Instruction Substitution

Instruction substitution replaces simple instructions in your code with longer, functionally identical sequences that are far harder to analyze.

iOS

Start free

See it in ByteHide Shield

TL;DR

Instruction substitution rewrites individual operations in your compiled code as more complex equivalents. A simple addition becomes a sequence of operations that produce the same result. The program behaves identically, but the code an attacker reads no longer matches the simple logic behind it.

Definition

What is instruction substitution?

Instruction substitution is an obfuscation technique that replaces standard low-level instructions with alternative sequences that compute the same result in a more complicated way.

When an attacker reads decompiled or disassembled code, they rely on recognizing common patterns: a simple comparison, a basic arithmetic operation. Instruction substitution removes those recognizable patterns.

The result is functionally identical. The same inputs produce the same outputs. But the obvious shape of each operation is gone, so the code resists both manual reading and automated pattern matching.

Mechanism

How instruction substitution works

Instruction substitution applies equivalent transformations:

Arithmetic rewriting. Simple operations are replaced by longer sequences that reach the same value.
Logical rewriting. Boolean and bitwise operations are expressed through alternative combinations.
Comparison rewriting. Direct comparisons are replaced with constructs that yield the same outcome.

Each substitution is chosen so the result is provably identical while the instruction pattern is not.

Example

Instruction substitution example

The same Swift function, before and after instruction substitution. Both return identical results.

Original

A simple arithmetic operation appears in the disassembly exactly as written. An attacker recognizes it instantly.

Obfuscated

The same operation is now a sequence of equivalent bitwise steps. The result is identical, but the simple pattern is gone.

OriginalSum.swift

func sum(_ a: Int, _ b: Int) -> Int {
    return a + b
}

ObfuscatedSum.swift

func sum(_ a: Int, _ b: Int) -> Int {
    return (a ^ b) &+ ((a & b) << 1)
}

Use cases

When to use instruction substitution

Instruction substitution is most useful when your application:

Contains sensitive calculations or algorithms at the instruction level.
Needs to resist automated pattern-matching analysis.
Has already had higher-level protections applied and needs depth at the instruction level.

It pairs well with control flow obfuscation: one obscures the structure, the other obscures the individual operations.

Platform availability

Instruction substitution and the iOS platform

iOS
Instruction substitution applied during compilation of the binary. On other platforms, equivalent depth is provided by arithmetic obfuscation and control flow obfuscation.

Frequently asked questions

What is instruction substitution?

Instruction substitution is an obfuscation technique that replaces simple instructions with longer, functionally identical sequences, removing the recognizable patterns an attacker relies on when reading code.

Does instruction substitution affect performance?

It adds a small amount of overhead, since substituted operations use more instructions. The impact is kept low and is configurable.

Does instruction substitution change what my code does?

No. Every substitution is functionally equivalent, so the program produces exactly the same results.

How is instruction substitution different from arithmetic obfuscation?

Arithmetic obfuscation focuses on arithmetic expressions. Instruction substitution is broader, replacing arithmetic, logical, and comparison instructions alike.

Which platforms support instruction substitution?

ByteHide Shield provides instruction substitution for iOS.