LLVM Code Obfuscation Skill
This skill provides comprehensive knowledge of LLVM-based code obfuscation frameworks and techniques for software protection and anti-reverse engineering.
Core Obfuscation Techniques
Control Flow Obfuscation
-
Control Flow Flattening (CFF): Transform structured control flow into a single dispatcher loop with state machine
-
Bogus Control Flow (BCF): Insert opaque predicates and dead code paths
-
CFG Randomization: Randomize basic block ordering and add fake edges
Data Obfuscation
-
String Encryption: Encrypt string literals at compile-time, decrypt at runtime
-
Constant Substitution: Replace constants with complex expressions
-
Variable Splitting: Split variables into multiple components
Code Transformation
-
Instruction Substitution: Replace standard instructions with equivalent complex sequences
-
MBA (Mixed Boolean-Arithmetic): Use mixed boolean-arithmetic expressions for obfuscation
-
Virtualization (VMP): Convert code into custom bytecode executed by embedded VM
Major OLLVM Frameworks
Classic OLLVM
-
Original OLLVM: https://github.com/obfuscator-llvm/obfuscator
-
Features: BCF, CFF, Instruction Substitution, String Encryption
Modern Variants
-
Hikari: Advanced features including function wrapper, anti-class-dump
-
Pluto-Obfuscator: Well-maintained with MBA, indirect branch, global encryption
-
Arkari: Modern implementation with enhanced features
-
o-mvll: Mobile-focused obfuscator for iOS/Android
Specialized Tools
-
IR VMP: GANGE666/xVMP, NiTianErXing666/SmallVmp for virtualization
-
Warbird: Microsoft's commercial obfuscation technology
Implementation Guidelines
Creating Custom LLVM Obfuscation Pass
#include "llvm/Pass.h" #include "llvm/IR/Function.h" #include "llvm/IR/Instructions.h"
class MyObfuscationPass : public llvm::FunctionPass { public: static char ID; MyObfuscationPass() : FunctionPass(ID) {}
bool runOnFunction(llvm::Function &F) override {
// Implement obfuscation logic
for (auto &BB : F) {
for (auto &I : BB) {
// Transform instructions
}
}
return true;
}
};
Best Practices
-
Preserve Semantics: Ensure transformations don't break program correctness
-
Randomization: Use seeded random number generators for reproducible builds
-
Layered Approach: Combine multiple obfuscation techniques
-
Performance Balance: Consider runtime overhead vs protection level
-
Testing: Extensive testing across different inputs and platforms
Toolchain Integration
NDK Integration
-
OLLVM with Android NDK (r17-r23+)
-
Examples: android-ndk-aarch64-host-LLVM6.0-Ollvm-Armariris
Compiler Toolchains
-
ollvm-mingw: Windows cross-compilation
-
ollvm-rust: Rust toolchain integration
-
Swift integration: swift-Ollvm11
Anti-Deobfuscation Considerations
When implementing obfuscation:
-
Consider resistance to symbolic execution (SymCC, KLEE)
-
Add protection against pattern matching deobfuscators
-
Implement anti-debugging checks
-
Use dynamic dispatch to hinder static analysis
Resources
Refer to the main README.md for a comprehensive list of OLLVM implementations and related tools.
Getting Detailed Information
When you need detailed and up-to-date resource links, tool lists, or project references, fetch the latest data from:
https://raw.githubusercontent.com/gmh5225/awesome-llvm-security/refs/heads/main/README.md
This README contains comprehensive curated lists of:
-
80+ OLLVM implementations and forks (OLLVM section)
-
MSVC Warbird obfuscation tools (MSVC Warbird section)
-
IR-based VMP and virtualization projects
-
NDK integration examples for different versions