From 340cb8885877cc87a1a1d7c36988eda778c51730 Mon Sep 17 00:00:00 2001 From: expy Date: Sun, 6 Oct 2024 12:38:44 -0400 Subject: [PATCH] mba pass itself --- CMakeLists.txt | 1 + include/Pluto/MBAObfuscation.h | 37 +++++++++ lib/Pluto/MBAObfuscation.cpp | 132 +++++++++++++++++++++++++++++++++ 3 files changed, 170 insertions(+) create mode 100644 include/Pluto/MBAObfuscation.h create mode 100644 lib/Pluto/MBAObfuscation.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index 1cd509e..db4639b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -22,6 +22,7 @@ add_library(passes MODULE lib/Pluto/GlobalEncryption.cpp lib/Pluto/IndirectCall.cpp lib/Pluto/MBAUtils.cpp + lib/Pluto/MBAObfuscation.cpp lib/PassRegistration.cpp ) diff --git a/include/Pluto/MBAObfuscation.h b/include/Pluto/MBAObfuscation.h new file mode 100644 index 0000000..4a51085 --- /dev/null +++ b/include/Pluto/MBAObfuscation.h @@ -0,0 +1,37 @@ +// Credits to https://github.com/bluesadi/Pluto + +#pragma once + +#include "llvm/IR/PassManager.h" +#include "llvm/IR/InstrTypes.h" + +using namespace llvm; + +namespace Pluto { + +struct MbaObfuscation : PassInfoMixin { + PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM); + + static bool isRequired() { return true; } + + void substituteConstant(Instruction *I, int i); + + void substitute(BinaryOperator *BI); + + // 替换 Add 指令 + Value *substituteAdd(BinaryOperator *BI); + + // 替换 Sub 指令 + Value *substituteSub(BinaryOperator *BI); + + // 替换 And 指令 + Value *substituteAnd(BinaryOperator *BI); + + // 替换 Or 指令 + Value *substituteOr(BinaryOperator *BI); + + // 替换 Xor 指令 + Value *substituteXor(BinaryOperator *BI); +}; + +}; // namespace Pluto \ No newline at end of file diff --git a/lib/Pluto/MBAObfuscation.cpp b/lib/Pluto/MBAObfuscation.cpp new file mode 100644 index 0000000..670f0b1 --- /dev/null +++ b/lib/Pluto/MBAObfuscation.cpp @@ -0,0 +1,132 @@ +// Credits to https://github.com/bluesadi/Pluto +#include "Pluto/MBAObfuscation.h" +#include "Pluto/MBAUtils.h" + +#include "llvm/IR/Constants.h" + +#include + +using namespace std; +using namespace llvm; +using namespace Pluto::MBAUtils; + +#define NUM_COEFFS 5 + +PreservedAnalyses Pluto::MbaObfuscation::run(Function &F, FunctionAnalysisManager &AM) { + for (BasicBlock &BB : F) { + std::vector origInst; + for (Instruction &I : BB) { + origInst.push_back(&I); + } + for (Instruction *I : origInst) { + if (isa(I)) { + BinaryOperator *BI = cast(I); + if (BI->getOperand(0)->getType()->isIntegerTy()) { + // Do not support 128-bit integers now + if (BI->getOperand(0)->getType()->getIntegerBitWidth() > 64) { + continue; + } + substitute(BI); + } + } else { + for (int i = 0; i < I->getNumOperands(); i++) { + if (I->getOperand(0)->getType()->isIntegerTy()) { + // error occurs for unknown reasons + // if(isa(I) || isa(I) || isa(I)){ + if (isa(I) || isa(I)) { + substituteConstant(I, i); + } + } + } + } + } + } + PreservedAnalyses PA; + PA.preserveSet(); + return PA; +} + +void Pluto::MbaObfuscation::substituteConstant(Instruction *I, int i) { + ConstantInt *val = dyn_cast(I->getOperand(i)); + if (val && val->getBitWidth() <= 64) { + int64_t *coeffs = generateLinearMBA(NUM_COEFFS); + coeffs[14] -= val->getValue().getZExtValue(); + Value *mbaExpr = insertLinearMBA(coeffs, I); + delete[] coeffs; + if (val->getBitWidth() <= 32) { + mbaExpr = insertPolynomialMBA(mbaExpr, I); + } + I->setOperand(i, mbaExpr); + } +} + +void Pluto::MbaObfuscation::substitute(BinaryOperator *BI) { + Value *mbaExpr = nullptr; + switch (BI->getOpcode()) { + case BinaryOperator::Add: + mbaExpr = substituteAdd(BI); + break; + case BinaryOperator::Sub: + mbaExpr = substituteSub(BI); + break; + case BinaryOperator::And: + mbaExpr = substituteAnd(BI); + break; + case BinaryOperator::Or: + mbaExpr = substituteOr(BI); + break; + case BinaryOperator::Xor: + mbaExpr = substituteXor(BI); + break; + default: + break; + } + if (mbaExpr) { + if (BI->getOperand(0)->getType()->getIntegerBitWidth() <= 32) { + mbaExpr = insertPolynomialMBA(mbaExpr, BI); + } + BI->replaceAllUsesWith(mbaExpr); + } +} + +Value *Pluto::MbaObfuscation::substituteAdd(BinaryOperator *BI) { + int64_t *coeffs = generateLinearMBA(NUM_COEFFS); + coeffs[2] += 1; + coeffs[4] += 1; + Value *mbaExpr = insertLinearMBA(coeffs, BI); + delete[] coeffs; + return mbaExpr; +} + +Value *Pluto::MbaObfuscation::substituteSub(BinaryOperator *BI) { + int64_t *coeffs = generateLinearMBA(NUM_COEFFS); + coeffs[2] += 1; + coeffs[4] -= 1; + Value *mbaExpr = insertLinearMBA(coeffs, BI); + delete[] coeffs; + return mbaExpr; +} + +Value *Pluto::MbaObfuscation::substituteXor(BinaryOperator *BI) { + int64_t *coeffs = generateLinearMBA(NUM_COEFFS); + coeffs[5] += 1; + Value *mbaExpr = insertLinearMBA(coeffs, BI); + delete[] coeffs; + return mbaExpr; +} + +Value *Pluto::MbaObfuscation::substituteAnd(BinaryOperator *BI) { + int64_t *coeffs = generateLinearMBA(NUM_COEFFS); + coeffs[0] += 1; + Value *mbaExpr = insertLinearMBA(coeffs, BI); + delete[] coeffs; + return mbaExpr; +} + +Value *Pluto::MbaObfuscation::substituteOr(BinaryOperator *BI) { + int64_t *coeffs = generateLinearMBA(NUM_COEFFS); + coeffs[6] += 1; + Value *mbaExpr = insertLinearMBA(coeffs, BI); + delete[] coeffs; + return mbaExpr; +} \ No newline at end of file