Skip to content
/ limba Public

compile-time control flow obfuscation using mba

License

Notifications You must be signed in to change notification settings

ThatLing/limba

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

limba

Compile-time control flow obfuscation using MBA (Mixed Boolean-Arithmetic). This project is derived from another project I am working on named limbo, which is why the project files use this name. Keep in mind that this is more of a proof-of-concept rather than something ready to use in production code.

Description

Control flow between function calls is fairly easy to trace in normal binaries.

Pre-obfuscation pictures

before_xref
before_call

limba will generate boilerplate code that obfuscates the actual jump address using MBA. The MBA rewrite rules and address offset is randomized each compilation to hinder analysis. It is important to note the actual function body is NOT obfuscated and is still present in the binary, only function calls will be obfuscated.

Post-obfuscation pictures

after_xref
after_call
after_mba

Support

  • The project has been developed using Clang(-CL) so this is the recommended compiler, GCC isn't actively supported and may (or may not) work. MSVC is not supported as I found no way to make it not emit a direct pointer to the original function
  • The codebase requires C++20 to compile. Compile time is a major constraint so I used a some C++20 features that reduced compilation time in my testing. The code can be modified to support C++17 (see emulation.h)

Usage

The included example uses premake for project configuration. You can generate the project files by running premake5 vs2022 in the root folder. Alternatively, the relevant header files can be copied into your own project.

Sample usage:

LIMBO_OBFUSCATED_FUNC(<ret_type>, <function_name>, <func_params>)
{
	// function body

	return <ret_value>
}

Limitations

  • Only a small set of MBA rules have been included
  • Opaque predicates are needed to avoid trivial optimization
  • Since a protected function will only have one "wrapper" function, it's easy to figure out and patch the protection with dynamic analysis and scripting
  • Compilation time may be negatively impacted if the protection is used on a large number of functions

Acknowledgements

Great open-source projects that were a great help during development

About

compile-time control flow obfuscation using mba

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published