
Break ghidra constant folding through inline-never fns #46

Closed (1 commit)


roblabla

Heyo,

I just updated my project to obfstr 4, and overall the improvements are quite nice! However, there is one small downside compared to the previous version: obfstr 4 generates a huge block of data in the .data section that xrefs every piece of code dealing with obfuscated strings:

[image]

This is not ideal, as it gives a reverser a simple way to find all the code offsets to obfuscated strings, making the creation of an automated deobfuscation tool a bit easier.

Digging into the code, I figured that this change came from the new xref code. After reading over #44, I eventually figured that this was done to break Ghidra's constant folding which defeated much of the obfuscation.

So I tried to take a different approach here: instead of storing the xref offsets in .data, I figured they could be stored in a dedicated function marked `#[inline(never)]`. In theory, Ghidra will not be able to "see through" the call, and thus the constant folding is broken.

Here's the result:

[image]
This approach has the additional benefit of not using the .data segment, which should let code integrity checks properly verify that the xref offsets aren't tampered with.
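The following is an added illustration of the pattern the PR describes, not code from the PR or from obfstr itself: the value a decompiler would otherwise constant-fold is only reachable through a call to a function marked `#[inline(never)]`, so the decoding site carries a call rather than a load from a `.data` table. The function name `xref_key`, the single 64-bit key and the XOR "cipher" are constructed assumptions for the example; obfstr's real layout and encoding differ.

```rust
// Added example (not obfstr's own code). Demonstrates hiding the value that
// Ghidra would otherwise fold into the decode site behind a non-inlined call.

/// Hypothetical stand-in for the "xref" the PR moves out of .data. Here it is
/// a plain 64-bit key; black_box stops the optimiser from propagating the
/// constant into callers, and #[inline(never)] keeps the call boundary intact.
#[inline(never)]
pub fn xref_key() -> u64 {
    std::hint::black_box(KEY)
}

/// The key must be a const so the literal can be encoded at compile time.
const KEY: u64 = 0x9E37_79B9_7F4A_7C15;

/// Constructed toy cipher: XOR each byte with the matching byte of the key.
const fn obfuscate<const N: usize>(s: &[u8; N], key: u64) -> [u8; N] {
    let mut out = [0u8; N];
    let mut i = 0;
    while i < N {
        out[i] = s[i] ^ (key >> ((i % 8) * 8)) as u8;
        i += 1;
    }
    out
}

/// The encoded literal lives in .rodata; the plaintext never does.
pub const SECRET: [u8; 13] = obfuscate(b"hello, world!", KEY);

/// Runtime decode, symmetric with `obfuscate`.
fn deobfuscate(enc: &[u8], key: u64) -> Vec<u8> {
    enc.iter()
        .enumerate()
        .map(|(i, b)| b ^ (key >> ((i % 8) * 8)) as u8)
        .collect()
}

/// The decode site depends on the call result, not on the constant itself,
/// so a decompiler that folds constants cannot resolve the string statically.
pub fn reveal_secret() -> String {
    let key = xref_key();
    String::from_utf8(deobfuscate(&SECRET, key)).expect("valid utf8")
}

fn main() {
    println!("{}", reveal_secret());
}
```

Note that every such `#[inline(never)]` helper is still a distinct function in the binary, which is the trade-off the maintainer raises in the reply below; the example only shows why the call breaks folding, not that it hides the helpers.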

CasualX (Owner) commented Jul 28, 2022

Does the same problem not happen with the `#[inline(never)]` approach? There should be a ton of `mov rax, OFFSET; retn` funcs which you can easily enumerate as well.

CasualX mentioned this pull request Mar 1, 2023
CasualX closed this in #48 Mar 2, 2023
CasualX added a commit that referenced this pull request Mar 2, 2023:
Also eliminates bound checks in murmur3.

Closes #46