bluesadi / Pluto

Obfuscator based on LLVM 14.0.6

fix stack overflow bug #50

Closed mrh929 closed 1 year ago

mrh929 commented 1 year ago

When I used MBA Obfuscator to run the mbedtls 3.4.0 benchmark, it actually crashed.

So I went through the assembly, only to find that each instruction substitution will raise the stack pointer. If obfuscated operations are called many times in the same function, the stack will overflow, causing a segmentation fault.

PoC:

#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

uint64_t func(const uint64_t t, const uint64_t n){
    uint64_t res = t;

    /*
        never mind, just a few casual calculations; the point is that the
        loop body runs many times inside one function
    */
    for(uint64_t i = 0; i < n; i++){
        res = ((114514 + res) >> 1) + ((1919810 + res) << 1);
        res = (res + 0x24) * 24;
    }
    return res;
}

int main(void){
    /* PRIx64 is the portable format for uint64_t */
    printf("result is: 0x%" PRIx64 "\n", func(1, 0x10000000));
    return 0;
}

compilation args: clang test.c -mllvm -mba -mllvm -mba-prob=50 -o test_obf
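The symptom in the report is a stack pointer that moves on every obfuscated operation inside a loop, so the frame never stops growing until the function returns. The added example below is not Pluto's code or the PoC author's; it contrasts a loop whose scratch space lives in a fixed frame with one that takes fresh stack space per iteration, using `__builtin_alloca` as a stand-in for whatever the pass emitted (that the pass used an alloca-like allocation is an assumption of this example, not something the PR states). The `would_overflow` helper and the 8 MiB stack limit are likewise assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Added illustration, not Pluto's code. __builtin_alloca stands in for the
 * per-operation stack allocation the report describes; that mechanism is an
 * assumption here. */

/* Distance in bytes between two stack addresses, independent of the
 * direction in which the stack grows on this platform. */
static uint64_t stack_distance(uintptr_t a, uintptr_t b) {
    return a > b ? a - b : b - a;
}

/* Fixed-frame loop: the scratch slot is part of the function's own frame,
 * so its address is the same on every iteration. Returns the distance
 * between the slot's address on the first and on the last iteration (0). */
uint64_t fixed_frame_growth(uint64_t n) {
    volatile uint64_t scratch = 0;
    uintptr_t first = 0, last = 0;
    for (uint64_t i = 0; i < n; i++) {
        scratch = (scratch + 0x24) * 24;
        uintptr_t here = (uintptr_t)&scratch;
        if (i == 0) first = here;
        last = here;
    }
    return stack_distance(first, last);
}

/* Dynamic-frame loop: every iteration allocates a new 16-byte scratch area
 * on the stack, and none of it is released until the function returns.
 * The stack pointer therefore drifts by at least 16 bytes per iteration.
 * Returns the distance between the first and the last allocation. */
uint64_t dynamic_frame_growth(uint64_t n) {
    uintptr_t first = 0, last = 0;
    for (uint64_t i = 0; i < n; i++) {
        volatile uint64_t *scratch = __builtin_alloca(16);
        scratch[0] = (i + 0x24) * 24;      /* touch it so it is not elided */
        uintptr_t here = (uintptr_t)scratch;
        if (i == 0) first = here;
        last = here;
    }
    return stack_distance(first, last);
}

/* Does growth_per_iter bytes per iteration exhaust a stack of limit bytes
 * before iterations are done? Returns 1 if so, 0 otherwise. */
int would_overflow(uint64_t growth_per_iter, uint64_t iterations, uint64_t limit) {
    if (growth_per_iter == 0) return 0;
    return iterations > limit / growth_per_iter;
}

int main(void) {
    const uint64_t n = 1000;
    const uint64_t stack_limit = 8ULL << 20;   /* assumed 8 MiB main-thread stack */
    uint64_t fixed = fixed_frame_growth(n);
    uint64_t dyn = dynamic_frame_growth(n);

    printf("fixed frame:   %" PRIu64 " bytes of drift over %" PRIu64 " iterations\n", fixed, n);
    printf("dynamic frame: %" PRIu64 " bytes of drift over %" PRIu64 " iterations\n", dyn, n);

    /* Extrapolate the per-iteration drift to the PoC's 0x10000000 iterations. */
    uint64_t per_iter = n > 1 ? dyn / (n - 1) : 0;
    printf("PoC loop count 0x10000000 would %s an %" PRIu64 " MiB stack\n",
           would_overflow(per_iter, 0x10000000ULL, stack_limit) ? "overflow" : "fit in",
           stack_limit >> 20);
    return 0;
}
```

The fixed-frame function reports zero drift however long it runs; the dynamic one reports at least 16 bytes per iteration, which at the PoC's loop count is gigabytes against a stack of a few megabytes. A quick check of the same kind on obfuscated output is to compare the stack pointer at the top and bottom of a hot loop in the disassembly: a frame that is set up once in the prologue is fine, one that shrinks on every iteration is the bug.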

bluesadi commented 1 year ago

Thank you!