open-obfuscator / o-mvll

:electron: O-MVLL is a LLVM-based obfuscator for native code (Android & iOS)
https://obfuscator.re/omvll
Apache License 2.0

String decoding in StackLoop doesn't work #35

Closed andr-ggn closed 8 months ago

andr-ggn commented 9 months ago

Hello guys, thank you for your great repo! I'm playing around with string encoding and found an interesting thing which I want to share with you:

You have a code for stack loop encryption: `out[i] = in[i] ^ raw_key[i % sizeof(key)];`

And the decryption part is: `out[i] = in[i] ^ raw_key[i % sizeof(key)] ^ i;`

I believe that the decryption part should not contain `^ i` at the end.

Thanks

romainthomas commented 9 months ago

I think you misread two lines:

https://github.com/open-obfuscator/o-mvll/blob/2a07dab881308add733d3a25ca9d16e7eb3abbb8/src/passes/strings-encoding/StringEncoding.cpp#L54-L68

https://github.com/open-obfuscator/o-mvll/blob/2a07dab881308add733d3a25ca9d16e7eb3abbb8/src/passes/strings-encoding/StringEncoding.cpp#L39-L52

So it works as expected
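The two encode/decode pairs discussed above, as an added example that is not the project's code: it assumes, as the thread implies, that one routine XORs each byte with a repeating key alone and the other also XORs in the byte index, and it uses a constructed key. It shows that each pair round-trips only when both halves use the same formula, which is why dropping `^ i` from one side would break it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 8-byte key for the demonstration (not a project value). */
static const uint8_t key[8] = {0x13, 0x37, 0xde, 0xad, 0xbe, 0xef, 0xc0, 0xde};

typedef void (*xor_fn)(const uint8_t *in, uint8_t *out, size_t n);

/* Routine 0 (assumed): XOR each byte with the repeating key. */
static void routine0_encode(const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % sizeof(key)];
}
/* XOR is its own inverse, so decoding applies the same formula. */
static void routine0_decode(const uint8_t *in, uint8_t *out, size_t n) {
    routine0_encode(in, out, n);
}

/* Routine 1 (assumed): XOR with the key AND the byte index. Since
 * (x ^ k ^ i) ^ k ^ i == x, the decoder must also include ^ i. */
static void routine1_encode(const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % sizeof(key)] ^ (uint8_t)i;
}
static void routine1_decode(const uint8_t *in, uint8_t *out, size_t n) {
    routine1_encode(in, out, n);
}

/* Returns 1 if encoding with `enc` and decoding with `dec` restores the
 * constructed sample string, 0 otherwise. Mixing the two routines, or
 * dropping ^ i from only one side, makes this return 0. */
static int round_trips(xor_fn enc, xor_fn dec) {
    const char *msg = "constructed sample string";
    size_t n = strlen(msg);
    uint8_t enc_buf[64], dec_buf[64];
    enc((const uint8_t *)msg, enc_buf, n);
    dec(enc_buf, dec_buf, n);
    return memcmp(msg, dec_buf, n) == 0;
}
```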

andr-ggn commented 9 months ago

My bad. This part is correct.

I have a problem that only one of the encode/decode pairs works: `StringRef R = ROUTINES[0]` or `StringRef R = ROUTINES[1]`. If I try to apply both routines, it becomes strange behaviour. Maybe because I try to adapt this code to work with opt.

> Look up the specified function in the module symbol table. If it does not exist, add a prototype for the function and return it. This is nice because it allows most passes to get away with not handling the symbol table directly for this common task.

```cpp
FunctionCallee DecodeCallee =
    M->getOrInsertFunction("__omvll_decode", FDecode->getFunctionType());
```

https://github.com/open-obfuscator/o-mvll/blob/2a07dab881308add733d3a25ca9d16e7eb3abbb8/src/passes/strings-encoding/StringEncoding.cpp#L362 Could it be a problem with this? Example:

Which is incorrect.

THANKS!

antoniofrighetto commented 9 months ago

@andr-ggn, thanks for reporting this! I fixed this via bd1440f5ce8660781113d9ebb31d5852873b6e61, if you rebase to main it should work as expected. This is not really the best fix, but for now it should suffice. Feel free to let us know!