├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── assets
├── after_call.png
├── after_mba.png
├── after_xref.png
├── before_call.png
└── before_xref.png
├── premake5.lua
└── source
├── limbo.h
├── limbo
├── defines.h
├── emulation.h
├── helpers.h
├── mba.h
└── rng.h
└── main.cpp
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | project.fragment.lock.json
46 | artifacts/
47 |
48 | *_i.c
49 | *_p.c
50 | *_i.h
51 | *.ilk
52 | *.meta
53 | *.obj
54 | *.pch
55 | *.pdb
56 | *.pgc
57 | *.pgd
58 | *.rsp
59 | *.sbr
60 | *.tlb
61 | *.tli
62 | *.tlh
63 | *.tmp
64 | *.tmp_proj
65 | *.log
66 | *.vspscc
67 | *.vssscc
68 | .builds
69 | *.pidb
70 | *.svclog
71 | *.scc
72 |
73 | # Chutzpah Test files
74 | _Chutzpah*
75 |
76 | # Visual C++ cache files
77 | ipch/
78 | *.aps
79 | *.ncb
80 | *.opendb
81 | *.opensdf
82 | *.sdf
83 | *.cachefile
84 | *.VC.db
85 | *.VC.VC.opendb
86 |
87 | # Visual Studio profiler
88 | *.psess
89 | *.vsp
90 | *.vspx
91 | *.sap
92 |
93 | # TFS 2012 Local Workspace
94 | $tf/
95 |
96 | # Guidance Automation Toolkit
97 | *.gpState
98 |
99 | # ReSharper is a .NET coding add-in
100 | _ReSharper*/
101 | *.[Rr]e[Ss]harper
102 | *.DotSettings.user
103 |
104 | # JustCode is a .NET coding add-in
105 | .JustCode
106 |
107 | # TeamCity is a build add-in
108 | _TeamCity*
109 |
110 | # DotCover is a Code Coverage Tool
111 | *.dotCover
112 |
113 | # NCrunch
114 | _NCrunch_*
115 | .*crunch*.local.xml
116 | nCrunchTemp_*
117 |
118 | # MightyMoose
119 | *.mm.*
120 | AutoTest.Net/
121 |
122 | # Web workbench (sass)
123 | .sass-cache/
124 |
125 | # Installshield output folder
126 | [Ee]xpress/
127 |
128 | # DocProject is a documentation generator add-in
129 | DocProject/buildhelp/
130 | DocProject/Help/*.HxT
131 | DocProject/Help/*.HxC
132 | DocProject/Help/*.hhc
133 | DocProject/Help/*.hhk
134 | DocProject/Help/*.hhp
135 | DocProject/Help/Html2
136 | DocProject/Help/html
137 |
138 | # Click-Once directory
139 | publish/
140 |
141 | # Publish Web Output
142 | *.[Pp]ublish.xml
143 | *.azurePubxml
144 | # TODO: Comment the next line if you want to checkin your web deploy settings
145 | # but database connection strings (with potential passwords) will be unencrypted
146 | #*.pubxml
147 | *.publishproj
148 |
149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
150 | # checkin your Azure Web App publish settings, but sensitive information contained
151 | # in these scripts will be unencrypted
152 | PublishScripts/
153 |
154 | # NuGet Packages
155 | *.nupkg
156 | # The packages folder can be ignored because of Package Restore
157 | **/packages/*
158 | # except build/, which is used as an MSBuild target.
159 | !**/packages/build/
160 | # Uncomment if necessary however generally it will be regenerated when needed
161 | #!**/packages/repositories.config
162 | # NuGet v3's project.json files produce more ignorable files
163 | *.nuget.props
164 | *.nuget.targets
165 |
166 | # Microsoft Azure Build Output
167 | csx/
168 | *.build.csdef
169 |
170 | # Microsoft Azure Emulator
171 | ecf/
172 | rcf/
173 |
174 | # Windows Store app package directories and files
175 | AppPackages/
176 | BundleArtifacts/
177 | Package.StoreAssociation.xml
178 | _pkginfo.txt
179 |
180 | # Visual Studio cache files
181 | # files ending in .cache can be ignored
182 | *.[Cc]ache
183 | # but keep track of directories ending in .cache
184 | !*.[Cc]ache/
185 |
186 | # Others
187 | ClientBin/
188 | ~$*
189 | *~
190 | *.dbmdl
191 | *.dbproj.schemaview
192 | *.jfm
193 | *.pfx
194 | *.publishsettings
195 | node_modules/
196 | orleans.codegen.cs
197 |
198 | # Since there are multiple workflows, uncomment next line to ignore bower_components
199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
200 | #bower_components/
201 |
202 | # RIA/Silverlight projects
203 | Generated_Code/
204 |
205 | # Backup & report files from converting an old project file
206 | # to a newer Visual Studio version. Backup files are not needed,
207 | # because we have git ;-)
208 | _UpgradeReport_Files/
209 | Backup*/
210 | UpgradeLog*.XML
211 | UpgradeLog*.htm
212 |
213 | # SQL Server files
214 | *.mdf
215 | *.ldf
216 |
217 | # Business Intelligence projects
218 | *.rdl.data
219 | *.bim.layout
220 | *.bim_*.settings
221 |
222 | # Microsoft Fakes
223 | FakesAssemblies/
224 |
225 | # GhostDoc plugin setting file
226 | *.GhostDoc.xml
227 |
228 | # Node.js Tools for Visual Studio
229 | .ntvs_analysis.dat
230 |
231 | # Visual Studio 6 build log
232 | *.plg
233 |
234 | # Visual Studio 6 workspace options file
235 | *.opt
236 |
237 | # Visual Studio LightSwitch build output
238 | **/*.HTMLClient/GeneratedArtifacts
239 | **/*.DesktopClient/GeneratedArtifacts
240 | **/*.DesktopClient/ModelManifest.xml
241 | **/*.Server/GeneratedArtifacts
242 | **/*.Server/ModelManifest.xml
243 | _Pvt_Extensions
244 |
245 | # Paket dependency manager
246 | .paket/paket.exe
247 | paket-files/
248 |
249 | # FAKE - F# Make
250 | .fake/
251 |
252 | # JetBrains Rider
253 | .idea/
254 | *.sln.iml
255 |
256 | # CodeRush
257 | .cr/
258 |
259 | # Python Tools for Visual Studio (PTVS)
260 | __pycache__/
261 | *.pyc
262 |
263 |
264 | /limbo/
265 | .cache/
266 |
267 | #Ignore compiled files and other files generated during compilation.
268 | *.mdme
269 | *.dmb
270 | *.rsc
271 | *.lk
272 | *.int
273 | *.backup
274 |
275 |
276 | # *.lib
277 | *.exp
278 | *.dll
279 | *.exe
280 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # limba
2 | Compile-time control flow obfuscation using MBA (Mixed Boolean-Arithmetic). This project is derived from another project I am working on named ``limbo``, which is why the project files use this name. Keep in mind that this is more of a proof-of-concept rather than something ready to use in production code.
3 |
4 | ## Description
5 | Control flow between function calls is fairly easy to trace in normal binaries.
6 |
7 | Pre-obfuscation pictures
8 |
9 | 
10 | 
11 |
12 |
13 |
14 | limba will generate boilerplate code that obfuscates the actual jump address using MBA. The MBA rewrite rules and address offset are randomized on each compilation to hinder analysis. It is important to note that the actual function body is **NOT** obfuscated and is still present in the binary; only function calls are obfuscated.
15 |
16 | Post-obfuscation pictures
17 |
18 | 
19 | 
20 | 
21 |
22 |
23 |
24 |
25 | ## Support
26 | - The project has been developed using Clang(-CL), so that is the recommended compiler; GCC isn't actively supported and may or may not work. MSVC is **not** supported as I found no way to stop it emitting a direct pointer to the original function.
27 | - The codebase requires C++20 to compile. Compile time is a major constraint, so I used some C++20 features that reduced compilation time in my testing. The code can be modified to support C++17 (see ``emulation.h``).
28 |
29 | ## Usage
30 | The included example uses ``premake`` for project configuration. You can generate the project files by running ``premake5 vs2022`` in the root folder. Alternatively, the relevant header files can be copied into your own project.
31 |
32 | Sample usage:
33 | ```cpp
34 | LIMBO_OBFUSCATED_FUNC(, , )
35 | {
36 | // function body
37 |
38 | return
39 | }
40 | ```
41 |
42 | ## Limitations
43 | - Only a small set of MBA rules have been included
44 | - Opaque predicates are needed to avoid trivial optimization
45 | - Since a protected function will only have one "wrapper" function, it's easy to figure out and patch the protection with dynamic analysis and scripting
46 | - Compilation time may be negatively impacted if the protection is used on a large number of functions
47 |
48 | ## Acknowledgements
49 | Open-source projects that were a great help during development:
50 | - https://github.com/JustasMasiulis/xorstr
51 | - https://github.com/llxiaoyuan/oxorany
52 | - https://github.com/Deniskore/nand_nor
53 |
--------------------------------------------------------------------------------
/assets/after_call.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThatLing/limba/0e94f3b9d02651826d4adbbe2a7adc9f7fb13536/assets/after_call.png
--------------------------------------------------------------------------------
/assets/after_mba.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThatLing/limba/0e94f3b9d02651826d4adbbe2a7adc9f7fb13536/assets/after_mba.png
--------------------------------------------------------------------------------
/assets/after_xref.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThatLing/limba/0e94f3b9d02651826d4adbbe2a7adc9f7fb13536/assets/after_xref.png
--------------------------------------------------------------------------------
/assets/before_call.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThatLing/limba/0e94f3b9d02651826d4adbbe2a7adc9f7fb13536/assets/before_call.png
--------------------------------------------------------------------------------
/assets/before_xref.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ThatLing/limba/0e94f3b9d02651826d4adbbe2a7adc9f7fb13536/assets/before_xref.png
--------------------------------------------------------------------------------
/premake5.lua:
--------------------------------------------------------------------------------
-- premake5 build script for the limbo example project.
-- Without an action premake would silently do nothing, so fail loudly instead.
assert(_ACTION ~= nil, "no action (vs20**, gmake or xcode for example) provided!")

-- "premake5 clean": drop the generated project directory.
newaction({
    trigger = "clean",
    description = "clean the software",
    execute = function()
        print("Cleaning project")
        os.rmdir("./limbo")
    end,
})

-- Only the Visual Studio 2022 generator (plus the clean action above) is accepted.
if _ACTION ~= "vs2022" and _ACTION ~= "clean" then
    error("The only supported compilation platform for this project (limbo) on Windows is Visual Studio 2022.")
end

workspace("limbo")
    language("C++")
    cppdialect("C++20")
    systemversion("latest")
    -- Clang(-CL) is the recommended toolchain; MSVC is not supported (see README).
    toolset("clang")

    kind("ConsoleApp")
    targetextension(".exe")

    location("limbo")
    objdir("limbo/intermediate")

    flags({ "NoPCH", "MultiProcessorCompile", "NoManifest" })
    defines({
        "_CRT_NONSTDC_NO_WARNINGS",
        "_CRT_SECURE_NO_WARNINGS",
        "STRICT",
    })
    vectorextensions("AVX2")
    configurations({ "Release", "Debug" })
    architecture("x86_64")
    exceptionhandling("SEH")

    -- Release does not define DEBUG, so defines.h selects the
    -- always_inline/noinline attribute path for the helpers.
    filter("configurations:Release")
        symbols("Off")
        optimize("Speed")
        floatingpoint("Fast")
        omitframepointer("On")
        flags({ "LinkTimeOptimization" })

        defines("NDEBUG")
        targetdir("limbo/release")

    -- DEBUG makes LIMBO_FORCEINLINE / LIMBO_NOINLINE expand to nothing (defines.h).
    filter("configurations:Debug")
        symbols("Full")
        optimize("Debug")

        defines({ "DEBUG", "_DEBUG" })
        targetdir("limbo/debug")

    filter({})

project("limbo")
    files({ "source/**.h", "source/**.hpp", "source/**.c", "source/**.cpp" })
    vpaths({
        ["Header Files/*"] = { "source/**.h", "source/**.hpp" },
        ["Source Files/*"] = { "source/**.c", "source/**.cpp" },
    })

    includedirs({
        "source",
        "source/limbo",
    })
--------------------------------------------------------------------------------
/source/limbo.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*
4 | * Copyright 2023 Ling
5 | *
6 | * Licensed under the Apache License, Version 2.0 (the "License");
7 | * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at
9 | *
10 | * http://www.apache.org/licenses/LICENSE-2.0
11 | *
12 | * Unless required by applicable law or agreed to in writing, software
13 | * distributed under the License is distributed on an "AS IS" BASIS,
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | * See the License for the specific language governing permissions and
16 | * limitations under the License.
17 | */
18 |
19 | #include "limbo/defines.h"
20 |
21 | #include "limbo/rng.h"
22 | #include "limbo/helpers.h"
23 | #include "limbo/emulation.h"
24 | #include "limbo/mba.h"
25 |
--------------------------------------------------------------------------------
/source/limbo/defines.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*
4 | * Copyright 2023 Ling
5 | *
6 | * Licensed under the Apache License, Version 2.0 (the "License");
7 | * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at
9 | *
10 | * http://www.apache.org/licenses/LICENSE-2.0
11 | *
12 | * Unless required by applicable law or agreed to in writing, software
13 | * distributed under the License is distributed on an "AS IS" BASIS,
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | * See the License for the specific language governing permissions and
16 | * limitations under the License.
17 | */
18 |
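// Two-level token pasting so that macro arguments are expanded before '##'
// joins them (LIMBO_CAT(x, __COUNTER__) pastes the counter's value, not the
// spelling "__COUNTER__").
#define _LIMBO_CAT(a, b) a ## b
#define LIMBO_CAT(a, b) _LIMBO_CAT(a, b)

// Per-use compile-time random value: __COUNTER__ gives every expansion a
// distinct template argument. random_int itself lives in rng.h, not here.
#define LIMBO_RAND limbo::rng::random_int<__COUNTER__>()

// Cheap seed derivation. The argument is parenthesised so an expression
// argument (e.g. a sum) is multiplied as a whole instead of having '* 0x101'
// bind only to its last term, and the body is parenthesised so the result is
// safe inside a larger expression.
// NOTE(review): this is a linear transform of the seed, not a mixing step;
// how unpredictable the per-compilation randomisation is rests entirely on
// the seed source in rng.h, which is not visible from here.
#define LIMBO_RAND_FASTSEED(seed) ((seed) * 0x101) /* yolo */

// Inlining control. In DEBUG builds both macros expand to nothing
// (presumably to keep the helpers as real, steppable functions).
#ifdef DEBUG
#define LIMBO_FORCEINLINE
#define LIMBO_NOINLINE
#else
#if defined(__clang__) || defined(__GNUC__)
#define LIMBO_FORCEINLINE __attribute__((always_inline)) inline
#define LIMBO_NOINLINE __attribute__((noinline))
#else
// MSVC is deliberately unsupported: per the README it emits a direct pointer
// to the original function, which defeats the call obfuscation.
#error "Unsupported compiler"
#endif
#endif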
36 |
--------------------------------------------------------------------------------
/source/limbo/emulation.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*
4 | * Copyright 2023 Ling
5 | *
6 | * Licensed under the Apache License, Version 2.0 (the "License");
7 | * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at
9 | *
10 | * http://www.apache.org/licenses/LICENSE-2.0
11 | *
12 | * Unless required by applicable law or agreed to in writing, software
13 | * distributed under the License is distributed on an "AS IS" BASIS,
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | * See the License for the specific language governing permissions and
16 | * limitations under the License.
17 | */
18 |
19 | namespace limbo
20 | {
21 | //
22 | // This namespace implements "emulation" of arithmetic expressions
23 | // NOTE: Using 'auto' in the function prototypes below requires C++20
24 | // but decreased compile time in my testing (also looks cleaner).
25 | // To enable C++17 support, replace the 'auto' parameters with an explicit template parameter list
26 | //
27 | namespace emulation
28 | {
// Forward declarations of the "R" variants used by the rewrite rules further
// down (AddR/SubR/OrR/XorR/AndR). Their definitions are not in this part of
// the header; from the names they presumably mirror Add/Sub/Or/Xor/And with an
// extra template parameter — confirm against the definitions.
template
LIMBO_FORCEINLINE auto AddR(auto rhs, auto lhs);

template
LIMBO_FORCEINLINE auto SubR(auto rhs, auto lhs);

template
LIMBO_FORCEINLINE auto OrR(auto rhs, auto lhs);

template
LIMBO_FORCEINLINE auto XorR(auto rhs, auto lhs);

template
LIMBO_FORCEINLINE auto AndR(auto rhs, auto lhs);
43 |
44 | // //
45 |
// Addition whose first operand is routed through helpers::load_from_reg
// (helpers.h, not visible here) before '+' is applied.
// Parameter order is (rhs, lhs), as everywhere in this namespace.
LIMBO_FORCEINLINE auto Add(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs + lhs;
}
51 |
// Subtraction: the first operand passes through helpers::load_from_reg
// (helpers.h) and lhs is then subtracted from it, i.e. rhs - lhs.
LIMBO_FORCEINLINE auto Sub(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs - lhs;
}
57 |
// Multiplication with the first operand routed through
// helpers::load_from_reg (helpers.h) before '*' is applied.
LIMBO_FORCEINLINE auto Mul(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs * lhs;
}
63 |
// Division rhs / lhs, with rhs routed through helpers::load_from_reg
// (helpers.h) first. No zero check is done: a zero lhs is UB exactly as
// with the plain operator.
LIMBO_FORCEINLINE auto Div(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs / lhs;
}
69 |
// Bitwise AND with the first operand routed through helpers::load_from_reg
// (helpers.h) before '&' is applied.
LIMBO_FORCEINLINE auto And(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs & lhs;
}
75 |
// Bitwise OR with the first operand routed through helpers::load_from_reg
// (helpers.h) before '|' is applied.
LIMBO_FORCEINLINE auto Or(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs | lhs;
}
81 |
// Bitwise complement of rhs after it has passed through
// helpers::load_from_reg (helpers.h).
LIMBO_FORCEINLINE auto Not(auto rhs)
{
    auto reg_val = limbo::helpers::load_from_reg(rhs);
    return ~reg_val;
}
87 |
// Arithmetic negation of rhs after it has passed through
// helpers::load_from_reg (helpers.h). For a signed operand, negating the
// minimum value is UB exactly as with the plain unary '-'.
LIMBO_FORCEINLINE auto Minus(auto rhs)
{
    auto reg_val = limbo::helpers::load_from_reg(rhs);
    return -reg_val;
}
93 |
// Bitwise XOR with the first operand routed through helpers::load_from_reg
// (helpers.h) before '^' is applied.
LIMBO_FORCEINLINE auto Xor(auto rhs, auto lhs)
{
    auto reg_rhs = limbo::helpers::load_from_reg(rhs);
    return reg_rhs ^ lhs;
}
99 |
// Left shift through the register barrier: rhs << lhs. A shift count that is negative
// or not smaller than the operand width is undefined behaviour; not checked here.
LIMBO_FORCEINLINE auto Shl(auto rhs, auto lhs)
{
    return limbo::helpers::load_from_reg(rhs) << lhs;
}
105 |
// Right shift through the register barrier: rhs >> lhs. Same shift-count rules as Shl;
// for a negative signed operand the shift is arithmetic (guaranteed since C++20).
LIMBO_FORCEINLINE auto Shr(auto rhs, auto lhs)
{
    return limbo::helpers::load_from_reg(rhs) >> lhs;
}
111 |
112 | // //
113 | // TODO: Add more/better rewrite rules
114 |
// Rewrite rule for addition: a + b == (a & b) + (a | b).
// Holds because a | b == (a ^ b) + (a & b) and a + b == (a ^ b) + 2 * (a & b).
// NOTE(review): the template parameter list (and the arguments forwarded to AddR/AndR/OrR)
// are missing from this listing — confirm against the original header.
template
LIMBO_FORCEINLINE auto Add2(auto rhs, auto lhs)
{
// (rhs & lhs) + (rhs | lhs)
return AddR(AndR(rhs, lhs), OrR(rhs, lhs));
}
121 |
// Rewrite rule for addition: a + b == (a ^ b) + 2 * (a & b)
// (carry-less sum plus the carries shifted up by one). The multiply by 2 goes through the
// plain Mul, so it is not rewritten further. Requires wrap-around arithmetic: on a signed
// type the 2 * (a & b) term could overflow, which would be undefined behaviour.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Add3(auto rhs, auto lhs)
{
// (rhs ^ lhs) + 2 * (rhs & lhs)
return AddR(XorR(rhs, lhs), Mul(2, AndR(rhs, lhs)));
}
128 |
129 |
// Rewrite rule for subtraction: a - b == a + (-b), expanded with the Add3 identity,
// i.e. (a ^ -b) + 2 * (a & -b). Minus(lhs) is evaluated twice; it has no side effects.
// Same wrap-around assumption as Add3.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Sub2(auto rhs, auto lhs)
{
// (rhs ^ -lhs) + 2 * (rhs & -lhs)
return AddR(XorR(rhs, Minus(lhs)), Mul(2, AndR(rhs, Minus(lhs))));
}
136 |
// Rewrite rule for subtraction: a - b == (a + 1) + ~b, since ~b == -b - 1 in two's complement.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Sub3(auto rhs, auto lhs)
{
// (rhs + 1) + ~lhs
return AddR(AddR(rhs, 1), Not(lhs));
}
143 |
144 |
// Rewrite rule for AND: a & b == (~a | b) - ~a.
// Holds because ~a and (a & b) share no bits, so ~a | b == ~a + (a & b).
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto And2(auto rhs, auto lhs)
{
// (~rhs | lhs) - ~rhs
return SubR(OrR(Not(rhs), lhs), Not(rhs));
}
151 |
// Rewrite rule for AND: a & b == ((~a | b) + a) + 1.
// Holds because ~a | b == ~a + (a & b) and ~a + a == -1.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto And3(auto rhs, auto lhs)
{
// ((~rhs | lhs) + rhs) + 1
return AddR(AddR(OrR(Not(rhs), lhs), rhs), 1);
}
158 |
159 |
// Rewrite rule for OR: a | b == (a & ~b) + b — the two terms have disjoint bits.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Or2(auto rhs, auto lhs)
{
// (rhs & ~lhs) + lhs
return AddR(AndR(rhs, Not(lhs)), lhs);
}
166 |
// Rewrite rule for OR: a | b == (a + b + 1) + (~a | ~b).
// With -x - 1 == ~x the second term is ~a | ~b == ~(a & b) == -(a & b) - 1,
// so the whole expression is a + b - (a & b) == a | b.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Or3(auto rhs, auto lhs)
{
// ((rhs + lhs) + 1) + ((-rhs - 1) | (-lhs - 1))
return AddR(AddR(AddR(rhs, lhs), 1), OrR(SubR(Minus(rhs), 1), SubR(Minus(lhs), 1)));
}
173 |
174 |
// Rewrite rule for XOR: a ^ b == (~a & b) | (a & ~b) — the usual sum-of-products form.
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Xor2(auto rhs, auto lhs)
{
// (~rhs & lhs) | (rhs & ~lhs)
return OrR(AndR(Not(rhs), lhs), AndR(rhs, Not(lhs)));
}
181 |
// Rewrite rule for XOR: a ^ b == (a | b) - (a & b).
// NOTE(review): template parameter list missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto Xor3(auto rhs, auto lhs)
{
// (rhs | lhs) - (rhs & lhs)   (the code below ANDs rhs with lhs, not rhs with itself)
return SubR(OrR(rhs, lhs), AndR(rhs, lhs));
}
188 |
189 | // //
190 |
// Recursive emulated addition. N is the number of rewrite levels still to apply and R a
// compile-time random value that selects the rule used at this level; once N reaches 0
// the plain Add() is emitted. Under DEBUG nothing is rewritten at all, so a build that
// defines DEBUG ships the un-obfuscated operation.
// NOTE(review): the template parameter list, and the template arguments passed on to
// Add2/Add3, are missing from this listing (presumably N - 1 and a fresh R) — confirm.
template
LIMBO_FORCEINLINE auto AddR(auto rhs, auto lhs)
{
#ifdef DEBUG
// Don't emulate on debug builds
return Add(rhs, lhs);
#else
// Check how many iterations left
if constexpr (N > 0)
{
// Even R selects the Add2 rule, odd R the Add3 rule
constexpr auto i = R % 2;

if constexpr (i == 0)
{
return Add2(rhs, lhs);
}
else
{
return Add3(rhs, lhs);
}
}
else
{
// Depth exhausted: terminate the recursion with the real operator
return Add(rhs, lhs);
}
#endif
}
218 |
// Recursive emulated subtraction; same structure as AddR (N = remaining depth, R = rule
// selector, plain Sub() at depth 0, no rewriting at all under DEBUG).
// NOTE(review): template parameter list and the arguments forwarded to Sub2/Sub3 are
// missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto SubR(auto rhs, auto lhs)
{
#ifdef DEBUG
// Don't emulate on debug builds
return Sub(rhs, lhs);
#else
// Check how many iterations left
if constexpr (N > 0)
{
// Even R selects Sub2, odd R selects Sub3
constexpr auto i = R % 2;

if constexpr (i == 0)
{
return Sub2(rhs, lhs);
}
else
{
return Sub3(rhs, lhs);
}
}
else
{
// Depth exhausted: real operator
return Sub(rhs, lhs);
}
#endif
}
245 |
// Recursive emulated AND; same structure as AddR (N = remaining depth, R = rule selector,
// plain And() at depth 0, no rewriting at all under DEBUG).
// NOTE(review): template parameter list and the arguments forwarded to And2/And3 are
// missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto AndR(auto rhs, auto lhs)
{
#ifdef DEBUG
// Don't emulate on debug builds
return And(rhs, lhs);
#else
// Check how many iterations left
if constexpr (N > 0)
{
// Even R selects And2, odd R selects And3
constexpr auto i = R % 2;

if constexpr (i == 0)
{
return And2(rhs, lhs);
}
else
{
return And3(rhs, lhs);
}
}
else
{
// Depth exhausted: real operator
return And(rhs, lhs);
}
#endif
}
272 |
// Recursive emulated OR; same structure as AddR (N = remaining depth, R = rule selector,
// plain Or() at depth 0, no rewriting at all under DEBUG).
// NOTE(review): R % 3 is tested against only two branches, so Or2 is chosen for one residue
// and Or3 for the other two — the selection is skewed toward Or3. The TODO above suggests a
// third rule was planned; confirm this is intended rather than a leftover.
// NOTE(review): template parameter list and the arguments forwarded to Or2/Or3 are
// missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto OrR(auto rhs, auto lhs)
{
#ifdef DEBUG
// Don't emulate on debug builds
return Or(rhs, lhs);
#else
// Check how many iterations left
if constexpr (N > 0)
{
// Residue 0 selects Or2; residues 1 and 2 select Or3
constexpr auto i = R % 3;

if constexpr (i == 0)
{
return Or2(rhs, lhs);
}
else
{
return Or3(rhs, lhs);
}
}
else
{
// Depth exhausted: real operator
return Or(rhs, lhs);
}
#endif
}
299 |
// Recursive emulated XOR; same structure as AddR (N = remaining depth, R = rule selector,
// plain Xor() at depth 0, no rewriting at all under DEBUG).
// NOTE(review): R % 5 is tested against only two branches, so Xor2 is chosen for one residue
// and Xor3 for the other four — the selection is heavily skewed toward Xor3. As with OrR,
// confirm this is intended and not a placeholder for rules that were never added.
// NOTE(review): template parameter list and the arguments forwarded to Xor2/Xor3 are
// missing from this listing — confirm.
template
LIMBO_FORCEINLINE auto XorR(auto rhs, auto lhs)
{
#ifdef DEBUG
// Don't emulate on debug builds
return Xor(rhs, lhs);
#else
// Check how many iterations left
if constexpr (N > 0)
{
// Residue 0 selects Xor2; residues 1..4 select Xor3
constexpr auto i = R % 5;

if constexpr (i == 0)
{
return Xor2(rhs, lhs);
}
else
{
return Xor3(rhs, lhs);
}
}
else
{
// Depth exhausted: real operator
return Xor(rhs, lhs);
}
#endif
}
326 | }
327 | }
328 |
--------------------------------------------------------------------------------
/source/limbo/helpers.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*
4 | * Copyright 2023 Ling
5 | *
6 | * Licensed under the Apache License, Version 2.0 (the "License");
7 | * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at
9 | *
10 | * http://www.apache.org/licenses/LICENSE-2.0
11 | *
12 | * Unless required by applicable law or agreed to in writing, software
13 | * distributed under the License is distributed on an "AS IS" BASIS,
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | * See the License for the specific language governing permissions and
16 | * limitations under the License.
17 | */
18 |
19 | #include
20 |
21 | namespace limbo
22 | {
23 | //
24 | // This namespace implements helper/utility functions that make our life easier
25 | //
26 | namespace helpers
27 | {
//
// Forces the compiler to generate code to load a value from a register instead of putting it into .data
// Modified from xorstr (https://github.com/JustasMasiulis/xorstr/blob/master/include/xorstr.hpp#L88)
//
// How it works: the empty asm statement names `value` as a register output ("=r") and ties
// the input to that same operand ("0"), so the optimiser must materialise the value in a
// register and may not assume anything about what comes back out. This is what stops the
// MBA identities in emulation.h from being constant-folded back into the plain operator.
// The asm is not `volatile`, so it is only a data barrier: a call whose result is unused
// can still be dropped. Apart from pinning the value it is a no-op and returns it unchanged.
// NOTE(review): an asm-declaration inside a constexpr function is permitted from C++20 on,
// and only for calls that are not constant-evaluated; under C++17 this definition is
// ill-formed. The "requires C++20" note in emulation.h suggests C++20 is intended — confirm.
// NOTE(review): the template parameter list is missing from this listing (presumably typename T).
//
template
LIMBO_FORCEINLINE constexpr T load_from_reg(T value) noexcept
{
#if defined(__clang__) || defined(__GNUC__)
// Handles Clang(-CL) and GCC. This generates cleaner asm so we prefer this for Clang-CL
asm(
""
: "=r"(value)
: "0"(value)
:
);

return value;
#else
// Any other compiler is rejected at preprocessing time rather than silently losing the barrier.
#error "Unsupported compiler"
#endif
}
49 | }
50 | }
51 |
--------------------------------------------------------------------------------
/source/limbo/mba.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*
4 | * Copyright 2023 Ling
5 | *
6 | * Licensed under the Apache License, Version 2.0 (the "License");
7 | * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at
9 | *
10 | * http://www.apache.org/licenses/LICENSE-2.0
11 | *
12 | * Unless required by applicable law or agreed to in writing, software
13 | * distributed under the License is distributed on an "AS IS" BASIS,
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | * See the License for the specific language governing permissions and
16 | * limitations under the License.
17 | */
18 |
#ifdef DEBUG
// Debug builds: the function is declared and defined under its own name. No dispatcher is
// generated, so callers make an ordinary direct call and nothing below applies.
#define LIMBO_OBFUSCATED_FUNC(ret, name, ...) \
ret name(__VA_ARGS__)
#else
// I don't really like this macro, but it's the only one I've found so far.
// We rename the original function to something different and create a dispatcher function
// with the correct name.
//
// Release builds: the real body is emitted under the name LIMBO_CAT(name, __LINE__) and
// `name` itself becomes the forwarding template below. Both expansions of __LINE__ come
// from the same macro invocation, so the two names agree.
#define LIMBO_OBFUSCATED_FUNC(ret, name, ...) \
LIMBO_NOINLINE ret LIMBO_CAT(name, __LINE__)(__VA_ARGS__); \
_LIMBO_OBFUSCATED_BODY(name) \
LIMBO_NOINLINE ret LIMBO_CAT(name, __LINE__)(__VA_ARGS__)

// Dispatcher: takes the real function's address, adds a per-call-site compile-time key
// (`key`, from rng::random_int<__COUNTER__>), pins the sum in a register, then recovers the
// address at run time by subtracting the key through the MBA-emulated XorR/AddR/SubR
// (the XorR of ret_addr with itself is an opaque zero) and calls through the result.
// decltype(auto) keeps the real function's return type, including references.
// NOTE(review): _LIMBO_OBFUSCATED_BODY starts with an underscore followed by an uppercase
// letter, which is a reserved identifier in C++; a LIMBO_-prefixed name would avoid that.
// NOTE(review): random_int(min, max) takes std::uint64_t for both bounds (rng.h), so the
// -0x1000 lower bound is converted to a large unsigned value; the arithmetic only works out
// because std::uintptr_t addition wraps. Confirm this is the intended key range.
// NOTE(review): _ReturnAddress() is an MSVC-family intrinsic, while helpers::load_from_reg
// only compiles with GCC/Clang inline asm, so this path appears to assume clang-cl — confirm.
// NOTE(review): the final call goes through a function pointer reconstructed by arithmetic
// and a C-style cast; verify behaviour under any indirect-call CFI the build enables, and
// note that `(decltype(...)*)(fixed_addr)` would be clearer as a named cast.
// NOTE(review): the template parameter list on the `template \` line is missing from this
// listing (presumably typename... Args, matching `Args&&... args`) — confirm.
#define _LIMBO_OBFUSCATED_BODY(name) \
template \
LIMBO_NOINLINE decltype(auto) name(Args&&... args) { \
/* NOTE: This will fail and emit the original target address if the address isn't valid. */ \
constexpr std::uintptr_t key = limbo::rng::random_int<__COUNTER__>(-0x1000, 0x1000); \
/* NOTE: Addition is the only operation that didn't break this from my testing */ \
const std::uintptr_t shifted_addr = reinterpret_cast(&LIMBO_CAT(name, __LINE__)) + key; \
\
const auto loaded_addr = limbo::helpers::load_from_reg(shifted_addr); \
\
/* opaque predicate to hinder analysis TODO: better predicates */ \
const auto ret_addr = reinterpret_cast(_ReturnAddress()); \
\
const std::uintptr_t opaque_zero = limbo::emulation::XorR<5, LIMBO_RAND>(ret_addr, ret_addr); \
const std::uintptr_t opaque_key = limbo::emulation::AddR<5, LIMBO_RAND>(key, opaque_zero); \
\
/* calculate the correct target address */ \
const std::uintptr_t fixed_addr = limbo::emulation::SubR<5, LIMBO_RAND>(loaded_addr, opaque_key); \
\
const auto func = (decltype(LIMBO_CAT(name, __LINE__))*)(fixed_addr); \
return func(std::forward(args)...); \
};
#endif
54 |
--------------------------------------------------------------------------------
/source/limbo/rng.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | /*
4 | * Copyright 2023 Ling
5 | *
6 | * Licensed under the Apache License, Version 2.0 (the "License");
7 | * you may not use this file except in compliance with the License.
8 | * You may obtain a copy of the License at
9 | *
10 | * http://www.apache.org/licenses/LICENSE-2.0
11 | *
12 | * Unless required by applicable law or agreed to in writing, software
13 | * distributed under the License is distributed on an "AS IS" BASIS,
14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | * See the License for the specific language governing permissions and
16 | * limitations under the License.
17 | */
18 |
19 | #include
20 | #include
21 |
22 | namespace limbo
23 | {
24 | //
25 | // This namespace implements compile-time random number generation.
26 | // We use the compilation timestamp as a seed for xorshift
27 | // https://en.wikipedia.org/wiki/Xorshift
28 | //
29 | namespace rng
30 | {
// 512 is the max recursion depth (the compiler's template-instantiation limit); this stays below it.
// NOTE(review): max_depth is not referenced anywhere in this listing — confirm it is used elsewhere.
constexpr auto max_depth = 448;

// Generator seed derived from the build time. __TIME__ is "hh:mm:ss", so time[0..7] are ASCII
// digit characters; they are combined without subtracting '0', so `seed` is a deterministic
// function of the build second rather than literally seconds-since-midnight.
// Consequences worth knowing: every key this namespace produces is fixed for a given build
// second (at most 86400 distinct seeds, since that is how many hh:mm:ss values exist), and
// toolchains that honour SOURCE_DATE_EPOCH for __TIME__ make it identical across builds.
// That is fine for obfuscation variety; it must not be treated as a secret.
// NOTE(review): the static_cast target type is missing from this listing (presumably uint64_t).
constexpr auto time = __TIME__;
constexpr auto seed = static_cast(time[7]) + static_cast(time[6]) * 10 + static_cast(time[4]) * 60 + static_cast(time[3]) * 600 + static_cast(time[1]) * 3600 + static_cast(time[0]) * 36000;
36 |
// Step N of the generator: applies the xorshift64* transform (shifts 12, 25, 27 and the
// 0x2545F4914F6CDD1D multiplier, see the Wikipedia link above) to the previous step's
// output. Everything is constexpr, so each step is folded at compile time; the recursion
// depth grows with N, which is what max_depth above is guarding.
// NOTE(review): the template parameter list and the argument to the recursive xorshift()
// call are missing from this listing (presumably N and N - 1) — confirm.
template
LIMBO_FORCEINLINE constexpr std::uint64_t xorshift()
{
constexpr std::uint64_t s = xorshift();
constexpr std::uint64_t x1 = s ^ (s >> 12);
constexpr std::uint64_t x2 = x1 ^ (x1 << 25);
constexpr std::uint64_t x3 = x2 ^ (x2 >> 27);

return x3 * 0x2545F4914F6CDD1DULL;
}
47 |
// Base case of the recursion: the same xorshift64* transform applied directly to `seed`
// (the build-time value defined above) instead of to a previous step.
template <>
LIMBO_FORCEINLINE constexpr std::uint64_t xorshift<0>()
{
constexpr std::uint64_t x1 = seed ^ (seed >> 12);
constexpr std::uint64_t x2 = x1 ^ (x1 << 25);
constexpr std::uint64_t x3 = x2 ^ (x2 >> 27);

return x3 * 0x2545F4914F6CDD1DULL;
}
57 |
// Returns a random uint64_t in range of [0, max)  — `% max` never yields max itself, so the
// interval is half-open, not the closed [0, max] one might expect from the name.
// max == 0 is a modulo by zero: undefined behaviour, and a hard error in constant evaluation.
// Callers that pass the template argument (e.g. __COUNTER__ in mba.h) get a distinct step of
// the generator per call site, but all steps derive from the single build-time seed.
// NOTE(review): the template parameter list and the numeric_limits template argument are
// missing from this listing (presumably the step index and std::uint64_t) — confirm.
template
LIMBO_FORCEINLINE constexpr std::uint64_t random_int(std::uint64_t max = (std::numeric_limits::max)())
{
return xorshift() % max;
}
64 |
// Returns a random uint64_t in range of [min, max - 2]: the inner call yields
// [0, max - min - 2] (see the single-argument overload), then min is added. The closed
// [min, max] interval the original comment promised is therefore not what is produced —
// callers that depend on the exact bounds should be aware.
// Both bounds are unsigned; a negative `min` (mba.h passes -0x1000) is converted to a large
// value and the result only makes sense because the arithmetic wraps. If max - min - 1 is
// zero the inner call divides by zero; if max < min + 1 the difference wraps.
// NOTE(review): the template parameter list and the argument forwarded to the inner
// random_int call are missing from this listing — confirm.
template
LIMBO_FORCEINLINE constexpr std::uint64_t random_int(std::uint64_t min, std::uint64_t max)
{
return min + random_int(max - min - 1);
}
71 | }
72 | }
73 |
--------------------------------------------------------------------------------
/source/main.cpp:
--------------------------------------------------------------------------------
1 |
2 | #include
3 |
4 | #include "limbo.h"
5 |
6 |
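// Minimal argument type used to exercise the obfuscated call: a single int payload.
// Still an aggregate, so `TestStruct{522}` and `TestStruct emu{}; emu.a = 522;` both work.
struct TestStruct
{
    int a{};  // brace-initialised so a default-initialised instance holds 0 rather than garbage
};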
11 |
// Demonstration target: prints its argument and returns it plus five.
// Wrapped in LIMBO_OBFUSCATED_FUNC, so in non-DEBUG builds the symbol `obf_test` is the
// dispatcher generated by mba.h and this body is emitted under a renamed function.
LIMBO_OBFUSCATED_FUNC(int, obf_test, TestStruct struct_)
{
    const int value = struct_.a;
    printf("[obf_test] Argument: %d\n", value);

    return value + 5;
}
18 |
19 |
// Entry point: builds a payload of 522, routes it through the obfuscated obf_test and
// prints what came back (expected 527). Command-line arguments are not used.
int main(int argc, char* argv[])
{
    printf("[main] Starting...\n");

    // Aggregate-initialise the payload directly rather than assigning after construction
    TestStruct emu{522};

    // obf_test runs (and prints) before this printf's own output, as a call argument
    printf("[main] Received: %d\n", obf_test(emu));

    return 0;
}
32 |
--------------------------------------------------------------------------------