llvm-obfuscation

LLVM Code Obfuscation Skill

This skill provides comprehensive knowledge of LLVM-based code obfuscation frameworks and techniques for software protection and anti-reverse engineering.

Core Obfuscation Techniques

Control Flow Obfuscation

  • Control Flow Flattening (CFF): Transform structured control flow into a single dispatcher loop driven by a state machine
  • Bogus Control Flow (BCF): Insert opaque predicates and dead code paths
  • CFG Randomization: Randomize basic block ordering and add fake edges
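
What flattening does to a function, shown at source level as an added example (not code from the original page or from any OLLVM project). The function, the state names and the state constants are constructed for illustration; a real pass performs the same rewrite on LLVM IR basic blocks.

```cpp
#include <cstdint>
#include <cstdio>

// Original: structured loop and branch (bounded Collatz step counter).
uint32_t collatz_steps(uint32_t n) {
    uint32_t steps = 0;
    while (n != 1 && steps < 1000) {
        if (n % 2 == 0) n /= 2;
        else            n = 3 * n + 1;
        ++steps;
    }
    return steps;
}

// Flattened: each basic block is one case of a dispatcher switch, and each
// block ends by storing the next state instead of branching to its successor.
uint32_t collatz_steps_flat(uint32_t n) {
    // Constructed state labels; a pass would draw them from its seeded RNG.
    enum : uint32_t { kCond = 0x3a1f, kTest = 0x91c4, kEven = 0x0b77,
                      kOdd = 0xe250, kInc = 0x5d09, kExit = 0xc8aa };
    uint32_t steps = 0, state = kCond;
    for (;;) {
        switch (state) {
        case kCond: state = (n != 1 && steps < 1000) ? kTest : kExit; break;
        case kTest: state = (n % 2 == 0) ? kEven : kOdd;              break;
        case kEven: n /= 2;        state = kInc;                      break;
        case kOdd:  n = 3 * n + 1; state = kInc;                      break;
        case kInc:  ++steps;       state = kCond;                     break;
        case kExit:
        default:    return steps;
        }
    }
}

// Differential check: both versions must agree on every input in [lo, hi].
bool flattening_preserves_semantics(uint32_t lo, uint32_t hi) {
    for (uint32_t n = lo; n <= hi; ++n)
        if (collatz_steps(n) != collatz_steps_flat(n)) return false;
    return true;
}

int main() {
    std::printf("steps(27): plain=%u flat=%u\n",
                (unsigned)collatz_steps(27), (unsigned)collatz_steps_flat(27));
    std::printf("equivalent on [0, 5000]: %s\n",
                flattening_preserves_semantics(0, 5000) ? "yes" : "no");
    return 0;
}
```

The single loop whose switch variable is reassigned in every case is also the shape a reviewer or analyst looks for when identifying flattened code.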

Data Obfuscation

  • String Encryption: Encrypt string literals at compile-time, decrypt at runtime
  • Constant Substitution: Replace constants with complex expressions
  • Variable Splitting: Split variables into multiple components

Code Transformation

  • Instruction Substitution: Replace standard instructions with equivalent complex sequences
  • MBA (Mixed Boolean-Arithmetic): Use mixed boolean-arithmetic expressions for obfuscation
  • Virtualization (VMP): Convert code into custom bytecode executed by an embedded VM

Major OLLVM Frameworks

Classic OLLVM

Modern Variants

  • Hikari: Advanced features including function wrapper, anti-class-dump
  • Pluto-Obfuscator: Well-maintained with MBA, indirect branch, global encryption
  • Arkari: Modern implementation with enhanced features
  • o-mvll: Mobile-focused obfuscator for iOS/Android

Specialized Tools

  • IR VMP: GANGE666/xVMP, NiTianErXing666/SmallVmp for virtualization
  • Warbird: Microsoft's commercial obfuscation technology

Implementation Guidelines

Creating Custom LLVM Obfuscation Pass

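```cpp
#include "llvm/Pass.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/Instructions.h"

// Skeleton using the legacy pass manager interface (llvm::FunctionPass);
// newer LLVM releases use the new pass manager (PassInfoMixin) instead.
class MyObfuscationPass : public llvm::FunctionPass {
public:
    static char ID;  // LLVM uses the address of ID to identify the pass
    MyObfuscationPass() : FunctionPass(ID) {}

    bool runOnFunction(llvm::Function &F) override {
        bool Changed = false;
        // Implement obfuscation logic
        for (auto &BB : F) {
            for (auto &I : BB) {
                // Transform instructions; set Changed = true when the IR is modified
                (void)I;
            }
        }
        // Return true only if the function was actually modified
        return Changed;
    }
};

// The static member needs an out-of-class definition, or linking fails
char MyObfuscationPass::ID = 0;
```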

Best Practices

  1. Preserve Semantics: Ensure transformations don't break program correctness
  2. Randomization: Use seeded random number generators for reproducible builds
  3. Layered Approach: Combine multiple obfuscation techniques
  4. Performance Balance: Weigh runtime overhead against protection level
  5. Testing: Test extensively across different inputs and platforms
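
A differential test for the instruction-substitution and MBA rewrites listed under Code Transformation, tying together practices 1, 2 and 5 above. This is an added example, not code from the original page or from any OLLVM project; the function names, edge values and seed are assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Reference operations.
uint32_t add_plain(uint32_t x, uint32_t y) { return x + y; }
uint32_t sub_plain(uint32_t x, uint32_t y) { return x - y; }
uint32_t xor_plain(uint32_t x, uint32_t y) { return x ^ y; }

// MBA rewrites that hold for all 32-bit inputs (arithmetic is modulo 2^32).
uint32_t add_mba(uint32_t x, uint32_t y) { return (x ^ y) + 2u * (x & y); }
uint32_t sub_mba(uint32_t x, uint32_t y) { return (x ^ y) - 2u * (~x & y); }
uint32_t xor_mba(uint32_t x, uint32_t y) { return (x | y) - (x & y); }

// Deliberately unsound rewrite: equals x + y only when x and y share no set
// bits, so a test that tries only 1+2 or 4+8 would accept it.
uint32_t add_broken(uint32_t x, uint32_t y) { return x | y; }

using BinOp = uint32_t (*)(uint32_t, uint32_t);

// Counts inputs where cand disagrees with ref, over all pairs of edge values
// plus `trials` random pairs drawn from a seeded generator.
unsigned count_mismatches(BinOp ref, BinOp cand, uint32_t seed, unsigned trials) {
    static const uint32_t edges[] = {0u, 1u, 2u, 0x7fffffffu,
                                     0x80000000u, 0xffffffffu};
    unsigned bad = 0;
    for (uint32_t a : edges)
        for (uint32_t b : edges)
            if (ref(a, b) != cand(a, b)) ++bad;
    std::mt19937 rng(seed);  // fixed seed: the same inputs on every run
    for (unsigned i = 0; i < trials; ++i) {
        uint32_t a = static_cast<uint32_t>(rng());
        uint32_t b = static_cast<uint32_t>(rng());
        if (ref(a, b) != cand(a, b)) ++bad;
    }
    return bad;
}

int main() {
    const uint32_t seed = 1234;  // constructed seed; log it with each build
    std::printf("add_mba    mismatches: %u\n", count_mismatches(add_plain, add_mba, seed, 10000));
    std::printf("sub_mba    mismatches: %u\n", count_mismatches(sub_plain, sub_mba, seed, 10000));
    std::printf("xor_mba    mismatches: %u\n", count_mismatches(xor_plain, xor_mba, seed, 10000));
    std::printf("add_broken mismatches: %u\n", count_mismatches(add_plain, add_broken, seed, 10000));
    return 0;
}
```

Because the generator is seeded, a failing input found in one run can be reproduced exactly in the next.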

Toolchain Integration

NDK Integration

  • OLLVM with Android NDK (r17-r23+)
  • Examples: android-ndk-aarch64-host-LLVM6.0-Ollvm-Armariris

Compiler Toolchains

  • ollvm-mingw: Windows cross-compilation
  • ollvm-rust: Rust toolchain integration
  • Swift integration: swift-Ollvm11

Anti-Deobfuscation Considerations

When implementing obfuscation:
  • Consider resistance to symbolic execution (SymCC, KLEE)
  • Add protection against pattern matching deobfuscators
  • Implement anti-debugging checks
  • Use dynamic dispatch to hinder static analysis

Resources

Refer to the main README.md for a comprehensive list of OLLVM implementations and related tools.

Getting Detailed Information

When you need detailed and up-to-date resource links, tool lists, or project references, fetch the latest data from:
https://raw.githubusercontent.com/gmh5225/awesome-llvm-security/refs/heads/main/README.md
This README contains comprehensive curated lists of:
  • 80+ OLLVM implementations and forks (OLLVM section)
  • MSVC Warbird obfuscation tools (MSVC Warbird section)
  • IR-based VMP and virtualization projects
  • NDK integration examples for different versions