is designed to impose. Combined with control flow obfuscation, telling real code from decoy becomes much harder.

Which platforms support dead code injection?

ByteHide Shield provides dead code injection for JavaScript, Android, and iOS.