meme / hellscape

GIMPLE obfuscator for C, C++, Go, ... all supported GCC targets and front-ends that use GIMPLE.
GNU General Public License v3.0

fla problem #9

Open liufengwenyu opened 4 years ago

liufengwenyu commented 4 years ago

Hello, I tried to run the fla pass on the following function:

void make_kn(unsigned char *k1, const unsigned char *l, int bl)
{
    int i;
    unsigned char c = l[0], carry = c >> 7, cnext;

    for (i = 0; i < bl - 1; i++, c = cnext)
        k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7);

    k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b));
}

But an error is reported; the error information is as follows:

demo/test1.c: In function ‘make_kn’:
demo/test1.c:20:5: internal compiler error: Segmentation fault
 int make_kn(unsigned char *k1, const unsigned char *l, int bl)
     ^~~~~~~
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-7/README.Bugs> for instructions.

I tried to print out the CFG (test.dot), and it looks normal.

digraph cfg {
subgraph fun_0x7f260e938a50 {
bb_0x7f260e938a50_0[label="ENTRY: make_kn
demo/test1.c:21"];
bb_0x7f260e938a50_0 -> bb_0x7f260e938a50_9;
bb_0x7f260e938a50_9[label="switchVar.1 = 1181241669;
"];
bb_0x7f260e938a50_9 -> bb_0x7f260e938a50_10;
bb_0x7f260e938a50_10[label="GIMPLE_NOP
switch (switchVar.1) <default: <L7> [0.00%], case 262431419: <L9> [0.00%], case 381899955: <L12> [0.00%], case 517503240: <L14> [0.00%], case 1181241669: <L8> [0.00%], case 1186855106: <L10> [0.00%], case 1198866764: <L13> [0.00%], case 1477094765: <L11> [0.00%]>
"];
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_12;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_2;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_3;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_4;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_5;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_6;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_7;
bb_0x7f260e938a50_10 -> bb_0x7f260e938a50_8;
bb_0x7f260e938a50_12[label="<L7> [0.00%]:
GIMPLE_NOP
"];
bb_0x7f260e938a50_12 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_11[label="GIMPLE_NOP
"];
bb_0x7f260e938a50_11 -> bb_0x7f260e938a50_10;
bb_0x7f260e938a50_2[label="<L8> [0.00%]:
c = *l;
carry = c >> 7;
i = 0;
switchVar.1 = 1186855106;
"];
bb_0x7f260e938a50_2 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_3[label="<L9> [0.00%]:
_1 = (int) c;
_2 = _1 << 1;
_3 = (signed char) _2;
_4 = (sizetype) i;
_5 = _4 + 1;
_6 = l + _5;
cnext = *_6;
_7 = cnext >> 7;
_8 = (signed char) _7;
_9 = _3 | _8;
_10 = (sizetype) i;
_11 = k1 + _10;
_12 = (unsigned char) _9;
*_11 = _12;
i = i + 1;
c = cnext;
switchVar.1 = 1186855106;
"];
bb_0x7f260e938a50_3 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_4[label="<L10> [0.00%]:
_13 = bl + -1;
switchVar.1 = i < _13 ? 262431419 : 1477094765;
"];
bb_0x7f260e938a50_4 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_5[label="<L11> [0.00%]:
_14 = (int) c;
_15 = _14 << 1;
_16 = (signed char) _15;
_17 = -carry;
_18 = (signed char) _17;
switchVar.1 = bl == 16 ? 381899955 : 1198866764;
"];
bb_0x7f260e938a50_5 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_6[label="<L12> [0.00%]:
iftmp.0 = -121;
switchVar.1 = 517503240;
"];
bb_0x7f260e938a50_6 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_7[label="<L13> [0.00%]:
iftmp.0 = 27;
switchVar.1 = 517503240;
"];
bb_0x7f260e938a50_7 -> bb_0x7f260e938a50_11;
bb_0x7f260e938a50_8[label="<L14> [0.00%]:
_19 = iftmp.0 & _18;
_20 = _16 ^ _19;
_21 = (sizetype) i;
_22 = k1 + _21;
_23 = (unsigned char) _20;
*_22 = _23;
D.2716 = 0;
return D.2716;
"];
bb_0x7f260e938a50_8 -> bb_0x7f260e938a50_1;
bb_0x7f260e938a50_1[label="EXIT: make_kn
demo/test1.c:32"];
}
}

dot -Tpng test.dot > test.png

Do you have any ideas?
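The dot graph above is the flattened CFG of make_kn after the fla pass: one dispatcher block switching on switchVar, with every original basic block turned into a case that ends by storing the id of the next block. As an added example (not code from the issue or from hellscape), here is a hand-written C transcription of that graph beside the original function, using the case ids the dump printed, with a check that both versions agree on constructed inputs. The signed-char temporaries in the dump are GCC narrowing and are folded into unsigned char arithmetic here; the local names t16, t18 and iftmp are mine, mirroring _16, _18 and iftmp.0.

```c
/* Added example, not code from the issue or from hellscape: a hand-written
 * transcription of the flattened CFG in test.dot beside the original make_kn,
 * plus a comparison over constructed inputs. */
#include <stdio.h>
#include <string.h>

/* The original function from the issue (CMAC-style subkey doubling). */
void make_kn(unsigned char *k1, const unsigned char *l, int bl)
{
    int i;
    unsigned char c = l[0], carry = c >> 7, cnext;

    for (i = 0; i < bl - 1; i++, c = cnext)
        k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7);

    k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b));
}

/* Flattened form: each basic block of the dump is one case of a single switch
 * on switchVar, and each case ends by naming the block that runs next. The case
 * ids are the constants printed in test.dot; the dump's signed-char temporaries
 * are GCC narrowing and are folded into unsigned char arithmetic here. */
void make_kn_flat(unsigned char *k1, const unsigned char *l, int bl)
{
    int i = 0;
    unsigned char c = 0, carry = 0, cnext = 0;
    unsigned char t16 = 0, t18 = 0, iftmp = 0; /* _16, _18, iftmp.0 live across blocks */
    unsigned int switchVar = 1181241669u;       /* initial state: <L8> */

    for (;;) {                                   /* dispatcher: bb_10 / bb_11 */
        switch (switchVar) {
        case 1181241669u:                        /* <L8>: loop pre-header */
            c = l[0];
            carry = c >> 7;
            i = 0;
            switchVar = 1186855106u;
            break;
        case 1186855106u:                        /* <L10>: loop condition */
            switchVar = (i < bl - 1) ? 262431419u : 1477094765u;
            break;
        case 262431419u:                         /* <L9>: loop body */
            cnext = l[i + 1];
            k1[i] = (unsigned char)((c << 1) | (cnext >> 7));
            i = i + 1;
            c = cnext;
            switchVar = 1186855106u;
            break;
        case 1477094765u:                        /* <L11>: pick reduction constant */
            t16 = (unsigned char)(c << 1);
            t18 = (unsigned char)(0 - carry);    /* 0x00 or 0xff */
            switchVar = (bl == 16) ? 381899955u : 1198866764u;
            break;
        case 381899955u:                         /* <L12> */
            iftmp = 0x87;                        /* -121 as signed char in the dump */
            switchVar = 517503240u;
            break;
        case 1198866764u:                        /* <L13> */
            iftmp = 0x1b;                        /* 27 */
            switchVar = 517503240u;
            break;
        case 517503240u:                         /* <L14>: final byte, then EXIT */
            k1[i] = (unsigned char)(t16 ^ (iftmp & t18));
            return;
        default:                                 /* <L7>: never reached; the dump's
                                                    default block is a GIMPLE_NOP
                                                    that re-enters the dispatcher */
            break;
        }
    }
}

/* Runs both versions on constructed inputs; returns 1 when they agree and the
 * results match hand-computed bytes, 0 otherwise. */
int flat_matches_original(void)
{
    /* Constructed inputs: a 16-byte block with the top bit set (takes the 0x87
     * path) and an 8-byte block without it (takes the 0x1b path). */
    static const unsigned char l16[16] = {
        0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0xff };
    static const unsigned char l8[8] = {
        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 };
    unsigned char a[16], b[16];

    make_kn(a, l16, 16);
    make_kn_flat(b, l16, 16);
    if (memcmp(a, b, 16) != 0) return 0;
    /* 0x80 << 1 drops the top bit; 0xff doubles to 0xfe, then ^ 0x87 = 0x79. */
    if (a[0] != 0x00 || a[14] != 0x1d || a[15] != 0x79) return 0;

    make_kn(a, l8, 8);
    make_kn_flat(b, l8, 8);
    if (memcmp(a, b, 8) != 0) return 0;
    /* carry is 0 here, so the last byte is just 0xf0 << 1 truncated = 0xe0. */
    if (a[3] != 0xf1 || a[7] != 0xe0) return 0;
    return 1;
}

int main(void)
{
    int ok = flat_matches_original();
    printf("flattened == original: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Reading the flat version against the dump is the quickest way to recognise this kind of output in a binary: the loop's back edge and both exits of the ternary are gone from the structure and survive only as assignments to switchVar, which is why an analyst recovering the original CFG has to track the values written to the state variable rather than the branch layout.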

meme commented 4 years ago

GCC 7 is not supported, please use >= 9.3.0.

liufengwenyu commented 4 years ago

I switched to GCC 9.3 and there was no problem with the above function. But I think there are still some problems. For example, the following function:

#include <stdio.h>   /* printf */
#include <stdlib.h>  /* malloc, exit */

void* app_malloc(int sz, const char *what)
{
    void *vp = malloc(sz);

    if (vp == NULL) {
        printf("Could not allocate %d bytes for %s\n", sz, what);
        exit(1);
    }
    return vp;
}

gcc -fPIC -fplugin=./hellscape.so -fplugin-arg-hellscape-seed=deadbeef -fplugin-arg-hellscape-fla -c target.c -o target.o

The error message is as follows:

*** WARNING *** there are active plugins, do not report this as a bug unless you can reproduce it without enabling any plugins.
Event                            | Plugins
PLUGIN_FINISH                    | hellscape
during GIMPLE pass: fla
target.c: In function ‘app_malloc’:
target.c:53:7: internal compiler error: Segmentation fault
   53 | void* app_malloc(int sz, const char *what)
      |       ^~~~~~~~~~
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-9/README.Bugs> for instructions.

By drawing the CFG, I found that some blocks have no succs. So I added:

    if (last->code == GIMPLE_COND) {
        /**/
    } else {
        if (!target->succs)
            continue;
    }
    /**/
}

It's working. But once the -O option is added, an inline error is reported:

gcc -fPIC -fplugin=./hellscape.so -fplugin-arg-hellscape-seed=deadbeef -fplugin-arg-hellscape-fla -c target.c -o target.o -O1

*** WARNING *** there are active plugins, do not report this as a bug unless you can reproduce it without enabling any plugins.
Event                            | Plugins
PLUGIN_FINISH                    | hellscape
during GIMPLE pass: einline
target.c: In function ‘app_malloc’:
target.c:62:1: internal compiler error: Segmentation fault
   62 | }
      | ^
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-9/README.Bugs> for instructions.

I tried to add -fdisable-tree-einline, but it didn't work.

liufengwenyu commented 4 years ago

Well, need to add -fdisable-tree-einline and -fdisable-ipa-inline.