Hello all,
I am implementing some simple obfuscation transformations in LLVM. One
of the obfuscations involves searching for particular constants, and
"unrolling" them throughout a procedure using arithmetic. In effect,
certain constants are broken up into smaller constants and recombined
as needed using the appropriate operators. I perform this on
intermediate LLVM instructions.
After I run opt on an un-obfuscated bitcode file to produce an
obfuscated bitcode file, I verify that my transformations were placed
in the file using llvm-dis. At this point, the changes appear to have
been made. However, if I run the obfuscated bitcode file through llc
to produce x86 assembly, the obfuscations vanish. I manually disabled
all of the suspicious transformation passes run by llc, and nothing
changes. The same thing happens if I run llvm-ld -native
-disable-opt.
Does anybody know what pass is clobbering my obfuscations?
Thanks,
Matt Fredrikson
Matt,
The LLVMCore library provides constant folding automatically. So, when
your obfuscated module is read in and the assembler re-creates your
constants, the arithmetic is done automatically and the constants are
folded. To see where this is done, see lib/VMCore/ConstantFold.cpp
Reid.
> The LLVMCore library provides constant folding automatically. So, when
> your obfuscated module is read in and the assembler re-creates your
> constants, the arithmetic is done automatically and the constants are
> folded. To see where this is done, see lib/VMCore/ConstantFold.cpp
This only happens for constant exprs. If llvm-dis produces a .ll file, llvm-as will produce IR that corresponds directly to it.
-Chris
> After I run opt on an un-obfuscated bitcode file to produce an
> obfuscated bitcode file, I verify that my transformations were placed
ok
> in the file using llvm-dis. At this point, the changes appear to have
> been made. However, if I run the obfuscated bitcode file through llc
> to produce x86 assembly, the obfuscations vanish. I manually disabled
llc does a lot of transformations implicitly, including constant folding, as Anton says. There is no way to disable some of these; pieces of the code generator work under the assumption that it can generate "foldable" constants and that they will get folded.
> all of the suspicious transformation passes run by llc, and nothing
> changes. The same thing happens if I run llvm-ld -native
> -disable-opt.
> Does anybody know what pass is clobbering my obfuscations?
If you really want to guarantee that they won't go away, the best thing to do is to make an alloca (stack memory) and use volatile load/store instructions to access it.
-Chris
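The three cases discussed in this thread side by side, as an added LLVM IR example that is not from the original thread or from any poster's code. The syntax assumes a current LLVM release (opaque `ptr` type, `load volatile`/`store volatile` spelling); the constant 0x12345678 and its split into 0x12340000 + 0x5678 are constructed for illustration.

```llvm
; Constructed example: 0x12345678 (305419896) expressed as
; 0x12340000 (305397760) + 0x5678 (22136) in three different ways.

; (1) Integer add constant expression. This is the case Chris describes:
;     LLVMCore folds it while the module is being read, so
;     "llvm-as | llvm-dis" already shows "ret i32 305419896".
define i32 @constexpr_form() {
  ret i32 add (i32 305397760, i32 22136)
}

; (2) A real add instruction whose operands happen to be constants.
;     This survives llvm-as / llvm-dis unchanged, which is why the
;     obfuscation looks intact in the .ll file, but instruction
;     selection in llc (and opt's instcombine) folds it to one immediate.
define i32 @instruction_form() {
  %sum = add i32 305397760, 22136
  ret i32 %sum
}

; (3) Chris's suggestion: route the pieces through a stack slot with
;     volatile accesses. A volatile load may not be assumed to return
;     the value just stored, so neither opt nor llc can fold the add,
;     and SROA/mem2reg will not promote the alloca away.
define i32 @volatile_form() {
  %slot = alloca i32
  store volatile i32 305397760, ptr %slot
  %hi = load volatile i32, ptr %slot
  store volatile i32 22136, ptr %slot
  %lo = load volatile i32, ptr %slot
  %sum = add i32 %hi, %lo
  ret i32 %sum
}
```

To see the difference, run `llvm-as example.ll -o - | llvm-dis` (case 1 is already folded, case 2 is not) and then `llc example.ll -o -` (case 2 becomes a single immediate, case 3 keeps the stores, loads and add). The cost of case 3 is the memory traffic, which is exactly what keeps the optimizer honest; anything cheaper than a volatile access is fair game for folding.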
Excellent. Thanks, everyone, for the helpful advice.
-Matt