This obfuscation technique replaces standard binary operators (such as addition, subtraction or boolean operators) with functionally equivalent but more complicated sequences of instructions. When several equivalent instruction sequences are available, one is chosen at random.
This kind of obfuscation is rather straightforward and does not add a lot of security, as it can easily be removed by re-optimizing the generated code. However, provided the pseudo-random generator is seeded with different values, instruction substitution brings diversity to the produced binary.
Currently, only operators on integers are available, as substituting operators on floating-point values would introduce rounding errors and unnecessary numerical inaccuracy.
- -mllvm -sub: activate instruction substitution
- -mllvm -funcSUB="func1,func2,func3": if instruction substitution is activated, apply it only on functions func1, func2 and func3
- -mllvm -perSUB=20: if instruction substitution is activated, apply it with a probability of 20% on each function
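The substitution idea described above, as an added C example that is not part of the original page or of Obfuscator-LLVM's code: each function is a standard arithmetic or bitwise identity of the kind such a pass can emit, and the check confirms they agree with the plain operators, including on wraparound. All function names are hypothetical, and `srand`/`rand` only stand in for the pass's seeded pseudo-random choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Equivalent forms of integer operators. uint32_t keeps wraparound
 * well defined in C, so every identity holds for all inputs. */
static uint32_t add_negsub(uint32_t b, uint32_t c) { return b - (0u - c); }
static uint32_t add_dblneg(uint32_t b, uint32_t c) { return 0u - ((0u - b) + (0u - c)); }
static uint32_t add_carry(uint32_t b, uint32_t c)  { return (b ^ c) + ((b & c) << 1); }
static uint32_t and_sub(uint32_t b, uint32_t c)    { return (b ^ ~c) & b; }
static uint32_t or_sub(uint32_t b, uint32_t c)     { return (b & c) | (b ^ c); }
static uint32_t xor_sub(uint32_t b, uint32_t c)    { return (~b & c) | (b & ~c); }

typedef uint32_t (*binop)(uint32_t, uint32_t);
static const binop ADD_FORMS[] = { add_negsub, add_dblneg, add_carry };
#define N_ADD_FORMS (sizeof ADD_FORMS / sizeof ADD_FORMS[0])

/* Stand-in for the pass's random choice: the seed selects the form. */
size_t pick_add_form(unsigned seed) {
    srand(seed);
    return (size_t)rand() % N_ADD_FORMS;
}

uint32_t substituted_add(unsigned seed, uint32_t b, uint32_t c) {
    return ADD_FORMS[pick_add_form(seed)](b, c);
}

/* Compare every form with the plain operator on constructed edge values;
 * returns the number of mismatches (0 means all forms are equivalent). */
int count_mismatches(void) {
    static const uint32_t s[] = { 0u, 1u, 0x7fffffffu, 0x80000000u,
                                  0xffffffffu, 0xdeadbeefu, 0x12345678u };
    const size_t n = sizeof s / sizeof s[0];
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            uint32_t b = s[i], c = s[j];
            for (size_t k = 0; k < N_ADD_FORMS; k++)
                bad += ADD_FORMS[k](b, c) != (uint32_t)(b + c);
            bad += and_sub(b, c) != (b & c);
            bad += or_sub(b, c)  != (b | c);
            bad += xor_sub(b, c) != (b ^ c);
        }
    return bad;
}

int main(void) {
    printf("mismatches: %d, 40+2 = %u\n", count_mismatches(),
           (unsigned)substituted_add(1u, 40u, 2u));
    return 0;
}
```

Because every form is a pure algebraic identity, an optimizer's instruction-combining step can fold it back to a single operation, which is why the text above rates the protection as weak and the per-seed diversity as the main benefit.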
The original basic block is also cloned and filled up with junk instructions chosen at random.
- -mllvm -bcf: activates the bogus control flow pass
- -mllvm -funcBCF="func1,func2,func3": if the pass is activated, applies it only on functions func1, func2, func3
- -mllvm -perBCF=20: if the pass is activated, applies it on all functions with a probability of 20%. Default: 100
- -mllvm -boguscf-loop=3: if the pass is activated, applies it 3 times on a function. Default: 1
- -mllvm -boguscf-prob=40: if the pass is activated, a basic block will be obfuscated with a probability of 40%. Default: 30
For a detailed explanation of the control flow flattening technique, see for instance the paper of T László and Á Kiss, Obfuscating C++ programs via control flow flattening, Annales Univ. Sci. Budapest., Sect. Comp. 30 (2009) 3-19.
Note, however, that our algorithm fully flattens the control flow, which is not the case for the algorithm of László and Kiss.
- -mllvm -fla: activates control flow flattening
- -mllvm -funcFLA="func1,func2,func3": if control flow flattening is activated, apply it only on functions func1, func2 and func3
- -mllvm -perFLA=20: if control flow flattening is activated, apply it with a probability of 20% on each function
- $ git clone -b llvm-3.5 https://github.com/obfuscator-llvm/obfuscator.git
- $ mkdir build
- $ cd build
- $ cmake -DCMAKE_BUILD_TYPE:String=Release ../obfuscator/
- $ make -j5
2. Organization of the NDK toolchains
- cmake -DOS=ANDROID
- -DANDROID_ABI=armeabi
- -DANDROID_STANDALONE_TOOLCHAIN=standalon-toolchain
- -DCMAKE_TOOLCHAIN_FILE=android.toolchain.cmake .
- make -j8
-ld: library not found for -lSystem
-ld:no archive symbol table (run ranlib)
-"-soname" is not supported by LLVM/Clang
- LLVM_NAME := obfuscator-llvm-3.4
- TARGET_CC := $(LLVM_TOOLCHAIN_PREFIX)clang$(HOST_EXEEXT)
- TARGET_CXX := $(LLVM_TOOLCHAIN_PREFIX)clang++$(HOST_EXEEXT)
Once the NDK toolchain has been configured, building with obfuscation only requires specifying the compiler name in Application.mk:
- NDK_TOOLCHAIN_VERSION := obfuscator
- LOCAL_CFLAGS += -mllvm -sub -mllvm -bcf -mllvm -fla
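- $ ndk-build APP_ABI="armeabi armeabi-v7a mips"
-Only ARM and MIPS can be built; x86 cannot be built, the compiler reports errors
-__asm__ inline assembly instructions cannot be compiled
-inline functions cannot be compiled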
- @@ -1112,30 +1112,35 @@
- void Generic_GCC::GCCInstallationDetector::print(raw_ostream &OS) const {
- // lifetime or initialization issues.
- static const char *const AArch64LibDirs[] = { "/lib" };
- static const char *const AArch64Triples[] = { "aarch64-none-linux-gnu",
- - "aarch64-linux-gnu" };
- + "aarch64-linux-gnu",
- + "aarch64-linux-android"
- + };
- static const char *const ARMLibDirs[] = { "/lib" };
- static const char *const ARMTriples[] = { "arm-linux-gnueabi",
- "arm-linux-androideabi" };
- static const char *const ARMHFTriples[] = { "arm-linux-gnueabihf",
- + "arm-linux-androideabihf",
- "armv7hl-redhat-linux-gnueabi" };
- static const char *const X86_64LibDirs[] = { "/lib64", "/lib" };
- static const char *const X86_64Triples[] = {
- "x86_64-linux-gnu", "x86_64-unknown-linux-gnu", "x86_64-pc-linux-gnu",
- "x86_64-redhat-linux6E", "x86_64-redhat-linux", "x86_64-suse-linux",
- - "x86_64-manbo-linux-gnu", "x86_64-linux-gnu", "x86_64-slackware-linux"
- + "x86_64-manbo-linux-gnu", "x86_64-linux-gnu", "x86_64-slackware-linux",
- + "x86_64-linux-android"
- };
- static const char *const X86LibDirs[] = { "/lib32", "/lib" };
- static const char *const X86Triples[] = {
- "i686-linux-gnu", "i686-pc-linux-gnu", "i486-linux-gnu", "i386-linux-gnu",
- "i386-redhat-linux6E", "i686-redhat-linux", "i586-redhat-linux",
- "i386-redhat-linux", "i586-suse-linux", "i486-slackware-linux",
- - "i686-montavista-linux"
- + "i686-montavista-linux", "i686-linux-android"
- };
- static const char *const MIPSLibDirs[] = { "/lib" };
- static const char *const MIPSTriples[] = { "mips-linux-gnu",
- + "mips-linux-android",
- "mips-mti-linux-gnu" };
- static const char *const MIPSELLibDirs[] = { "/lib" };
- static const char *const MIPSELTriples[] = { "mipsel-linux-gnu",
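Review bot: in the MIPS block, "mips-linux-android" is added to MIPSTriples, the big-endian list, but the Android MIPS ABI is little-endian and the NDK's GCC toolchain uses the mipsel-linux-android prefix, so this entry will not match an NDK installation. Add "mipsel-linux-android" to MIPSELTriples instead; its entries after "mipsel-linux-gnu" are cut off by the hunk boundary, so check first that it is not already there. Separately, "arm-linux-androideabihf" in ARMHFTriples needs a comment saying which toolchain ships under that prefix, since ARMTriples already carries "arm-linux-androideabi".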
- @@ -1143,23 +1148,28 @@ void Generic_GCC::GCCInstallationDetector::print(raw_ostream &OS) const {
- static const char *const MIPS64LibDirs[] = { "/lib64", "/lib" };
- static const char *const MIPS64Triples[] = { "mips64-linux-gnu",
- + "mips64-linux-android",
- "mips-mti-linux-gnu" };
- static const char *const MIPS64ELLibDirs[] = { "/lib64", "/lib" };
- static const char *const MIPS64ELTriples[] = { "mips64el-linux-gnu",
- - "mips-mti-linux-gnu" };
- + "mips-mti-linux-gnu",
- + "mips64el-linux-android"
- + };
- static const char *const PPCLibDirs[] = { "/lib32", "/lib" };
- static const char *const PPCTriples[] = {
- "powerpc-linux-gnu", "powerpc-unknown-linux-gnu", "powerpc-linux-gnuspe",
- - "powerpc-suse-linux", "powerpc-montavista-linuxspe"
- + "powerpc-suse-linux", "powerpc-montavista-linuxspe", "powerpc-linux-android"
- };
- static const char *const PPC64LibDirs[] = { "/lib64", "/lib" };
- static const char *const PPC64Triples[] = { "powerpc64-linux-gnu",
- + "powerpc64-linux-android",
- "powerpc64-unknown-linux-gnu",
- "powerpc64-suse-linux",
- "ppc64-redhat-linux" };
- static const char *const PPC64LELibDirs[] = { "/lib64", "/lib" };
- static const char *const PPC64LETriples[] = { "powerpc64le-linux-gnu",
- + "powerpc64le-linux-android",
- "powerpc64le-unknown-linux-gnu",
- "powerpc64le-suse-linux",
- "ppc64le-redhat-linux" };
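Review bot: the PowerPC additions ("powerpc-linux-android", "powerpc64-linux-android", "powerpc64le-linux-android") have no matching Android ABI, and the build described on this page only targets armeabi, armeabi-v7a and mips; each extra entry is one more prefix the GCC installation detector will accept, so drop them or state in a comment which toolchain needs them. The placement is also inconsistent: "mips64-linux-android" is inserted in the middle of MIPS64Triples while "mips64el-linux-android" is appended to MIPS64ELTriples with the closing "};" moved to its own line. Pick one style, preferably appending so the existing entries keep their order.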
- @@ -1167,7 +1177,7 @@ void Generic_GCC::GCCInstallationDetector::print(raw_ostream &OS) const {
- static const char *const SystemZLibDirs[] = { "/lib64", "/lib" };
- static const char *const SystemZTriples[] = {
- "s390x-linux-gnu", "s390x-unknown-linux-gnu", "s390x-ibm-linux-gnu",
- - "s390x-suse-linux", "s390x-redhat-linux"
- + "s390x-suse-linux", "s390x-redhat-linux", "s390x-linux-android"
- };
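Review bot: "s390x-linux-android" in SystemZTriples names a target for which Android has no ABI, so no GCC toolchain will be installed under that prefix and the entry only widens what the detector accepts. Leave SystemZTriples unchanged unless a comment can point to the toolchain that requires it.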