├── example.png ├── .gitattributes ├── LICENSE ├── examples ├── example.cpp └── benchmark.cpp ├── README.md └── include └── hidecall └── hidecall.h /example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TomashuTTTT7/Hidecall/HEAD/example.png -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Tomasz Karpiński 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /examples/example.cpp: -------------------------------------------------------------------------------- 1 | #define AFTER 1 2 | #define BEFORE !AFTER 3 | 4 | #include 5 | #include 6 | #include 7 | #include "hidecall.h" 8 | 9 | #if BEFORE 10 | 11 | static std::tuple __stdcall getTuple(); 12 | 13 | class Base 14 | { 15 | public: 16 | virtual int print(const char* str, int a) const = 0; 17 | }; 18 | 19 | class Derived : public Base 20 | { 21 | public: 22 | int print(const char* str, int a = 1) const override; 23 | static void __cdecl welcome() 24 | { 25 | std::cout << "HI!\n"; 26 | } 27 | virtual void virt() 28 | { 29 | std::cout << "Virtual\n"; 30 | } 31 | }; 32 | 33 | int Derived::print(const char* str, int a) const 34 | { 35 | std::cout << str << ' ' << a << std::endl; 36 | return 1; 37 | } 38 | 39 | static std::tuple __stdcall getTuple() 40 | { 41 | return std::make_tuple(-15, 'F'); 42 | } 43 | 44 | #endif 45 | 46 | #if AFTER 47 | 48 | HIDECALL_DECLARE(static, PACK(std::tuple __stdcall), getTuple, ()) 49 | 50 | class Base 51 | { 52 | public: 53 | virtual int print(const char* str, int a) const = 0; 54 | }; 55 | 56 | class Derived : public Base 57 | { 58 | public: 59 | HIDECALL_DECLARE(, int, print,(const char* str, int a = 1) const); // note you can't use "override" keyword 60 | HIDECALL_CLASS(static, void __cdecl, welcome, ()) 61 | { 62 | std::cout << "HI!\n"; 63 | } 64 | virtual HIDECALL_CLASS(, void, virt, ()) // note "virtual" is before macro, because "virtual" keyword applies only to one function. 65 | { 66 | std::cout << "Virtual\n"; 67 | } 68 | }; 69 | 70 | HIDECALL_CLASS(, int, Derived::print, (const char* str, int a) const) 71 | { 72 | std::cout << str << ' ' << a << std::endl; 73 | return 1; 74 | } 75 | 76 | HIDECALL(static, PACK(std::tuple __stdcall), getTuple, ()) 77 | { 78 | return std::make_tuple(-15, 'F'); 79 | } 80 | 81 | #endif 82 | 83 | // There is no need to modify calls in the code after using HIDECALL 84 | int main() 85 | { 86 | Derived d; 87 | Base* b = &d; 88 | Derived* pD = &d; 89 | 90 | b->print("Hello!", 7); 91 | Derived::welcome(); 92 | pD->virt(); 93 | 94 | auto [i, c] = getTuple(); 95 | 96 | std::cin.get(); 97 | 98 | return i + c; 99 | } 100 | -------------------------------------------------------------------------------- /examples/benchmark.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | 6 | #include "hidecall.h" 7 | 8 | #define rounds 10 9 | 10 | struct Measurement 11 | { 12 | std::chrono::duration bias; 13 | std::chrono::duration normal; 14 | std::chrono::duration hidecall; 15 | 16 | Measurement& operator/(size_t count) 17 | { 18 | this->bias /= count; 19 | this->normal /= count; 20 | this->hidecall /= count; 21 | 22 | return *this; 23 | } 24 | 25 | void operator+=(Measurement& other) 26 | { 27 | this->bias += other.bias; 28 | this->normal += other.normal; 29 | this->hidecall += other.hidecall; 30 | } 31 | }; 32 | 33 | Measurement getAverage(std::vector& measurements) 34 | { 35 | Measurement mRet = {}; 36 | size_t count = 0; 37 | 38 | for (auto m : measurements) 39 | mRet += m; 40 | 41 | return mRet / measurements.size(); 42 | } 43 | 44 | HIDECALL(__declspec(noinline), void, BM_HC, ()) 45 | { 46 | __asm nop; 47 | } 48 | 49 | __declspec(noinline) void BM_NORMAL() 50 | { 51 | __asm nop; 52 | } 53 | 54 | int main() 55 | { 56 | std::vector times; 57 | times.reserve(rounds); 58 | 59 | std::cout << "WARNING!\nBenchmark can take a long time, depending on the number of rounds. Please be patient!\n\n"; 60 | 61 | for (size_t r = 0; r < rounds; r++) 62 | { 63 | Measurement m; 64 | auto bias_start = std::chrono::steady_clock::now(); 65 | 66 | for (size_t i = 0; i < INT_MAX; i++) 67 | { 68 | __asm nop; 69 | } 70 | 71 | auto bias_end = std::chrono::steady_clock::now(); 72 | m.bias = bias_end - bias_start; 73 | 74 | auto start = std::chrono::steady_clock::now(); 75 | 76 | for (size_t i = 0; i < INT_MAX; i++) 77 | BM_NORMAL(); 78 | 79 | auto end = std::chrono::steady_clock::now(); 80 | m.normal = end - start - m.bias; 81 | 82 | 83 | auto hc_start = std::chrono::steady_clock::now(); 84 | 85 | for (size_t i = 0; i < INT_MAX; i++) 86 | BM_HC(); 87 | 88 | auto hc_end = std::chrono::steady_clock::now(); 89 | m.hidecall = hc_end - hc_start - m.bias; 90 | 91 | times.push_back(m); 92 | } 93 | 94 | Measurement avg = getAverage(times); 95 | 96 | std::cout << "Bias time: " << avg.bias.count() << "s\n"; 97 | std::cout << "Normal time: " << avg.normal.count() << "s\n"; 98 | std::cout << "Hidecall time: " << avg.hidecall.count() << "s\n"; 99 | std::cout << "Hidecall is " << avg.hidecall / avg.normal << " times slower.\n"; 100 | 101 | std::cin.get(); 102 | } 103 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hidecall 2 | 3 | Hidecall is single-header C++ library that obfuscates function calls and 4 | hides them in decompilation, what makes reverse-engineering very ~~hard~~ annoying. 5 | 6 | It is developed and supported for MSVC compiler and x86 program architecture 7 | 8 | ## Usage 9 | 10 | In order to apply Hidecall, modify function definition signature as follows: 11 | ```cpp 12 | #include "hidecall.h" 13 | 14 | //Before 15 | static int foo(int a, char b) 16 | { 17 | //Your code 18 | } 19 | 20 | //After 21 | HIDECALL(static, int, foo, (int a, char b)) 22 | { 23 | //Your code 24 | } 25 | ``` 26 | Basically you wrap your function signature into a macro and split it using commas: 27 | - before return type 28 | - before name 29 | - after name 30 | 31 | Use PACK() macro if return type has comma inside. 32 | 33 | That's it! You don't have to modify any code other than that. 34 | You can even use it for main entry function as well, there are no restrictions about it. 35 | 36 | Your function should work exactly the same way as before applying hidecall. If something works differently, let me know by opening an issue. 37 | 38 | For explanation visit [hidecall.h](include/hidecall/hidecall.h) and for more examples see [example.cpp](examples/example.cpp) 39 | 40 | ### Configuration 41 | 42 | Before using, visit [hidecall.h](include/hidecall/hidecall.h) and change preprocessor definitions to your own preferences in *HC_CONFIG* region. 43 | 44 | ### Decompilation 45 | 46 | Using HIDECALL makes following changes in decompilation: 47 | - Removes function references 48 | - Cuts off call paths 49 | - Removes auto parameter deduction 50 | 51 | There is an example decompilation: 52 | ![Preview](example.png) 53 | 54 | I tested it on some decompilers, including Ghidra, JEB, Snowman, Retdec and they are all fooled. 55 | 56 | PS: I don't have IDA so i couldn't check it there. 57 | 58 | ### Types 59 | 60 | Types of HIDECALL: 61 | 62 | - __HIDECALL_DECLARE__ - hidecall function declaration 63 | - __HIDECALL__ - hidecall definition for functions 64 | - __HIDECALL_LEVEL__ - as above, but with external linenumber concatenation level 65 | - __HIDECALL_CLASS__ - hidecall definition for class member functions 66 | - __HIDECALL_CLASS_LEVEL__ - as above, but with external linenumber concatenation level 67 | 68 | ### Limitations 69 | 70 | - No support for lambdas 71 | - No support for x64 architecture, x86 only 72 | 73 | ### Consequences 74 | 75 | - __MESS__ inside a namespace, because hidecall defines two additional 76 | functions per one protected function. That's why i suggest 77 | switching to hidecall after writing the actual code 78 | - Increased compiled binary size 79 | - Disables automatic function inlining 80 | - A bit slower program execution (The call itself is over 2.5x slower, but the rest of the code is as fast as normal) 81 | 82 | ### Restrictions 83 | 84 | - Do not use __\_\_COUNTER\_\___ in your program, because it is a part of obfuscation randomization and changing its value can break your program. If you really need it, use it 5 times in a row. 85 | 86 | ## License 87 | Licensed under the [MIT License](LICENSE) 88 | -------------------------------------------------------------------------------- /include/hidecall/hidecall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma region HC_CONFIG 4 | 5 | // The highest number you can pass as a constant in asm instruction is 6 | // maximum value of uint64_t integer, so 18446744073709551615. 7 | // If concatenated number is higher than that, you'll get an error. 8 | // In such a case, use HIDECALL_LEVEL macro with lower level number 9 | // (6 by default) 10 | #define HC_DEFAULT_RNG_LEVEL 6 // integer in range [1, 9] 11 | 12 | // KEY. Change it to your own random 32-bit number 13 | // It's not used for real encryption, but splits pointer decoding in two parts 14 | #define HC_KEY 0x7D90A5F1 15 | 16 | // Segment names 17 | #define HC_DECODE_SEG ".ddata" // there will be function which decodes obfuscated pointer 18 | #define HC_HANDLER_SEG ".hdata" // there will be function which handles your call and contains obfuscated pointer 19 | 20 | #pragma endregion 21 | 22 | #define HC__JOIN1(a) a 23 | #define HC__JOIN2(a, b) a##b 24 | #define HC__JOIN3(a, b, c) a##b##c 25 | #define HC__JOIN4(a, b, c, d) a##b##c##d 26 | #define HC__JOIN5(a, b, c, d, e) a##b##c##d##e 27 | #define HC__JOIN6(a, b, c, d, e, f) a##b##c##d##e##f 28 | #define HC__JOIN7(a, b, c, d, e, f, g) a##b##c##d##e##f##g 29 | #define HC__JOIN8(a, b, c, d, e, f, g, h) a##b##c##d##e##f##g##h 30 | #define HC__JOIN9(a, b, c, d, e, f, g, h, i) a##b##c##d##e##f##g##h##i 31 | 32 | #define HC_JOIN1(a) HC__JOIN1(a) 33 | #define HC_JOIN2(a, b) HC__JOIN2(a, b) 34 | #define HC_JOIN3(a, b, c) HC__JOIN3(a, b, c) 35 | #define HC_JOIN4(a, b, c, d) HC__JOIN4(a, b, c, d) 36 | #define HC_JOIN5(a, b, c, d, e) HC__JOIN5(a, b, c, d, e) 37 | #define HC_JOIN6(a, b, c, d, e, f) HC__JOIN6(a, b, c, d, e, f) 38 | #define HC_JOIN7(a, b, c, d, e, f, g) HC__JOIN7(a, b, c, d, e, f, g) 39 | #define HC_JOIN8(a, b, c, d, e, f, g, h) HC__JOIN8(a, b, c, d, e, f, g, h) 40 | #define HC_JOIN9(a, b, c, d, e, f, g, h, i) HC__JOIN9(a, b, c, d, e, f, g, h, i) 41 | 42 | #define HC_PP_RNG1() HC_JOIN1(__COUNTER__) 43 | #define HC_PP_RNG2() HC_JOIN2(__LINE__, __COUNTER__) 44 | #define HC_PP_RNG3() HC_JOIN3(__LINE__, __LINE__, __COUNTER__) 45 | #define HC_PP_RNG4() HC_JOIN4(__LINE__, __LINE__, __LINE__, __COUNTER__) 46 | #define HC_PP_RNG5() HC_JOIN5(__LINE__, __LINE__, __LINE__, __LINE__, __COUNTER__) 47 | #define HC_PP_RNG6() HC_JOIN6(__LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __COUNTER__) 48 | #define HC_PP_RNG7() HC_JOIN7(__LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __COUNTER__) 49 | #define HC_PP_RNG8() HC_JOIN8(__LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __COUNTER__) 50 | #define HC_PP_RNG9() HC_JOIN9(__LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __LINE__, __COUNTER__) 51 | 52 | #define HC_PP_RNG_LEVEL(level) HC_PP_RNG##level() 53 | 54 | /* 55 | * You can barely name this RNG, but this is the only thing i could think of. 56 | * This macro concatenates linenumber a few times with counter at the end. 57 | * This way it makes a huge decimal number, which then is converted to binary 58 | * in assembly instruction. Only 32 bits are saved, what makes this 59 | * number kinda unpredictable. 60 | */ 61 | 62 | #define PACK(...) __VA_ARGS__ 63 | 64 | /* 65 | * USAGE: 66 | * 67 | * @level level of linenumber concatenation. If the linenumber is too high, 68 | * you can get an error. Lower this value in such a case (6 by default) 69 | * 70 | * @modifiers modifiers of your function, eg.: 71 | * __declspec(noinline) static 72 | * If for any reason it has a comma inside, use PACK() 73 | * If you don't have any modifiers, skip this part and proceed to next one 74 | * 75 | * @ret return type of your function. If you specify a calling convention, pass it here 76 | * int __cdecl 77 | * If it has a comma inside, use PACK macro, eg.: 78 | * PACK(std::map) 79 | * 80 | * @fname your function's name 81 | * 82 | * @... your function's arguments. Don't use PACK() macro, but keep the parenthesis, eg: 83 | * (int a, unsigned long b, std::string& str) 84 | * 85 | * At the end macro can look like this: 86 | * HIDECALL(, int, main, (int argc, char* argv[])) 87 | * 88 | * Basically you wrap your function signature into a macro and split it using commas: 89 | * - before return type 90 | * - before name 91 | * - after name 92 | * And use PACK() macro if return type has comma. 93 | * 94 | * See example.cpp for more examples with different function signatures. 95 | */ 96 | 97 | //change to 1 if you really want to try x64 - if your compiler supports x64 inline assembly 98 | #define HC_IGNORE 0 99 | 100 | // PP_RNG_LEVEL has to be "called" in this macro 2, 5, 10 or 20 times etc. 101 | // I use additional code segments, because otherwise the real 102 | // function is right after the obfuscated one (that's not secure for sure) 103 | 104 | 105 | #pragma warning(disable:4731) 106 | 107 | #if defined(__LP64__) || defined(_LP64) || defined(_WIN64) 108 | 109 | #if HC_IGNORE 110 | 111 | #define HIDECALL_CLASS_LEVEL(level, modifiers, ret, fname, ...) \ 112 | __pragma(code_seg(push, seg1, HC_HANDLER_SEG)) \ 113 | __declspec(noinline) modifiers ret fname __VA_ARGS__ { \ 114 | __asm { \ 115 | __asm mov rsp, rbp \ 116 | __asm mov rbp, fname##_HC + HC_PP_RNG_LEVEL(level) + 1 + \ 117 | (((HC_PP_RNG_LEVEL(level) & 0x7fffffff) % 17) / 4) \ 118 | __asm call fname##_HC_sub \ 119 | __asm pop rax \ 120 | __asm xor rbp, rax \ 121 | __asm xor rax, rbp \ 122 | __asm xor rbp, rax \ 123 | __asm jmp rdx \ 124 | } \ 125 | } \ 126 | __pragma(code_seg(pop, seg1)) \ 127 | __pragma(code_seg(push, seg2, HC_DECODE_SEG)) \ 128 | __declspec(noinline) void fname##_HC_sub() { \ 129 | __asm { \ 130 | __asm add rbp, ((-HC_PP_RNG_LEVEL(level) + 1) & HC_KEY) + HC_KEY + 1 \ 131 | __asm add rbp, ((-HC_PP_RNG_LEVEL(level) + 2) & ~HC_KEY) + \ 132 | (((HC_PP_RNG_LEVEL(level) & 0x7fffffff) % 23) / 2) + ~HC_KEY \ 133 | __asm and rbp, 0x7ffffffffffffff0 \ 134 | __asm xor rbp, rdx \ 135 | __asm xor rdx, rbp \ 136 | __asm xor rbp, rdx \ 137 | } \ 138 | } \ 139 | __pragma(code_seg(pop, seg2)) \ 140 | modifiers ret fname##_HC __VA_ARGS__ 141 | 142 | #else 143 | 144 | #define HIDECALL_CLASS_LEVEL(level, modifiers, ret, fname, ...) 145 | #error HIDECALL: x64 architecture is not supported (at least for msvc) 146 | 147 | #endif 148 | 149 | #else 150 | 151 | #define HIDECALL_CLASS_LEVEL(level, modifiers, ret, fname, ...) \ 152 | __pragma(code_seg(push, seg1, HC_HANDLER_SEG)) \ 153 | __declspec(noinline) modifiers ret fname __VA_ARGS__ { \ 154 | __asm { \ 155 | __asm mov esp, ebp \ 156 | __asm mov ebp, fname##_HC + HC_PP_RNG_LEVEL(level) + 1 + \ 157 | (((HC_PP_RNG_LEVEL(level) & 0x7fffffff) % 17) / 4) \ 158 | __asm call fname##_HC_sub \ 159 | __asm pop eax \ 160 | __asm xor ebp, eax \ 161 | __asm xor eax, ebp \ 162 | __asm xor ebp, eax \ 163 | __asm jmp edx \ 164 | } \ 165 | } \ 166 | __pragma(code_seg(pop, seg1)) \ 167 | __pragma(code_seg(push, seg2, HC_DECODE_SEG)) \ 168 | __declspec(noinline) void fname##_HC_sub() { \ 169 | __asm { \ 170 | __asm add ebp, ((-HC_PP_RNG_LEVEL(level) + 1) & HC_KEY) + HC_KEY + 1 \ 171 | __asm add ebp, ((-HC_PP_RNG_LEVEL(level) + 2) & ~HC_KEY) + \ 172 | (((HC_PP_RNG_LEVEL(level) & 0x7fffffff) % 23) / 2) + ~HC_KEY \ 173 | __asm and ebp, 0x7ffffff0 \ 174 | __asm xor ebp, edx \ 175 | __asm xor edx, ebp \ 176 | __asm xor ebp, edx \ 177 | } \ 178 | } \ 179 | __pragma(code_seg(pop, seg2)) \ 180 | modifiers ret fname##_HC __VA_ARGS__ 181 | 182 | #endif 183 | 184 | /* 185 | * Types of HIDECALL: 186 | * 187 | * HIDECALL_DECLARE - hidecall function declaration 188 | * HIDECALL - hidecall definition for functions 189 | * HIDECALL_LEVEL - as above, but with external linenumber concatenation level 190 | * HIDECALL_CLASS - hidecall definition for class member functions 191 | * HIDECALL_CLASS_LEVEL - as above, but with external linenumber concatenation level 192 | */ 193 | #define HIDECALL_DECLARE(modifiers, ret, fname, ...) void fname##_HC_sub(); modifiers ret fname __VA_ARGS__; modifiers ret fname##_HC __VA_ARGS__; 194 | #define HIDECALL_LEVEL(level, modifiers, ret, fname, ...) HIDECALL_DECLARE(modifiers, ret, fname, __VA_ARGS__) HIDECALL_CLASS_LEVEL(level, modifiers, ret, fname, __VA_ARGS__) 195 | #define HIDECALL(modifiers, ret, fname, ...) HIDECALL_LEVEL(HC_DEFAULT_RNG_LEVEL, modifiers, ret, fname, __VA_ARGS__) 196 | #define HIDECALL_CLASS(modifiers, ret, fname, ...) HIDECALL_CLASS_LEVEL(HC_DEFAULT_RNG_LEVEL, modifiers, ret, fname, __VA_ARGS__) 197 | --------------------------------------------------------------------------------