LLVM Code Obfuscation Skill

This skill provides comprehensive knowledge of LLVM-based code obfuscation frameworks and techniques for software protection and anti-reverse engineering.

Core Obfuscation Techniques

Control Flow Obfuscation

• Control Flow Flattening (CFF): Transform structured control flow into a single dispatcher loop with state machine
• Bogus Control Flow (BCF): Insert opaque predicates and dead code paths
• CFG Randomization: Randomize basic block ordering and add fake edges

Data Obfuscation

• String Encryption: Encrypt string literals at compile-time, decrypt at runtime
• Constant Substitution: Replace constants with complex expressions
• Variable Splitting: Split variables into multiple components

Code Transformation

• Instruction Substitution: Replace standard instructions with equivalent complex sequences
• MBA (Mixed Boolean-Arithmetic): Use mixed boolean-arithmetic expressions for obfuscation
• Virtualization (VMP): Convert code into custom bytecode executed by embedded VM

Major OLLVM Frameworks

Classic OLLVM

• Original OLLVM: https://github.com/obfuscator-llvm/obfuscator
• Features: BCF, CFF, Instruction Substitution, String Encryption

Modern Variants

• Hikari: Advanced features including function wrapper, anti-class-dump
• Pluto-Obfuscator: Well-maintained with MBA, indirect branch, global encryption
• Arkari: Modern implementation with enhanced features
• o-mvll: Mobile-focused obfuscator for iOS/Android

Specialized Tools

• IR VMP: GANGE666/xVMP, NiTianErXing666/SmallVmp for virtualization
• Warbird: Microsoft's commercial obfuscation technology

Implementation Guidelines

Creating Custom LLVM Obfuscation Pass

#include "llvm/Pass.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/Instructions.h"

class MyObfuscationPass : public llvm::FunctionPass {
public:
    static char ID;
    MyObfuscationPass() : FunctionPass(ID) {}
    
    bool runOnFunction(llvm::Function &F) override {
        // Implement obfuscation logic
        for (auto &BB : F) {
            for (auto &I : BB) {
                // Transform instructions
            }
        }
        return true;
    }
};

Best Practices

1. Preserve Semantics: Ensure transformations don't break program correctness
2. Randomization: Use seeded random number generators for reproducible builds
3. Layered Approach: Combine multiple obfuscation techniques
4. Performance Balance: Consider runtime overhead vs protection level
5. Testing: Extensive testing across different inputs and platforms

Toolchain Integration

NDK Integration

• OLLVM with Android NDK (r17-r23+)
• Examples: android-ndk-aarch64-host-LLVM6.0-Ollvm-Armariris

Compiler Toolchains

• ollvm-mingw: Windows cross-compilation
• ollvm-rust: Rust toolchain integration
• Swift integration: swift-Ollvm11

Anti-Deobfuscation Considerations

When implementing obfuscation:

• Consider resistance to symbolic execution (SymCC, KLEE)
• Add protection against pattern matching deobfuscators
• Implement anti-debugging checks
• Use dynamic dispatch to hinder static analysis

Resources

Refer to the main README.md for a comprehensive list of OLLVM implementations and related tools.

Getting Detailed Information

When you need detailed and up-to-date resource links, tool lists, or project references, fetch the latest data from:

https://raw.githubusercontent.com/gmh5225/awesome-llvm-security/refs/heads/main/README.md

This README contains comprehensive curated lists of:

• 80+ OLLVM implementations and forks (OLLVM section)
• MSVC Warbird obfuscation tools (MSVC Warbird section)
• IR-based VMP and virtualization projects
• NDK integration examples for different versions