/Pluto-Obfuscator

Obfuscator based on LLVM 12.0.1

Primary LanguageLLVMMIT LicenseMIT

Pluto-Obfuscator

Pluto-Obfuscator is a code obfuscator based on LLVM 12.0.1 and its LLVM Pass framework. Briefly speaking, Pluto-Obfuscator converts the source code into a functionally equivalent but much less understandable version at compile-time, protecting your software from reverse engineering.

The documentation of Pluto-Obfuscator is still lacking. I will work on it when I am available.

Features

Pluto-Obfuscator implements multiple algorithms for obfuscation. The first three bold ones are the most recommended as they are relatively stabler and more effective compared to the other:

Name Identifier Documentation Authors
Control Flow Flattening Enhanced fla-ex - English Documentation
- Chinese Blog
@za233
Globals Encryption gle English Documentation @34r7hm4n
MBA Obfuscation mba - English Documentation
- Chinese Blog
@34r7hm4n
Control Flow Flattening fla Ref: obfuscator-llvm/obfuscator @34r7hm4n
Bogus Control Flow bcf Ref: obfuscator-llvm/obfuscator @34r7hm4n
Instruction Substitution sub Ref: obfuscator-llvm/obfuscator @34r7hm4n
Random Control Flow rcf English Documentation @34r7hm4n
Variable Substitution vsb English Documentation @34r7hm4n
Trap Angr trap-angr English Documentation @34r7hm4n

Issues and pull requests about the most recommended three algorithms will be handled with priority.

Installation

The first step is always to clone this repository:

$ git clone https://github.com/bluesadi/Pluto-Obfuscator.git
$ cd Pluto-Obfuscator

No matter which OS you are using, make sure you include all the following commands in the PATH environment variable:

gcc g++ cmake ninja

If you are using Ubuntu, you may install all the required packages by:

$ sudo apt install gcc g++ cmake ninja-build

The final step is to execute ./build.sh, which is a shell script that automatically compiles this project and install it in the /install directory. Such script for MacOS are also available at build_macos.sh. As of Windows, you may execute ./build.sh on Git Bash (you must have installed it if you get this project by git clone).

By default the script utilizes all CPU cores of your machine to compile as fast as possible. If you don't want the compilation occupies all the CPU cores, making your computer laggy, you may specify the maximum cores you want to allocate. Let's say your computer has 16 CPU cores, you can use ./build.sh 12 to tell the script only to use 8 cores for compilation.

TROUBLE SHOOTING: LLVM is a rather large project, so please allocate enough memory (at least 8GB) for your virtual machine or WSL during compilation, otherwise you will probably encounter an error message g++: fatal error: Killed signal terminated program cc1plus caused by insufficient memory.

Usage

Now all compiled binaries reside in /install/bin directory including clang and clang++ with obfuscation functionalities. You can enable specific obfuscation algorithms by commands in the following format:

$ ./install/bin/clang[++] [-mllvm -<identifier/options>] [...] <source files> [-o <output file>]

For example, say you want to have a try at the most recommended combination (I would like to call it FullProtection), you may execute:

$ ./install/bin/clang++ -mllvm -mba -mllvm -mba-prob=50 -mllvm -fla-ex -mllvm -gle test/aes/aes.cpp test/aes/test.cpp -o test/aes/test
$ ./test/aes/test flag{s1mpl3_11vm_d3m0} 
Welcome to LLVM world...
Your flag is: flag{s1mpl3_11vm_d3m0}
Congratulations~

Testing

IMPORTANT: I would really appreciate you would like to contribute to Pluto-Obfuscator by creating pull requests. Please test your modified code on the test cases as follows.

Quick Test on AES

Usage: ./fast-check.sh [identifiers/options] (e.g., ./fast-check.sh mba mba-prob=50 fla-ex gle).

See fast-check.sh and test/aes.

Test on libsecp256k1

Usage: ./check.sh [identifiers/options] (e.g., ./check.sh mba mba-prob=50 fla-ex gle)

Generally, it will cost several minutes to be done, much slower compared to the AES test.

Passed Parameters:

  • Flattening: fla
  • FlatteningEnhanced: fla-ex
  • Substitution: sub
  • GlobalsEncryption: gle
  • MBAObfuscation: mba mba-prob=100
  • FullProtection: mba mba-prob=50 fla-ex gle

See check.sh and test/secp256k1.