mba pass itself

expend20 · Oct 6, 2024 · 340cb88 · 340cb88
1 parent 5f12a0a
commit 340cb88
Show file tree

Hide file tree

Showing 3 changed files with 170 additions and 0 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -22,6 +22,7 @@ add_library(passes MODULE
   lib/Pluto/GlobalEncryption.cpp
   lib/Pluto/IndirectCall.cpp
   lib/Pluto/MBAUtils.cpp
+  lib/Pluto/MBAObfuscation.cpp
   lib/PassRegistration.cpp
 )
 

diff --git a/include/Pluto/MBAObfuscation.h b/include/Pluto/MBAObfuscation.h
@@ -0,0 +1,37 @@
+// Credits to https://github.com/bluesadi/Pluto
+
+#pragma once
+
+#include "llvm/IR/PassManager.h"
+#include "llvm/IR/InstrTypes.h"
+
+using namespace llvm;
+
+namespace Pluto {
+
+struct MbaObfuscation : PassInfoMixin<MbaObfuscation> {
+    PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM);
+
+    static bool isRequired() { return true; }
+
+    void substituteConstant(Instruction *I, int i);
+
+    void substitute(BinaryOperator *BI);
+
+    // 替换 Add 指令
+    Value *substituteAdd(BinaryOperator *BI);
+
+    // 替换 Sub 指令
+    Value *substituteSub(BinaryOperator *BI);
+
+    // 替换 And 指令
+    Value *substituteAnd(BinaryOperator *BI);
+
+    // 替换 Or 指令
+    Value *substituteOr(BinaryOperator *BI);
+
+    // 替换 Xor 指令
+    Value *substituteXor(BinaryOperator *BI);
+};
+
+}; // namespace Pluto
diff --git a/lib/Pluto/MBAObfuscation.cpp b/lib/Pluto/MBAObfuscation.cpp
@@ -0,0 +1,132 @@
+// Credits to https://github.com/bluesadi/Pluto
+#include "Pluto/MBAObfuscation.h"
+#include "Pluto/MBAUtils.h"
+
+#include "llvm/IR/Constants.h"
+
+#include <vector>
+
+using namespace std;
+using namespace llvm;
+using namespace Pluto::MBAUtils;
+
+#define NUM_COEFFS 5
+
+PreservedAnalyses Pluto::MbaObfuscation::run(Function &F, FunctionAnalysisManager &AM) {
+    for (BasicBlock &BB : F) {
+        std::vector<Instruction *> origInst;
+        for (Instruction &I : BB) {
+            origInst.push_back(&I);
+        }
+        for (Instruction *I : origInst) {
+            if (isa<BinaryOperator>(I)) {
+                BinaryOperator *BI = cast<BinaryOperator>(I);
+                if (BI->getOperand(0)->getType()->isIntegerTy()) {
+                    // Do not support 128-bit integers now
+                    if (BI->getOperand(0)->getType()->getIntegerBitWidth() > 64) {
+                        continue;
+                    }
+                    substitute(BI);
+                }
+            } else {
+                for (int i = 0; i < I->getNumOperands(); i++) {
+                    if (I->getOperand(0)->getType()->isIntegerTy()) {
+                        // error occurs for unknown reasons
+                        // if(isa<StoreInst>(I) || isa<CmpInst>(I) || isa<CallInst>(I)){
+                        if (isa<StoreInst>(I) || isa<CmpInst>(I)) {
+                            substituteConstant(I, i);
+                        }
+                    }
+                }
+            }
+        }
+    }
+    PreservedAnalyses PA;
+    PA.preserveSet<CFGAnalyses>();
+    return PA;
+}
+
+void Pluto::MbaObfuscation::substituteConstant(Instruction *I, int i) {
+    ConstantInt *val = dyn_cast<ConstantInt>(I->getOperand(i));
+    if (val && val->getBitWidth() <= 64) {
+        int64_t *coeffs = generateLinearMBA(NUM_COEFFS);
+        coeffs[14] -= val->getValue().getZExtValue();
+        Value *mbaExpr = insertLinearMBA(coeffs, I);
+        delete[] coeffs;
+        if (val->getBitWidth() <= 32) {
+            mbaExpr = insertPolynomialMBA(mbaExpr, I);
+        }
+        I->setOperand(i, mbaExpr);
+    }
+}
+
+void Pluto::MbaObfuscation::substitute(BinaryOperator *BI) {
+    Value *mbaExpr = nullptr;
+    switch (BI->getOpcode()) {
+    case BinaryOperator::Add:
+        mbaExpr = substituteAdd(BI);
+        break;
+    case BinaryOperator::Sub:
+        mbaExpr = substituteSub(BI);
+        break;
+    case BinaryOperator::And:
+        mbaExpr = substituteAnd(BI);
+        break;
+    case BinaryOperator::Or:
+        mbaExpr = substituteOr(BI);
+        break;
+    case BinaryOperator::Xor:
+        mbaExpr = substituteXor(BI);
+        break;
+    default:
+        break;
+    }
+    if (mbaExpr) {
+        if (BI->getOperand(0)->getType()->getIntegerBitWidth() <= 32) {
+            mbaExpr = insertPolynomialMBA(mbaExpr, BI);
+        }
+        BI->replaceAllUsesWith(mbaExpr);
+    }
+}
+
+Value *Pluto::MbaObfuscation::substituteAdd(BinaryOperator *BI) {
+    int64_t *coeffs = generateLinearMBA(NUM_COEFFS);
+    coeffs[2] += 1;
+    coeffs[4] += 1;
+    Value *mbaExpr = insertLinearMBA(coeffs, BI);
+    delete[] coeffs;
+    return mbaExpr;
+}
+
+Value *Pluto::MbaObfuscation::substituteSub(BinaryOperator *BI) {
+    int64_t *coeffs = generateLinearMBA(NUM_COEFFS);
+    coeffs[2] += 1;
+    coeffs[4] -= 1;
+    Value *mbaExpr = insertLinearMBA(coeffs, BI);
+    delete[] coeffs;
+    return mbaExpr;
+}
+
+Value *Pluto::MbaObfuscation::substituteXor(BinaryOperator *BI) {
+    int64_t *coeffs = generateLinearMBA(NUM_COEFFS);
+    coeffs[5] += 1;
+    Value *mbaExpr = insertLinearMBA(coeffs, BI);
+    delete[] coeffs;
+    return mbaExpr;
+}
+
+Value *Pluto::MbaObfuscation::substituteAnd(BinaryOperator *BI) {
+    int64_t *coeffs = generateLinearMBA(NUM_COEFFS);
+    coeffs[0] += 1;
+    Value *mbaExpr = insertLinearMBA(coeffs, BI);
+    delete[] coeffs;
+    return mbaExpr;
+}
+
+Value *Pluto::MbaObfuscation::substituteOr(BinaryOperator *BI) {
+    int64_t *coeffs = generateLinearMBA(NUM_COEFFS);
+    coeffs[6] += 1;
+    Value *mbaExpr = insertLinearMBA(coeffs, BI);
+    delete[] coeffs;
+    return mbaExpr;
+}