Break ghidra constant folding through inline-never fns #46
Heyo,
I just updated my project to obfstr 4, and overall the improvements are quite nice! However, there is one small downside compared to the previous version: obfstr 4 generates a huge block of data that xrefs every piece of code dealing with obfuscated strings in the .data block:
This is not ideal, as it gives a reverser a simple way to find all the code offsets to obfuscated strings, making the creation of an automated deobfuscation tool a bit easier.
Digging into the code, I figured that this change came from the new xref code. After reading over #44, I eventually figured that this was done to break Ghidra's constant folding which defeated much of the obfuscation.
So I tried to take a different approach here: Instead of storing the xref offsets in the .data, I figured they could be stored in a dedicated function marked `inline(never)`. In theory, ghidra will not be able to "see through" the call, and thus break the constant folding. Here's the result:
This approach has the other benefit of not using the `.data` segment, which should make code integrity checks properly verify that the xref offsets aren't tampered with.
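As an added illustration of the two shapes discussed in this PR (a static key table that every call site xrefs versus key material produced by an `#[inline(never)]` function), here is a small standalone example; it is not obfstr's code, and the sample bytes, key schedule and function names are constructed for the illustration:

```rust
// Added illustration of the idea in this PR, not obfstr's own code.
// Before: a static table in a data section holds per-site key material, so
// every call site carries an xref to it and a reverser can enumerate them.
// After: the same material comes from a function marked #[inline(never)], so a
// decompiler sees an opaque call instead of a constant it can fold.

/// Constructed sample: the bytes of "hello" XORed with key_byte(0..5).
pub const OBFUSCATED: [u8; 5] = [0x32, 0x1C, 0xF4, 0xDB, 0xB9];

/// "Before" shape: key material in a static, visible as a data-section xref target.
/// (Constructed layout; not how obfstr lays out its table.)
pub static KEY_TABLE: [u8; 5] = [0x5A, 0x79, 0x98, 0xB7, 0xD6];

/// "After" shape: the key is computed inside a function the optimizer must not inline.
/// Caveat: #[inline(never)] only blocks inlining; LLVM may still propagate a provably
/// constant return value across the call. The PR's target is Ghidra's folding.
#[inline(never)]
pub fn key_byte(i: usize) -> u8 {
    let seed: u8 = 0x5A; // constructed seed
    seed.wrapping_add((i as u8).wrapping_mul(0x1F))
}

/// Decode using the static table (the xref-heavy shape).
pub fn deobfuscate_via_table(data: &[u8]) -> String {
    data.iter()
        .zip(KEY_TABLE.iter())
        .map(|(&b, &k)| (b ^ k) as char)
        .collect()
}

/// Decode by calling through the non-inlined function (the shape this PR proposes).
pub fn deobfuscate_via_call(data: &[u8]) -> String {
    data.iter()
        .enumerate()
        .map(|(i, &b)| (b ^ key_byte(i)) as char)
        .collect()
}

fn main() {
    println!("{}", deobfuscate_via_call(&OBFUSCATED));
}
```

Both decoders recover the same string; the difference is only in what a decompiler has to follow to reach the key, which is the point of the change.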