open-obfuscator / o-mvll

:electron: O-MVLL is a LLVM-based obfuscator for native code (Android & iOS)
https://obfuscator.re/omvll
Apache License 2.0
631 stars 68 forks source link

Stack underflow using obfuscate_constants #39

Closed matbrik closed 7 months ago

matbrik commented 8 months ago

Target: iOS arm64e OMVLL Version: 1.1.0-b5f1bee / 14.0.0git ( (c41f13252ed4b49f246729b4d91ff521d5a6bf9d)) Compilation of O-MVLL: CI

I've noticed that the stack grows until reaching the maximum size using obfuscate_constants on a function while in a loop:

if I try this function:

void testx(){
    int i=0;
    while(1){   
       i++;
    }
}

and the following config.py

""" class MyConfig(omvll.ObfuscationConfig): def init(self): super().init()

def obfuscate_constants(self, _, __):
    if "testx" in str(__.name):
        return True
    return False

"""
sp grows(decreases) by 0x20 for every iteration in the loop crashing the program

marcobrador commented 7 months ago

Thanks @matbrik for the report. We will look into this and come back to you as soon as possible.

antoniofrighetto commented 7 months ago

@matbrik, thanks for reporting, and please bear with us for coming back just now. I fixed the issue since we clearly cannot segfault when the original program did not, although be aware of how optimizers can pick their own choice in presence of UB in infinite loops in C++ (see: https://godbolt.org/z/1jv99es8P, https://github.com/llvm/llvm-project/issues/60622).

matbrik commented 7 months ago

@antoniofrighetto thanks for the fix, it effectively solves the problem in the case of while(1) but it segfaults in the same way if there is a for loop with a lot of iterations for(int i=0;i<100000;i++){} also I noticed in my tests that the flatten_cfg on a while(1) reaches the the top of the stack

Should I open a new issue or reopen this one?

antoniofrighetto commented 7 months ago

@matbrik, unfortunately this is a bit of expected by design, as this is how the pass works. I think we could try preventing opaque within loops, but you would likely have the same issue with recursive functions. Feel free to open a new issue, I'll think about what we can do here.