From 98e0b5c7f1277be725f8150102b88a992f65d196 Mon Sep 17 00:00:00 2001 From: linchaolong Date: Wed, 11 Dec 2024 11:14:02 +0800 Subject: [PATCH] ollvm support llvm 18.1.8 --- llvm/lib/Passes/CMakeLists.txt | 13 + .../Passes/Obfuscation/BogusControlFlow.cpp | 682 +++++++++ .../lib/Passes/Obfuscation/BogusControlFlow.h | 50 + llvm/lib/Passes/Obfuscation/CryptoUtils.cpp | 1254 +++++++++++++++++ llvm/lib/Passes/Obfuscation/CryptoUtils.h | 147 ++ llvm/lib/Passes/Obfuscation/Flattening.cpp | 130 ++ llvm/lib/Passes/Obfuscation/Flattening.h | 30 + .../Obfuscation/IPObfuscationContext.cpp | 331 +++++ .../Passes/Obfuscation/IPObfuscationContext.h | 60 + .../lib/Passes/Obfuscation/IndirectBranch.cpp | 153 ++ llvm/lib/Passes/Obfuscation/IndirectBranch.h | 41 + llvm/lib/Passes/Obfuscation/IndirectCall.cpp | 159 +++ llvm/lib/Passes/Obfuscation/IndirectCall.h | 39 + .../Obfuscation/IndirectGlobalVariable.cpp | 168 +++ .../Obfuscation/IndirectGlobalVariable.h | 42 + .../Passes/Obfuscation/ObfuscationOptions.cpp | 114 ++ .../Passes/Obfuscation/ObfuscationOptions.h | 26 + .../Passes/Obfuscation/SplitBasicBlock.cpp | 143 ++ llvm/lib/Passes/Obfuscation/SplitBasicBlock.h | 33 + .../Passes/Obfuscation/StringEncryption.cpp | 487 +++++++ .../lib/Passes/Obfuscation/StringEncryption.h | 109 ++ llvm/lib/Passes/Obfuscation/Substitution.cpp | 507 +++++++ llvm/lib/Passes/Obfuscation/Substitution.h | 96 ++ llvm/lib/Passes/Obfuscation/Utils.cpp | 350 +++++ llvm/lib/Passes/Obfuscation/Utils.h | 39 + llvm/lib/Passes/Obfuscation/compat/CallSite.h | 767 ++++++++++ llvm/lib/Passes/PassBuilder.cpp | 49 + 27 files changed, 6019 insertions(+) create mode 100644 llvm/lib/Passes/Obfuscation/BogusControlFlow.cpp create mode 100644 llvm/lib/Passes/Obfuscation/BogusControlFlow.h create mode 100644 llvm/lib/Passes/Obfuscation/CryptoUtils.cpp create mode 100644 llvm/lib/Passes/Obfuscation/CryptoUtils.h create mode 100644 llvm/lib/Passes/Obfuscation/Flattening.cpp create mode 100644 llvm/lib/Passes/Obfuscation/Flattening.h create mode 100644 llvm/lib/Passes/Obfuscation/IPObfuscationContext.cpp create mode 100644 llvm/lib/Passes/Obfuscation/IPObfuscationContext.h create mode 100644 llvm/lib/Passes/Obfuscation/IndirectBranch.cpp create mode 100644 llvm/lib/Passes/Obfuscation/IndirectBranch.h create mode 100644 llvm/lib/Passes/Obfuscation/IndirectCall.cpp create mode 100644 llvm/lib/Passes/Obfuscation/IndirectCall.h create mode 100644 llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.cpp create mode 100644 llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.h create mode 100644 llvm/lib/Passes/Obfuscation/ObfuscationOptions.cpp create mode 100644 llvm/lib/Passes/Obfuscation/ObfuscationOptions.h create mode 100644 llvm/lib/Passes/Obfuscation/SplitBasicBlock.cpp create mode 100644 llvm/lib/Passes/Obfuscation/SplitBasicBlock.h create mode 100644 llvm/lib/Passes/Obfuscation/StringEncryption.cpp create mode 100644 llvm/lib/Passes/Obfuscation/StringEncryption.h create mode 100644 llvm/lib/Passes/Obfuscation/Substitution.cpp create mode 100644 llvm/lib/Passes/Obfuscation/Substitution.h create mode 100644 llvm/lib/Passes/Obfuscation/Utils.cpp create mode 100644 llvm/lib/Passes/Obfuscation/Utils.h create mode 100644 llvm/lib/Passes/Obfuscation/compat/CallSite.h diff --git a/llvm/lib/Passes/CMakeLists.txt b/llvm/lib/Passes/CMakeLists.txt index 98d2de76c0..956e62820a 100644 --- a/llvm/lib/Passes/CMakeLists.txt +++ b/llvm/lib/Passes/CMakeLists.txt @@ -6,6 +6,19 @@ add_llvm_component_library(LLVMPasses PassPlugin.cpp StandardInstrumentations.cpp + Obfuscation/Utils.cpp + Obfuscation/CryptoUtils.cpp + Obfuscation/ObfuscationOptions.cpp + Obfuscation/BogusControlFlow.cpp + Obfuscation/IPObfuscationContext.cpp + Obfuscation/Flattening.cpp + Obfuscation/StringEncryption.cpp + Obfuscation/SplitBasicBlock.cpp + Obfuscation/Substitution.cpp + Obfuscation/IndirectBranch.cpp + Obfuscation/IndirectCall.cpp + Obfuscation/IndirectGlobalVariable.cpp + ADDITIONAL_HEADER_DIRS ${LLVM_MAIN_INCLUDE_DIR}/llvm ${LLVM_MAIN_INCLUDE_DIR}/llvm/Passes diff --git a/llvm/lib/Passes/Obfuscation/BogusControlFlow.cpp b/llvm/lib/Passes/Obfuscation/BogusControlFlow.cpp new file mode 100644 index 0000000000..51756491d4 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/BogusControlFlow.cpp @@ -0,0 +1,682 @@ +//===- BogusControlFlow.h - BogusControlFlow Obfuscation pass-------------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===--------------------------------------------------------------------------------===// +// +// This file contains includes and defines for the bogusControlFlow pass +// +//===--------------------------------------------------------------------------------===// +/* + LLVM BogusControlFlow Pass + The main modification is the branching condition is calculated on-the-fly + Instead of hard-code the always true condition. Relicensed from NCSA license + to AGPL Copyright (C) 2017 Zhang(https://github.com/Naville/) + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + any later version. + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + */ + +//===- BogusControlFlow.cpp - BogusControlFlow Obfuscation +// pass-------------------------===// +// +// This file implements BogusControlFlow's pass, inserting bogus control flow. +// It adds bogus flow to a given basic block this way: +// +// Before : +// entry +// | +// ______v______ +// | Original | +// |_____________| +// | +// v +// return +// +// After : +// entry +// | +// ____v_____ +// |condition*| (false) +// |__________|----+ +// (true)| | +// | | +// ______v______ | +// +-->| Original* | | +// | |_____________| (true) +// | (false)| !-----------> return +// | ______v______ | +// | | Altered |<--! +// | |_____________| +// |__________| +// +// * The results of these terminator's branch's conditions are always true, but +// these predicates are +// opacificated. For this, we declare two global values: x and y, and replace +// the FCMP_TRUE predicate with (y < 10 || x * (x + 1) % 2 == 0) (this could +// be improved, as the global values give a hint on where are the opaque +// predicates) +// +// The altered bloc is a copy of the original's one with junk instructions +// added accordingly to the type of instructions we found in the bloc +// +// Each basic block of the function is choosen if a random number in the range +// [0,100] is smaller than the choosen probability rate. The default value +// is 30. This value can be modify using the option -boguscf-prob=[value]. +// Value must be an integer in the range [0, 100], otherwise the default value +// is taken. Exemple: -boguscf -boguscf-prob=60 +// +// The pass can also be loop many times on a function, including on the basic +// blocks added in a previous loop. Be careful if you use a big probability +// number and choose to run the loop many times wich may cause the pass to run +// for a very long time. The default value is one loop, but you can change it +// with -boguscf-loop=[value]. Value must be an integer greater than 1, +// otherwise the default value is taken. Exemple: -boguscf -boguscf-loop=2 +// +// +// Defined debug types: +// - "gen" : general informations +// - "opt" : concerning the given options (parameter) +// - "cfg" : printing the various function's cfg before transformation +// and after transformation if it has been modified, and all +// the functions at end of the pass, after doFinalization. +// +// To use them all, simply use the -debug option. +// To use only one of them, follow the pass' command by -debug-only=name. +// Exemple, -boguscf -debug-only=cfg +// +// +// Stats: +// The following statistics will be printed if you use +// the -stats command: +// +// a. Number of functions in this module +// b. Number of times we run on each function +// c. Initial number of basic blocks in this module +// d. Number of modified basic blocks +// e. Number of added basic blocks in this module +// f. Final number of basic blocks in this module +// +// file : lib/Transforms/Obfuscation/BogusControlFlow.cpp +// date : june 2012 +// version: 1.0 +// author : julie.michielin@gmail.com +// modifications: pjunod, Rinaldini Julien +// project: Obfuscator +// option : -boguscf +// +//===----------------------------------------------------------------------------------===// +#include "BogusControlFlow.h" +#include "llvm/IR/IntrinsicInst.h" + +#define DEBUG_TYPE "BogusControlFlow" + +STATISTIC(NumFunction, "a. Number of functions in this module"); +STATISTIC(NumTimesOnFunctions, "b. Number of times we run on each function"); +STATISTIC(InitNumBasicBlocks, "c. Initial number of basic blocks in this module"); +STATISTIC(NumModifiedBasicBlocks, "d. Number of modified basic blocks"); +STATISTIC(NumAddedBasicBlocks, "e. Number of added basic blocks in this module"); +STATISTIC(FinalNumBasicBlocks, "f. Final number of basic blocks in this module"); + +// Options for the pass +const int defaultObfRate = 70, defaultObfTime = 2; + +static cl::opt ObfProbRate("bcf_prob", cl::desc("Choose the probability [%] each basic blocks will be obfuscated by the -bcf pass"), cl::value_desc("probability rate"), cl::init(defaultObfRate), cl::Optional); + +static cl::opt ObfTimes("bcf_loop", cl::desc("Choose how many time the -bcf pass loop on a function"), cl::value_desc("number of times"), cl::init(defaultObfTime), cl::Optional); + + +BasicBlock *createAlteredBasicBlock(BasicBlock *basicBlock, const Twine &Name = "gen", Function *F = 0); + +PreservedAnalyses BogusControlFlowPass::run(Function& F, FunctionAnalysisManager& AM) { + // Check if the percentage is correct + if (ObfTimes <= 0){ + errs() << "BogusControlFlow application number -bcf_loop=x must be x > 0"; + return PreservedAnalyses::all(); + } + // Check if the number of applications is correct + if (!((ObfProbRate > 0) && (ObfProbRate <= 100))) { + errs() << "BogusControlFlow application basic blocks percentage " + "-bcf_prob=x must be 0 < x <= 100"; + return PreservedAnalyses::all(); + } + // If fla annotations + if (toObfuscate(flag, &F, "bcf")){ + bogus(F); + doF(*F.getParent(), F); + return PreservedAnalyses::none(); + } + return PreservedAnalyses::all(); +} + + +void BogusControlFlowPass::bogus(Function &F) { + // For statistics and debug + ++NumFunction; + int NumBasicBlocks = 0; + bool firstTime = true; // First time we do the loop in this function + bool hasBeenModified = false; + DEBUG_WITH_TYPE("opt", + errs() << "bcf: Started on function " << F.getName() << "\n"); + DEBUG_WITH_TYPE("opt", + errs() << "bcf: Probability rate: " << ObfProbRate << "\n"); + if (ObfProbRate < 0 || ObfProbRate > 100) { + DEBUG_WITH_TYPE("opt", errs() << "bcf: Incorrect value," + << " probability rate set to default value: " + << defaultObfRate << " \n"); + ObfProbRate = defaultObfRate; + } + DEBUG_WITH_TYPE("opt", errs() << "bcf: How many times: " << ObfTimes << "\n"); + if (ObfTimes <= 0) { + DEBUG_WITH_TYPE("opt", errs() << "bcf: Incorrect value," + << " must be greater than 1. Set to default: " + << defaultObfTime << " \n"); + ObfTimes = defaultObfTime; + } + NumTimesOnFunctions = ObfTimes; + int NumObfTimes = ObfTimes; + + // Real begining of the pass + // Loop for the number of time we run the pass on the function + do { + DEBUG_WITH_TYPE("cfg", errs() << "bcf: Function " << F.getName() + << ", before the pass:\n"); + DEBUG_WITH_TYPE("cfg", F.viewCFG()); + // Put all the function's block in a list + std::list basicBlocks; + for (Function::iterator i = F.begin(); i != F.end(); ++i) { + basicBlocks.push_back(&*i); + } + DEBUG_WITH_TYPE( + "gen", errs() << "bcf: Iterating on the Function's Basic Blocks\n"); + + while (!basicBlocks.empty()) { + NumBasicBlocks++; + // Basic Blocks' selection + if ((int)llvm::cryptoutils->get_range(100) <= ObfProbRate) { + DEBUG_WITH_TYPE("opt", errs() << "bcf: Block " << NumBasicBlocks + << " selected. \n"); + hasBeenModified = true; + ++NumModifiedBasicBlocks; + NumAddedBasicBlocks += 3; + FinalNumBasicBlocks += 3; + // Add bogus flow to the given Basic Block (see description) + BasicBlock *basicBlock = basicBlocks.front(); + addBogusFlow(basicBlock, F); + } else { + DEBUG_WITH_TYPE("opt", errs() << "bcf: Block " << NumBasicBlocks + << " not selected.\n"); + } + // remove the block from the list + basicBlocks.pop_front(); + + if (firstTime) { // first time we iterate on this function + ++InitNumBasicBlocks; + ++FinalNumBasicBlocks; + } + } // end of while(!basicBlocks.empty()) + DEBUG_WITH_TYPE("gen", + errs() << "bcf: End of function " << F.getName() << "\n"); + if (hasBeenModified) { // if the function has been modified + DEBUG_WITH_TYPE("cfg", errs() << "bcf: Function " << F.getName() + << ", after the pass: \n"); + DEBUG_WITH_TYPE("cfg", F.viewCFG()); + } else { + DEBUG_WITH_TYPE("cfg", errs() << "bcf: Function's not been modified \n"); + } + firstTime = false; + } while (--NumObfTimes > 0); +} + +/* addBogusFlow + * + * Add bogus flow to a given basic block, according to the header's + * description + */ +void BogusControlFlowPass::addBogusFlow(BasicBlock *basicBlock, Function &F) { + // Split the block: first part with only the phi nodes and debug info and + // terminator + // created by splitBasicBlock. (-> No instruction) + // Second part with every instructions from the original + // block + // We do this way, so we don't have to adjust all the phi nodes, metadatas + // and so on for the first block. We have to let the phi nodes in the first + // part, because they actually are updated in the second part according to + // them. + BasicBlock::iterator i1 = basicBlock->begin(); + if (basicBlock->getFirstNonPHIOrDbgOrLifetime()) + i1 = (BasicBlock::iterator)basicBlock->getFirstNonPHIOrDbgOrLifetime(); + if (basicBlock->getFirstNonPHI()->isEHPad()) + return; + // Fix Verifier.cpp: "CatchPadInst not the first non-PHI instruction in the + // block.", "The unwind destination does not have an exception handling + // instruction!" + Twine *var; + var = new Twine("originalBB"); + BasicBlock *originalBB = basicBlock->splitBasicBlock(i1, *var); + DEBUG_WITH_TYPE("gen", errs() + << "bcf: First and original basic blocks: ok\n"); + + // Creating the altered basic block on which the first basicBlock will jump + Twine *var3 = new Twine("alteredBB"); + BasicBlock *alteredBB = createAlteredBasicBlock(originalBB, *var3, &F); + DEBUG_WITH_TYPE("gen", errs() << "bcf: Altered basic block: ok\n"); + + // Now that all the blocks are created, + // we modify the terminators to adjust the control flow. + + alteredBB->getTerminator()->eraseFromParent(); + basicBlock->getTerminator()->eraseFromParent(); + DEBUG_WITH_TYPE("gen", errs() << "bcf: Terminator removed from the altered" + << " and first basic blocks\n"); + + // Preparing a condition.. + // For now, the condition is an always true comparaison between 2 float + // This will be complicated after the pass (in doFinalization()) + Value *LHS = ConstantFP::get(Type::getFloatTy(F.getContext()), 1.0); + Value *RHS = ConstantFP::get(Type::getFloatTy(F.getContext()), 1.0); + DEBUG_WITH_TYPE("gen", errs() << "bcf: Value LHS and RHS created\n"); + + // The always true condition. End of the first block + Twine *var4 = new Twine("condition"); + FCmpInst *condition = new FCmpInst(InsertPosition(basicBlock), + FCmpInst::FCMP_TRUE, LHS, RHS, *var4); //fix for llvm 19 + DEBUG_WITH_TYPE("gen", errs() << "bcf: Always true condition created\n"); + + // Jump to the original basic block if the condition is true or + // to the altered block if false. + BranchInst::Create(originalBB, alteredBB, (Value *)condition, basicBlock); + DEBUG_WITH_TYPE( + "gen", + errs() << "bcf: Terminator instruction in first basic block: ok\n"); + + // The altered block loop back on the original one. + BranchInst::Create(originalBB, alteredBB); + DEBUG_WITH_TYPE( + "gen", errs() << "bcf: Terminator instruction in altered block: ok\n"); + + // The end of the originalBB is modified to give the impression that + // sometimes it continues in the loop, and sometimes it return the desired + // value (of course it's always true, so it always use the original + // terminator.. + // but this will be obfuscated too;) ) + + // iterate on instruction just before the terminator of the originalBB + BasicBlock::iterator i = originalBB->end(); + + // Split at this point (we only want the terminator in the second part) + Twine *var5 = new Twine("originalBBpart2"); + BasicBlock *originalBBpart2 = originalBB->splitBasicBlock(--i, *var5); + DEBUG_WITH_TYPE("gen", + errs() << "bcf: Terminator part of the original basic block" + << " is isolated\n"); + // the first part go either on the return statement or on the begining + // of the altered block.. So we erase the terminator created when splitting. + originalBB->getTerminator()->eraseFromParent(); + // We add at the end a new always true condition + Twine *var6 = new Twine("condition2"); + + FCmpInst *condition2 = new FCmpInst(InsertPosition (originalBB), + CmpInst::FCMP_TRUE, LHS, RHS, *var6); //fix for llvm 19 + BranchInst::Create(originalBBpart2, alteredBB, (Value *)condition2, + originalBB); + DEBUG_WITH_TYPE("gen", errs() + << "bcf: Terminator original basic block: ok\n"); + DEBUG_WITH_TYPE("gen", errs() << "bcf: End of addBogusFlow().\n"); + +} // end of addBogusFlow() + +/* createAlteredBasicBlock + * + * This function return a basic block similar to a given one. + * It's inserted just after the given basic block. + * The instructions are similar but junk instructions are added between + * the cloned one. The cloned instructions' phi nodes, metadatas, uses and + * debug locations are adjusted to fit in the cloned basic block and + * behave nicely. + */ +BasicBlock *createAlteredBasicBlock(BasicBlock *basicBlock, const Twine &Name, + Function *F) { + // Useful to remap the informations concerning instructions. + ValueToValueMapTy VMap; + // basicBlock->dump(); + BasicBlock *alteredBB = llvm::CloneBasicBlock(basicBlock, VMap, Name, F); + DEBUG_WITH_TYPE("gen", errs() << "bcf: Original basic block cloned\n"); + // Remap operands. + BasicBlock::iterator ji = basicBlock->begin(); + for (BasicBlock::iterator i = alteredBB->begin(), e = alteredBB->end(); + i != e; ++i) { + // Loop over the operands of the instruction + for (User::op_iterator opi = i->op_begin(), ope = i->op_end(); opi != ope; + ++opi) { + // get the value for the operand + Value *v = MapValue(*opi, VMap, RF_None, 0); + if (v != 0) { + *opi = v; + DEBUG_WITH_TYPE("gen", errs() + << "bcf: Value's operand has been setted\n"); + } + } + DEBUG_WITH_TYPE("gen", errs() << "bcf: Operands remapped\n"); + // Remap phi nodes' incoming blocks. + if (PHINode *pn = dyn_cast(i)) { + for (unsigned j = 0, e = pn->getNumIncomingValues(); j != e; ++j) { + Value *v = MapValue(pn->getIncomingBlock(j), VMap, RF_None, 0); + if (v != 0) { + pn->setIncomingBlock(j, cast(v)); + } + } + } + DEBUG_WITH_TYPE("gen", errs() << "bcf: PHINodes remapped\n"); + // Remap attached metadata. + SmallVector, 4> MDs; + i->getAllMetadata(MDs); + DEBUG_WITH_TYPE("gen", errs() << "bcf: Metadatas remapped\n"); + // important for compiling with DWARF, using option -g. + i->setDebugLoc(ji->getDebugLoc()); + ji++; + DEBUG_WITH_TYPE("gen", errs() + << "bcf: Debug information location setted\n"); + + } // The instructions' informations are now all correct + + for (auto I = alteredBB->begin(), E = alteredBB->end(); I != E;) { + Instruction *Instr = &*I++; + if (isa(Instr)) + Instr->eraseFromParent(); + } + // Fix Verifier.cpp: "mismatched subprogram between llvm.dbg.value label and + // !dbg attachment" + + DEBUG_WITH_TYPE("gen", errs() + << "bcf: The cloned basic block is now correct\n"); + DEBUG_WITH_TYPE( + "gen", + errs() << "bcf: Starting to add junk code in the cloned bloc...\n"); + + // add random instruction in the middle of the bloc. This part can be + // improve + for (BasicBlock::iterator i = alteredBB->begin(), e = alteredBB->end(); + i != e; ++i) { + // in the case we find binary operator, we modify slightly this part by + // randomly insert some instructions + if (i->isBinaryOp()) { // binary instructions + unsigned opcode = i->getOpcode(); + Instruction *op, *op1 = NULL; + Twine *var = new Twine("_"); + // treat differently float or int + // Binary int + if (opcode == Instruction::Add || opcode == Instruction::Sub || + opcode == Instruction::Mul || opcode == Instruction::UDiv || + opcode == Instruction::SDiv || opcode == Instruction::URem || + opcode == Instruction::SRem || opcode == Instruction::Shl || + opcode == Instruction::LShr || opcode == Instruction::AShr || + opcode == Instruction::And || opcode == Instruction::Or || + opcode == Instruction::Xor) { + for (int random = (int)llvm::cryptoutils->get_range(10); random < 10; + ++random) { + switch (llvm::cryptoutils->get_range(4)) { // to improve + case 0: // do nothing + break; + case 1: + op = BinaryOperator::CreateNeg(i->getOperand(0), *var, &*i); + op1 = BinaryOperator::Create(Instruction::Add, op, i->getOperand(1), + "gen", &*i); + break; + case 2: + op1 = BinaryOperator::Create(Instruction::Sub, i->getOperand(0), + i->getOperand(1), *var, &*i); + op = BinaryOperator::Create(Instruction::Mul, op1, i->getOperand(1), + "gen", &*i); + break; + case 3: + op = BinaryOperator::Create(Instruction::Shl, i->getOperand(0), + i->getOperand(1), *var, &*i); + break; + } + } + } + // Binary float + if (opcode == Instruction::FAdd || opcode == Instruction::FSub || + opcode == Instruction::FMul || opcode == Instruction::FDiv || + opcode == Instruction::FRem) { + for (int random = (int)llvm::cryptoutils->get_range(10); random < 10; + ++random) { + switch (llvm::cryptoutils->get_range(3)) { // can be improved + case 0: // do nothing + break; + case 1: + op = UnaryOperator::CreateFNeg(i->getOperand(0), *var, &*i); + op1 = BinaryOperator::Create(Instruction::FAdd, op, + i->getOperand(1), "gen", &*i); + break; + case 2: + op = BinaryOperator::Create(Instruction::FSub, i->getOperand(0), + i->getOperand(1), *var, &*i); + op1 = BinaryOperator::Create(Instruction::FMul, op, + i->getOperand(1), "gen", &*i); + break; + } + } + } + if (opcode == Instruction::ICmp) { // Condition (with int) + ICmpInst *currentI = (ICmpInst *)(&i); + switch (llvm::cryptoutils->get_range(3)) { // must be improved + case 0: // do nothing + break; + case 1: + currentI->swapOperands(); + break; + case 2: // randomly change the predicate + switch (llvm::cryptoutils->get_range(10)) { + case 0: + currentI->setPredicate(ICmpInst::ICMP_EQ); + break; // equal + case 1: + currentI->setPredicate(ICmpInst::ICMP_NE); + break; // not equal + case 2: + currentI->setPredicate(ICmpInst::ICMP_UGT); + break; // unsigned greater than + case 3: + currentI->setPredicate(ICmpInst::ICMP_UGE); + break; // unsigned greater or equal + case 4: + currentI->setPredicate(ICmpInst::ICMP_ULT); + break; // unsigned less than + case 5: + currentI->setPredicate(ICmpInst::ICMP_ULE); + break; // unsigned less or equal + case 6: + currentI->setPredicate(ICmpInst::ICMP_SGT); + break; // signed greater than + case 7: + currentI->setPredicate(ICmpInst::ICMP_SGE); + break; // signed greater or equal + case 8: + currentI->setPredicate(ICmpInst::ICMP_SLT); + break; // signed less than + case 9: + currentI->setPredicate(ICmpInst::ICMP_SLE); + break; // signed less or equal + } + break; + } + } + if (opcode == Instruction::FCmp) { // Conditions (with float) + FCmpInst *currentI = (FCmpInst *)(&i); + switch (llvm::cryptoutils->get_range(3)) { // must be improved + case 0: // do nothing + break; + case 1: + currentI->swapOperands(); + break; + case 2: // randomly change the predicate + switch (llvm::cryptoutils->get_range(10)) { + case 0: + currentI->setPredicate(FCmpInst::FCMP_OEQ); + break; // ordered and equal + case 1: + currentI->setPredicate(FCmpInst::FCMP_ONE); + break; // ordered and operands are unequal + case 2: + currentI->setPredicate(FCmpInst::FCMP_UGT); + break; // unordered or greater than + case 3: + currentI->setPredicate(FCmpInst::FCMP_UGE); + break; // unordered, or greater than, or equal + case 4: + currentI->setPredicate(FCmpInst::FCMP_ULT); + break; // unordered or less than + case 5: + currentI->setPredicate(FCmpInst::FCMP_ULE); + break; // unordered, or less than, or equal + case 6: + currentI->setPredicate(FCmpInst::FCMP_OGT); + break; // ordered and greater than + case 7: + currentI->setPredicate(FCmpInst::FCMP_OGE); + break; // ordered and greater than or equal + case 8: + currentI->setPredicate(FCmpInst::FCMP_OLT); + break; // ordered and less than + case 9: + currentI->setPredicate(FCmpInst::FCMP_OLE); + break; // ordered or less than, or equal + } + break; + } + } + } + } + return alteredBB; +} // end of createAlteredBasicBlock() + +/* doFinalization + * + * Overwrite FunctionPass method to apply the transformations to the whole + * module. This part obfuscate all the always true predicates of the module. + * More precisely, the condition which predicate is FCMP_TRUE. + * It also remove all the functions' basic blocks' and instructions' names. + */ +bool BogusControlFlowPass::doF(Module &M, Function &F) { + // In this part we extract all always-true predicate and replace them with + // opaque predicate: For this, we declare two global values: x and y, and + // replace the FCMP_TRUE predicate with (y < 10 || x * (x + 1) % 2 == 0) A + // better way to obfuscate the predicates would be welcome. In the meantime + // we will erase the name of the basic blocks, the instructions and the + // functions. + DEBUG_WITH_TYPE("gen", errs() << "bcf: Starting doFinalization...\n"); + + // The global values + Twine *varX = new Twine("x"); + Twine *varY = new Twine("y"); + Value *x1 = ConstantInt::get(Type::getInt32Ty(M.getContext()), 0, false); + Value *y1 = ConstantInt::get(Type::getInt32Ty(M.getContext()), 0, false); + + GlobalVariable *x = + new GlobalVariable(M, Type::getInt32Ty(M.getContext()), false, + GlobalValue::CommonLinkage, (Constant *)x1, *varX); + GlobalVariable *y = + new GlobalVariable(M, Type::getInt32Ty(M.getContext()), false, + GlobalValue::CommonLinkage, (Constant *)y1, *varY); + + std::vector toEdit, toDelete; + BinaryOperator *op, *op1 = NULL; + LoadInst *opX, *opY; + ICmpInst *condition, *condition2; + // Looking for the conditions and branches to transform + + for (Function::iterator fi = F.begin(), fe = F.end(); fi != fe; ++fi) { + // fi->setName(""); + Instruction *tbb = fi->getTerminator(); + if (tbb->getOpcode() == Instruction::Br) { + BranchInst *br = (BranchInst *)(tbb); + if (br->isConditional()) { + FCmpInst *cond = (FCmpInst *)br->getCondition(); + unsigned opcode = cond->getOpcode(); + if (opcode == Instruction::FCmp) { + if (cond->getPredicate() == FCmpInst::FCMP_TRUE) { + DEBUG_WITH_TYPE("gen", errs() + << "bcf: an always true predicate !\n"); + toDelete.push_back(cond); // The condition + toEdit.push_back(tbb); // The branch using the condition + } + } + } + } + /* + for (BasicBlock::iterator bi = fi->begin(), be = fi->end() ; bi != be; + ++bi){ bi->setName(""); // setting the basic blocks' names + } + */ + } + + // Replacing all the branches we found + for (std::vector::iterator i = toEdit.begin(); + i != toEdit.end(); ++i) { + // if y < 10 || x*(x+1) % 2 == 0 + opX = new LoadInst(Type::getInt32Ty(M.getContext()), (Value *)x, "", (*i)); + opY = new LoadInst(Type::getInt32Ty(M.getContext()), (Value *)y, "", (*i)); + + op = BinaryOperator::Create( + Instruction::Sub, (Value *)opX, + ConstantInt::get(Type::getInt32Ty(M.getContext()), 1, false), "", (*i)); + op1 = BinaryOperator::Create(Instruction::Mul, (Value *)opX, op, "", (*i)); + op = BinaryOperator::Create( + Instruction::URem, op1, + ConstantInt::get(Type::getInt32Ty(M.getContext()), 2, false), "", (*i)); + condition = new ICmpInst( + (*i), ICmpInst::ICMP_EQ, op, + ConstantInt::get(Type::getInt32Ty(M.getContext()), 0, false)); + condition2 = new ICmpInst( + (*i), ICmpInst::ICMP_SLT, opY, + ConstantInt::get(Type::getInt32Ty(M.getContext()), 10, false)); + op1 = BinaryOperator::Create(Instruction::Or, (Value *)condition, + (Value *)condition2, "", (*i)); + + BranchInst::Create(((BranchInst *)*i)->getSuccessor(0), + ((BranchInst *)*i)->getSuccessor(1), (Value *)op1, + ((BranchInst *)*i)->getParent()); + DEBUG_WITH_TYPE("gen", errs() << "bcf: Erase branch instruction:" + << *((BranchInst *)*i) << "\n"); + (*i)->eraseFromParent(); // erase the branch + } + // Erase all the associated conditions we found + for (std::vector::iterator i = toDelete.begin(); + i != toDelete.end(); ++i) { + DEBUG_WITH_TYPE("gen", errs() << "bcf: Erase condition instruction:" + << *((Instruction *)*i) << "\n"); + (*i)->eraseFromParent(); + } + + // Only for debug + DEBUG_WITH_TYPE("cfg", errs() << "bcf: End of the pass, here are the " + "graphs after doFinalization\n"); + // for (Module::iterator mi = M.begin(), me = M.end(); mi != me; ++mi) { + // DEBUG_WITH_TYPE("cfg", errs() << "bcf: Function " << mi->getName() << + // "\n"); DEBUG_WITH_TYPE("cfg", mi->viewCFG()); + // } + + return true; +} + +/** + * @brief 便于调用虚假控制流 + * + * @param flag + * @return FunctionPass* + */ +BogusControlFlowPass *llvm::createBogusControlFlow(bool flag){ + return new BogusControlFlowPass(flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/BogusControlFlow.h b/llvm/lib/Passes/Obfuscation/BogusControlFlow.h new file mode 100644 index 0000000000..a7aad65182 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/BogusControlFlow.h @@ -0,0 +1,50 @@ +#ifndef _BOGUSCONTROLFLOW_H_ +#define _BOGUSCONTROLFLOW_H_ +// LLVM libs +#include "llvm/Pass.h" +#include "llvm/IR/Module.h" +#include "llvm/IR/Function.h" +#include "llvm/IR/BasicBlock.h" +#include "llvm/IR/Instructions.h" +#include "llvm/IR/InstrTypes.h" +#include "llvm/IR/Constants.h" +#include "llvm/IR/Type.h" +#include "llvm/ADT/Statistic.h" +#include "llvm/IR/GlobalValue.h" +#include "llvm/IR/LLVMContext.h" +#include "llvm/Transforms/Utils/Cloning.h" +#include "llvm/Transforms/Utils/BasicBlockUtils.h" +#include "llvm/CodeGen/ISDOpcodes.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/Support/Debug.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Transforms/IPO.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/NoFolder.h" +#include "llvm/Support/TargetSelect.h" +#include "llvm/Transforms/Utils/Local.h" +// System libs +#include +#include +// User libs +#include "CryptoUtils.h" +#include "Utils.h" +using namespace std; +using namespace llvm; +namespace llvm{ // 基本块分割 + class BogusControlFlowPass : public PassInfoMixin{ + public: + bool flag; + BogusControlFlowPass(bool flag){ + this->flag = flag; + } // 携带flag的构造函数 + PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM); // Pass实现函数 + void bogus(Function &F); + void addBogusFlow(BasicBlock *basicBlock, Function &F); + bool doF(Module &M, Function &F); + static bool isRequired() { return true; } // 直接返回true即可 + }; + BogusControlFlowPass *createBogusControlFlow(bool flag); // 创建基本块分割 +} + +#endif \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/CryptoUtils.cpp b/llvm/lib/Passes/Obfuscation/CryptoUtils.cpp new file mode 100644 index 0000000000..63673b11ba --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/CryptoUtils.cpp @@ -0,0 +1,1254 @@ +//===- CryptoUtils.cpp - AES-based Pseudo-Random Generator ----------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// This file implements an AES-CTR-based cryptographically secure +// pseudo-random generator. +// +// Created on: June 22, 2012 +// Last modification: November 15, 2013 +// Author(s): jrinaldini, pjunod +// +//===----------------------------------------------------------------------===// + +#include "CryptoUtils.h" +#include "llvm/ADT/Statistic.h" +#include "llvm/ADT/Twine.h" +#include "llvm/IR/LLVMContext.h" +#include "llvm/Support/Debug.h" +#include "llvm/Support/ErrorHandling.h" +#include "llvm/Support/ManagedStatic.h" +#include "llvm/Support/raw_ostream.h" + +#include +#include +#include +#include +#include +#include + +#ifdef ENDIAN_LITTLE + +#define STORE32H(y, x) \ + { \ + (y)[0] = (uint8_t)(((x) >> 24) & 0xFF); \ + (y)[1] = (uint8_t)(((x) >> 16) & 0xFF); \ + (y)[2] = (uint8_t)(((x) >> 8) & 0xFF); \ + (y)[3] = (uint8_t)(((x) >> 0) & 0xFF); \ + } +#define LOAD32H(x, y) \ + { \ + (x) = ((uint32_t)((y)[0] & 0xFF) << 24) | \ + ((uint32_t)((y)[1] & 0xFF) << 16) | \ + ((uint32_t)((y)[2] & 0xFF) << 8) | ((uint32_t)((y)[3] & 0xFF) << 0); \ + } + +#define LOAD64H(x, y) \ + { \ + (x) = ((uint64_t)((y)[0] & 0xFF) << 56) | \ + ((uint64_t)((y)[1] & 0xFF) << 48) | \ + ((uint64_t)((y)[2] & 0xFF) << 40) | \ + ((uint64_t)((y)[3] & 0xFF) << 32) | \ + ((uint64_t)((y)[4] & 0xFF) << 24) | \ + ((uint64_t)((y)[5] & 0xFF) << 16) | \ + ((uint64_t)((y)[6] & 0xFF) << 8) | ((uint64_t)((y)[7] & 0xFF) << 0); \ + } + +#define STORE64H(y, x) \ + { \ + (y)[0] = (uint8_t)(((x) >> 56) & 0xFF); \ + (y)[1] = (uint8_t)(((x) >> 48) & 0xFF); \ + (y)[2] = (uint8_t)(((x) >> 40) & 0xFF); \ + (y)[3] = (uint8_t)(((x) >> 32) & 0xFF); \ + (y)[4] = (uint8_t)(((x) >> 24) & 0xFF); \ + (y)[5] = (uint8_t)(((x) >> 16) & 0xFF); \ + (y)[6] = (uint8_t)(((x) >> 8) & 0xFF); \ + (y)[7] = (uint8_t)(((x) >> 0) & 0xFF); \ + } + +#endif /* ENDIAN_LITTLE */ + +#ifdef ENDIAN_BIG + +#define STORE32H(y, x) \ + { \ + (y)[3] = (uint8_t)(((x) >> 24) & 0xFF); \ + (y)[2] = (uint8_t)(((x) >> 16) & 0xFF); \ + (y)[1] = (uint8_t)(((x) >> 8) & 0xFF); \ + (y)[0] = (uint8_t)(((x) >> 0) & 0xFF); \ + } +#define STORE64H(y, x) \ + { \ + (y)[7] = (uint8_t)(((x) >> 56) & 0xFF); \ + (y)[6] = (uint8_t)(((x) >> 48) & 0xFF); \ + (y)[5] = (uint8_t)(((x) >> 40) & 0xFF); \ + (y)[4] = (uint8_t)(((x) >> 32) & 0xFF); \ + (y)[3] = (uint8_t)(((x) >> 24) & 0xFF); \ + (y)[2] = (uint8_t)(((x) >> 16) & 0xFF); \ + (y)[1] = (uint8_t)(((x) >> 8) & 0xFF); \ + (y)[0] = (uint8_t)(((x) >> 0) & 0xFF); \ + } +#define LOAD32H(x, y) \ + { \ + (x) = ((uint32_t)((y)[3] & 0xFF) << 24) | \ + ((uint32_t)((y)[2] & 0xFF) << 16) | \ + ((uint32_t)((y)[1] & 0xFF) << 8) | ((uint32_t)((y)[0] & 0xFF) << 0); \ + } + +#define LOAD64H(x, y) \ + { \ + (x) = ((uint64_t)((y)[7] & 0xFF) << 56) | \ + ((uint64_t)((y)[6] & 0xFF) << 48) | \ + ((uint64_t)((y)[5] & 0xFF) << 40) | \ + ((uint64_t)((y)[4] & 0xFF) << 32) | \ + ((uint64_t)((y)[3] & 0xFF) << 24) | \ + ((uint64_t)((y)[2] & 0xFF) << 16) | \ + ((uint64_t)((y)[1] & 0xFF) << 8) | ((uint64_t)((y)[0] & 0xFF) << 0); \ + } + +#endif /* ENDIAN_BIG */ + +#define AES_TE0(x) AES_PRECOMP_TE0[(x)] +#define AES_TE1(x) AES_PRECOMP_TE1[(x)] +#define AES_TE2(x) AES_PRECOMP_TE2[(x)] +#define AES_TE3(x) AES_PRECOMP_TE3[(x)] + +#define AES_TE4_0(x) AES_PRECOMP_TE4_0[(x)] +#define AES_TE4_1(x) AES_PRECOMP_TE4_1[(x)] +#define AES_TE4_2(x) AES_PRECOMP_TE4_2[(x)] +#define AES_TE4_3(x) AES_PRECOMP_TE4_3[(x)] + +#define DUMP(x, l, s) \ + std::fprintf(stderr, "%s :", (s)); \ + for (int ii = 0; ii < (l); ii++) { \ + std::fprintf(stderr, "%02hhX", *((x) + ii)); \ + } \ + std::fprintf(stderr, "\n"); + +// SHA256 +/* Various logical functions */ +#define Ch(x, y, z) (z ^ (x & (y ^ z))) +#define Maj(x, y, z) (((x | y) & z) | (x & y)) +#define S(x, n) RORc((x), (n)) +#define R1(x, n) (((x)&0xFFFFFFFFUL) >> (n)) +#define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) +#define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) +#define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R1(x, 3)) +#define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R1(x, 10)) +#define MIN(x, y) (((x) < (y)) ? (x) : (y)) + +#define RND(a, b, c, d, e, f, g, h, i, ki) \ + t0 = h + Sigma1(e) + Ch(e, f, g) + ki + W[i]; \ + t1 = Sigma0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; + +#define RORc(x, y) \ + (((((unsigned long)(x)&0xFFFFFFFFUL) >> (unsigned long)((y)&31)) | \ + ((unsigned long)(x) << (unsigned long)(32 - ((y)&31)))) & \ + 0xFFFFFFFFUL) +// Stats +#define DEBUG_TYPE "CryptoUtils" +STATISTIC(statsGetBytes, "a. Number of calls to get_bytes ()"); +STATISTIC(statsGetChar, "b. Number of calls to get_char ()"); +STATISTIC(statsGetUint8, "c. Number of calls to get_uint8_t ()"); +STATISTIC(statsGetUint32, "d. Number of calls to get_uint32_t ()"); +STATISTIC(statsGetUint64, "e. Number of calls to get_uint64_t ()"); +STATISTIC(statsGetRange, "f. Number of calls to get_range ()"); +STATISTIC(statsPopulate, "g. Number of calls to populate ()"); +STATISTIC(statsAESEncrypt, "h. Number of calls to aes_encrypt ()"); + +using namespace llvm; + +namespace llvm { +ManagedStatic cryptoutils; +} + +const uint32_t AES_RCON[10] = { + 0x01000000UL, 0x02000000UL, 0x04000000UL, 0x08000000UL, 0x10000000UL, + 0x20000000UL, 0x40000000UL, 0x80000000UL, 0x1b000000UL, 0x36000000UL}; + +const uint32_t AES_PRECOMP_TE0[256] = { + 0xc66363a5UL, 0xf87c7c84UL, 0xee777799UL, 0xf67b7b8dUL, 0xfff2f20dUL, + 0xd66b6bbdUL, 0xde6f6fb1UL, 0x91c5c554UL, 0x60303050UL, 0x02010103UL, + 0xce6767a9UL, 0x562b2b7dUL, 0xe7fefe19UL, 0xb5d7d762UL, 0x4dababe6UL, + 0xec76769aUL, 0x8fcaca45UL, 0x1f82829dUL, 0x89c9c940UL, 0xfa7d7d87UL, + 0xeffafa15UL, 0xb25959ebUL, 0x8e4747c9UL, 0xfbf0f00bUL, 0x41adadecUL, + 0xb3d4d467UL, 0x5fa2a2fdUL, 0x45afafeaUL, 0x239c9cbfUL, 0x53a4a4f7UL, + 0xe4727296UL, 0x9bc0c05bUL, 0x75b7b7c2UL, 0xe1fdfd1cUL, 0x3d9393aeUL, + 0x4c26266aUL, 0x6c36365aUL, 0x7e3f3f41UL, 0xf5f7f702UL, 0x83cccc4fUL, + 0x6834345cUL, 0x51a5a5f4UL, 0xd1e5e534UL, 0xf9f1f108UL, 0xe2717193UL, + 0xabd8d873UL, 0x62313153UL, 0x2a15153fUL, 0x0804040cUL, 0x95c7c752UL, + 0x46232365UL, 0x9dc3c35eUL, 0x30181828UL, 0x379696a1UL, 0x0a05050fUL, + 0x2f9a9ab5UL, 0x0e070709UL, 0x24121236UL, 0x1b80809bUL, 0xdfe2e23dUL, + 0xcdebeb26UL, 0x4e272769UL, 0x7fb2b2cdUL, 0xea75759fUL, 0x1209091bUL, + 0x1d83839eUL, 0x582c2c74UL, 0x341a1a2eUL, 0x361b1b2dUL, 0xdc6e6eb2UL, + 0xb45a5aeeUL, 0x5ba0a0fbUL, 0xa45252f6UL, 0x763b3b4dUL, 0xb7d6d661UL, + 0x7db3b3ceUL, 0x5229297bUL, 0xdde3e33eUL, 0x5e2f2f71UL, 0x13848497UL, + 0xa65353f5UL, 0xb9d1d168UL, 0x00000000UL, 0xc1eded2cUL, 0x40202060UL, + 0xe3fcfc1fUL, 0x79b1b1c8UL, 0xb65b5bedUL, 0xd46a6abeUL, 0x8dcbcb46UL, + 0x67bebed9UL, 0x7239394bUL, 0x944a4adeUL, 0x984c4cd4UL, 0xb05858e8UL, + 0x85cfcf4aUL, 0xbbd0d06bUL, 0xc5efef2aUL, 0x4faaaae5UL, 0xedfbfb16UL, + 0x864343c5UL, 0x9a4d4dd7UL, 0x66333355UL, 0x11858594UL, 0x8a4545cfUL, + 0xe9f9f910UL, 0x04020206UL, 0xfe7f7f81UL, 0xa05050f0UL, 0x783c3c44UL, + 0x259f9fbaUL, 0x4ba8a8e3UL, 0xa25151f3UL, 0x5da3a3feUL, 0x804040c0UL, + 0x058f8f8aUL, 0x3f9292adUL, 0x219d9dbcUL, 0x70383848UL, 0xf1f5f504UL, + 0x63bcbcdfUL, 0x77b6b6c1UL, 0xafdada75UL, 0x42212163UL, 0x20101030UL, + 0xe5ffff1aUL, 0xfdf3f30eUL, 0xbfd2d26dUL, 0x81cdcd4cUL, 0x180c0c14UL, + 0x26131335UL, 0xc3ecec2fUL, 0xbe5f5fe1UL, 0x359797a2UL, 0x884444ccUL, + 0x2e171739UL, 0x93c4c457UL, 0x55a7a7f2UL, 0xfc7e7e82UL, 0x7a3d3d47UL, + 0xc86464acUL, 0xba5d5de7UL, 0x3219192bUL, 0xe6737395UL, 0xc06060a0UL, + 0x19818198UL, 0x9e4f4fd1UL, 0xa3dcdc7fUL, 0x44222266UL, 0x542a2a7eUL, + 0x3b9090abUL, 0x0b888883UL, 0x8c4646caUL, 0xc7eeee29UL, 0x6bb8b8d3UL, + 0x2814143cUL, 0xa7dede79UL, 0xbc5e5ee2UL, 0x160b0b1dUL, 0xaddbdb76UL, + 0xdbe0e03bUL, 0x64323256UL, 0x743a3a4eUL, 0x140a0a1eUL, 0x924949dbUL, + 0x0c06060aUL, 0x4824246cUL, 0xb85c5ce4UL, 0x9fc2c25dUL, 0xbdd3d36eUL, + 0x43acacefUL, 0xc46262a6UL, 0x399191a8UL, 0x319595a4UL, 0xd3e4e437UL, + 0xf279798bUL, 0xd5e7e732UL, 0x8bc8c843UL, 0x6e373759UL, 0xda6d6db7UL, + 0x018d8d8cUL, 0xb1d5d564UL, 0x9c4e4ed2UL, 0x49a9a9e0UL, 0xd86c6cb4UL, + 0xac5656faUL, 0xf3f4f407UL, 0xcfeaea25UL, 0xca6565afUL, 0xf47a7a8eUL, + 0x47aeaee9UL, 0x10080818UL, 0x6fbabad5UL, 0xf0787888UL, 0x4a25256fUL, + 0x5c2e2e72UL, 0x381c1c24UL, 0x57a6a6f1UL, 0x73b4b4c7UL, 0x97c6c651UL, + 0xcbe8e823UL, 0xa1dddd7cUL, 0xe874749cUL, 0x3e1f1f21UL, 0x964b4bddUL, + 0x61bdbddcUL, 0x0d8b8b86UL, 0x0f8a8a85UL, 0xe0707090UL, 0x7c3e3e42UL, + 0x71b5b5c4UL, 0xcc6666aaUL, 0x904848d8UL, 0x06030305UL, 0xf7f6f601UL, + 0x1c0e0e12UL, 0xc26161a3UL, 0x6a35355fUL, 0xae5757f9UL, 0x69b9b9d0UL, + 0x17868691UL, 0x99c1c158UL, 0x3a1d1d27UL, 0x279e9eb9UL, 0xd9e1e138UL, + 0xebf8f813UL, 0x2b9898b3UL, 0x22111133UL, 0xd26969bbUL, 0xa9d9d970UL, + 0x078e8e89UL, 0x339494a7UL, 0x2d9b9bb6UL, 0x3c1e1e22UL, 0x15878792UL, + 0xc9e9e920UL, 0x87cece49UL, 0xaa5555ffUL, 0x50282878UL, 0xa5dfdf7aUL, + 0x038c8c8fUL, 0x59a1a1f8UL, 0x09898980UL, 0x1a0d0d17UL, 0x65bfbfdaUL, + 0xd7e6e631UL, 0x844242c6UL, 0xd06868b8UL, 0x824141c3UL, 0x299999b0UL, + 0x5a2d2d77UL, 0x1e0f0f11UL, 0x7bb0b0cbUL, 0xa85454fcUL, 0x6dbbbbd6UL, + 0x2c16163aUL}; + +const uint32_t AES_PRECOMP_TE1[256] = { + 0xa5c66363UL, 0x84f87c7cUL, 0x99ee7777UL, 0x8df67b7bUL, 0x0dfff2f2UL, + 0xbdd66b6bUL, 0xb1de6f6fUL, 0x5491c5c5UL, 0x50603030UL, 0x03020101UL, + 0xa9ce6767UL, 0x7d562b2bUL, 0x19e7fefeUL, 0x62b5d7d7UL, 0xe64dababUL, + 0x9aec7676UL, 0x458fcacaUL, 0x9d1f8282UL, 0x4089c9c9UL, 0x87fa7d7dUL, + 0x15effafaUL, 0xebb25959UL, 0xc98e4747UL, 0x0bfbf0f0UL, 0xec41adadUL, + 0x67b3d4d4UL, 0xfd5fa2a2UL, 0xea45afafUL, 0xbf239c9cUL, 0xf753a4a4UL, + 0x96e47272UL, 0x5b9bc0c0UL, 0xc275b7b7UL, 0x1ce1fdfdUL, 0xae3d9393UL, + 0x6a4c2626UL, 0x5a6c3636UL, 0x417e3f3fUL, 0x02f5f7f7UL, 0x4f83ccccUL, + 0x5c683434UL, 0xf451a5a5UL, 0x34d1e5e5UL, 0x08f9f1f1UL, 0x93e27171UL, + 0x73abd8d8UL, 0x53623131UL, 0x3f2a1515UL, 0x0c080404UL, 0x5295c7c7UL, + 0x65462323UL, 0x5e9dc3c3UL, 0x28301818UL, 0xa1379696UL, 0x0f0a0505UL, + 0xb52f9a9aUL, 0x090e0707UL, 0x36241212UL, 0x9b1b8080UL, 0x3ddfe2e2UL, + 0x26cdebebUL, 0x694e2727UL, 0xcd7fb2b2UL, 0x9fea7575UL, 0x1b120909UL, + 0x9e1d8383UL, 0x74582c2cUL, 0x2e341a1aUL, 0x2d361b1bUL, 0xb2dc6e6eUL, + 0xeeb45a5aUL, 0xfb5ba0a0UL, 0xf6a45252UL, 0x4d763b3bUL, 0x61b7d6d6UL, + 0xce7db3b3UL, 0x7b522929UL, 0x3edde3e3UL, 0x715e2f2fUL, 0x97138484UL, + 0xf5a65353UL, 0x68b9d1d1UL, 0x00000000UL, 0x2cc1ededUL, 0x60402020UL, + 0x1fe3fcfcUL, 0xc879b1b1UL, 0xedb65b5bUL, 0xbed46a6aUL, 0x468dcbcbUL, + 0xd967bebeUL, 0x4b723939UL, 0xde944a4aUL, 0xd4984c4cUL, 0xe8b05858UL, + 0x4a85cfcfUL, 0x6bbbd0d0UL, 0x2ac5efefUL, 0xe54faaaaUL, 0x16edfbfbUL, + 0xc5864343UL, 0xd79a4d4dUL, 0x55663333UL, 0x94118585UL, 0xcf8a4545UL, + 0x10e9f9f9UL, 0x06040202UL, 0x81fe7f7fUL, 0xf0a05050UL, 0x44783c3cUL, + 0xba259f9fUL, 0xe34ba8a8UL, 0xf3a25151UL, 0xfe5da3a3UL, 0xc0804040UL, + 0x8a058f8fUL, 0xad3f9292UL, 0xbc219d9dUL, 0x48703838UL, 0x04f1f5f5UL, + 0xdf63bcbcUL, 0xc177b6b6UL, 0x75afdadaUL, 0x63422121UL, 0x30201010UL, + 0x1ae5ffffUL, 0x0efdf3f3UL, 0x6dbfd2d2UL, 0x4c81cdcdUL, 0x14180c0cUL, + 0x35261313UL, 0x2fc3ececUL, 0xe1be5f5fUL, 0xa2359797UL, 0xcc884444UL, + 0x392e1717UL, 0x5793c4c4UL, 0xf255a7a7UL, 0x82fc7e7eUL, 0x477a3d3dUL, + 0xacc86464UL, 0xe7ba5d5dUL, 0x2b321919UL, 0x95e67373UL, 0xa0c06060UL, + 0x98198181UL, 0xd19e4f4fUL, 0x7fa3dcdcUL, 0x66442222UL, 0x7e542a2aUL, + 0xab3b9090UL, 0x830b8888UL, 0xca8c4646UL, 0x29c7eeeeUL, 0xd36bb8b8UL, + 0x3c281414UL, 0x79a7dedeUL, 0xe2bc5e5eUL, 0x1d160b0bUL, 0x76addbdbUL, + 0x3bdbe0e0UL, 0x56643232UL, 0x4e743a3aUL, 0x1e140a0aUL, 0xdb924949UL, + 0x0a0c0606UL, 0x6c482424UL, 0xe4b85c5cUL, 0x5d9fc2c2UL, 0x6ebdd3d3UL, + 0xef43acacUL, 0xa6c46262UL, 0xa8399191UL, 0xa4319595UL, 0x37d3e4e4UL, + 0x8bf27979UL, 0x32d5e7e7UL, 0x438bc8c8UL, 0x596e3737UL, 0xb7da6d6dUL, + 0x8c018d8dUL, 0x64b1d5d5UL, 0xd29c4e4eUL, 0xe049a9a9UL, 0xb4d86c6cUL, + 0xfaac5656UL, 0x07f3f4f4UL, 0x25cfeaeaUL, 0xafca6565UL, 0x8ef47a7aUL, + 0xe947aeaeUL, 0x18100808UL, 0xd56fbabaUL, 0x88f07878UL, 0x6f4a2525UL, + 0x725c2e2eUL, 0x24381c1cUL, 0xf157a6a6UL, 0xc773b4b4UL, 0x5197c6c6UL, + 0x23cbe8e8UL, 0x7ca1ddddUL, 0x9ce87474UL, 0x213e1f1fUL, 0xdd964b4bUL, + 0xdc61bdbdUL, 0x860d8b8bUL, 0x850f8a8aUL, 0x90e07070UL, 0x427c3e3eUL, + 0xc471b5b5UL, 0xaacc6666UL, 0xd8904848UL, 0x05060303UL, 0x01f7f6f6UL, + 0x121c0e0eUL, 0xa3c26161UL, 0x5f6a3535UL, 0xf9ae5757UL, 0xd069b9b9UL, + 0x91178686UL, 0x5899c1c1UL, 0x273a1d1dUL, 0xb9279e9eUL, 0x38d9e1e1UL, + 0x13ebf8f8UL, 0xb32b9898UL, 0x33221111UL, 0xbbd26969UL, 0x70a9d9d9UL, + 0x89078e8eUL, 0xa7339494UL, 0xb62d9b9bUL, 0x223c1e1eUL, 0x92158787UL, + 0x20c9e9e9UL, 0x4987ceceUL, 0xffaa5555UL, 0x78502828UL, 0x7aa5dfdfUL, + 0x8f038c8cUL, 0xf859a1a1UL, 0x80098989UL, 0x171a0d0dUL, 0xda65bfbfUL, + 0x31d7e6e6UL, 0xc6844242UL, 0xb8d06868UL, 0xc3824141UL, 0xb0299999UL, + 0x775a2d2dUL, 0x111e0f0fUL, 0xcb7bb0b0UL, 0xfca85454UL, 0xd66dbbbbUL, + 0x3a2c1616UL}; + +const uint32_t AES_PRECOMP_TE2[256] = { + 0x63a5c663UL, 0x7c84f87cUL, 0x7799ee77UL, 0x7b8df67bUL, 0xf20dfff2UL, + 0x6bbdd66bUL, 0x6fb1de6fUL, 0xc55491c5UL, 0x30506030UL, 0x01030201UL, + 0x67a9ce67UL, 0x2b7d562bUL, 0xfe19e7feUL, 0xd762b5d7UL, 0xabe64dabUL, + 0x769aec76UL, 0xca458fcaUL, 0x829d1f82UL, 0xc94089c9UL, 0x7d87fa7dUL, + 0xfa15effaUL, 0x59ebb259UL, 0x47c98e47UL, 0xf00bfbf0UL, 0xadec41adUL, + 0xd467b3d4UL, 0xa2fd5fa2UL, 0xafea45afUL, 0x9cbf239cUL, 0xa4f753a4UL, + 0x7296e472UL, 0xc05b9bc0UL, 0xb7c275b7UL, 0xfd1ce1fdUL, 0x93ae3d93UL, + 0x266a4c26UL, 0x365a6c36UL, 0x3f417e3fUL, 0xf702f5f7UL, 0xcc4f83ccUL, + 0x345c6834UL, 0xa5f451a5UL, 0xe534d1e5UL, 0xf108f9f1UL, 0x7193e271UL, + 0xd873abd8UL, 0x31536231UL, 0x153f2a15UL, 0x040c0804UL, 0xc75295c7UL, + 0x23654623UL, 0xc35e9dc3UL, 0x18283018UL, 0x96a13796UL, 0x050f0a05UL, + 0x9ab52f9aUL, 0x07090e07UL, 0x12362412UL, 0x809b1b80UL, 0xe23ddfe2UL, + 0xeb26cdebUL, 0x27694e27UL, 0xb2cd7fb2UL, 0x759fea75UL, 0x091b1209UL, + 0x839e1d83UL, 0x2c74582cUL, 0x1a2e341aUL, 0x1b2d361bUL, 0x6eb2dc6eUL, + 0x5aeeb45aUL, 0xa0fb5ba0UL, 0x52f6a452UL, 0x3b4d763bUL, 0xd661b7d6UL, + 0xb3ce7db3UL, 0x297b5229UL, 0xe33edde3UL, 0x2f715e2fUL, 0x84971384UL, + 0x53f5a653UL, 0xd168b9d1UL, 0x00000000UL, 0xed2cc1edUL, 0x20604020UL, + 0xfc1fe3fcUL, 0xb1c879b1UL, 0x5bedb65bUL, 0x6abed46aUL, 0xcb468dcbUL, + 0xbed967beUL, 0x394b7239UL, 0x4ade944aUL, 0x4cd4984cUL, 0x58e8b058UL, + 0xcf4a85cfUL, 0xd06bbbd0UL, 0xef2ac5efUL, 0xaae54faaUL, 0xfb16edfbUL, + 0x43c58643UL, 0x4dd79a4dUL, 0x33556633UL, 0x85941185UL, 0x45cf8a45UL, + 0xf910e9f9UL, 0x02060402UL, 0x7f81fe7fUL, 0x50f0a050UL, 0x3c44783cUL, + 0x9fba259fUL, 0xa8e34ba8UL, 0x51f3a251UL, 0xa3fe5da3UL, 0x40c08040UL, + 0x8f8a058fUL, 0x92ad3f92UL, 0x9dbc219dUL, 0x38487038UL, 0xf504f1f5UL, + 0xbcdf63bcUL, 0xb6c177b6UL, 0xda75afdaUL, 0x21634221UL, 0x10302010UL, + 0xff1ae5ffUL, 0xf30efdf3UL, 0xd26dbfd2UL, 0xcd4c81cdUL, 0x0c14180cUL, + 0x13352613UL, 0xec2fc3ecUL, 0x5fe1be5fUL, 0x97a23597UL, 0x44cc8844UL, + 0x17392e17UL, 0xc45793c4UL, 0xa7f255a7UL, 0x7e82fc7eUL, 0x3d477a3dUL, + 0x64acc864UL, 0x5de7ba5dUL, 0x192b3219UL, 0x7395e673UL, 0x60a0c060UL, + 0x81981981UL, 0x4fd19e4fUL, 0xdc7fa3dcUL, 0x22664422UL, 0x2a7e542aUL, + 0x90ab3b90UL, 0x88830b88UL, 0x46ca8c46UL, 0xee29c7eeUL, 0xb8d36bb8UL, + 0x143c2814UL, 0xde79a7deUL, 0x5ee2bc5eUL, 0x0b1d160bUL, 0xdb76addbUL, + 0xe03bdbe0UL, 0x32566432UL, 0x3a4e743aUL, 0x0a1e140aUL, 0x49db9249UL, + 0x060a0c06UL, 0x246c4824UL, 0x5ce4b85cUL, 0xc25d9fc2UL, 0xd36ebdd3UL, + 0xacef43acUL, 0x62a6c462UL, 0x91a83991UL, 0x95a43195UL, 0xe437d3e4UL, + 0x798bf279UL, 0xe732d5e7UL, 0xc8438bc8UL, 0x37596e37UL, 0x6db7da6dUL, + 0x8d8c018dUL, 0xd564b1d5UL, 0x4ed29c4eUL, 0xa9e049a9UL, 0x6cb4d86cUL, + 0x56faac56UL, 0xf407f3f4UL, 0xea25cfeaUL, 0x65afca65UL, 0x7a8ef47aUL, + 0xaee947aeUL, 0x08181008UL, 0xbad56fbaUL, 0x7888f078UL, 0x256f4a25UL, + 0x2e725c2eUL, 0x1c24381cUL, 0xa6f157a6UL, 0xb4c773b4UL, 0xc65197c6UL, + 0xe823cbe8UL, 0xdd7ca1ddUL, 0x749ce874UL, 0x1f213e1fUL, 0x4bdd964bUL, + 0xbddc61bdUL, 0x8b860d8bUL, 0x8a850f8aUL, 0x7090e070UL, 0x3e427c3eUL, + 0xb5c471b5UL, 0x66aacc66UL, 0x48d89048UL, 0x03050603UL, 0xf601f7f6UL, + 0x0e121c0eUL, 0x61a3c261UL, 0x355f6a35UL, 0x57f9ae57UL, 0xb9d069b9UL, + 0x86911786UL, 0xc15899c1UL, 0x1d273a1dUL, 0x9eb9279eUL, 0xe138d9e1UL, + 0xf813ebf8UL, 0x98b32b98UL, 0x11332211UL, 0x69bbd269UL, 0xd970a9d9UL, + 0x8e89078eUL, 0x94a73394UL, 0x9bb62d9bUL, 0x1e223c1eUL, 0x87921587UL, + 0xe920c9e9UL, 0xce4987ceUL, 0x55ffaa55UL, 0x28785028UL, 0xdf7aa5dfUL, + 0x8c8f038cUL, 0xa1f859a1UL, 0x89800989UL, 0x0d171a0dUL, 0xbfda65bfUL, + 0xe631d7e6UL, 0x42c68442UL, 0x68b8d068UL, 0x41c38241UL, 0x99b02999UL, + 0x2d775a2dUL, 0x0f111e0fUL, 0xb0cb7bb0UL, 0x54fca854UL, 0xbbd66dbbUL, + 0x163a2c16UL}; + +const uint32_t AES_PRECOMP_TE3[256] = { + 0x6363a5c6UL, 0x7c7c84f8UL, 0x777799eeUL, 0x7b7b8df6UL, 0xf2f20dffUL, + 0x6b6bbdd6UL, 0x6f6fb1deUL, 0xc5c55491UL, 0x30305060UL, 0x01010302UL, + 0x6767a9ceUL, 0x2b2b7d56UL, 0xfefe19e7UL, 0xd7d762b5UL, 0xababe64dUL, + 0x76769aecUL, 0xcaca458fUL, 0x82829d1fUL, 0xc9c94089UL, 0x7d7d87faUL, + 0xfafa15efUL, 0x5959ebb2UL, 0x4747c98eUL, 0xf0f00bfbUL, 0xadadec41UL, + 0xd4d467b3UL, 0xa2a2fd5fUL, 0xafafea45UL, 0x9c9cbf23UL, 0xa4a4f753UL, + 0x727296e4UL, 0xc0c05b9bUL, 0xb7b7c275UL, 0xfdfd1ce1UL, 0x9393ae3dUL, + 0x26266a4cUL, 0x36365a6cUL, 0x3f3f417eUL, 0xf7f702f5UL, 0xcccc4f83UL, + 0x34345c68UL, 0xa5a5f451UL, 0xe5e534d1UL, 0xf1f108f9UL, 0x717193e2UL, + 0xd8d873abUL, 0x31315362UL, 0x15153f2aUL, 0x04040c08UL, 0xc7c75295UL, + 0x23236546UL, 0xc3c35e9dUL, 0x18182830UL, 0x9696a137UL, 0x05050f0aUL, + 0x9a9ab52fUL, 0x0707090eUL, 0x12123624UL, 0x80809b1bUL, 0xe2e23ddfUL, + 0xebeb26cdUL, 0x2727694eUL, 0xb2b2cd7fUL, 0x75759feaUL, 0x09091b12UL, + 0x83839e1dUL, 0x2c2c7458UL, 0x1a1a2e34UL, 0x1b1b2d36UL, 0x6e6eb2dcUL, + 0x5a5aeeb4UL, 0xa0a0fb5bUL, 0x5252f6a4UL, 0x3b3b4d76UL, 0xd6d661b7UL, + 0xb3b3ce7dUL, 0x29297b52UL, 0xe3e33eddUL, 0x2f2f715eUL, 0x84849713UL, + 0x5353f5a6UL, 0xd1d168b9UL, 0x00000000UL, 0xeded2cc1UL, 0x20206040UL, + 0xfcfc1fe3UL, 0xb1b1c879UL, 0x5b5bedb6UL, 0x6a6abed4UL, 0xcbcb468dUL, + 0xbebed967UL, 0x39394b72UL, 0x4a4ade94UL, 0x4c4cd498UL, 0x5858e8b0UL, + 0xcfcf4a85UL, 0xd0d06bbbUL, 0xefef2ac5UL, 0xaaaae54fUL, 0xfbfb16edUL, + 0x4343c586UL, 0x4d4dd79aUL, 0x33335566UL, 0x85859411UL, 0x4545cf8aUL, + 0xf9f910e9UL, 0x02020604UL, 0x7f7f81feUL, 0x5050f0a0UL, 0x3c3c4478UL, + 0x9f9fba25UL, 0xa8a8e34bUL, 0x5151f3a2UL, 0xa3a3fe5dUL, 0x4040c080UL, + 0x8f8f8a05UL, 0x9292ad3fUL, 0x9d9dbc21UL, 0x38384870UL, 0xf5f504f1UL, + 0xbcbcdf63UL, 0xb6b6c177UL, 0xdada75afUL, 0x21216342UL, 0x10103020UL, + 0xffff1ae5UL, 0xf3f30efdUL, 0xd2d26dbfUL, 0xcdcd4c81UL, 0x0c0c1418UL, + 0x13133526UL, 0xecec2fc3UL, 0x5f5fe1beUL, 0x9797a235UL, 0x4444cc88UL, + 0x1717392eUL, 0xc4c45793UL, 0xa7a7f255UL, 0x7e7e82fcUL, 0x3d3d477aUL, + 0x6464acc8UL, 0x5d5de7baUL, 0x19192b32UL, 0x737395e6UL, 0x6060a0c0UL, + 0x81819819UL, 0x4f4fd19eUL, 0xdcdc7fa3UL, 0x22226644UL, 0x2a2a7e54UL, + 0x9090ab3bUL, 0x8888830bUL, 0x4646ca8cUL, 0xeeee29c7UL, 0xb8b8d36bUL, + 0x14143c28UL, 0xdede79a7UL, 0x5e5ee2bcUL, 0x0b0b1d16UL, 0xdbdb76adUL, + 0xe0e03bdbUL, 0x32325664UL, 0x3a3a4e74UL, 0x0a0a1e14UL, 0x4949db92UL, + 0x06060a0cUL, 0x24246c48UL, 0x5c5ce4b8UL, 0xc2c25d9fUL, 0xd3d36ebdUL, + 0xacacef43UL, 0x6262a6c4UL, 0x9191a839UL, 0x9595a431UL, 0xe4e437d3UL, + 0x79798bf2UL, 0xe7e732d5UL, 0xc8c8438bUL, 0x3737596eUL, 0x6d6db7daUL, + 0x8d8d8c01UL, 0xd5d564b1UL, 0x4e4ed29cUL, 0xa9a9e049UL, 0x6c6cb4d8UL, + 0x5656faacUL, 0xf4f407f3UL, 0xeaea25cfUL, 0x6565afcaUL, 0x7a7a8ef4UL, + 0xaeaee947UL, 0x08081810UL, 0xbabad56fUL, 0x787888f0UL, 0x25256f4aUL, + 0x2e2e725cUL, 0x1c1c2438UL, 0xa6a6f157UL, 0xb4b4c773UL, 0xc6c65197UL, + 0xe8e823cbUL, 0xdddd7ca1UL, 0x74749ce8UL, 0x1f1f213eUL, 0x4b4bdd96UL, + 0xbdbddc61UL, 0x8b8b860dUL, 0x8a8a850fUL, 0x707090e0UL, 0x3e3e427cUL, + 0xb5b5c471UL, 0x6666aaccUL, 0x4848d890UL, 0x03030506UL, 0xf6f601f7UL, + 0x0e0e121cUL, 0x6161a3c2UL, 0x35355f6aUL, 0x5757f9aeUL, 0xb9b9d069UL, + 0x86869117UL, 0xc1c15899UL, 0x1d1d273aUL, 0x9e9eb927UL, 0xe1e138d9UL, + 0xf8f813ebUL, 0x9898b32bUL, 0x11113322UL, 0x6969bbd2UL, 0xd9d970a9UL, + 0x8e8e8907UL, 0x9494a733UL, 0x9b9bb62dUL, 0x1e1e223cUL, 0x87879215UL, + 0xe9e920c9UL, 0xcece4987UL, 0x5555ffaaUL, 0x28287850UL, 0xdfdf7aa5UL, + 0x8c8c8f03UL, 0xa1a1f859UL, 0x89898009UL, 0x0d0d171aUL, 0xbfbfda65UL, + 0xe6e631d7UL, 0x4242c684UL, 0x6868b8d0UL, 0x4141c382UL, 0x9999b029UL, + 0x2d2d775aUL, 0x0f0f111eUL, 0xb0b0cb7bUL, 0x5454fca8UL, 0xbbbbd66dUL, + 0x16163a2cUL}; + +const uint32_t AES_PRECOMP_TE4_0[256] = { + 0x00000063UL, 0x0000007cUL, 0x00000077UL, 0x0000007bUL, 0x000000f2UL, + 0x0000006bUL, 0x0000006fUL, 0x000000c5UL, 0x00000030UL, 0x00000001UL, + 0x00000067UL, 0x0000002bUL, 0x000000feUL, 0x000000d7UL, 0x000000abUL, + 0x00000076UL, 0x000000caUL, 0x00000082UL, 0x000000c9UL, 0x0000007dUL, + 0x000000faUL, 0x00000059UL, 0x00000047UL, 0x000000f0UL, 0x000000adUL, + 0x000000d4UL, 0x000000a2UL, 0x000000afUL, 0x0000009cUL, 0x000000a4UL, + 0x00000072UL, 0x000000c0UL, 0x000000b7UL, 0x000000fdUL, 0x00000093UL, + 0x00000026UL, 0x00000036UL, 0x0000003fUL, 0x000000f7UL, 0x000000ccUL, + 0x00000034UL, 0x000000a5UL, 0x000000e5UL, 0x000000f1UL, 0x00000071UL, + 0x000000d8UL, 0x00000031UL, 0x00000015UL, 0x00000004UL, 0x000000c7UL, + 0x00000023UL, 0x000000c3UL, 0x00000018UL, 0x00000096UL, 0x00000005UL, + 0x0000009aUL, 0x00000007UL, 0x00000012UL, 0x00000080UL, 0x000000e2UL, + 0x000000ebUL, 0x00000027UL, 0x000000b2UL, 0x00000075UL, 0x00000009UL, + 0x00000083UL, 0x0000002cUL, 0x0000001aUL, 0x0000001bUL, 0x0000006eUL, + 0x0000005aUL, 0x000000a0UL, 0x00000052UL, 0x0000003bUL, 0x000000d6UL, + 0x000000b3UL, 0x00000029UL, 0x000000e3UL, 0x0000002fUL, 0x00000084UL, + 0x00000053UL, 0x000000d1UL, 0x00000000UL, 0x000000edUL, 0x00000020UL, + 0x000000fcUL, 0x000000b1UL, 0x0000005bUL, 0x0000006aUL, 0x000000cbUL, + 0x000000beUL, 0x00000039UL, 0x0000004aUL, 0x0000004cUL, 0x00000058UL, + 0x000000cfUL, 0x000000d0UL, 0x000000efUL, 0x000000aaUL, 0x000000fbUL, + 0x00000043UL, 0x0000004dUL, 0x00000033UL, 0x00000085UL, 0x00000045UL, + 0x000000f9UL, 0x00000002UL, 0x0000007fUL, 0x00000050UL, 0x0000003cUL, + 0x0000009fUL, 0x000000a8UL, 0x00000051UL, 0x000000a3UL, 0x00000040UL, + 0x0000008fUL, 0x00000092UL, 0x0000009dUL, 0x00000038UL, 0x000000f5UL, + 0x000000bcUL, 0x000000b6UL, 0x000000daUL, 0x00000021UL, 0x00000010UL, + 0x000000ffUL, 0x000000f3UL, 0x000000d2UL, 0x000000cdUL, 0x0000000cUL, + 0x00000013UL, 0x000000ecUL, 0x0000005fUL, 0x00000097UL, 0x00000044UL, + 0x00000017UL, 0x000000c4UL, 0x000000a7UL, 0x0000007eUL, 0x0000003dUL, + 0x00000064UL, 0x0000005dUL, 0x00000019UL, 0x00000073UL, 0x00000060UL, + 0x00000081UL, 0x0000004fUL, 0x000000dcUL, 0x00000022UL, 0x0000002aUL, + 0x00000090UL, 0x00000088UL, 0x00000046UL, 0x000000eeUL, 0x000000b8UL, + 0x00000014UL, 0x000000deUL, 0x0000005eUL, 0x0000000bUL, 0x000000dbUL, + 0x000000e0UL, 0x00000032UL, 0x0000003aUL, 0x0000000aUL, 0x00000049UL, + 0x00000006UL, 0x00000024UL, 0x0000005cUL, 0x000000c2UL, 0x000000d3UL, + 0x000000acUL, 0x00000062UL, 0x00000091UL, 0x00000095UL, 0x000000e4UL, + 0x00000079UL, 0x000000e7UL, 0x000000c8UL, 0x00000037UL, 0x0000006dUL, + 0x0000008dUL, 0x000000d5UL, 0x0000004eUL, 0x000000a9UL, 0x0000006cUL, + 0x00000056UL, 0x000000f4UL, 0x000000eaUL, 0x00000065UL, 0x0000007aUL, + 0x000000aeUL, 0x00000008UL, 0x000000baUL, 0x00000078UL, 0x00000025UL, + 0x0000002eUL, 0x0000001cUL, 0x000000a6UL, 0x000000b4UL, 0x000000c6UL, + 0x000000e8UL, 0x000000ddUL, 0x00000074UL, 0x0000001fUL, 0x0000004bUL, + 0x000000bdUL, 0x0000008bUL, 0x0000008aUL, 0x00000070UL, 0x0000003eUL, + 0x000000b5UL, 0x00000066UL, 0x00000048UL, 0x00000003UL, 0x000000f6UL, + 0x0000000eUL, 0x00000061UL, 0x00000035UL, 0x00000057UL, 0x000000b9UL, + 0x00000086UL, 0x000000c1UL, 0x0000001dUL, 0x0000009eUL, 0x000000e1UL, + 0x000000f8UL, 0x00000098UL, 0x00000011UL, 0x00000069UL, 0x000000d9UL, + 0x0000008eUL, 0x00000094UL, 0x0000009bUL, 0x0000001eUL, 0x00000087UL, + 0x000000e9UL, 0x000000ceUL, 0x00000055UL, 0x00000028UL, 0x000000dfUL, + 0x0000008cUL, 0x000000a1UL, 0x00000089UL, 0x0000000dUL, 0x000000bfUL, + 0x000000e6UL, 0x00000042UL, 0x00000068UL, 0x00000041UL, 0x00000099UL, + 0x0000002dUL, 0x0000000fUL, 0x000000b0UL, 0x00000054UL, 0x000000bbUL, + 0x00000016UL}; + +const uint32_t AES_PRECOMP_TE4_1[256] = { + 0x00006300UL, 0x00007c00UL, 0x00007700UL, 0x00007b00UL, 0x0000f200UL, + 0x00006b00UL, 0x00006f00UL, 0x0000c500UL, 0x00003000UL, 0x00000100UL, + 0x00006700UL, 0x00002b00UL, 0x0000fe00UL, 0x0000d700UL, 0x0000ab00UL, + 0x00007600UL, 0x0000ca00UL, 0x00008200UL, 0x0000c900UL, 0x00007d00UL, + 0x0000fa00UL, 0x00005900UL, 0x00004700UL, 0x0000f000UL, 0x0000ad00UL, + 0x0000d400UL, 0x0000a200UL, 0x0000af00UL, 0x00009c00UL, 0x0000a400UL, + 0x00007200UL, 0x0000c000UL, 0x0000b700UL, 0x0000fd00UL, 0x00009300UL, + 0x00002600UL, 0x00003600UL, 0x00003f00UL, 0x0000f700UL, 0x0000cc00UL, + 0x00003400UL, 0x0000a500UL, 0x0000e500UL, 0x0000f100UL, 0x00007100UL, + 0x0000d800UL, 0x00003100UL, 0x00001500UL, 0x00000400UL, 0x0000c700UL, + 0x00002300UL, 0x0000c300UL, 0x00001800UL, 0x00009600UL, 0x00000500UL, + 0x00009a00UL, 0x00000700UL, 0x00001200UL, 0x00008000UL, 0x0000e200UL, + 0x0000eb00UL, 0x00002700UL, 0x0000b200UL, 0x00007500UL, 0x00000900UL, + 0x00008300UL, 0x00002c00UL, 0x00001a00UL, 0x00001b00UL, 0x00006e00UL, + 0x00005a00UL, 0x0000a000UL, 0x00005200UL, 0x00003b00UL, 0x0000d600UL, + 0x0000b300UL, 0x00002900UL, 0x0000e300UL, 0x00002f00UL, 0x00008400UL, + 0x00005300UL, 0x0000d100UL, 0x00000000UL, 0x0000ed00UL, 0x00002000UL, + 0x0000fc00UL, 0x0000b100UL, 0x00005b00UL, 0x00006a00UL, 0x0000cb00UL, + 0x0000be00UL, 0x00003900UL, 0x00004a00UL, 0x00004c00UL, 0x00005800UL, + 0x0000cf00UL, 0x0000d000UL, 0x0000ef00UL, 0x0000aa00UL, 0x0000fb00UL, + 0x00004300UL, 0x00004d00UL, 0x00003300UL, 0x00008500UL, 0x00004500UL, + 0x0000f900UL, 0x00000200UL, 0x00007f00UL, 0x00005000UL, 0x00003c00UL, + 0x00009f00UL, 0x0000a800UL, 0x00005100UL, 0x0000a300UL, 0x00004000UL, + 0x00008f00UL, 0x00009200UL, 0x00009d00UL, 0x00003800UL, 0x0000f500UL, + 0x0000bc00UL, 0x0000b600UL, 0x0000da00UL, 0x00002100UL, 0x00001000UL, + 0x0000ff00UL, 0x0000f300UL, 0x0000d200UL, 0x0000cd00UL, 0x00000c00UL, + 0x00001300UL, 0x0000ec00UL, 0x00005f00UL, 0x00009700UL, 0x00004400UL, + 0x00001700UL, 0x0000c400UL, 0x0000a700UL, 0x00007e00UL, 0x00003d00UL, + 0x00006400UL, 0x00005d00UL, 0x00001900UL, 0x00007300UL, 0x00006000UL, + 0x00008100UL, 0x00004f00UL, 0x0000dc00UL, 0x00002200UL, 0x00002a00UL, + 0x00009000UL, 0x00008800UL, 0x00004600UL, 0x0000ee00UL, 0x0000b800UL, + 0x00001400UL, 0x0000de00UL, 0x00005e00UL, 0x00000b00UL, 0x0000db00UL, + 0x0000e000UL, 0x00003200UL, 0x00003a00UL, 0x00000a00UL, 0x00004900UL, + 0x00000600UL, 0x00002400UL, 0x00005c00UL, 0x0000c200UL, 0x0000d300UL, + 0x0000ac00UL, 0x00006200UL, 0x00009100UL, 0x00009500UL, 0x0000e400UL, + 0x00007900UL, 0x0000e700UL, 0x0000c800UL, 0x00003700UL, 0x00006d00UL, + 0x00008d00UL, 0x0000d500UL, 0x00004e00UL, 0x0000a900UL, 0x00006c00UL, + 0x00005600UL, 0x0000f400UL, 0x0000ea00UL, 0x00006500UL, 0x00007a00UL, + 0x0000ae00UL, 0x00000800UL, 0x0000ba00UL, 0x00007800UL, 0x00002500UL, + 0x00002e00UL, 0x00001c00UL, 0x0000a600UL, 0x0000b400UL, 0x0000c600UL, + 0x0000e800UL, 0x0000dd00UL, 0x00007400UL, 0x00001f00UL, 0x00004b00UL, + 0x0000bd00UL, 0x00008b00UL, 0x00008a00UL, 0x00007000UL, 0x00003e00UL, + 0x0000b500UL, 0x00006600UL, 0x00004800UL, 0x00000300UL, 0x0000f600UL, + 0x00000e00UL, 0x00006100UL, 0x00003500UL, 0x00005700UL, 0x0000b900UL, + 0x00008600UL, 0x0000c100UL, 0x00001d00UL, 0x00009e00UL, 0x0000e100UL, + 0x0000f800UL, 0x00009800UL, 0x00001100UL, 0x00006900UL, 0x0000d900UL, + 0x00008e00UL, 0x00009400UL, 0x00009b00UL, 0x00001e00UL, 0x00008700UL, + 0x0000e900UL, 0x0000ce00UL, 0x00005500UL, 0x00002800UL, 0x0000df00UL, + 0x00008c00UL, 0x0000a100UL, 0x00008900UL, 0x00000d00UL, 0x0000bf00UL, + 0x0000e600UL, 0x00004200UL, 0x00006800UL, 0x00004100UL, 0x00009900UL, + 0x00002d00UL, 0x00000f00UL, 0x0000b000UL, 0x00005400UL, 0x0000bb00UL, + 0x00001600UL}; + +const uint32_t AES_PRECOMP_TE4_2[256] = { + 0x00630000UL, 0x007c0000UL, 0x00770000UL, 0x007b0000UL, 0x00f20000UL, + 0x006b0000UL, 0x006f0000UL, 0x00c50000UL, 0x00300000UL, 0x00010000UL, + 0x00670000UL, 0x002b0000UL, 0x00fe0000UL, 0x00d70000UL, 0x00ab0000UL, + 0x00760000UL, 0x00ca0000UL, 0x00820000UL, 0x00c90000UL, 0x007d0000UL, + 0x00fa0000UL, 0x00590000UL, 0x00470000UL, 0x00f00000UL, 0x00ad0000UL, + 0x00d40000UL, 0x00a20000UL, 0x00af0000UL, 0x009c0000UL, 0x00a40000UL, + 0x00720000UL, 0x00c00000UL, 0x00b70000UL, 0x00fd0000UL, 0x00930000UL, + 0x00260000UL, 0x00360000UL, 0x003f0000UL, 0x00f70000UL, 0x00cc0000UL, + 0x00340000UL, 0x00a50000UL, 0x00e50000UL, 0x00f10000UL, 0x00710000UL, + 0x00d80000UL, 0x00310000UL, 0x00150000UL, 0x00040000UL, 0x00c70000UL, + 0x00230000UL, 0x00c30000UL, 0x00180000UL, 0x00960000UL, 0x00050000UL, + 0x009a0000UL, 0x00070000UL, 0x00120000UL, 0x00800000UL, 0x00e20000UL, + 0x00eb0000UL, 0x00270000UL, 0x00b20000UL, 0x00750000UL, 0x00090000UL, + 0x00830000UL, 0x002c0000UL, 0x001a0000UL, 0x001b0000UL, 0x006e0000UL, + 0x005a0000UL, 0x00a00000UL, 0x00520000UL, 0x003b0000UL, 0x00d60000UL, + 0x00b30000UL, 0x00290000UL, 0x00e30000UL, 0x002f0000UL, 0x00840000UL, + 0x00530000UL, 0x00d10000UL, 0x00000000UL, 0x00ed0000UL, 0x00200000UL, + 0x00fc0000UL, 0x00b10000UL, 0x005b0000UL, 0x006a0000UL, 0x00cb0000UL, + 0x00be0000UL, 0x00390000UL, 0x004a0000UL, 0x004c0000UL, 0x00580000UL, + 0x00cf0000UL, 0x00d00000UL, 0x00ef0000UL, 0x00aa0000UL, 0x00fb0000UL, + 0x00430000UL, 0x004d0000UL, 0x00330000UL, 0x00850000UL, 0x00450000UL, + 0x00f90000UL, 0x00020000UL, 0x007f0000UL, 0x00500000UL, 0x003c0000UL, + 0x009f0000UL, 0x00a80000UL, 0x00510000UL, 0x00a30000UL, 0x00400000UL, + 0x008f0000UL, 0x00920000UL, 0x009d0000UL, 0x00380000UL, 0x00f50000UL, + 0x00bc0000UL, 0x00b60000UL, 0x00da0000UL, 0x00210000UL, 0x00100000UL, + 0x00ff0000UL, 0x00f30000UL, 0x00d20000UL, 0x00cd0000UL, 0x000c0000UL, + 0x00130000UL, 0x00ec0000UL, 0x005f0000UL, 0x00970000UL, 0x00440000UL, + 0x00170000UL, 0x00c40000UL, 0x00a70000UL, 0x007e0000UL, 0x003d0000UL, + 0x00640000UL, 0x005d0000UL, 0x00190000UL, 0x00730000UL, 0x00600000UL, + 0x00810000UL, 0x004f0000UL, 0x00dc0000UL, 0x00220000UL, 0x002a0000UL, + 0x00900000UL, 0x00880000UL, 0x00460000UL, 0x00ee0000UL, 0x00b80000UL, + 0x00140000UL, 0x00de0000UL, 0x005e0000UL, 0x000b0000UL, 0x00db0000UL, + 0x00e00000UL, 0x00320000UL, 0x003a0000UL, 0x000a0000UL, 0x00490000UL, + 0x00060000UL, 0x00240000UL, 0x005c0000UL, 0x00c20000UL, 0x00d30000UL, + 0x00ac0000UL, 0x00620000UL, 0x00910000UL, 0x00950000UL, 0x00e40000UL, + 0x00790000UL, 0x00e70000UL, 0x00c80000UL, 0x00370000UL, 0x006d0000UL, + 0x008d0000UL, 0x00d50000UL, 0x004e0000UL, 0x00a90000UL, 0x006c0000UL, + 0x00560000UL, 0x00f40000UL, 0x00ea0000UL, 0x00650000UL, 0x007a0000UL, + 0x00ae0000UL, 0x00080000UL, 0x00ba0000UL, 0x00780000UL, 0x00250000UL, + 0x002e0000UL, 0x001c0000UL, 0x00a60000UL, 0x00b40000UL, 0x00c60000UL, + 0x00e80000UL, 0x00dd0000UL, 0x00740000UL, 0x001f0000UL, 0x004b0000UL, + 0x00bd0000UL, 0x008b0000UL, 0x008a0000UL, 0x00700000UL, 0x003e0000UL, + 0x00b50000UL, 0x00660000UL, 0x00480000UL, 0x00030000UL, 0x00f60000UL, + 0x000e0000UL, 0x00610000UL, 0x00350000UL, 0x00570000UL, 0x00b90000UL, + 0x00860000UL, 0x00c10000UL, 0x001d0000UL, 0x009e0000UL, 0x00e10000UL, + 0x00f80000UL, 0x00980000UL, 0x00110000UL, 0x00690000UL, 0x00d90000UL, + 0x008e0000UL, 0x00940000UL, 0x009b0000UL, 0x001e0000UL, 0x00870000UL, + 0x00e90000UL, 0x00ce0000UL, 0x00550000UL, 0x00280000UL, 0x00df0000UL, + 0x008c0000UL, 0x00a10000UL, 0x00890000UL, 0x000d0000UL, 0x00bf0000UL, + 0x00e60000UL, 0x00420000UL, 0x00680000UL, 0x00410000UL, 0x00990000UL, + 0x002d0000UL, 0x000f0000UL, 0x00b00000UL, 0x00540000UL, 0x00bb0000UL, + 0x00160000UL}; + +const uint32_t AES_PRECOMP_TE4_3[256] = { + 0x63000000UL, 0x7c000000UL, 0x77000000UL, 0x7b000000UL, 0xf2000000UL, + 0x6b000000UL, 0x6f000000UL, 0xc5000000UL, 0x30000000UL, 0x01000000UL, + 0x67000000UL, 0x2b000000UL, 0xfe000000UL, 0xd7000000UL, 0xab000000UL, + 0x76000000UL, 0xca000000UL, 0x82000000UL, 0xc9000000UL, 0x7d000000UL, + 0xfa000000UL, 0x59000000UL, 0x47000000UL, 0xf0000000UL, 0xad000000UL, + 0xd4000000UL, 0xa2000000UL, 0xaf000000UL, 0x9c000000UL, 0xa4000000UL, + 0x72000000UL, 0xc0000000UL, 0xb7000000UL, 0xfd000000UL, 0x93000000UL, + 0x26000000UL, 0x36000000UL, 0x3f000000UL, 0xf7000000UL, 0xcc000000UL, + 0x34000000UL, 0xa5000000UL, 0xe5000000UL, 0xf1000000UL, 0x71000000UL, + 0xd8000000UL, 0x31000000UL, 0x15000000UL, 0x04000000UL, 0xc7000000UL, + 0x23000000UL, 0xc3000000UL, 0x18000000UL, 0x96000000UL, 0x05000000UL, + 0x9a000000UL, 0x07000000UL, 0x12000000UL, 0x80000000UL, 0xe2000000UL, + 0xeb000000UL, 0x27000000UL, 0xb2000000UL, 0x75000000UL, 0x09000000UL, + 0x83000000UL, 0x2c000000UL, 0x1a000000UL, 0x1b000000UL, 0x6e000000UL, + 0x5a000000UL, 0xa0000000UL, 0x52000000UL, 0x3b000000UL, 0xd6000000UL, + 0xb3000000UL, 0x29000000UL, 0xe3000000UL, 0x2f000000UL, 0x84000000UL, + 0x53000000UL, 0xd1000000UL, 0x00000000UL, 0xed000000UL, 0x20000000UL, + 0xfc000000UL, 0xb1000000UL, 0x5b000000UL, 0x6a000000UL, 0xcb000000UL, + 0xbe000000UL, 0x39000000UL, 0x4a000000UL, 0x4c000000UL, 0x58000000UL, + 0xcf000000UL, 0xd0000000UL, 0xef000000UL, 0xaa000000UL, 0xfb000000UL, + 0x43000000UL, 0x4d000000UL, 0x33000000UL, 0x85000000UL, 0x45000000UL, + 0xf9000000UL, 0x02000000UL, 0x7f000000UL, 0x50000000UL, 0x3c000000UL, + 0x9f000000UL, 0xa8000000UL, 0x51000000UL, 0xa3000000UL, 0x40000000UL, + 0x8f000000UL, 0x92000000UL, 0x9d000000UL, 0x38000000UL, 0xf5000000UL, + 0xbc000000UL, 0xb6000000UL, 0xda000000UL, 0x21000000UL, 0x10000000UL, + 0xff000000UL, 0xf3000000UL, 0xd2000000UL, 0xcd000000UL, 0x0c000000UL, + 0x13000000UL, 0xec000000UL, 0x5f000000UL, 0x97000000UL, 0x44000000UL, + 0x17000000UL, 0xc4000000UL, 0xa7000000UL, 0x7e000000UL, 0x3d000000UL, + 0x64000000UL, 0x5d000000UL, 0x19000000UL, 0x73000000UL, 0x60000000UL, + 0x81000000UL, 0x4f000000UL, 0xdc000000UL, 0x22000000UL, 0x2a000000UL, + 0x90000000UL, 0x88000000UL, 0x46000000UL, 0xee000000UL, 0xb8000000UL, + 0x14000000UL, 0xde000000UL, 0x5e000000UL, 0x0b000000UL, 0xdb000000UL, + 0xe0000000UL, 0x32000000UL, 0x3a000000UL, 0x0a000000UL, 0x49000000UL, + 0x06000000UL, 0x24000000UL, 0x5c000000UL, 0xc2000000UL, 0xd3000000UL, + 0xac000000UL, 0x62000000UL, 0x91000000UL, 0x95000000UL, 0xe4000000UL, + 0x79000000UL, 0xe7000000UL, 0xc8000000UL, 0x37000000UL, 0x6d000000UL, + 0x8d000000UL, 0xd5000000UL, 0x4e000000UL, 0xa9000000UL, 0x6c000000UL, + 0x56000000UL, 0xf4000000UL, 0xea000000UL, 0x65000000UL, 0x7a000000UL, + 0xae000000UL, 0x08000000UL, 0xba000000UL, 0x78000000UL, 0x25000000UL, + 0x2e000000UL, 0x1c000000UL, 0xa6000000UL, 0xb4000000UL, 0xc6000000UL, + 0xe8000000UL, 0xdd000000UL, 0x74000000UL, 0x1f000000UL, 0x4b000000UL, + 0xbd000000UL, 0x8b000000UL, 0x8a000000UL, 0x70000000UL, 0x3e000000UL, + 0xb5000000UL, 0x66000000UL, 0x48000000UL, 0x03000000UL, 0xf6000000UL, + 0x0e000000UL, 0x61000000UL, 0x35000000UL, 0x57000000UL, 0xb9000000UL, + 0x86000000UL, 0xc1000000UL, 0x1d000000UL, 0x9e000000UL, 0xe1000000UL, + 0xf8000000UL, 0x98000000UL, 0x11000000UL, 0x69000000UL, 0xd9000000UL, + 0x8e000000UL, 0x94000000UL, 0x9b000000UL, 0x1e000000UL, 0x87000000UL, + 0xe9000000UL, 0xce000000UL, 0x55000000UL, 0x28000000UL, 0xdf000000UL, + 0x8c000000UL, 0xa1000000UL, 0x89000000UL, 0x0d000000UL, 0xbf000000UL, + 0xe6000000UL, 0x42000000UL, 0x68000000UL, 0x41000000UL, 0x99000000UL, + 0x2d000000UL, 0x0f000000UL, 0xb0000000UL, 0x54000000UL, 0xbb000000UL, + 0x16000000UL}; + +const uint32_t masks[32] = { + 0x80000000UL, 0x40000000UL, 0x20000000UL, 0x10000000UL, 0x08000000UL, + 0x04000000UL, 0x02000000UL, 0x01000000UL, 0x00800000UL, 0x00400000UL, + 0x00200000UL, 0x00100000UL, 0x00080000UL, 0x00040000UL, 0x00020000UL, + 0x00010000UL, 0x00008000UL, 0x00004000UL, 0x00002000UL, 0x00001000UL, + 0x00000800UL, 0x00000400UL, 0x00000200UL, 0x00000100UL, 0x00000080UL, + 0x00000040UL, 0x00000020UL, 0x00000010UL, 0x00000008UL, 0x00000004UL, + 0x00000002UL, 0x00000001UL}; + +CryptoUtils::CryptoUtils() { seeded = false; } + +unsigned CryptoUtils::scramble32(const unsigned in, const char key[16]) { + assert(key != NULL && "CryptoUtils::scramble key=NULL"); + + unsigned tmpA, tmpB; + + // Orr, Nathan or Adi can probably break it, but who cares? + + // Round 1 + tmpA = 0x0; + tmpA ^= AES_PRECOMP_TE0[((in >> 24) ^ key[0]) & 0xFF]; + tmpA ^= AES_PRECOMP_TE1[((in >> 16) ^ key[1]) & 0xFF]; + tmpA ^= AES_PRECOMP_TE2[((in >> 8) ^ key[2]) & 0xFF]; + tmpA ^= AES_PRECOMP_TE3[((in >> 0) ^ key[3]) & 0xFF]; + + // Round 2 + tmpB = 0x0; + tmpB ^= AES_PRECOMP_TE0[((tmpA >> 24) ^ key[4]) & 0xFF]; + tmpB ^= AES_PRECOMP_TE1[((tmpA >> 16) ^ key[5]) & 0xFF]; + tmpB ^= AES_PRECOMP_TE2[((tmpA >> 8) ^ key[6]) & 0xFF]; + tmpB ^= AES_PRECOMP_TE3[((tmpA >> 0) ^ key[7]) & 0xFF]; + + // Round 3 + tmpA = 0x0; + tmpA ^= AES_PRECOMP_TE0[((tmpB >> 24) ^ key[8]) & 0xFF]; + tmpA ^= AES_PRECOMP_TE1[((tmpB >> 16) ^ key[9]) & 0xFF]; + tmpA ^= AES_PRECOMP_TE2[((tmpB >> 8) ^ key[10]) & 0xFF]; + tmpA ^= AES_PRECOMP_TE3[((tmpB >> 0) ^ key[11]) & 0xFF]; + + // Round 4 + tmpB = 0x0; + tmpB ^= AES_PRECOMP_TE0[((tmpA >> 24) ^ key[12]) & 0xFF]; + tmpB ^= AES_PRECOMP_TE1[((tmpA >> 16) ^ key[13]) & 0xFF]; + tmpB ^= AES_PRECOMP_TE2[((tmpA >> 8) ^ key[14]) & 0xFF]; + tmpB ^= AES_PRECOMP_TE3[((tmpA >> 0) ^ key[15]) & 0xFF]; + + LOAD32H(tmpA, key); + + return tmpA ^ tmpB; +} + +bool CryptoUtils::prng_seed(std::string const &_seed) { + unsigned char s[16]; + unsigned int i = 0; + + /* We accept a prefix "0x" */ + if (!(_seed.size() == 32 || _seed.size() == 34)) { + errs() << "The AES-CTR PRNG seeding mechanism is expecting a 16-byte value " + "expressed in hexadecimal, like DEAD....BEEF\n"; + return false; + } + + seed = _seed; + + if (_seed.size() == 34) { + // Assuming that the two first characters are "0x" + i = 2; + } + + for (unsigned int j = 0; i < _seed.size(); i += 2, j++) { + std::string byte = _seed.substr(i, 2); + s[j] = (unsigned char)(int)strtol(byte.c_str(), NULL, 16); + } + + // _seed is defined to be the + // key initial value + memcpy(key, s, 16); + DEBUG_WITH_TYPE("cryptoutils", dbgs() + << "CPNRG seeded with " << _seed << "\n"); + + // ctr is initialized to all-zeroes + memset(ctr, 0, 16); + + // Once the seed is there, we compute the + // AES128 key-schedule + aes_compute_ks(ks, key); + + seeded = true; + + // We are now ready to fill the pool with + // cryptographically secure pseudo-random + // values. + populate_pool(); + return true; +} + +CryptoUtils::~CryptoUtils() { + // Some wiping work here + memset(key, 0, 16); + memset(ks, 0, 44 * sizeof(uint32_t)); + memset(ctr, 0, 16); + memset(pool, 0, CryptoUtils_POOL_SIZE); + + idx = 0; +} + +void CryptoUtils::populate_pool() { + + statsPopulate++; + + for (int i = 0; i < CryptoUtils_POOL_SIZE; i += 16) { + + // ctr += 1 + inc_ctr(); + + // We then encrypt the counter + aes_encrypt(pool + i, ctr, ks); + } + + // Reinitializing the index of the first + // available pseudo-random byte + idx = 0; +} + +#if defined(_WIN64) || defined(_WIN32) +// sic! don't change include order +#include +#include + +struct WinDevRandom { + WinDevRandom() : m_hcryptProv{0}, m_last_read{0} { + assert(!m_hcryptProv); + if (!CryptAcquireContext(&m_hcryptProv, nullptr, nullptr, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT)) { + errs() << "CryptAcquireContext failed (LastError: " << GetLastError() + << ")\n"; + } else { + assert(m_hcryptProv); + } + } + + ~WinDevRandom() { close(); } + + std::size_t read(char *key, std::size_t sz) { + assert(m_hcryptProv); + if (!CryptGenRandom(m_hcryptProv, sz, reinterpret_cast(key))) { + errs() << "CryptGenRandom failed (LastError: " << GetLastError() << ")\n"; + } + m_last_read = sz; + return sz; + } + + void close() { + if (m_hcryptProv && !CryptReleaseContext(m_hcryptProv, 0)) { + errs() << "CryptReleaseContext failed (LastError: " << GetLastError() + << ")\n"; + } + m_hcryptProv = 0; + assert(!m_hcryptProv); + } + + std::size_t gcount() { return m_last_read; } + + explicit operator bool() { return true; } + + bool good() const { return m_hcryptProv; } + +private: + HCRYPTPROV m_hcryptProv; + std::size_t m_last_read; +}; +#endif + +bool CryptoUtils::prng_seed() { + +#if defined(__linux__) + std::string const dev = "/dev/urandom"; + std::ifstream devrandom(dev); +#elif defined(_WIN64) || defined(_WIN32) + std::string const dev = "CryptGenRandom"; + WinDevRandom devrandom; +#else + std::string const dev = "/dev/random"; + std::ifstream devrandom(dev); +#endif + + if (!devrandom.good()) { + errs() << "Cannot open " << dev << "\n"; + return false; + } + + devrandom.read(key, 16); + auto const gc = devrandom.gcount(); + if (gc != 16) { + errs() << "Cannot read enough bytes got=" << gc << " want=16"; + return false; + } + + devrandom.close(); + DEBUG_WITH_TYPE("cryptoutils", + dbgs() << "cryptoutils seeded with " << dev << "\n"); + + std::memset(ctr, 0, 16); + + // Once the seed is there, we compute the + // AES128 key-schedule + aes_compute_ks(ks, key); + + seeded = true; + return true; +} + +void CryptoUtils::inc_ctr() { + uint64_t iseed; + + LOAD64H(iseed, ctr + 8); + ++iseed; + STORE64H(ctr + 8, iseed); +} + +char *CryptoUtils::get_seed() { + + if (seeded) { + return key; + } else { + return NULL; + } +} + +void CryptoUtils::get_bytes(char *buffer, const int len) { + + int sofar = 0, available = 0; + + assert(buffer != NULL && "CryptoUtils::get_bytes buffer=NULL"); + assert(len > 0 && "CryptoUtils::get_bytes len <= 0"); + + statsGetBytes++; + + if (len > 0) { + + // If the PRNG is not seeded, it the very last time to do it ! + if (!seeded) { + prng_seed(); + populate_pool(); + } + + do { + if (idx + (len - sofar) >= CryptoUtils_POOL_SIZE) { + // We don't have enough bytes ready in the pool, + // so let's use the available ones and repopulate ! + available = CryptoUtils_POOL_SIZE - idx; + memcpy(buffer + sofar, pool + idx, available); + sofar += available; + populate_pool(); + } else { + memcpy(buffer + sofar, pool + idx, len - sofar); + idx += len - sofar; + // This will trigger a loop exit + sofar = len; + } + } while (sofar < (len - 1)); + } +} + +uint8_t CryptoUtils::get_uint8_t() { + char ret; + + statsGetUint8++; + + get_bytes(&ret, 1); + + return (uint8_t)ret; +} + +uint16_t CryptoUtils::get_uint16_t() { + return (uint16_t)get_uint64_t(); +} + +char CryptoUtils::get_char() { + char ret; + + statsGetChar++; + + get_bytes(&ret, 1); + + return ret; +} + +uint32_t CryptoUtils::get_uint32_t() { + char tmp[4]; + uint32_t ret = 0; + + statsGetUint32++; + + get_bytes(tmp, 4); + + LOAD32H(ret, tmp); + + return ret; +} + +uint64_t CryptoUtils::get_uint64_t() { + char tmp[8]; + uint64_t ret = 0; + + statsGetUint64++; + + get_bytes(tmp, 8); + + LOAD64H(ret, tmp); + + return ret; +} + +uint32_t CryptoUtils::get_range(const uint32_t max) { + uint32_t log, r, mask; + + statsGetRange++; + + if (max == 0) { + return 0; + } else { + // Computing the above power of two + log = 32; + int i = 0; + // This loop will terminate, as there is at least one + // bit set somewhere in max + while (!(max & masks[i++])) { + log -= 1; + } + mask = (0x1UL << log) - 1; + + // This should loop two times in average + do { + r = get_uint32_t() & mask; + } while (r >= max); + + return r; + } +} + +void CryptoUtils::aes_compute_ks(uint32_t *ks, const char *k) { + int i; + uint32_t *p, tmp; + + assert(ks != NULL); + assert(k != NULL); + + LOAD32H(ks[0], k); + LOAD32H(ks[1], k + 4); + LOAD32H(ks[2], k + 8); + LOAD32H(ks[3], k + 12); + + p = ks; + i = 0; + while (1) { + tmp = p[3]; + tmp = ((AES_TE4_3(BYTE(tmp, 2))) ^ (AES_TE4_2(BYTE(tmp, 1))) ^ + (AES_TE4_1(BYTE(tmp, 0))) ^ (AES_TE4_0(BYTE(tmp, 3)))); + + p[4] = p[0] ^ tmp ^ AES_RCON[i]; + p[5] = p[1] ^ p[4]; + p[6] = p[2] ^ p[5]; + p[7] = p[3] ^ p[6]; + if (++i == 10) { + break; + } + p += 4; + } +} + +void CryptoUtils::aes_encrypt(char *out, const char *in, const uint32_t *ks) { + uint32_t state0 = 0, state1 = 0, state2 = 0, state3 = 0; + uint32_t tmp0, tmp1, tmp2, tmp3; + int i; + uint32_t r; + + statsAESEncrypt++; + + r = 0; + LOAD32H(state0, in + 0); + LOAD32H(state1, in + 4); + LOAD32H(state2, in + 8); + LOAD32H(state3, in + 12); + + state0 ^= ks[r + 0]; + state1 ^= ks[r + 1]; + state2 ^= ks[r + 2]; + state3 ^= ks[r + 3]; + + i = 0; + while (1) { + r += 4; + + tmp0 = AES_TE0(BYTE(state0, 3)) ^ AES_TE1(BYTE(state1, 2)) ^ + AES_TE2(BYTE(state2, 1)) ^ AES_TE3(BYTE(state3, 0)) ^ ks[r + 0]; + + tmp1 = AES_TE0(BYTE(state1, 3)) ^ AES_TE1(BYTE(state2, 2)) ^ + AES_TE2(BYTE(state3, 1)) ^ AES_TE3(BYTE(state0, 0)) ^ ks[r + 1]; + + tmp2 = AES_TE0(BYTE(state2, 3)) ^ AES_TE1(BYTE(state3, 2)) ^ + AES_TE2(BYTE(state0, 1)) ^ AES_TE3(BYTE(state1, 0)) ^ ks[r + 2]; + + tmp3 = AES_TE0(BYTE(state3, 3)) ^ AES_TE1(BYTE(state0, 2)) ^ + AES_TE2(BYTE(state1, 1)) ^ AES_TE3(BYTE(state2, 0)) ^ ks[r + 3]; + + if (i == 8) { + break; + } + i++; + state0 = tmp0; + state1 = tmp1; + state2 = tmp2; + state3 = tmp3; + } + + r += 4; + state0 = (AES_TE4_3(BYTE(tmp0, 3))) ^ (AES_TE4_2(BYTE(tmp1, 2))) ^ + (AES_TE4_1(BYTE(tmp2, 1))) ^ (AES_TE4_0(BYTE(tmp3, 0))) ^ ks[r + 0]; + + state1 = (AES_TE4_3(BYTE(tmp1, 3))) ^ (AES_TE4_2(BYTE(tmp2, 2))) ^ + (AES_TE4_1(BYTE(tmp3, 1))) ^ (AES_TE4_0(BYTE(tmp0, 0))) ^ ks[r + 1]; + + state2 = (AES_TE4_3(BYTE(tmp2, 3))) ^ (AES_TE4_2(BYTE(tmp3, 2))) ^ + (AES_TE4_1(BYTE(tmp0, 1))) ^ (AES_TE4_0(BYTE(tmp1, 0))) ^ ks[r + 2]; + + state3 = (AES_TE4_3(BYTE(tmp3, 3))) ^ (AES_TE4_2(BYTE(tmp0, 2))) ^ + (AES_TE4_1(BYTE(tmp1, 1))) ^ (AES_TE4_0(BYTE(tmp2, 0))) ^ ks[r + 3]; + + STORE32H(out + 0, state0); + STORE32H(out + 4, state1); + STORE32H(out + 8, state2); + STORE32H(out + 12, state3); +} + +int CryptoUtils::sha256_process(sha256_state *md, const unsigned char *in, + unsigned long inlen) { + unsigned long n; + int err; + assert(md != NULL && "CryptoUtils::sha256_process md=NULL"); + assert(in != NULL && "CryptoUtils::sha256_process in=NULL"); + + if (md->curlen > sizeof(md->buf)) { + return 1; + } + while (inlen > 0) { + if (md->curlen == 0 && inlen >= 64) { + if ((err = sha256_compress(md, (unsigned char *)in)) != 0) { + return err; + } + md->length += 64 * 8; + in += 64; + inlen -= 64; + } else { + n = MIN(inlen, (64 - md->curlen)); + memcpy(md->buf + md->curlen, in, (size_t)n); + md->curlen += n; + in += n; + inlen -= n; + if (md->curlen == 64) { + if ((err = sha256_compress(md, md->buf)) != 0) { + return err; + } + md->length += 8 * 64; + md->curlen = 0; + } + } + } + return 0; +} + +int CryptoUtils::sha256_compress(sha256_state *md, unsigned char *buf) { + uint32_t S[8], W[64], t0, t1; + int i; + + /* copy state into S */ + for (i = 0; i < 8; i++) { + S[i] = md->state[i]; + } + + /* copy the state into 512-bits into W[0..15] */ + for (i = 0; i < 16; i++) { + LOAD32H(W[i], buf + (4 * i)); + } + + /* fill W[16..63] */ + for (i = 16; i < 64; i++) { + W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16]; + } + + /* Compress */ + + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 0, 0x428a2f98); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 1, 0x71374491); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 2, 0xb5c0fbcf); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 3, 0xe9b5dba5); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 4, 0x3956c25b); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 5, 0x59f111f1); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 6, 0x923f82a4); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 7, 0xab1c5ed5); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 8, 0xd807aa98); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 9, 0x12835b01); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 10, 0x243185be); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 11, 0x550c7dc3); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 12, 0x72be5d74); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 13, 0x80deb1fe); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 14, 0x9bdc06a7); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 15, 0xc19bf174); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 16, 0xe49b69c1); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 17, 0xefbe4786); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 18, 0x0fc19dc6); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 19, 0x240ca1cc); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 20, 0x2de92c6f); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 21, 0x4a7484aa); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 22, 0x5cb0a9dc); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 23, 0x76f988da); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 24, 0x983e5152); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 25, 0xa831c66d); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 26, 0xb00327c8); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 27, 0xbf597fc7); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 28, 0xc6e00bf3); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 29, 0xd5a79147); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 30, 0x06ca6351); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 31, 0x14292967); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 32, 0x27b70a85); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 33, 0x2e1b2138); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 34, 0x4d2c6dfc); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 35, 0x53380d13); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 36, 0x650a7354); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 37, 0x766a0abb); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 38, 0x81c2c92e); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 39, 0x92722c85); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 40, 0xa2bfe8a1); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 41, 0xa81a664b); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 42, 0xc24b8b70); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 43, 0xc76c51a3); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 44, 0xd192e819); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 45, 0xd6990624); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 46, 0xf40e3585); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 47, 0x106aa070); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 48, 0x19a4c116); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 49, 0x1e376c08); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 50, 0x2748774c); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 51, 0x34b0bcb5); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 52, 0x391c0cb3); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 53, 0x4ed8aa4a); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 54, 0x5b9cca4f); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 55, 0x682e6ff3); + RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 56, 0x748f82ee); + RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 57, 0x78a5636f); + RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 58, 0x84c87814); + RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 59, 0x8cc70208); + RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 60, 0x90befffa); + RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 61, 0xa4506ceb); + RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 62, 0xbef9a3f7); + RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 63, 0xc67178f2); + + /* feedback */ + for (i = 0; i < 8; i++) { + md->state[i] = md->state[i] + S[i]; + } + return 0; +} + +/** + Initialize the hash state + @param md The hash state you wish to initialize + @return CRYPT_OK if successful +*/ +int CryptoUtils::sha256_init(sha256_state *md) { + assert(md != NULL && "CryptoUtils::sha256_init md=NULL"); + + md->curlen = 0; + md->length = 0; + md->state[0] = 0x6A09E667UL; + md->state[1] = 0xBB67AE85UL; + md->state[2] = 0x3C6EF372UL; + md->state[3] = 0xA54FF53AUL; + md->state[4] = 0x510E527FUL; + md->state[5] = 0x9B05688CUL; + md->state[6] = 0x1F83D9ABUL; + md->state[7] = 0x5BE0CD19UL; + return 0; +} + +/** + Terminate the hash to get the digest + @param md The hash state + @param out [out] The destination of the hash (32 bytes) + @return CRYPT_OK if successful +*/ +int CryptoUtils::sha256_done(sha256_state *md, unsigned char *out) { + int i; + + assert(md != NULL && "CryptoUtils::sha256_done md=NULL"); + assert(out != NULL && "CryptoUtils::sha256_done out=NULL"); + + if (md->curlen >= sizeof(md->buf)) { + return 1; + } + + /* increase the length of the message */ + md->length += md->curlen * 8; + + /* append the '1' bit */ + md->buf[md->curlen++] = (unsigned char)0x80; + + /* if the length is currently above 56 bytes we append zeros + * then compress. Then we can fall back to padding zeros and length + * encoding like normal. + */ + if (md->curlen > 56) { + while (md->curlen < 64) { + md->buf[md->curlen++] = (unsigned char)0; + } + sha256_compress(md, md->buf); + md->curlen = 0; + } + + /* pad upto 56 bytes of zeroes */ + while (md->curlen < 56) { + md->buf[md->curlen++] = (unsigned char)0; + } + + /* store length */ + STORE64H(md->buf + 56, md->length); + sha256_compress(md, md->buf); + + /* copy output */ + for (i = 0; i < 8; i++) { + STORE32H(out + (4 * i), md->state[i]); + } + return 0; +} + +int CryptoUtils::sha256(const char *msg, unsigned char *hash) { + unsigned char tmp[32]; + sha256_state md; + + sha256_init(&md); + sha256_process(&md, (const unsigned char *)msg, + (unsigned long)strlen((const char *)msg)); + sha256_done(&md, tmp); + + memcpy(hash, tmp, 32); + return 0; +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/CryptoUtils.h b/llvm/lib/Passes/Obfuscation/CryptoUtils.h new file mode 100644 index 0000000000..6a1aee516c --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/CryptoUtils.h @@ -0,0 +1,147 @@ +//===- CryptoUtils.h - Cryptographically Secure Pseudo-Random Generator ---===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// This file contains includes and defines for the AES CTR PRNG +// The AES implementation has been derived and adapted +// from libtomcrypt (see http://libtom.org) +// Created on: 22 juin 2012 +// Author(s): jrinaldini, pjunod +//===----------------------------------------------------------------------===// +#ifndef _OBFUSCATION_CRYPTUTILS_H +#define _OBFUSCATION_CRYPTUTILS_H + +#include "llvm/Support/ManagedStatic.h" + +#include +#include +#include + +namespace llvm { + +class CryptoUtils; +extern ManagedStatic cryptoutils; + +#define BYTE(x, n) (((x) >> (8 * (n))) & 0xFF) + +#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ + defined(INTEL_CC) || defined(_WIN64) || defined(_WIN32) + +#ifndef ENDIAN_LITTLE +#define ENDIAN_LITTLE +#endif +#define ENDIAN_32BITWORD + +#if !defined(_WIN64) || !defined(_WIN32) +#ifndef UNALIGNED +#define UNALIGNED +#endif +#endif + +#elif defined(__alpha) + +#ifndef ENDIAN_LITTLE +#define ENDIAN_LITTLE +#endif +#define ENDIAN_64BITWORD + +#elif defined(__x86_64__) + +#ifndef ENDIAN_LITTLE +#define ENDIAN_LITTLE +#endif +#define ENDIAN_64BITWORD +#define UNALIGNED + +#elif (defined(__R5900) || defined(R5900) || defined(__R5900__)) && \ + (defined(_mips) || defined(__mips__) || defined(mips)) + +#ifndef ENDIAN_LITTLE +#define ENDIAN_LITTLE +#endif +#define ENDIAN_64BITWORD + +#elif defined(__sparc) || defined(__aarch64__) + +#ifndef ENDIAN_BIG +#define ENDIAN_BIG +#endif +#if defined(__arch64__) || defined(__aarch64__) +#define ENDIAN_64BITWORD +#else +#define ENDIAN_32BITWORD +#endif + +#endif + +#if defined(__BIG_ENDIAN__) || defined(_BIG_ENDIAN) +#define ENDIAN_BIG +#endif + +#if !defined(ENDIAN_BIG) && !defined(ENDIAN_LITTLE) +#error \ + "Unknown endianness of the compilation platform, check this header aes_encrypt.h" +#endif + +#define CryptoUtils_POOL_SIZE (0x1 << 17) // 2^17 + +class CryptoUtils { +public: + CryptoUtils(); + ~CryptoUtils(); + + char *get_seed(); + void get_bytes(char *buffer, const int len); + char get_char(); + bool prng_seed(std::string const &seed); + + // Returns a uniformly distributed 8-bit value + uint8_t get_uint8_t(); + // Returns a uniformly distributed 16-bit value + uint16_t get_uint16_t(); + // Returns a uniformly distributed 32-bit value + uint32_t get_uint32_t(); + // Returns an integer uniformly distributed on [0, max[ + uint32_t get_range(const uint32_t max); + // Returns a uniformly distributed 64-bit value + uint64_t get_uint64_t(); + + // Scramble a 32-bit value depending on a 128-bit value + unsigned scramble32(const unsigned in, const char key[16]); + + int sha256(const char *msg, unsigned char *hash); + +private: + uint32_t ks[44]; + char key[16]; + char ctr[16]; + char pool[CryptoUtils_POOL_SIZE]; + uint32_t idx; + std::string seed; + bool seeded; + + typedef struct { + uint64_t length; + uint32_t state[8], curlen; + unsigned char buf[64]; + } sha256_state; + + void aes_compute_ks(uint32_t *ks, const char *k); + void aes_encrypt(char *out, const char *in, const uint32_t *ks); + bool prng_seed(); + void inc_ctr(); + void populate_pool(); + int sha256_done(sha256_state *md, unsigned char *out); + int sha256_init(sha256_state *md); + static int sha256_compress(sha256_state *md, unsigned char *buf); + int sha256_process(sha256_state *md, const unsigned char *in, + unsigned long inlen); +}; +} // namespace llvm + +#endif \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/Flattening.cpp b/llvm/lib/Passes/Obfuscation/Flattening.cpp new file mode 100644 index 0000000000..4fccc5ee5e --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/Flattening.cpp @@ -0,0 +1,130 @@ +#include "Utils.h" +#include "CryptoUtils.h" +#include "Flattening.h" +#include "SplitBasicBlock.h" +//#include "llvm/Transforms/Utils/LowerSwitch.h" +// namespace +using namespace llvm; +using std::vector; + +#define DEBUG_TYPE "flattening" // 调试标识 +// Stats +STATISTIC(Flattened, "Functions flattened"); + +PreservedAnalyses FlatteningPass::run(Function& F, FunctionAnalysisManager& AM) { + Function *tmp = &F; // 传入的Function + // 判断是否需要开启控制流平坦化 + if (toObfuscate(flag, tmp, "fla")) { + INIT_CONTEXT(F); + // outs()<<"[Soule] debug. "<< F.getName()<<" \n"; + if (flatten(*tmp)) { + ++Flattened; + } + return PreservedAnalyses::none(); + } + return PreservedAnalyses::all(); +} + + +bool FlatteningPass::flatten(Function &F) { + // 基本块数量不超过1则无需平坦化 + if(F.size() <= 1){ + //outs() << "\033[0;33mFunction size is lower then one\033[0m\n"; // warning + return false; + } + // emmmm....... + if (F.getName().str().find("$basic_ostream") != std::string::npos) { + outs() << "[obf] force_nofla: " << F.getName().str().c_str() << "\n"; + return false; + } + // 将除入口块(第一个基本块)以外的基本块保存到一个 vector 容器中,便于后续处理 + // 首先保存所有基本块 + vector origBB; + for(BasicBlock &BB: F){ + origBB.push_back(&BB); + } + // 从vector中去除第一个基本块 + origBB.erase(origBB.begin()); + BasicBlock &entryBB = F.getEntryBlock(); + // 如果第一个基本块的末尾是条件跳转,单独分离 + bool bEntryBB_isConditional = false; + if(BranchInst *br = dyn_cast(entryBB.getTerminator())){ + if(br->isConditional()){ + BasicBlock *newBB = entryBB.splitBasicBlock(br, "newBB"); + origBB.insert(origBB.begin(), newBB); + bEntryBB_isConditional = true; + } + } + + // 创建分发块和返回块 + BasicBlock *dispatchBB = BasicBlock::Create(*CONTEXT, "dispatchBB", &F, &entryBB); + BasicBlock *returnBB = BasicBlock::Create(*CONTEXT, "returnBB", &F, &entryBB); + BranchInst::Create(dispatchBB, returnBB); + entryBB.moveBefore(dispatchBB); + // 去除第一个基本块末尾的跳转 + if (bEntryBB_isConditional) { + entryBB.getTerminator()->eraseFromParent(); + } + // 使第一个基本块跳转到dispatchBB + BranchInst *brDispatchBB = BranchInst::Create(dispatchBB, &entryBB); + + // 在入口块插入alloca和store指令创建并初始化switch变量,初始值为随机值 + int randNumCase = rand(); + AllocaInst *swVarPtr = new AllocaInst(TYPE_I32, 0, "swVar.ptr", brDispatchBB); + new StoreInst(CONST_I32(randNumCase), swVarPtr, brDispatchBB); + // 在分发块插入load指令读取switch变量 + LoadInst *swVar = new LoadInst(TYPE_I32, swVarPtr, "swVar", false, dispatchBB); + // 在分发块插入switch指令实现基本块的调度 + BasicBlock *swDefault = BasicBlock::Create(*CONTEXT, "swDefault", &F, returnBB); + BranchInst::Create(returnBB, swDefault); + SwitchInst *swInst = SwitchInst::Create(swVar, swDefault, 0, dispatchBB); + // 将原基本块插入到返回块之前,并分配case值 + for(BasicBlock *BB : origBB){ + BB->moveBefore(returnBB); + swInst->addCase(CONST_I32(randNumCase), BB); + randNumCase = rand(); + } + + // 在每个基本块最后添加修改switch变量的指令和跳转到返回块的指令 + for(BasicBlock *BB : origBB){ + // retn BB + if(BB->getTerminator()->getNumSuccessors() == 0){ + continue; + } + // 非条件跳转 + else if(BB->getTerminator()->getNumSuccessors() == 1){ + BasicBlock *sucBB = BB->getTerminator()->getSuccessor(0); + if (bEntryBB_isConditional) { + entryBB.getTerminator()->eraseFromParent(); + } + ConstantInt *numCase = swInst->findCaseDest(sucBB); + new StoreInst(numCase, swVarPtr, BB); + BranchInst::Create(returnBB, BB); + } + // 条件跳转 + else if(BB->getTerminator()->getNumSuccessors() == 2){ + // BranchInst *br = cast(BB->getTerminator()); + BranchInst *br = dyn_cast(BB->getTerminator()); + if (!br) { + //outs() << "[FAILED] dyn_cast(BB->getTerminator()); " << BB->getName() << "\n"; + continue; + } + if (!br->isConditional()) { + //outs() << "[FAILED] br->isConditional(); " << BB->getName() << "\n"; + continue; + } + ConstantInt *numCaseTrue = swInst->findCaseDest(BB->getTerminator()->getSuccessor(0)); + ConstantInt *numCaseFalse = swInst->findCaseDest(BB->getTerminator()->getSuccessor(1)); + SelectInst *sel = SelectInst::Create(br->getCondition(), numCaseTrue, numCaseFalse, "", BB->getTerminator()); + BB->getTerminator()->eraseFromParent(); + new StoreInst(sel, swVarPtr, BB); + BranchInst::Create(returnBB, BB); + } + } + fixStack(F); // 修复逃逸变量和PHI指令 + return true; +} + +FlatteningPass *llvm::createFlattening(bool flag) { + return new FlatteningPass(flag); +} diff --git a/llvm/lib/Passes/Obfuscation/Flattening.h b/llvm/lib/Passes/Obfuscation/Flattening.h new file mode 100644 index 0000000000..be7ac1b4cb --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/Flattening.h @@ -0,0 +1,30 @@ +#ifndef LLVM_FLATTENING_H +#define LLVM_FLATTENING_H +// LLVM libs +#include "llvm/Pass.h" +#include "llvm/IR/Function.h" +#include "llvm/IR/Instructions.h" +#include "llvm/Transforms/Utils.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/IR/LegacyPassManager.h" +#include "llvm/Transforms/Utils/Local.h" +//#include "llvm/Transforms/IPO/PassManagerBuilder.h" +// System libs +#include +#include +#include +namespace llvm{ + class FlatteningPass : public PassInfoMixin{ + public: + bool flag; + FlatteningPass(bool flag){ + this->flag = flag; + } // 携带flag的构造函数 + PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM); + bool flatten(Function &F); + static bool isRequired() { return true; } + }; + FlatteningPass *createFlattening(bool flag); +} +#endif // LLVM_FLATTENING_H \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IPObfuscationContext.cpp b/llvm/lib/Passes/Obfuscation/IPObfuscationContext.cpp new file mode 100644 index 0000000000..b33e43b165 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IPObfuscationContext.cpp @@ -0,0 +1,331 @@ +// #include "llvm/Transforms/Obfuscation/ObfuscationPassManager.h" +//#include "llvm/Transforms/IPO/PassManagerBuilder.h" // Soule.llvm17.update +#include "llvm/IR/LegacyPassManager.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/Support/FileSystem.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/Path.h" + +#include "IPObfuscationContext.h" +#include "Utils.h" +#include "llvm/IR/IRBuilder.h" +#include "CryptoUtils.h" +#include "llvm/IR/DebugInfo.h" +#include "llvm/Support/Debug.h" + +#if LLVM_VERSION_MAJOR > 10 +#include "compat/CallSite.h" +#else +#include "llvm/IR/CallSite.h" +#endif + +#define DEBUG_TYPE "ipobf" + +using namespace llvm; + +namespace llvm +{ + + bool IPObfuscationContext::runOnModule(llvm::Module &M) + { + for (auto &F : M) + { + SurveyFunction(F); + } + + for (auto &F : M) + { + if (F.isDeclaration()) + { + continue; + } + IPOInfo *Info = AllocaSecretSlot(F); + + IPOInfoList.push_back(Info); + IPOInfoMap[&F] = Info; + } + + std::vector NewFuncs; + for (auto *F : LocalFunctions) + { + Function *NF = InsertSecretArgument(F); + NewFuncs.push_back(NF); + } + + for (auto *F : NewFuncs) + { + computeCallSiteSecretArgument(F); + } + + for (AllocaInst *Slot : DeadSlots) + { + for (Value::use_iterator I = Slot->use_begin(), E = Slot->use_end(); I != E; ++I) + { + if (Instruction *Inst = dyn_cast(I->getUser())) + { + Inst->eraseFromParent(); + } + } + Slot->eraseFromParent(); + } + return true; + } + + void IPObfuscationContext::SurveyFunction(Function &F) + { + if (!F.hasLocalLinkage() || F.isDeclaration()) + { + return; + } + + for (const Use &U : F.uses()) + { + ImmutableCallSite CS(U.getUser()); + if (!CS || !CS.isCallee(&U)) + { + return; + } + + const Instruction *TheCall = CS.getInstruction(); + if (!TheCall) + { + return; + } + } + + LLVM_DEBUG(dbgs() << "Enqueue Local Function " << F.getName() << "\n"); + LocalFunctions.insert(&F); + } + + Function *IPObfuscationContext::InsertSecretArgument(Function *F) + { + FunctionType *FTy = F->getFunctionType(); + std::vector Params; + + SmallVector ArgAttrVec; + const AttributeList &PAL = F->getAttributes(); + + Params.push_back(Type::getInt32Ty(F->getContext())); // Soule LLVM 17.0.6? getInt32PtrTy -> getInt32Ty + ArgAttrVec.push_back(AttributeSet()); + + unsigned i = 0; + for (Function::arg_iterator I = F->arg_begin(), E = F->arg_end(); I != E; + ++I, ++i) + { + Params.push_back(I->getType()); + ArgAttrVec.push_back(PAL.getParamAttrs(i)); + } + + // Find out the new return value. + Type *RetTy = FTy->getReturnType(); + +// The existing function return attributes. +#if LLVM_VERSION_MAJOR >= 13 + AttributeSet RAttrs = PAL.getRetAttrs(); +#else + AttributeSet RAttrs = PAL.getRetAttributes(); +#endif + +// Reconstruct the AttributesList based on the vector we constructed. +#if LLVM_VERSION_MAJOR >= 13 + AttributeList NewPAL = AttributeList::get(F->getContext(), PAL.getFnAttrs(), RAttrs, ArgAttrVec); +#else + AttributeList NewPAL = AttributeList::get(F->getContext(), PAL.getFnAttributes(), RAttrs, ArgAttrVec); +#endif + + // Create the new function type based on the recomputed parameters. + FunctionType *NFTy = FunctionType::get(RetTy, Params, FTy->isVarArg()); + + // Create the new function body and insert it into the module... + Function *NF = Function::Create(NFTy, F->getLinkage()); + NF->copyAttributesFrom(F); + NF->setComdat(F->getComdat()); + NF->setAttributes(NewPAL); + // Insert the new function before the old function, so we won't be processing + // it again. + F->getParent()->getFunctionList().insert(F->getIterator(), NF); + NF->takeName(F); + NF->setSubprogram(F->getSubprogram()); + + SmallVector Args; + while (!F->use_empty()) + { + CallSite CS(F->user_back()); + Instruction *Call = CS.getInstruction(); + + ArgAttrVec.clear(); + const AttributeList &CallPAL = CS.getAttributes(); + + // Get the Secret Token + Function *Caller = Call->getParent()->getParent(); + IPOInfo *SecretInfo = IPOInfoMap[Caller]; + Args.push_back(SecretInfo->CalleeSlot); + ArgAttrVec.push_back(AttributeSet()); + // Declare these outside of the loops, so we can reuse them for the second + // loop, which loops the varargs. + CallSite::arg_iterator I = CS.arg_begin(); + unsigned i = 0; + // Loop over those operands, corresponding to the normal arguments to the + // original function, and add those that are still alive. + for (unsigned e = FTy->getNumParams(); i != e; ++I, ++i) + { + Args.push_back(*I); +#if LLVM_VERSION_MAJOR >= 13 + AttributeSet Attrs = CallPAL.getParamAttrs(i); +#else + AttributeSet Attrs = CallPAL.getParamAttributes(i); +#endif + ArgAttrVec.push_back(Attrs); + } + + // Push any varargs arguments on the list. Don't forget their attributes. + for (CallSite::arg_iterator E = CS.arg_end(); I != E; ++I, ++i) + { + Args.push_back(*I); +#if LLVM_VERSION_MAJOR >= 13 + ArgAttrVec.push_back(CallPAL.getParamAttrs(i)); +#else + ArgAttrVec.push_back(CallPAL.getParamAttributes(i)); +#endif + } + +// Reconstruct the AttributesList based on the vector we constructed. +#if LLVM_VERSION_MAJOR >= 13 + AttributeList NewCallPAL = + AttributeList::get(F->getContext(), CallPAL.getFnAttrs(), CallPAL.getRetAttrs(), ArgAttrVec); +#else + AttributeList NewCallPAL = + AttributeList::get(F->getContext(), CallPAL.getFnAttributes(), CallPAL.getRetAttributes(), ArgAttrVec); +#endif + + Instruction *New; + if (InvokeInst *II = dyn_cast(Call)) + { + New = InvokeInst::Create(NF, II->getNormalDest(), II->getUnwindDest(), + Args, "", Call); + cast(New)->setCallingConv(CS.getCallingConv()); + cast(New)->setAttributes(NewCallPAL); + } + else + { + New = CallInst::Create(NF, Args, "", Call); + cast(New)->setCallingConv(CS.getCallingConv()); + cast(New)->setAttributes(NewCallPAL); + if (cast(Call)->isTailCall()) + cast(New)->setTailCall(); + } + New->setDebugLoc(Call->getDebugLoc()); + + Args.clear(); + + if (!Call->use_empty()) + { + Call->replaceAllUsesWith(New); + New->takeName(Call); + } + + // Finally, remove the old call from the program, reducing the use-count of + // F. + Call->eraseFromParent(); + } + + NF->splice(NF->begin(), F); + + // Loop over the argument list, transferring uses of the old arguments over to + // the new arguments, also transferring over the names as well. + Function::arg_iterator I2 = NF->arg_begin(); + I2->setName("SecretArg"); + ++I2; + for (Function::arg_iterator I = F->arg_begin(), E = F->arg_end(); I != E; + ++I) + { + I->replaceAllUsesWith(I2); + I2->takeName(I); + ++I2; + } + + // Load Secret Token from the secret argument + IntegerType *I32Ty = Type::getInt32Ty(NF->getContext()); + IRBuilder<> IRB(&NF->getEntryBlock().front()); + Value *Ptr = IRB.CreateBitCast(NF->arg_begin(), I32Ty->getPointerTo()); + LoadInst *MySecret = IRB.CreateLoad(Ptr->getType(),Ptr); + + IPOInfo *Info = IPOInfoMap[F]; + Info->SecretLI->eraseFromParent(); + Info->SecretLI = MySecret; + DeadSlots.push_back(Info->CallerSlot); + + IPOInfoMap[NF] = Info; + IPOInfoMap.erase(F); + + F->eraseFromParent(); + + return NF; + } + + // Create StackSlots for Secrets and a LoadInst for caller's secret slot + IPObfuscationContext::IPOInfo *IPObfuscationContext::AllocaSecretSlot(Function &F) + { + IRBuilder<> IRB(&F.getEntryBlock().front()); + IntegerType *I32Ty = Type::getInt32Ty(F.getContext()); + AllocaInst *CallerSlot = IRB.CreateAlloca(I32Ty, nullptr, "CallerSlot"); + CallerSlot->setAlignment(Align(4)); + AllocaInst *CalleeSlot = IRB.CreateAlloca(I32Ty, nullptr, "CalleeSlot"); + CalleeSlot->setAlignment(Align(4)); + + CryptoUtils RandomEngine; + uint32_t V = RandomEngine.get_uint32_t(); + ConstantInt *SecretCI = ConstantInt::get(I32Ty, V, false); + IRB.CreateStore(SecretCI, CallerSlot); + LoadInst *MySecret = IRB.CreateLoad(CallerSlot->getType(),CallerSlot, "MySecret"); + + IPOInfo *Info = new IPOInfo(CallerSlot, CalleeSlot, MySecret, SecretCI); + return Info; + } + + char IPObfuscationContext::ID = 0; + + bool IPObfuscationContext::doFinalization(Module &) + { + for (auto *Info : IPOInfoList) + { + delete (Info); + } + return false; + } + + const IPObfuscationContext::IPOInfo *IPObfuscationContext::getIPOInfo(Function *F) + { + return IPOInfoMap[F]; + } + + // at each callsite, compute the callee's secret argument using the caller's + void IPObfuscationContext::computeCallSiteSecretArgument(Function *F) + { + IPOInfo *CalleeIPOInfo = IPOInfoMap[F]; + + for (const Use &U : F->uses()) + { + CallSite CS(U.getUser()); + Instruction *Call = CS.getInstruction(); + IRBuilder<> IRB(Call); + + Function *Caller = Call->getParent()->getParent(); + IPOInfo *CallerIPOInfo = IPOInfoMap[Caller]; + + Value *CallerSecret; + CallerSecret = CallerIPOInfo->SecretLI; + + Constant *X = ConstantExpr::getSub(CallerIPOInfo->SecretCI, CalleeIPOInfo->SecretCI); + Value *CalleeSecret = IRB.CreateSub(CallerSecret, X); + IRB.CreateStore(CalleeSecret, CallerIPOInfo->CalleeSlot); + } + } +} + +IPObfuscationContext *llvm::createIPObfuscationContextPass(bool flag) +{ + return new IPObfuscationContext(flag); +} + +INITIALIZE_PASS(IPObfuscationContext, "ipobf", "IPObfuscationContext", false, false) \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IPObfuscationContext.h b/llvm/lib/Passes/Obfuscation/IPObfuscationContext.h new file mode 100644 index 0000000000..b847430279 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IPObfuscationContext.h @@ -0,0 +1,60 @@ +#ifndef OBFUSCATION_IPOBFUSCATIONCONTEXT_H +#define OBFUSCATION_IPOBFUSCATIONCONTEXT_H + +#include "llvm/IR/Module.h" +#include "llvm/IR/Function.h" +#include "compat/CallSite.h" +#include "llvm/Pass.h" +#include +#include + +// Namespace +namespace llvm +{ + class ModulePass; + class FunctionPass; + class PassRegistry; + + struct IPObfuscationContext : public ModulePass + { + static char ID; + bool flag; + + /* Inter-procedural obfuscation secret info of a function */ + struct IPOInfo + { + IPOInfo(AllocaInst *CallerAI, AllocaInst *CalleeAI, LoadInst *LI, ConstantInt *Value) + : CallerSlot(CallerAI), CalleeSlot(CalleeAI), SecretLI(LI), SecretCI(Value) {} + // Stack slot use to store caller's secret token + AllocaInst *CallerSlot; + // Stack slot use to store callee's secret argument + AllocaInst *CalleeSlot; + // Load caller secret from caller's slot or the secret argument passed by caller + LoadInst *SecretLI; + // A random constant value + ConstantInt *SecretCI; + }; + + std::set LocalFunctions; + SmallVector IPOInfoList; + std::map IPOInfoMap; + std::vector DeadSlots; + + IPObfuscationContext() : ModulePass(ID) { this->flag = false; } + IPObfuscationContext(bool flag) : ModulePass(ID) { this->flag = flag; } + + void SurveyFunction(Function &F); + Function *InsertSecretArgument(Function *F); + void computeCallSiteSecretArgument(Function *F); + IPOInfo *AllocaSecretSlot(Function &F); + const IPOInfo *getIPOInfo(Function *F); + + bool runOnModule(Module &M) override; + bool doFinalization(Module &) override; + }; + + IPObfuscationContext *createIPObfuscationContextPass(bool flag); + void initializeIPObfuscationContextPass(PassRegistry &Registry); +} + +#endif \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IndirectBranch.cpp b/llvm/lib/Passes/Obfuscation/IndirectBranch.cpp new file mode 100644 index 0000000000..7c85f764ce --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IndirectBranch.cpp @@ -0,0 +1,153 @@ +/* +LLVM Indirect Branching Pass +Copyright (C) 2017 Zhang(https://github.com/Naville/) + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as published +by the Free Software Foundation, either version 3 of the License, or +any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +#include "IndirectBranch.h" +#include + +PreservedAnalyses IndirectBranchPass::run(Module &M, ModuleAnalysisManager &AM) { + if (this->flag) { + outs() << "[Soule] force.run.IndirectBranchPass\n"; + } + for (Function &Fn : M) { + if (toObfuscate(flag, &Fn, "ibr")) { + + if (Options && Options->skipFunction(Fn.getName())) { + continue; + } + + if (Fn.empty() || Fn.hasLinkOnceLinkage() || Fn.getSection() == ".text.startup") { + continue; + } + + LLVMContext &Ctx = Fn.getContext(); + + // Init member fields + BBNumbering.clear(); + BBTargets.clear(); + + // llvm cannot split critical edge from IndirectBrInst + SplitAllCriticalEdges(Fn, CriticalEdgeSplittingOptions(nullptr, nullptr)); + NumberBasicBlock(Fn); + + if (BBNumbering.empty()) { + continue; + } + + uint64_t V = RandomEngine.get_uint64_t(); + IntegerType *intType = Type::getInt32Ty(Ctx); + unsigned pointerSize = + Fn.getEntryBlock().getModule()->getDataLayout().getTypeAllocSize( + PointerType::getUnqual(Fn.getContext())); // Soule + if (pointerSize == 8) { + intType = Type::getInt64Ty(Ctx); + } + ConstantInt *EncKey = ConstantInt::get(intType, V, false); + ConstantInt *EncKey1 = ConstantInt::get(intType, -V, false); + + Value *MySecret = ConstantInt::get(intType, 0, true); + + ConstantInt *Zero = ConstantInt::get(intType, 0); + GlobalVariable *DestBBs = getIndirectTargets(Fn, EncKey1); + + for (auto &BB : Fn) { + auto *BI = dyn_cast(BB.getTerminator()); + if (BI && BI->isConditional()) { + IRBuilder<> IRB(BI); + + Value *Cond = BI->getCondition(); + Value *Idx; + Value *TIdx, *FIdx; + + TIdx = ConstantInt::get(intType, BBNumbering[BI->getSuccessor(0)]); + FIdx = ConstantInt::get(intType, BBNumbering[BI->getSuccessor(1)]); + Idx = IRB.CreateSelect(Cond, TIdx, FIdx); + + Value *GEP = + IRB.CreateGEP(DestBBs->getValueType(), DestBBs, {Zero, Idx}); + Value *EncDestAddr = + IRB.CreateLoad(GEP->getType(), GEP, "EncDestAddr"); + // -EncKey = X - FuncSecret + Value *DecKey = IRB.CreateAdd(EncKey, MySecret); + Value *DestAddr = + IRB.CreateGEP(Type::getInt8Ty(Ctx), EncDestAddr, DecKey); + + IndirectBrInst *IBI = IndirectBrInst::Create(DestAddr, 2); + IBI->addDestination(BI->getSuccessor(0)); + IBI->addDestination(BI->getSuccessor(1)); + ReplaceInstWithInst(BI, IBI); + } + } + } + } + return PreservedAnalyses::none(); +} + +void IndirectBranchPass::NumberBasicBlock(Function &F) { + for (auto &BB : F) { + if (auto *BI = dyn_cast(BB.getTerminator())) { + if (BI->isConditional()) { + unsigned N = BI->getNumSuccessors(); + for (unsigned I = 0; I < N; I++) { + BasicBlock *Succ = BI->getSuccessor(I); + if (BBNumbering.count(Succ) == 0) { + BBTargets.push_back(Succ); + BBNumbering[Succ] = 0; + } + } + } + } + } + + long seed = RandomEngine.get_uint32_t(); + std::default_random_engine e(seed); + std::shuffle(BBTargets.begin(), BBTargets.end(), e); + + unsigned N = 0; + for (auto BB : BBTargets) { + BBNumbering[BB] = N++; + } +} + +GlobalVariable *IndirectBranchPass::getIndirectTargets(Function &F, ConstantInt *EncKey) { + std::string GVName(F.getName().str() + "_IndirectBrTargets"); + GlobalVariable *GV = F.getParent()->getNamedGlobal(GVName); + if (GV) + return GV; + + // encrypt branch targets + std::vector Elements; + for (const auto BB : BBTargets) { + Constant *CE = ConstantExpr::getBitCast(BlockAddress::get(BB), + llvm::PointerType::get(Type::getInt8Ty(F.getContext()),0)); + CE = ConstantExpr::getGetElementPtr(Type::getInt8Ty(F.getContext()), CE, + EncKey); + Elements.push_back(CE); + } + + ArrayType *ATy = + ArrayType::get(llvm::PointerType::get(Type::getInt8Ty(F.getContext()),0), Elements.size()); + Constant *CA = ConstantArray::get(ATy, ArrayRef(Elements)); + GV = + new GlobalVariable(*F.getParent(), ATy, false, + GlobalValue::LinkageTypes::PrivateLinkage, CA, GVName); + appendToCompilerUsed(*F.getParent(), {GV}); + return GV; +} + +IndirectBranchPass *llvm::createIndirectBranch(bool flag) { + return new IndirectBranchPass(flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IndirectBranch.h b/llvm/lib/Passes/Obfuscation/IndirectBranch.h new file mode 100644 index 0000000000..d81201bdf4 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IndirectBranch.h @@ -0,0 +1,41 @@ +#ifndef LLVM_INDIRECTBRANCH_H +#define LLVM_INDIRECTBRANCH_H +// LLVM libs +#include "llvm/IR/Constants.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/InstIterator.h" +#include "llvm/IR/Instructions.h" +#include "llvm/IR/Module.h" +#include "llvm/IR/Value.h" +#include "llvm/Pass.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/Transforms/Utils/ModuleUtils.h" +#include "llvm/Transforms/Utils/BasicBlockUtils.h" +// User libs +#include "Utils.h" +#include "CryptoUtils.h" +#include "ObfuscationOptions.h" +using namespace llvm; +using namespace std; +namespace llvm { // 间接跳转 + class IndirectBranchPass : public PassInfoMixin{ + public: + bool flag; + ObfuscationOptions *Options; + std::map BBNumbering; + std::vector BBTargets; // all conditional branch targets + CryptoUtils RandomEngine; + IndirectBranchPass(bool flag){ + this->flag = flag; + this->Options = new ObfuscationOptions; + } // 携带flag的构造函数 + PreservedAnalyses run(Module &M, ModuleAnalysisManager &AM); // Pass实现函数 + void NumberBasicBlock(Function &F); + GlobalVariable *getIndirectTargets(Function &F, + ConstantInt *EncKey); + static bool isRequired() { return true; } // 直接返回true即可 + }; + IndirectBranchPass *createIndirectBranch(bool flag); // 创建间接跳转 +} +#endif // LLVM_INDIRECTBRANCH_H \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IndirectCall.cpp b/llvm/lib/Passes/Obfuscation/IndirectCall.cpp new file mode 100644 index 0000000000..c41592f862 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IndirectCall.cpp @@ -0,0 +1,159 @@ +#include "IndirectCall.h" + +using namespace llvm; +using std::vector; + +/** + * @brief + * + * @param F + * @param AM + * @return PreservedAnalyses + */ +PreservedAnalyses IndirectCallPass::run(Function &F, FunctionAnalysisManager &AM){ + // 判断是否需要开启间接调用 + if (toObfuscate(flag, &F, "icall")){ + doIndirctCall(F); + return PreservedAnalyses::none(); + } + return PreservedAnalyses::all(); +} + +bool IndirectCallPass::doIndirctCall(Function &Fn){ + if (Options && Options->skipFunction(Fn.getName())) { + return false; + } + + LLVMContext &Ctx = Fn.getContext(); + + CalleeNumbering.clear(); + Callees.clear(); + CallSites.clear(); + + NumberCallees(Fn); + + if (Callees.empty()) { + return false; + } + + uint64_t V = RandomEngine.get_uint64_t(); + IntegerType *intType = Type::getInt32Ty(Ctx); + + unsigned pointerSize = Fn.getEntryBlock().getModule()->getDataLayout().getTypeAllocSize(PointerType::getUnqual(Fn.getContext())); // Soule + if (pointerSize == 8) { + intType = Type::getInt64Ty(Ctx); + } + ConstantInt *EncKey = ConstantInt::get(intType, V, false); + ConstantInt *EncKey1 = ConstantInt::get(intType, -V, false); + + Value *MySecret = ConstantInt::get(intType, 0, true); + + ConstantInt *Zero = ConstantInt::get(intType, 0); + GlobalVariable *Targets = getIndirectCallees(Fn, EncKey1); + + for (auto CI : CallSites) { + SmallVector Args; + SmallVector ArgAttrVec; + + CallBase *CB = CI; + + Function *Callee = CB->getCalledFunction(); + FunctionType *FTy = CB->getFunctionType(); + IRBuilder<> IRB(CB); + + Args.clear(); + ArgAttrVec.clear(); + + Value *Idx = ConstantInt::get(intType, CalleeNumbering[CB->getCalledFunction()]); + Value *GEP = IRB.CreateGEP(Targets->getValueType(), Targets, {Zero, Idx}); + LoadInst *EncDestAddr = IRB.CreateLoad(GEP->getType(), GEP, CI->getName()); + + const AttributeList &CallPAL = CB->getAttributes(); + auto I = CB->arg_begin(); + unsigned i = 0; + + for (unsigned e = FTy->getNumParams(); i != e; ++I, ++i) { + Args.push_back(*I); + AttributeSet Attrs = CallPAL.getParamAttrs(i); + ArgAttrVec.push_back(Attrs); + } + + for (auto E = CB->arg_end(); I != E; ++I, ++i) { + Args.push_back(*I); + ArgAttrVec.push_back(CallPAL.getParamAttrs(i)); + } + + Value *Secret = IRB.CreateAdd(EncKey, MySecret); + Value *DestAddr = IRB.CreateGEP(Type::getInt8Ty(Ctx), EncDestAddr, Secret); + + Value *FnPtr = IRB.CreateBitCast(DestAddr, FTy->getPointerTo()); + FnPtr->setName("Call_" + Callee->getName()); + CB->setCalledOperand(FnPtr); + } + + return true; +} + +/** + * @brief + * + * @param F + * @param EncKey + * @return GlobalVariable* + */ +GlobalVariable *IndirectCallPass::getIndirectCallees(Function &F, ConstantInt *EncKey){ + std::string GVName(F.getName().str() + "_IndirectCallees"); + GlobalVariable *GV = F.getParent()->getNamedGlobal(GVName); + if (GV){ + return GV; + } + // callee's address + std::vector Elements; + for (auto Callee : Callees){ + Constant *CE = ConstantExpr::getBitCast(Callee, llvm::PointerType::get(Type::getInt8Ty(F.getContext()),0)); + CE = ConstantExpr::getGetElementPtr(Type::getInt8Ty(F.getContext()), CE, EncKey); + Elements.push_back(CE); + } + ArrayType *ATy = ArrayType::get(llvm::PointerType::get(Type::getInt8Ty(F.getContext()),0), Elements.size()); + Constant *CA = ConstantArray::get(ATy, ArrayRef(Elements)); + GV = new GlobalVariable(*F.getParent(), ATy, false, GlobalValue::LinkageTypes::PrivateLinkage, CA, GVName); + appendToCompilerUsed(*F.getParent(), {GV}); + return GV; +} + +/** + * @brief + * + * @param F + */ +void IndirectCallPass::NumberCallees(Function &F){ + for (auto &BB : F){ + for (auto &I : BB){ + if (dyn_cast(&I)){ + CallSite CS(&I); + Function *Callee = CS.getCalledFunction(); + if (Callee == nullptr){ + continue; + } + if (Callee->isIntrinsic()){ + continue; + } + CallSites.push_back((CallInst *)&I); + if (CalleeNumbering.count(Callee) == 0){ + CalleeNumbering[Callee] = Callees.size(); + Callees.push_back(Callee); + } + } + } + } +} + +/** + * @brief + * + * @param flag + * @return IndirectCallPass* + */ +IndirectCallPass *llvm::createIndirectCall(bool flag){ + return new IndirectCallPass(flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IndirectCall.h b/llvm/lib/Passes/Obfuscation/IndirectCall.h new file mode 100644 index 0000000000..845369457f --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IndirectCall.h @@ -0,0 +1,39 @@ +// LLVM libs +#include "llvm/IR/Constants.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/Transforms/Utils/BasicBlockUtils.h" +#include "llvm/Transforms/Utils/ModuleUtils.h" +#include "llvm/Transforms/Scalar.h" +#include "llvm/Analysis/CFG.h" +// User libs +#include "ObfuscationOptions.h" +#include "IPObfuscationContext.h" +#include "compat/CallSite.h" +#include "CryptoUtils.h" +#include "Utils.h" +// System libs +#include + +namespace llvm{ + class IndirectCallPass : public PassInfoMixin{ + public: + bool flag; + std::vector CallSites; + IPObfuscationContext *IPO; + ObfuscationOptions *Options; + std::vector Callees; + std::map CalleeNumbering; + CryptoUtils RandomEngine; + IndirectCallPass(bool flag){ + this->flag = flag; + this->IPO = new IPObfuscationContext; + this->Options = new ObfuscationOptions; + } // 携带flag的构造函数 + bool doIndirctCall(Function &F); + PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM); + GlobalVariable *getIndirectCallees(Function &F, ConstantInt *EncKey); + void NumberCallees(Function &F); + static bool isRequired() { return true; } + }; + IndirectCallPass *createIndirectCall(bool flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.cpp b/llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.cpp new file mode 100644 index 0000000000..d9ae9bce07 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.cpp @@ -0,0 +1,168 @@ +/* +LLVM Indirect Branching Pass +Copyright (C) 2017 Zhang(https://github.com/Naville/) + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as published +by the Free Software Foundation, either version 3 of the License, or +any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +#include "IndirectGlobalVariable.h" +#include + +PreservedAnalyses IndirectGlobalVariablePass::run(Module &M, ModuleAnalysisManager &AM) { + + if (this->flag) { + outs() << "[Soule] force.run.IndirectGlobalVariablePass\n"; + } + for (Function &Fn : M) { + if (!toObfuscate(flag, &Fn, "igv")) { + continue; + } + + if (Options && Options->skipFunction(Fn.getName())) { + continue; + } + + LLVMContext &Ctx = Fn.getContext(); + + GVNumbering.clear(); + GlobalVariables.clear(); + + LowerConstantExpr(Fn); + NumberGlobalVariable(Fn); + + if (GlobalVariables.empty()) { + continue; + } + + uint64_t V = RandomEngine.get_uint64_t(); + IntegerType *intType = Type::getInt32Ty(Ctx); + unsigned pointerSize = Fn.getEntryBlock().getModule()->getDataLayout().getTypeAllocSize(PointerType::getUnqual(Fn.getContext())); // Soule + if (pointerSize == 8) { + intType = Type::getInt64Ty(Ctx); + } + + ConstantInt *EncKey = ConstantInt::get(intType, V, false); + ConstantInt *EncKey1 = ConstantInt::get(intType, -V, false); + + Value *MySecret = ConstantInt::get(intType, 0, true); + + ConstantInt *Zero = ConstantInt::get(intType, 0); + GlobalVariable *GVars = getIndirectGlobalVariables(Fn, EncKey1); + + for (inst_iterator I = inst_begin(Fn), E = inst_end(Fn); I != E; ++I) { + Instruction *Inst = &*I; + if (isa(Inst) || isa(Inst) || + isa(Inst) || isa(Inst) || + isa(Inst) || isa(Inst) || + isa(Inst)) { + continue; + } + if (PHINode *PHI = dyn_cast(Inst)) { + for (unsigned int i = 0; i < PHI->getNumIncomingValues(); ++i) { + Value *val = PHI->getIncomingValue(i); + if (GlobalVariable *GV = dyn_cast(val)) { + if (GVNumbering.count(GV) == 0) { + continue; + } + + Instruction *IP = PHI->getIncomingBlock(i)->getTerminator(); + IRBuilder<> IRB(IP); + + Value *Idx = ConstantInt::get(intType, GVNumbering[GV]); + Value *GEP = + IRB.CreateGEP(GVars->getValueType(), GVars, {Zero, Idx}); + LoadInst *EncGVAddr = + IRB.CreateLoad(GEP->getType(), GEP, GV->getName()); + + Value *Secret = IRB.CreateAdd(EncKey, MySecret); + Value *GVAddr = + IRB.CreateGEP(Type::getInt8Ty(Ctx), EncGVAddr, Secret); + GVAddr = IRB.CreateBitCast(GVAddr, GV->getType()); + GVAddr->setName("IndGV0_"); + PHI->setIncomingValue(i, GVAddr); + } + } + } else { + for (User::op_iterator op = Inst->op_begin(); op != Inst->op_end(); + ++op) { + if (GlobalVariable *GV = dyn_cast(*op)) { + if (GVNumbering.count(GV) == 0) { + continue; + } + + IRBuilder<> IRB(Inst); + Value *Idx = ConstantInt::get(intType, GVNumbering[GV]); + Value *GEP = + IRB.CreateGEP(GVars->getValueType(), GVars, {Zero, Idx}); + LoadInst *EncGVAddr = + IRB.CreateLoad(GEP->getType(), GEP, GV->getName()); + + Value *Secret = IRB.CreateAdd(EncKey, MySecret); + Value *GVAddr = + IRB.CreateGEP(Type::getInt8Ty(Ctx), EncGVAddr, Secret); + GVAddr = IRB.CreateBitCast(GVAddr, GV->getType()); + GVAddr->setName("IndGV1_"); + Inst->replaceUsesOfWith(GV, GVAddr); + } + } + } + } + + } + return PreservedAnalyses::none(); +} + +void IndirectGlobalVariablePass::NumberGlobalVariable(Function &F) { + for (inst_iterator I = inst_begin(F), E = inst_end(F); I != E; ++I) { + for (User::op_iterator op = (*I).op_begin(); op != (*I).op_end(); ++op) { + Value *val = *op; + if (GlobalVariable *GV = dyn_cast(val)) { + if (!GV->isThreadLocal() && GVNumbering.count(GV) == 0 && + !GV->isDLLImportDependent()) { + GVNumbering[GV] = GlobalVariables.size(); + GlobalVariables.push_back((GlobalVariable *)val); + } + } + } + } +} + +GlobalVariable* IndirectGlobalVariablePass::getIndirectGlobalVariables(Function &F, ConstantInt *EncKey) { + std::string GVName(F.getName().str() + "_IndirectGVars"); + GlobalVariable *GV = F.getParent()->getNamedGlobal(GVName); + if (GV) + return GV; + + std::vector Elements; + for (auto GVar : GlobalVariables) { + Constant *CE = + ConstantExpr::getBitCast(GVar, llvm::PointerType::get(Type::getInt8Ty(F.getContext()),0)); + CE = ConstantExpr::getGetElementPtr(Type::getInt8Ty(F.getContext()), CE, + EncKey); + Elements.push_back(CE); + } + + ArrayType *ATy = + ArrayType::get(llvm::PointerType::get(Type::getInt8Ty(F.getContext()),0), Elements.size()); + Constant *CA = ConstantArray::get(ATy, ArrayRef(Elements)); + GV = + new GlobalVariable(*F.getParent(), ATy, false, + GlobalValue::LinkageTypes::PrivateLinkage, CA, GVName); + appendToCompilerUsed(*F.getParent(), {GV}); + return GV; +} + + +IndirectGlobalVariablePass *llvm::createIndirectGlobalVariable(bool flag) { + return new IndirectGlobalVariablePass(flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.h b/llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.h new file mode 100644 index 0000000000..f74300a6e3 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/IndirectGlobalVariable.h @@ -0,0 +1,42 @@ +#ifndef LLVM_INDIRECTGLOBALVARIABLE_H +#define LLVM_INDIRECTGLOBALVARIABLE_H +// LLVM libs +#include "llvm/IR/Constants.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/InstIterator.h" +#include "llvm/IR/Instructions.h" +#include "llvm/IR/Module.h" +#include "llvm/IR/Value.h" +#include "llvm/Pass.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/Transforms/Utils/ModuleUtils.h" +#include "llvm/Transforms/Utils/BasicBlockUtils.h" +// User libs +#include "Utils.h" +#include "CryptoUtils.h" +#include "ObfuscationOptions.h" +using namespace llvm; +using namespace std; +namespace llvm { // 间接跳转 + class IndirectGlobalVariablePass : public PassInfoMixin { + public: + bool flag; + ObfuscationOptions *Options; + std::map GVNumbering; + std::vector GlobalVariables; + CryptoUtils RandomEngine; + + IndirectGlobalVariablePass(bool flag) { + this->flag = flag; + this->Options = new ObfuscationOptions; + } // 携带flag的构造函数 + PreservedAnalyses run(Module &M, ModuleAnalysisManager &AM); // Pass实现函数 + + void NumberGlobalVariable(Function &F); + GlobalVariable *getIndirectGlobalVariables(Function &F, ConstantInt *EncKey); + static bool isRequired() { return true; } // 直接返回true即可 + }; + IndirectGlobalVariablePass* createIndirectGlobalVariable(bool flag); // 创建间接跳转 +} // namespace llvm +#endif // LLVM_INDIRECTGLOBALVARIABLE_H \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/ObfuscationOptions.cpp b/llvm/lib/Passes/Obfuscation/ObfuscationOptions.cpp new file mode 100644 index 0000000000..ab54f10446 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/ObfuscationOptions.cpp @@ -0,0 +1,114 @@ +#include "ObfuscationOptions.h" + +#include "llvm/Support/ErrorOr.h" +#include "llvm/Support/MemoryBuffer.h" +#include "llvm/Support/SourceMgr.h" +#include "llvm/ADT/SmallString.h" +#include "ObfuscationOptions.h" +#include "llvm/Support/FileSystem.h" +#include + +using namespace llvm; + +namespace llvm { + +void ObfuscationOptions::init() { + EnableIndirectBr = false; + EnableIndirectCall = false; + EnableIndirectGV = false; + EnableCFF = false; + EnableCSE = false; + hasFilter = false; +} + +ObfuscationOptions::ObfuscationOptions() { + init(); +} +ObfuscationOptions::ObfuscationOptions(const Twine &FileName) { + init(); + if (sys::fs::exists(FileName)) { + parseOptions(FileName); + } +} + +static StringRef getNodeString(yaml::Node *n) { + if (yaml::ScalarNode *sn = dyn_cast(n)) { + SmallString<32> Storage; + StringRef Val = sn->getValue(Storage); + return Val; + } + return ""; +} + +static unsigned long getIntVal(yaml::Node *n) { + return strtoul(getNodeString(n).str().c_str(), nullptr, 10); +} + +static std::set getStringList(yaml::Node *n) { + std::set filter; + if (yaml::SequenceNode *sn = dyn_cast(n)) { + for (yaml::SequenceNode::iterator i = sn->begin(), e = sn->end(); i != e; ++i) { + filter.insert(getNodeString(i).str()); + } + } + return filter; +} + +bool ObfuscationOptions::skipFunction(const Twine &FName) { + if (FName.str().find("goron_") == std::string::npos) { + return hasFilter && FunctionFilter.count(FName.str()) == 0; + } + return true; +} + +void ObfuscationOptions::handleRoot(yaml::Node *n) { + if (!n){ + return; + } + if (yaml::MappingNode *mn = dyn_cast(n)) { + for (yaml::MappingNode::iterator i = mn->begin(), e = mn->end(); + i != e; ++i) { + StringRef K = getNodeString(i->getKey()); + if (K == "IndirectBr") { + EnableIndirectBr = static_cast(getIntVal(i->getValue())); + } else if (K == "IndirectCall") { + EnableIndirectCall = static_cast(getIntVal(i->getValue())); + } else if (K == "IndirectGV") { + EnableIndirectGV = static_cast(getIntVal(i->getValue())); + } else if (K == "ControlFlowFlatten") { + EnableCFF = static_cast(getIntVal(i->getValue())); + } else if (K == "ConstantStringEncryption") { + EnableCSE = static_cast(getIntVal(i->getValue())); + } else if (K == "Filter") { + hasFilter = true; + FunctionFilter = getStringList(i->getValue()); + } + } + } +} + +bool ObfuscationOptions::parseOptions(const Twine &FileName) { + ErrorOr> BufOrErr = MemoryBuffer::getFileOrSTDIN(FileName); + MemoryBuffer &Buf = *BufOrErr.get(); + llvm::SourceMgr sm; + yaml::Stream stream(Buf.getBuffer(), sm, false); + for (yaml::document_iterator di = stream.begin(), de = stream.end(); di != de; + ++di) { + yaml::Node *n = di->getRoot(); + if (n) + handleRoot(n); + else + break; + } + return true; +} + +void ObfuscationOptions::dump() { + dbgs() << "EnableIndirectBr: " << EnableIndirectBr << "\n" + << "EnableIndirectCall: " << EnableIndirectCall << "\n" + << "EnableIndirectGV: " << EnableIndirectGV << "\n" + << "EnableCFF: " << EnableCFF << "\n" + << "hasFilter:" << hasFilter << "\n"; +} + +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/ObfuscationOptions.h b/llvm/lib/Passes/Obfuscation/ObfuscationOptions.h new file mode 100644 index 0000000000..dac70cf431 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/ObfuscationOptions.h @@ -0,0 +1,26 @@ +#ifndef OBFUSCATION_OBFUSCATIONOPTIONS_H +#define OBFUSCATION_OBFUSCATIONOPTIONS_H +#include +#include +namespace llvm { + struct ObfuscationOptions { + explicit ObfuscationOptions(const Twine &FileName); + explicit ObfuscationOptions(); + bool skipFunction(const Twine &FName); + void dump(); + + bool EnableIndirectBr; + bool EnableIndirectCall; + bool EnableIndirectGV; + bool EnableCFF; + bool EnableCSE; + bool hasFilter; + + private: + void init(); + void handleRoot(yaml::Node *n); + bool parseOptions(const Twine &FileName); + std::set FunctionFilter; + }; +} +#endif \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/SplitBasicBlock.cpp b/llvm/lib/Passes/Obfuscation/SplitBasicBlock.cpp new file mode 100644 index 0000000000..ebdb8f87d4 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/SplitBasicBlock.cpp @@ -0,0 +1,143 @@ +/* + * LLVM StringEncryption Pass + Copyright (C) 2017 Zhang(https://github.com/Naville/) + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + any later version. + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + */ +// User libs +#include "Utils.h" +#include "CryptoUtils.h" +#include "SplitBasicBlock.h" +// namespace +using namespace llvm; +using std::vector; + +#define DEBUG_TYPE "split" // 调试标识 +// Stats +STATISTIC(Split, "Basicblock splitted"); // 宏定义 + +// 可选的参数,指定一个基本块会被分裂成几个基本块,默认值为 3 +static cl::opt SplitNum("split_num", cl::init(3), cl::desc("Split time(s) each BB")); +// 貌似NEW PM暂时不支持这种传递 + +/** + * @brief 新的实现方案 + * + * @param F + * @param AM + * @return PreservedAnalyses + */ +PreservedAnalyses SplitBasicBlockPass::run(Function& F, FunctionAnalysisManager& AM) { + Function *tmp = &F; // 传入的Function + if (toObfuscate(flag, tmp, "split")){ // 判断什么函数需要开启混淆 + split(tmp); // 分割流程 + ++Split; // 计次 + return PreservedAnalyses::none(); + } + return PreservedAnalyses::all(); +} + +/** + * @brief 对传入的基本块做分割 + * + * @param BB + */ +void SplitBasicBlockPass::split(Function *f){ + std::vector origBB; + // 保存所有基本块 防止分割的同时迭代新的基本块 + for (Function::iterator I = f->begin(), IE = f->end(); I != IE; ++I){ + origBB.push_back(&*I); + } + // 遍历函数的全部基本块 + for (std::vector::iterator I = origBB.begin(), IE = origBB.end();I != IE; ++I){ + BasicBlock *curr = *I; + //outs() << "\033[1;32mSplitNum : " << SplitNum << "\033[0m\n"; + //outs() << "\033[1;32mBasicBlock Size : " << curr->size() << "\033[0m\n"; + int splitN = SplitNum; + // 无需分割只有一条指令的基本块 + // 不可分割含有PHI指令基本块 + if (curr->size() < 2 || containsPHI(curr)){ + //outs() << "\033[0;33mThis BasicBlock is lower then two or had PIH Instruction!\033[0m\n"; + continue; + } + // 检查splitN和基本块大小 如果传入的分割块数甚至大于等于基本块自身大小 则修改分割数为基本块大小减一 + if ((size_t)splitN >= curr->size()){ + //outs() << "\033[0;33mSplitNum is bigger then currBasicBlock's size\033[0m\n"; // warning + //outs() << "\033[0;33mSo SplitNum Now is BasicBlock's size -1 : " << (curr->size() - 1) << "\033[0m\n"; + splitN = curr->size() - 1; + } else { + //outs() << "\033[1;32msplitNum Now is " << splitN << "\033[0m\n"; + } + // Generate splits point + std::vector test; + for (unsigned i = 1; i < curr->size(); ++i){ + test.push_back(i); + } + // Shuffle + if (test.size() != 1){ + shuffle(test); + std::sort(test.begin(), test.begin() + splitN); + } + // 分割 + BasicBlock::iterator it = curr->begin(); + BasicBlock *toSplit = curr; + int last = 0; + for (int i = 0; i < splitN; ++i){ + if (toSplit->size() < 2){ + continue; + } + for (int j = 0; j < test[i] - last; ++j){ + ++it; + } + last = test[i]; + toSplit = toSplit->splitBasicBlock(it, toSplit->getName() + ".split"); + } + ++Split; + } +} + +/** + * @brief 判断基本块是否包含PHI指令 + * + * @param BB + * @return true + * @return false + */ +bool SplitBasicBlockPass::containsPHI(BasicBlock *BB){ + for (Instruction &I : *BB){ + if (isa(&I)){ + return true; + } + } + return false; +} + +/** + * @brief 辅助分割流程的函数 + * + * @param vec + */ +void SplitBasicBlockPass::shuffle(std::vector &vec){ + int n = vec.size(); + for (int i = n - 1; i > 0; --i){ + std::swap(vec[i], vec[cryptoutils->get_uint32_t() % (i + 1)]); + } +} + +/** + * @brief 便于调用基本块分割 + * + * @param flag + * @return FunctionPass* + */ +SplitBasicBlockPass *llvm::createSplitBasicBlock(bool flag){ + return new SplitBasicBlockPass(flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/SplitBasicBlock.h b/llvm/lib/Passes/Obfuscation/SplitBasicBlock.h new file mode 100644 index 0000000000..540a67bf7c --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/SplitBasicBlock.h @@ -0,0 +1,33 @@ +#ifndef LLVM_SPLIT_BASIC_BLOCK_H +#define LLVM_SPLIT_BASIC_BLOCK_H +// LLVM libs +#include "llvm/Pass.h" +#include "llvm/IR/Module.h" +#include "llvm/IR/Function.h" +#include "llvm/IR/BasicBlock.h" +#include "llvm/ADT/Statistic.h" +#include "llvm/IR/PassManager.h" //new Pass +#include "llvm/Transforms/IPO.h" +#include "llvm/IR/Instructions.h" +#include "llvm/Transforms/Scalar.h" +#include "llvm/Passes/PassBuilder.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/Support/CommandLine.h" +// System libs +#include +namespace llvm{ // 基本块分割 + class SplitBasicBlockPass : public PassInfoMixin{ + public: + bool flag; + SplitBasicBlockPass(bool flag){ + this->flag = flag; + } // 携带flag的构造函数 + PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM); // Pass实现函数 + void split(Function *f); // 对单个基本块执行分裂操作 + bool containsPHI(BasicBlock *BB); //判断一个基本块中是否包含 PHI指令(PHINode) + void shuffle(std::vector &vec); // 辅助作用的函数 + static bool isRequired() { return true; } // 直接返回true即可 + }; + SplitBasicBlockPass *createSplitBasicBlock(bool flag); // 创建基本块分割 +} +#endif // LLVM_SPLIT_BASIC_BLOCK_H \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/StringEncryption.cpp b/llvm/lib/Passes/Obfuscation/StringEncryption.cpp new file mode 100644 index 0000000000..d647f4e3ca --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/StringEncryption.cpp @@ -0,0 +1,487 @@ +#include "StringEncryption.h" + +#define DEBUG_TYPE "strenc" + +using namespace llvm; + +bool StringEncryptionPass::do_StrEnc(Module &M, ModuleAnalysisManager &AM) { + std::set ConstantStringUsers; + + // collect all c strings + + LLVMContext &Ctx = M.getContext(); + ConstantInt *Zero = ConstantInt::get(Type::getInt32Ty(Ctx), 0); + for (GlobalVariable &GV : M.globals()) { + if (!GV.isConstant() || !GV.hasInitializer() || + GV.hasDLLExportStorageClass() || GV.isDLLImportDependent()) { + continue; + } + Constant *Init = GV.getInitializer(); + if (Init == nullptr) + continue; + if (ConstantDataSequential *CDS = dyn_cast(Init)) { + if (CDS->isCString()) { + CSPEntry *Entry = new CSPEntry(); + StringRef Data = CDS->getRawDataValues(); + Entry->Data.reserve(Data.size()); + for (unsigned i = 0; i < Data.size(); ++i) { + Entry->Data.push_back(static_cast(Data[i])); + } + Entry->ID = static_cast(ConstantStringPool.size()); + ConstantAggregateZero *ZeroInit = + ConstantAggregateZero::get(CDS->getType()); + GlobalVariable *DecGV = new GlobalVariable( + M, CDS->getType(), false, GlobalValue::PrivateLinkage, ZeroInit, + "dec" + Twine::utohexstr(Entry->ID) + GV.getName()); + GlobalVariable *DecStatus = new GlobalVariable( + M, Type::getInt32Ty(Ctx), false, GlobalValue::PrivateLinkage, Zero, + "dec_status_" + Twine::utohexstr(Entry->ID) + GV.getName()); + DecGV->setAlignment(MaybeAlign(GV.getAlignment())); + Entry->DecGV = DecGV; + Entry->DecStatus = DecStatus; + ConstantStringPool.push_back(Entry); + CSPEntryMap[&GV] = Entry; + collectConstantStringUser(&GV, ConstantStringUsers); + } + } + } + + // encrypt those strings, build corresponding decrypt function + for (CSPEntry *Entry : ConstantStringPool) { + getRandomBytes(Entry->EncKey, 16, 32); + for (unsigned i = 0; i < Entry->Data.size(); ++i) { + Entry->Data[i] ^= Entry->EncKey[i % Entry->EncKey.size()]; + } + Entry->DecFunc = buildDecryptFunction(&M, Entry); + } + + // build initialization function for supported constant string users + for (GlobalVariable *GV : ConstantStringUsers) { + if (isValidToEncrypt(GV)) { + Type *EltType = GV->getValueType(); + ConstantAggregateZero *ZeroInit = ConstantAggregateZero::get(EltType); + GlobalVariable *DecGV = + new GlobalVariable(M, EltType, false, GlobalValue::PrivateLinkage, + ZeroInit, "dec_" + GV->getName()); + DecGV->setAlignment(MaybeAlign(GV->getAlignment())); + GlobalVariable *DecStatus = new GlobalVariable( + M, Type::getInt32Ty(Ctx), false, GlobalValue::PrivateLinkage, Zero, + "dec_status_" + GV->getName()); + CSUser *User = new CSUser(EltType, GV, DecGV); + User->DecStatus = DecStatus; + User->InitFunc = buildInitFunction(&M, User); + CSUserMap[GV] = User; + } + } + + // emit the constant string pool + // | junk bytes | key 1 | encrypted string 1 | junk bytes | key 2 | encrypted + // string 2 | ... + std::vector Data; + std::vector JunkBytes; + + JunkBytes.reserve(32); + for (CSPEntry *Entry : ConstantStringPool) { + JunkBytes.clear(); + getRandomBytes(JunkBytes, 16, 32); + Data.insert(Data.end(), JunkBytes.begin(), JunkBytes.end()); + Entry->Offset = static_cast(Data.size()); + Data.insert(Data.end(), Entry->EncKey.begin(), Entry->EncKey.end()); + Data.insert(Data.end(), Entry->Data.begin(), Entry->Data.end()); + } + + Constant *CDA = + ConstantDataArray::get(M.getContext(), ArrayRef(Data)); + EncryptedStringTable = + new GlobalVariable(M, CDA->getType(), true, GlobalValue::PrivateLinkage, + CDA, "EncryptedStringTable"); + + // decrypt string back at every use, change the plain string use to the + // decrypted one + bool Changed = false; + for (Function &F : M) { + if (F.isDeclaration()) + continue; + Changed |= processConstantStringUse(&F); + } + + for (auto &I : CSUserMap) { + CSUser *User = I.second; + Changed |= processConstantStringUse(User->InitFunc); + } + + // delete unused global variables + deleteUnusedGlobalVariable(); + for (CSPEntry *Entry : ConstantStringPool) { + if (Entry->DecFunc->use_empty()) { + Entry->DecFunc->eraseFromParent(); + } + } + return Changed; +} + +PreservedAnalyses StringEncryptionPass::run(Module &M, ModuleAnalysisManager &AM) { + if (this->flag) { + outs() << "[Soule] force.run.StringEncryptionPass\n"; + if (do_StrEnc(M, AM)) + return PreservedAnalyses::none(); + } + return PreservedAnalyses::all(); +} + +void StringEncryptionPass::getRandomBytes(std::vector &Bytes, + uint32_t MinSize, uint32_t MaxSize) { + uint32_t N = RandomEngine.get_uint32_t(); + uint32_t Len; + + assert(MaxSize >= MinSize); + + if (MinSize == MaxSize) { + Len = MinSize; + } else { + Len = MinSize + (N % (MaxSize - MinSize)); + } + + char *Buffer = new char[Len]; + RandomEngine.get_bytes(Buffer, Len); + for (uint32_t i = 0; i < Len; ++i) { + Bytes.push_back(static_cast(Buffer[i])); + } + + delete[] Buffer; +} + +// +// static void goron_decrypt_string(uint8_t *plain_string, const uint8_t *data) +//{ +// const uint8_t *key = data; +// uint32_t key_size = 1234; +// uint8_t *es = (uint8_t *) &data[key_size]; +// uint32_t i; +// for (i = 0;i < 5678;i ++) { +// plain_string[i] = es[i] ^ key[i % key_size]; +// } +//} + +Function *StringEncryptionPass::buildDecryptFunction( + Module *M, const StringEncryptionPass::CSPEntry *Entry) { + LLVMContext &Ctx = M->getContext(); + IRBuilder<> IRB(Ctx); + FunctionType *FuncTy = FunctionType::get( + Type::getVoidTy(Ctx), {IRB.getPtrTy(), IRB.getPtrTy()}, false); + Function *DecFunc = Function::Create( + FuncTy, GlobalValue::PrivateLinkage, + "goron_decrypt_string_" + Twine::utohexstr(Entry->ID), M); + + auto ArgIt = DecFunc->arg_begin(); + Argument *PlainString = ArgIt; // output + ++ArgIt; + Argument *Data = ArgIt; // input + + PlainString->setName("plain_string"); + PlainString->addAttr(Attribute::NoCapture); + Data->setName("data"); + Data->addAttr(Attribute::NoCapture); + Data->addAttr(Attribute::ReadOnly); + + BasicBlock *Enter = BasicBlock::Create(Ctx, "Enter", DecFunc); + BasicBlock *LoopBody = BasicBlock::Create(Ctx, "LoopBody", DecFunc); + BasicBlock *UpdateDecStatus = + BasicBlock::Create(Ctx, "UpdateDecStatus", DecFunc); + BasicBlock *Exit = BasicBlock::Create(Ctx, "Exit", DecFunc); + + IRB.SetInsertPoint(Enter); + ConstantInt *KeySize = + ConstantInt::get(Type::getInt32Ty(Ctx), Entry->EncKey.size()); + Value *EncPtr = IRB.CreateInBoundsGEP(IRB.getInt8Ty(), Data, KeySize); + Value *DecStatus = + IRB.CreateLoad(Entry->DecStatus->getValueType(), Entry->DecStatus); + Value *IsDecrypted = IRB.CreateICmpEQ(DecStatus, IRB.getInt32(1)); + IRB.CreateCondBr(IsDecrypted, Exit, LoopBody); + + IRB.SetInsertPoint(LoopBody); + PHINode *LoopCounter = IRB.CreatePHI(IRB.getInt32Ty(), 2); + LoopCounter->addIncoming(IRB.getInt32(0), Enter); + + Value *EncCharPtr = + IRB.CreateInBoundsGEP(IRB.getInt8Ty(), EncPtr, LoopCounter); + Value *EncChar = IRB.CreateLoad(IRB.getInt8Ty(), EncCharPtr); + Value *KeyIdx = IRB.CreateURem(LoopCounter, KeySize); + + Value *KeyCharPtr = IRB.CreateInBoundsGEP(IRB.getInt8Ty(), Data, KeyIdx); + Value *KeyChar = IRB.CreateLoad(IRB.getInt8Ty(), KeyCharPtr); + + Value *DecChar = IRB.CreateXor(EncChar, KeyChar); + Value *DecCharPtr = + IRB.CreateInBoundsGEP(IRB.getInt8Ty(), PlainString, LoopCounter); + IRB.CreateStore(DecChar, DecCharPtr); + + Value *NewCounter = + IRB.CreateAdd(LoopCounter, IRB.getInt32(1), "", true, true); + LoopCounter->addIncoming(NewCounter, LoopBody); + + Value *Cond = IRB.CreateICmpEQ( + NewCounter, IRB.getInt32(static_cast(Entry->Data.size()))); + IRB.CreateCondBr(Cond, UpdateDecStatus, LoopBody); + + IRB.SetInsertPoint(UpdateDecStatus); + IRB.CreateStore(IRB.getInt32(1), Entry->DecStatus); + IRB.CreateBr(Exit); + + IRB.SetInsertPoint(Exit); + IRB.CreateRetVoid(); + + return DecFunc; +} + +Function * +StringEncryptionPass::buildInitFunction(Module *M, + const StringEncryptionPass::CSUser *User) { + LLVMContext &Ctx = M->getContext(); + IRBuilder<> IRB(Ctx); + FunctionType *FuncTy = FunctionType::get(Type::getVoidTy(Ctx), + {User->DecGV->getType()}, false); + Function *InitFunc = Function::Create( + FuncTy, GlobalValue::PrivateLinkage, + "__global_variable_initializer_" + User->GV->getName(), M); + + auto ArgIt = InitFunc->arg_begin(); + Argument *thiz = ArgIt; + + thiz->setName("this"); + thiz->addAttr(Attribute::NoCapture); + + // convert constant initializer into a series of instructions + BasicBlock *Enter = BasicBlock::Create(Ctx, "Enter", InitFunc); + BasicBlock *InitBlock = BasicBlock::Create(Ctx, "InitBlock", InitFunc); + BasicBlock *Exit = BasicBlock::Create(Ctx, "Exit", InitFunc); + + IRB.SetInsertPoint(Enter); + Value *DecStatus = + IRB.CreateLoad(User->DecStatus->getValueType(), User->DecStatus); + Value *IsDecrypted = IRB.CreateICmpEQ(DecStatus, IRB.getInt32(1)); + IRB.CreateCondBr(IsDecrypted, Exit, InitBlock); + + IRB.SetInsertPoint(InitBlock); + Constant *Init = User->GV->getInitializer(); + lowerGlobalConstant(Init, IRB, User->DecGV, User->Ty); + IRB.CreateStore(IRB.getInt32(1), User->DecStatus); + IRB.CreateBr(Exit); + + IRB.SetInsertPoint(Exit); + IRB.CreateRetVoid(); + return InitFunc; +} + +void StringEncryptionPass::lowerGlobalConstant(Constant *CV, IRBuilder<> &IRB, + Value *Ptr, Type *Ty) { + if (isa(CV)) { + IRB.CreateStore(CV, Ptr); + return; + } + + if (ConstantArray *CA = dyn_cast(CV)) { + lowerGlobalConstantArray(CA, IRB, Ptr, Ty); + } else if (ConstantStruct *CS = dyn_cast(CV)) { + lowerGlobalConstantStruct(CS, IRB, Ptr, Ty); + } else { + IRB.CreateStore(CV, Ptr); + } +} + +void StringEncryptionPass::lowerGlobalConstantArray(ConstantArray *CA, + IRBuilder<> &IRB, Value *Ptr, + Type *Ty) { + for (unsigned i = 0, e = CA->getNumOperands(); i != e; ++i) { + Constant *CV = CA->getOperand(i); + Value *GEP = IRB.CreateGEP(Ty, Ptr, {IRB.getInt32(0), IRB.getInt32(i)}); + lowerGlobalConstant(CV, IRB, GEP, CV->getType()); + } +} + +void StringEncryptionPass::lowerGlobalConstantStruct(ConstantStruct *CS, + IRBuilder<> &IRB, Value *Ptr, + Type *Ty) { + for (unsigned i = 0, e = CS->getNumOperands(); i != e; ++i) { + Constant *CV = CS->getOperand(i); + Value *GEP = IRB.CreateGEP(Ty, Ptr, {IRB.getInt32(0), IRB.getInt32(i)}); + lowerGlobalConstant(CV, IRB, GEP, CV->getType()); + } +} + +bool StringEncryptionPass::processConstantStringUse(Function *F) { + if (!toObfuscate(flag, F, "cse")) { + return false; + } + if (Options && Options->skipFunction(F->getName())) { + return false; + } + LowerConstantExpr(*F); + SmallPtrSet + DecryptedGV; // if GV has multiple use in a block, decrypt only at the + // first use + bool Changed = false; + for (BasicBlock &BB : *F) { + DecryptedGV.clear(); + if (BB.isEHPad()) { + continue; + } + for (Instruction &Inst : BB) { + if (Inst.isEHPad()) { + continue; + } + if (PHINode *PHI = dyn_cast(&Inst)) { + for (unsigned int i = 0; i < PHI->getNumIncomingValues(); ++i) { + if (GlobalVariable *GV = dyn_cast( + PHI->getIncomingValue(i))) { + auto Iter1 = CSPEntryMap.find(GV); + auto Iter2 = CSUserMap.find(GV); + if (Iter2 != + CSUserMap.end()) { // GV is a constant string user + CSUser *User = Iter2->second; + if (DecryptedGV.count(GV) > 0) { + Inst.replaceUsesOfWith(GV, User->DecGV); + } else { + Instruction *InsertPoint = + PHI->getIncomingBlock(i)->getTerminator(); + IRBuilder<> IRB(InsertPoint); + IRB.CreateCall(User->InitFunc, {User->DecGV}); + Inst.replaceUsesOfWith(GV, User->DecGV); + MaybeDeadGlobalVars.insert(GV); + DecryptedGV.insert(GV); + Changed = true; + } + } else if (Iter1 != + CSPEntryMap + .end()) { // GV is a constant string + CSPEntry *Entry = Iter1->second; + if (DecryptedGV.count(GV) > 0) { + Inst.replaceUsesOfWith(GV, Entry->DecGV); + } else { + Instruction *InsertPoint = + PHI->getIncomingBlock(i)->getTerminator(); + IRBuilder<> IRB(InsertPoint); + + Value *OutBuf = IRB.CreateBitCast(Entry->DecGV, IRB.getPtrTy()); + Value *Data = IRB.CreateInBoundsGEP( + EncryptedStringTable->getValueType(), + EncryptedStringTable, + {IRB.getInt32(0), IRB.getInt32(Entry->Offset)}); + IRB.CreateCall(Entry->DecFunc, {OutBuf, Data}); + + Inst.replaceUsesOfWith(GV, Entry->DecGV); + MaybeDeadGlobalVars.insert(GV); + DecryptedGV.insert(GV); + Changed = true; + } + } + } + } + } else { + for (User::op_iterator op = Inst.op_begin(); + op != Inst.op_end(); ++op) { + if (GlobalVariable *GV = dyn_cast(*op)) { + auto Iter1 = CSPEntryMap.find(GV); + auto Iter2 = CSUserMap.find(GV); + if (Iter2 != CSUserMap.end()) { + CSUser *User = Iter2->second; + if (DecryptedGV.count(GV) > 0) { + Inst.replaceUsesOfWith(GV, User->DecGV); + } else { + IRBuilder<> IRB(&Inst); + IRB.CreateCall(User->InitFunc, {User->DecGV}); + Inst.replaceUsesOfWith(GV, User->DecGV); + MaybeDeadGlobalVars.insert(GV); + DecryptedGV.insert(GV); + Changed = true; + } + } else if (Iter1 != CSPEntryMap.end()) { + CSPEntry *Entry = Iter1->second; + if (DecryptedGV.count(GV) > 0) { + Inst.replaceUsesOfWith(GV, Entry->DecGV); + } else { + IRBuilder<> IRB(&Inst); + + Value *OutBuf = IRB.CreateBitCast(Entry->DecGV, IRB.getPtrTy()); + Value *Data = IRB.CreateInBoundsGEP( + EncryptedStringTable->getValueType(), + EncryptedStringTable, + {IRB.getInt32(0), IRB.getInt32(Entry->Offset)}); + IRB.CreateCall(Entry->DecFunc, {OutBuf, Data}); + + Inst.replaceUsesOfWith(GV, Entry->DecGV); + MaybeDeadGlobalVars.insert(GV); + DecryptedGV.insert(GV); + Changed = true; + } + } + } + } + } + } + } + return Changed; +} + +void StringEncryptionPass::collectConstantStringUser( + GlobalVariable *CString, std::set &Users) { + SmallPtrSet Visited; + SmallVector ToVisit; + + ToVisit.push_back(CString); + while (!ToVisit.empty()) { + Value *V = ToVisit.pop_back_val(); + if (Visited.count(V) > 0) + continue; + Visited.insert(V); + for (Value *User : V->users()) { + if (auto *GV = dyn_cast(User)) { + Users.insert(GV); + } else { + ToVisit.push_back(User); + } + } + } +} + +bool StringEncryptionPass::isValidToEncrypt(GlobalVariable *GV) { + if (GV->isConstant() && GV->hasInitializer()) { + return GV->getInitializer() != nullptr; + } else { + return false; + } +} + +void StringEncryptionPass::deleteUnusedGlobalVariable() { + bool Changed = true; + while (Changed) { + Changed = false; + for (auto Iter = MaybeDeadGlobalVars.begin(); + Iter != MaybeDeadGlobalVars.end();) { + GlobalVariable *GV = *Iter; + if (!GV->hasLocalLinkage()) { + ++Iter; + continue; + } + + GV->removeDeadConstantUsers(); + if (GV->use_empty()) { + if (GV->hasInitializer()) { + Constant *Init = GV->getInitializer(); + GV->setInitializer(nullptr); + if (isSafeToDestroyConstant(Init)) + Init->destroyConstant(); + } + Iter = MaybeDeadGlobalVars.erase(Iter); + GV->eraseFromParent(); + Changed = true; + } else { + ++Iter; + } + } + } +} + +StringEncryptionPass *llvm::createStringEncryption(bool flag){ + return new StringEncryptionPass(flag); +} \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/StringEncryption.h b/llvm/lib/Passes/Obfuscation/StringEncryption.h new file mode 100644 index 0000000000..36c3a5484c --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/StringEncryption.h @@ -0,0 +1,109 @@ +#ifndef LLVM_STRING_ENCRYPTION_H +#define LLVM_STRING_ENCRYPTION_H +// LLVM libs +#include "llvm/Transforms/Utils/GlobalStatus.h" +#include "llvm/IR/LLVMContext.h" +#include "llvm/IR/Constants.h" +#include "llvm/IR/GlobalValue.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/InstIterator.h" +#include "llvm/IR/Instructions.h" +#include "llvm/Support/raw_ostream.h" +#include "llvm/IR/Module.h" +#include "llvm/IR/Value.h" +#include "llvm/Pass.h" +#include "llvm/Support/CommandLine.h" +#include "llvm/Support/TargetSelect.h" +#include "llvm/Transforms/Utils/BasicBlockUtils.h" +//#include "llvm/Transforms/IPO/PassManagerBuilder.h" +#include "llvm/Support/FormatVariadic.h" +#include "llvm/Support/SHA1.h" +#include "llvm/Transforms/Utils/ModuleUtils.h" + +// User libs +#include "CryptoUtils.h" +#include "Utils.h" +// System libs +#include +#include +#include +#include +#include +#include +#include + +#include "ObfuscationOptions.h" + +using namespace std; +namespace llvm { +struct EncryptedGV { + GlobalVariable *GV; + uint64_t key; + uint32_t len; +}; + +class StringEncryptionPass : public PassInfoMixin { +public: + bool flag; + struct CSPEntry { + CSPEntry() + : ID(0), Offset(0), DecGV(nullptr), DecStatus(nullptr), + DecFunc(nullptr) {} + unsigned ID; + unsigned Offset; + GlobalVariable *DecGV; + GlobalVariable *DecStatus; // is decrypted or not + std::vector Data; + std::vector EncKey; + Function *DecFunc; + }; + + struct CSUser { + CSUser(Type *ETy, GlobalVariable *User, GlobalVariable *NewGV) + : Ty(ETy), GV(User), DecGV(NewGV), DecStatus(nullptr), + InitFunc(nullptr) {} + Type *Ty; + GlobalVariable *GV; + GlobalVariable *DecGV; + GlobalVariable *DecStatus; // is decrypted or not + Function *InitFunc; // InitFunc will use decryted string to + // initialize DecGV + }; + + ObfuscationOptions *Options; + CryptoUtils RandomEngine; + std::vector ConstantStringPool; + std::map CSPEntryMap; + std::map CSUserMap; + GlobalVariable *EncryptedStringTable; + std::set MaybeDeadGlobalVars; + + map + encstatus; + StringEncryptionPass(bool flag) { + this->flag = flag; + Options = new ObfuscationOptions; + //EncryptedStringTable = new GlobalVariable; + } + PreservedAnalyses run(Module &M, ModuleAnalysisManager &AM); // Pass实现函数 + bool do_StrEnc(Module &M, ModuleAnalysisManager &AM); + void collectConstantStringUser(GlobalVariable *CString, + std::set &Users); + bool isValidToEncrypt(GlobalVariable *GV); + bool processConstantStringUse(Function *F); + void deleteUnusedGlobalVariable(); + Function *buildDecryptFunction(Module *M, const CSPEntry *Entry); + Function *buildInitFunction(Module *M, const CSUser *User); + void getRandomBytes(std::vector &Bytes, uint32_t MinSize, + uint32_t MaxSize); + void lowerGlobalConstant(Constant *CV, IRBuilder<> &IRB, Value *Ptr, + Type *Ty); + void lowerGlobalConstantStruct(ConstantStruct *CS, IRBuilder<> &IRB, + Value *Ptr, Type *Ty); + void lowerGlobalConstantArray(ConstantArray *CA, IRBuilder<> &IRB, Value *Ptr, + Type *Ty); + static bool isRequired() { return true; } // 直接返回true即可 +}; +StringEncryptionPass *createStringEncryption(bool flag); // 创建字符串加密 +} +#endif \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/Substitution.cpp b/llvm/lib/Passes/Obfuscation/Substitution.cpp new file mode 100644 index 0000000000..a34c1dc5c6 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/Substitution.cpp @@ -0,0 +1,507 @@ +//===- Substitution.cpp - Substitution Obfuscation +// pass-------------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// This file implements operators substitution's pass +// +//===----------------------------------------------------------------------===// + +#include "Substitution.h" +#include "llvm/IR/LLVMContext.h" +#include "llvm/Support/raw_ostream.h" +#include "Utils.h" +#include "llvm/IR/Intrinsics.h" + +#define DEBUG_TYPE "substitution" + +static cl::opt ObfTimes("sub_loop", + cl::desc("Choose how many time the -sub pass loops on a function"), + cl::value_desc("number of times"), cl::init(1), cl::Optional); + + +// Stats +STATISTIC(Add, "Add substitued"); +STATISTIC(Sub, "Sub substitued"); +// STATISTIC(Mul, "Mul substitued"); +// STATISTIC(Div, "Div substitued"); +// STATISTIC(Rem, "Rem substitued"); +// STATISTIC(Shi, "Shift substitued"); +STATISTIC(And, "And substitued"); +STATISTIC(Or, "Or substitued"); +STATISTIC(Xor, "Xor substitued"); + +PreservedAnalyses SubstitutionPass::run(Function &F, FunctionAnalysisManager &AM) { + // Check if the percentage is correct + if (ObfTimes <= 0) { + errs() << "Substitution application number -sub_loop=x must be x > 0"; + return PreservedAnalyses::all(); + } + + Function *tmp = &F; + // Do we obfuscate + if (toObfuscate(flag, tmp, "sub")) { + substitute(tmp); + return PreservedAnalyses::none(); + } + + return PreservedAnalyses::all(); +} + +bool SubstitutionPass::substitute(Function *f) { + Function *tmp = f; + + // Loop for the number of time we run the pass on the function + int times = ObfTimes; + do { + for (Function::iterator bb = tmp->begin(); bb != tmp->end(); ++bb) { + for (BasicBlock::iterator inst = bb->begin(); inst != bb->end(); ++inst) { + if (inst->isBinaryOp()) { + switch (inst->getOpcode()) { + case BinaryOperator::Add: + // case BinaryOperator::FAdd: + // Substitute with random add operation + (this->*funcAdd[llvm::cryptoutils->get_range(NUMBER_ADD_SUBST)])( + cast(inst)); + ++Add; + break; + case BinaryOperator::Sub: + // case BinaryOperator::FSub: + // Substitute with random sub operation + (this->*funcSub[llvm::cryptoutils->get_range(NUMBER_SUB_SUBST)])( + cast(inst)); + ++Sub; + break; + case BinaryOperator::Mul: + case BinaryOperator::FMul: + //++Mul; + break; + case BinaryOperator::UDiv: + case BinaryOperator::SDiv: + case BinaryOperator::FDiv: + //++Div; + break; + case BinaryOperator::URem: + case BinaryOperator::SRem: + case BinaryOperator::FRem: + //++Rem; + break; + case Instruction::Shl: + //++Shi; + break; + case Instruction::LShr: + //++Shi; + break; + case Instruction::AShr: + //++Shi; + break; + case Instruction::And: + (this->* + funcAnd[llvm::cryptoutils->get_range(2)])(cast(inst)); + ++And; + break; + case Instruction::Or: + (this->* + funcOr[llvm::cryptoutils->get_range(2)])(cast(inst)); + ++Or; + break; + case Instruction::Xor: + (this->* + funcXor[llvm::cryptoutils->get_range(2)])(cast(inst)); + ++Xor; + break; + default: + break; + } // End switch + } // End isBinaryOp + } // End for basickblock + } // End for Function + } while (--times > 0); // for times + return false; +} + +// Implementation of a = b - (-c) +void SubstitutionPass::addNeg(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + // Create sub + if (bo->getOpcode() == Instruction::Add) { + op = BinaryOperator::CreateNeg(bo->getOperand(1), "", bo); + op = + BinaryOperator::Create(Instruction::Sub, bo->getOperand(0), op, "", bo); + + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + + bo->replaceAllUsesWith(op); + }/* else { + op = BinaryOperator::CreateFNeg(bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::FSub, bo->getOperand(0), op, "", + bo); + }*/ +} + +// Implementation of a = -(-b + (-c)) +void SubstitutionPass::addDoubleNeg(BinaryOperator *bo) { + BinaryOperator *op, *op2 = NULL; + UnaryOperator *op3, *op4; + if (bo->getOpcode() == Instruction::Add) { + op = BinaryOperator::CreateNeg(bo->getOperand(0), "", bo); + op2 = BinaryOperator::CreateNeg(bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::Add, op, op2, "", bo); + op = BinaryOperator::CreateNeg(op, "", bo); + bo->replaceAllUsesWith(op); + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + } else { + op3 = UnaryOperator::CreateFNeg(bo->getOperand(0), "", bo); + op4 = UnaryOperator::CreateFNeg(bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::FAdd, op3, op4, "", bo); + op3 = UnaryOperator::CreateFNeg(op, "", bo); + bo->replaceAllUsesWith(op3); + } +} + +// Implementation of r = rand (); a = b + r; a = a + c; a = a - r +void SubstitutionPass::addRand(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + if (bo->getOpcode() == Instruction::Add) { + Type *ty = bo->getType(); + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + op = + BinaryOperator::Create(Instruction::Add, bo->getOperand(0), co, "", bo); + op = + BinaryOperator::Create(Instruction::Add, op, bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::Sub, op, co, "", bo); + + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + + bo->replaceAllUsesWith(op); + } + /* else { + Type *ty = bo->getType(); + ConstantFP *co = + (ConstantFP*)ConstantFP::get(ty,(float)llvm::cryptoutils->get_uint64_t()); + op = BinaryOperator::Create(Instruction::FAdd,bo->getOperand(0),co,"",bo); + op = BinaryOperator::Create(Instruction::FAdd,op,bo->getOperand(1),"",bo); + op = BinaryOperator::Create(Instruction::FSub,op,co,"",bo); + } */ +} + +// Implementation of r = rand (); a = b - r; a = a + b; a = a + r +void SubstitutionPass::addRand2(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + if (bo->getOpcode() == Instruction::Add) { + Type *ty = bo->getType(); + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + op = + BinaryOperator::Create(Instruction::Sub, bo->getOperand(0), co, "", bo); + op = + BinaryOperator::Create(Instruction::Add, op, bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::Add, op, co, "", bo); + + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + + bo->replaceAllUsesWith(op); + } + /* else { + Type *ty = bo->getType(); + ConstantFP *co = + (ConstantFP*)ConstantFP::get(ty,(float)llvm::cryptoutils->get_uint64_t()); + op = BinaryOperator::Create(Instruction::FAdd,bo->getOperand(0),co,"",bo); + op = BinaryOperator::Create(Instruction::FAdd,op,bo->getOperand(1),"",bo); + op = BinaryOperator::Create(Instruction::FSub,op,co,"",bo); + } */ +} + +// Implementation of a = b + (-c) +void SubstitutionPass::subNeg(BinaryOperator *bo) { + BinaryOperator *op = NULL; + if (bo->getOpcode() == Instruction::Sub) { + op = BinaryOperator::CreateNeg(bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::Add, bo->getOperand(0), op, "", bo); + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + } else { + auto op1 = UnaryOperator::CreateFNeg(bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::FAdd, bo->getOperand(0), op1, "", bo); + } + bo->replaceAllUsesWith(op); +} + +// Implementation of r = rand (); a = b + r; a = a - c; a = a - r +void SubstitutionPass::subRand(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + if (bo->getOpcode() == Instruction::Sub) { + Type *ty = bo->getType(); + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + op = + BinaryOperator::Create(Instruction::Add, bo->getOperand(0), co, "", bo); + op = + BinaryOperator::Create(Instruction::Sub, op, bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::Sub, op, co, "", bo); + + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + + bo->replaceAllUsesWith(op); + } + /* else { + Type *ty = bo->getType(); + ConstantFP *co = + (ConstantFP*)ConstantFP::get(ty,(float)llvm::cryptoutils->get_uint64_t()); + op = BinaryOperator::Create(Instruction::FAdd,bo->getOperand(0),co,"",bo); + op = BinaryOperator::Create(Instruction::FSub,op,bo->getOperand(1),"",bo); + op = BinaryOperator::Create(Instruction::FSub,op,co,"",bo); + } */ +} + +// Implementation of r = rand (); a = b - r; a = a - c; a = a + r +void SubstitutionPass::subRand2(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + if (bo->getOpcode() == Instruction::Sub) { + Type *ty = bo->getType(); + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + op = + BinaryOperator::Create(Instruction::Sub, bo->getOperand(0), co, "", bo); + op = + BinaryOperator::Create(Instruction::Sub, op, bo->getOperand(1), "", bo); + op = BinaryOperator::Create(Instruction::Add, op, co, "", bo); + + // Check signed wrap + //op->setHasNoSignedWrap(bo->hasNoSignedWrap()); + //op->setHasNoUnsignedWrap(bo->hasNoUnsignedWrap()); + + bo->replaceAllUsesWith(op); + } + /* else { + Type *ty = bo->getType(); + ConstantFP *co = + (ConstantFP*)ConstantFP::get(ty,(float)llvm::cryptoutils->get_uint64_t()); + op = BinaryOperator::Create(Instruction::FSub,bo->getOperand(0),co,"",bo); + op = BinaryOperator::Create(Instruction::FSub,op,bo->getOperand(1),"",bo); + op = BinaryOperator::Create(Instruction::FAdd,op,co,"",bo); + } */ +} + +// Implementation of a = b & c => a = (b^~c)& b +void SubstitutionPass::andSubstitution(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + // Create NOT on second operand => ~c + op = BinaryOperator::CreateNot(bo->getOperand(1), "", bo); + + // Create XOR => (b^~c) + BinaryOperator *op1 = + BinaryOperator::Create(Instruction::Xor, bo->getOperand(0), op, "", bo); + + // Create AND => (b^~c) & b + op = BinaryOperator::Create(Instruction::And, op1, bo->getOperand(0), "", bo); + bo->replaceAllUsesWith(op); +} + +// Implementation of a = a & b <=> ~(~a | ~b) & (r | ~r) +void SubstitutionPass::andSubstitutionRand(BinaryOperator *bo) { + // Copy of the BinaryOperator type to create the random number with the + // same type of the operands + Type *ty = bo->getType(); + + // r (Random number) + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + + // ~a + BinaryOperator *op = BinaryOperator::CreateNot(bo->getOperand(0), "", bo); + + // ~b + BinaryOperator *op1 = BinaryOperator::CreateNot(bo->getOperand(1), "", bo); + + // ~r + BinaryOperator *opr = BinaryOperator::CreateNot(co, "", bo); + + // (~a | ~b) + BinaryOperator *opa = + BinaryOperator::Create(Instruction::Or, op, op1, "", bo); + + // (r | ~r) + opr = BinaryOperator::Create(Instruction::Or, co, opr, "", bo); + + // ~(~a | ~b) + op = BinaryOperator::CreateNot(opa, "", bo); + + // ~(~a | ~b) & (r | ~r) + op = BinaryOperator::Create(Instruction::And, op, opr, "", bo); + + // We replace all the old AND operators with the new one transformed + bo->replaceAllUsesWith(op); +} + +// Implementation of a = a | b => +// a = (((~a & r) | (a & ~r)) ^ ((~b & r) | (b & ~r))) | (~(~a | ~b) & (r | ~r)) +void SubstitutionPass::orSubstitutionRand(BinaryOperator *bo) { + + Type *ty = bo->getType(); + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + + // ~a + BinaryOperator *op = BinaryOperator::CreateNot(bo->getOperand(0), "", bo); + + // ~b + BinaryOperator *op1 = BinaryOperator::CreateNot(bo->getOperand(1), "", bo); + + // ~r + BinaryOperator *op2 = BinaryOperator::CreateNot(co, "", bo); + + // ~a & r + BinaryOperator *op3 = + BinaryOperator::Create(Instruction::And, op, co, "", bo); + + // a & ~r + BinaryOperator *op4 = + BinaryOperator::Create(Instruction::And, bo->getOperand(0), op2, "", bo); + + // ~b & r + BinaryOperator *op5 = + BinaryOperator::Create(Instruction::And, op1, co, "", bo); + + // b & ~r + BinaryOperator *op6 = + BinaryOperator::Create(Instruction::And, bo->getOperand(1), op2, "", bo); + + // (~a & r) | (a & ~r) + op3 = BinaryOperator::Create(Instruction::Or, op3, op4, "", bo); + + // (~b & r) | (b & ~r) + op4 = BinaryOperator::Create(Instruction::Or, op5, op6, "", bo); + + // ((~a & r) | (a & ~r)) ^ ((~b & r) | (b & ~r)) + op5 = BinaryOperator::Create(Instruction::Xor, op3, op4, "", bo); + + // ~a | ~b + op3 = BinaryOperator::Create(Instruction::Or, op, op1, "", bo); + + // ~(~a | ~b) + op3 = BinaryOperator::CreateNot(op3, "", bo); + + // r | ~r + op4 = BinaryOperator::Create(Instruction::Or, co, op2, "", bo); + + // ~(~a | ~b) & (r | ~r) + op4 = BinaryOperator::Create(Instruction::And, op3, op4, "", bo); + + // (((~a & r) | (a & ~r)) ^ ((~b & r) | (b & ~r))) | (~(~a | ~b) & (r | ~r)) + op = BinaryOperator::Create(Instruction::Or, op5, op4, "", bo); + bo->replaceAllUsesWith(op); +} + +// Implementation of a = b | c => a = (b & c) | (b ^ c) +void SubstitutionPass::orSubstitution(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + // Creating first operand (b & c) + op = BinaryOperator::Create(Instruction::And, bo->getOperand(0), + bo->getOperand(1), "", bo); + + // Creating second operand (b ^ c) + BinaryOperator *op1 = BinaryOperator::Create( + Instruction::Xor, bo->getOperand(0), bo->getOperand(1), "", bo); + + // final op + op = BinaryOperator::Create(Instruction::Or, op, op1, "", bo); + bo->replaceAllUsesWith(op); +} + +// Implementation of a = a ^ b => a = (~a & b) | (a & ~b) +void SubstitutionPass::xorSubstitution(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + // Create NOT on first operand + op = BinaryOperator::CreateNot(bo->getOperand(0), "", bo); // ~a + + // Create AND + op = BinaryOperator::Create(Instruction::And, bo->getOperand(1), op, "", + bo); // ~a & b + + // Create NOT on second operand + BinaryOperator *op1 = + BinaryOperator::CreateNot(bo->getOperand(1), "", bo); // ~b + + // Create AND + op1 = BinaryOperator::Create(Instruction::And, bo->getOperand(0), op1, "", + bo); // a & ~b + + // Create OR + op = BinaryOperator::Create(Instruction::Or, op, op1, "", + bo); // (~a & b) | (a & ~b) + bo->replaceAllUsesWith(op); +} + +// implementation of a = a ^ b <=> (a ^ r) ^ (b ^ r) <=> +// ((~a & r) | (a & ~r)) ^ ((~b & r) | (b & ~r)) +// note : r is a random number +void SubstitutionPass::xorSubstitutionRand(BinaryOperator *bo) { + BinaryOperator *op = NULL; + + Type *ty = bo->getType(); + ConstantInt *co = + (ConstantInt *)ConstantInt::get(ty, llvm::cryptoutils->get_uint64_t()); + + // ~a + op = BinaryOperator::CreateNot(bo->getOperand(0), "", bo); + + // ~a & r + op = BinaryOperator::Create(Instruction::And, co, op, "", bo); + + // ~r + BinaryOperator *opr = BinaryOperator::CreateNot(co, "", bo); + + // a & ~r + BinaryOperator *op1 = + BinaryOperator::Create(Instruction::And, bo->getOperand(0), opr, "", bo); + + // ~b + BinaryOperator *op2 = BinaryOperator::CreateNot(bo->getOperand(1), "", bo); + + // ~b & r + op2 = BinaryOperator::Create(Instruction::And, op2, co, "", bo); + + // b & ~r + BinaryOperator *op3 = + BinaryOperator::Create(Instruction::And, bo->getOperand(1), opr, "", bo); + + // (~a & r) | (a & ~r) + op = BinaryOperator::Create(Instruction::Or, op, op1, "", bo); + + // (~b & r) | (b & ~r) + op1 = BinaryOperator::Create(Instruction::Or, op2, op3, "", bo); + + // ((~a & r) | (a & ~r)) ^ ((~b & r) | (b & ~r)) + op = BinaryOperator::Create(Instruction::Xor, op, op1, "", bo); + bo->replaceAllUsesWith(op); +} + +SubstitutionPass *llvm::createSubstitutionPass(bool flag) { + return new SubstitutionPass(flag); +} diff --git a/llvm/lib/Passes/Obfuscation/Substitution.h b/llvm/lib/Passes/Obfuscation/Substitution.h new file mode 100644 index 0000000000..5ee66a8777 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/Substitution.h @@ -0,0 +1,96 @@ +//===- SubstitutionIncludes.h - Substitution Obfuscation pass-------------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// This file contains includes and defines for the substitution pass +// +//===----------------------------------------------------------------------===// + +#ifndef _SUBSTITUTIONS_H_ +#define _SUBSTITUTIONS_H_ + + +// LLVM include +#include "llvm/Pass.h" +#include "llvm/IR/Function.h" +#include "llvm/ADT/Statistic.h" +#include "llvm/IR/PassManager.h" //new Pass +#include "llvm/Transforms/IPO.h" +#include "llvm/IR/Instructions.h" +#include "llvm/IR/Module.h" +#include "llvm/Support/CommandLine.h" +#include "CryptoUtils.h" + +// Namespace +using namespace llvm; + +#define NUMBER_ADD_SUBST 4 +#define NUMBER_SUB_SUBST 3 +#define NUMBER_AND_SUBST 2 +#define NUMBER_OR_SUBST 2 +#define NUMBER_XOR_SUBST 2 + +namespace llvm { + class SubstitutionPass : public PassInfoMixin { + public: + bool flag; + void (SubstitutionPass::*funcAdd[NUMBER_ADD_SUBST])(BinaryOperator *bo); + void (SubstitutionPass::*funcSub[NUMBER_SUB_SUBST])(BinaryOperator *bo); + void (SubstitutionPass::*funcAnd[NUMBER_AND_SUBST])(BinaryOperator *bo); + void (SubstitutionPass::*funcOr[NUMBER_OR_SUBST])(BinaryOperator *bo); + void (SubstitutionPass::*funcXor[NUMBER_XOR_SUBST])(BinaryOperator *bo); + + SubstitutionPass(bool flag) { + this->flag = flag; + funcAdd[0] = &SubstitutionPass::addNeg; + funcAdd[1] = &SubstitutionPass::addDoubleNeg; + funcAdd[2] = &SubstitutionPass::addRand; + funcAdd[3] = &SubstitutionPass::addRand2; + + funcSub[0] = &SubstitutionPass::subNeg; + funcSub[1] = &SubstitutionPass::subRand; + funcSub[2] = &SubstitutionPass::subRand2; + + funcAnd[0] = &SubstitutionPass::andSubstitution; + funcAnd[1] = &SubstitutionPass::andSubstitutionRand; + + funcOr[0] = &SubstitutionPass::orSubstitution; + funcOr[1] = &SubstitutionPass::orSubstitutionRand; + + funcXor[0] = &SubstitutionPass::xorSubstitution; + funcXor[1] = &SubstitutionPass::xorSubstitutionRand; + } + + PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM); + bool substitute(Function *f); + + void addNeg(BinaryOperator *bo); + void addDoubleNeg(BinaryOperator *bo); + void addRand(BinaryOperator *bo); + void addRand2(BinaryOperator *bo); + + void subNeg(BinaryOperator *bo); + void subRand(BinaryOperator *bo); + void subRand2(BinaryOperator *bo); + + void andSubstitution(BinaryOperator *bo); + void andSubstitutionRand(BinaryOperator *bo); + + void orSubstitution(BinaryOperator *bo); + void orSubstitutionRand(BinaryOperator *bo); + + void xorSubstitution(BinaryOperator *bo); + void xorSubstitutionRand(BinaryOperator *bo); + + static bool isRequired() { return true; } // ֱӷtrue + }; + SubstitutionPass *createSubstitutionPass(bool flag); // ָ +} // namespace llvm + +#endif + diff --git a/llvm/lib/Passes/Obfuscation/Utils.cpp b/llvm/lib/Passes/Obfuscation/Utils.cpp new file mode 100644 index 0000000000..e4345f11ff --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/Utils.cpp @@ -0,0 +1,350 @@ +/** + * @file Utils.cpp + * @author SsageParuders + * @brief 本代码参考原OLLVM项目:https://github.com/obfuscator-llvm/obfuscator + * 感谢地球人前辈的指点 + * @version 0.1 + * @date 2022-07-14 + * + * @copyright Copyright (c) 2022 + * + */ +#include "Utils.h" +#include "llvm/IR/IntrinsicInst.h" + +using namespace llvm; +using std::vector; + +LLVMContext *CONTEXT = nullptr; +bool obf_function_name_cmd = false; + +/** + * @brief 参考资料:https://www.jianshu.com/p/0567346fd5e8 + * 作用是读取llvm.global.annotations中的annotation值 从而实现过滤函数 + * 只对单独某功能开启PASS + * @param f + * @return std::string + */ +std::string llvm::readAnnotate(Function *f) { // 取自原版ollvm项目 + std::string annotation = ""; + /* Get annotation variable */ + GlobalVariable *glob = + f->getParent()->getGlobalVariable("llvm.global.annotations"); + if (glob != NULL) { + /* Get the array */ + if (ConstantArray *ca = dyn_cast(glob->getInitializer())) { + for (unsigned i = 0; i < ca->getNumOperands(); ++i) { + /* Get the struct */ + if (ConstantStruct *structAn = + dyn_cast(ca->getOperand(i))) { + if (ConstantExpr *expr = + dyn_cast(structAn->getOperand(0))) { + /* + * If it's a bitcast we can check if the annotation is concerning + * the current function + */ + if (expr->getOpcode() == Instruction::BitCast && + expr->getOperand(0) == f) { + ConstantExpr *note = cast(structAn->getOperand(1)); + /* + * If it's a GetElementPtr, that means we found the variable + * containing the annotations + */ + if (note->getOpcode() == Instruction::GetElementPtr) { + if (GlobalVariable *annoteStr = + dyn_cast(note->getOperand(0))) { + if (ConstantDataSequential *data = + dyn_cast( + annoteStr->getInitializer())) { + if (data->isString()) { + annotation += data->getAsString().lower() + " "; + } + } + } + } + } + } + } + } + } + } + return (annotation); +} + +/** + * @brief 从注解中获取函数注解 + * 解决在llvm15+上读取不到注解 (测试版本在LLVM-18.0.1) + * @param F + * @return std::string + */ +std::string getFunctionAnnotation(Function *F) { + Module *M = F->getParent(); + // 查找名为 "llvm.global.annotations" 的全局变量 + GlobalVariable *GA = M->getNamedGlobal("llvm.global.annotations"); + if (!GA) + return ""; // 如果没有注解,返回空字符串 + // 解析 llvm.global.annotations + if (ConstantArray *CA = dyn_cast(GA->getInitializer())) { + for (unsigned i = 0; i < CA->getNumOperands(); ++i) { + if (ConstantStruct *CS = dyn_cast(CA->getOperand(i))) { + // 第一个元素是被注解的函数 + if (Function *AnnotatedFunction = + dyn_cast(CS->getOperand(0)->stripPointerCasts())) { + if (AnnotatedFunction == F) { + // 第二个元素是注解字符串的全局变量 + if (GlobalVariable *GV = dyn_cast( + CS->getOperand(1)->stripPointerCasts())) { + if (ConstantDataArray *Anno = + dyn_cast(GV->getInitializer())) { + return Anno->getAsCString().str(); + } + } + } + } + } + } + } + + return ""; // 如果没有找到对应函数的注解,返回空字符串 +} + +/** + * @brief 用于判断是否开启混淆 + * + * @param flag + * @param f + * @param attribute + * @return true + * @return false + */ +bool llvm::toObfuscate(bool flag, Function *f, + std::string const &attribute) { // 取自原版ollvm项目 + std::string attr = attribute; + std::string attrNo = "no" + attr; + // Check if declaration + if (f->isDeclaration()) { + return false; + } + // Check external linkage + if (f->hasAvailableExternallyLinkage() != 0) { + return false; + } + // outs() << "[Soule] function: " << f->getName().str() << " # annotation: " + // << readAnnotate(f) << "\n"; + // + // We have to check the nofla flag first + // Because .find("fla") is true for a string like "fla" or + // "nofla" + if (getFunctionAnnotation(f).find(attrNo) != + std::string::npos) { // 是否禁止开启XXX + return false; + } + // If fla annotations + if (getFunctionAnnotation(f).find(attr) != std::string::npos) { // 是否开启XXX + return true; + } + // 由于Visual Studio无法传入annotation, + // 增加一个使用函数名匹配是否单独开关的功能 + if (obf_function_name_cmd == true) { // 开启使用函数名匹配混淆功能开关 + if (f->getName().find("_" + attrNo + "_") != StringRef::npos) { + outs() << "[Soule] " << attrNo << ".function: " << f->getName().str() + << "\n"; + return false; + } + if (f->getName().find("_" + attr + "_") != StringRef::npos) { + outs() << "[Soule] " << attr << ".function: " << f->getName().str() + << "\n"; + return true; + } + } + // If fla flag is set + if (flag == true) { // 开启PASS + return true; + } + return false; +} + + +static bool valueEscapes(const Instruction &Inst) { + if (!Inst.getType()->isSized()) + return false; + + const BasicBlock *BB = Inst.getParent(); + for (const User *U : Inst.users()) { + const Instruction *UI = cast(U); + if (UI->getParent() != BB || isa(UI)) + return true; + } + return false; +} + +/** LLVM\llvm\lib\Transforms\Scalar\Reg2Mem.cpp + * @brief 修复PHI指令和逃逸变量 + * + * @param F + */ +void llvm::fixStack(Function &F) { + // Insert all new allocas into entry block. + BasicBlock *BBEntry = &F.getEntryBlock(); + assert(pred_empty(BBEntry) && + "Entry block to function must not have predecessors!"); + + // Find first non-alloca instruction and create insertion point. This is + // safe if block is well-formed: it always have terminator, otherwise + // we'll get and assertion. + BasicBlock::iterator I = BBEntry->begin(); + while (isa(I)) + ++I; + + CastInst *AllocaInsertionPoint = new BitCastInst( + Constant::getNullValue(Type::getInt32Ty(F.getContext())), + Type::getInt32Ty(F.getContext()), "fix_stack_point", &*I); + + // Find the escaped instructions. But don't create stack slots for + // allocas in entry block. + std::list WorkList; + for (Instruction &I : instructions(F)) + if (!(isa(I) && I.getParent() == BBEntry) && valueEscapes(I)) + WorkList.push_front(&I); + + // Demote escaped instructions + //NumRegsDemoted += WorkList.size(); + for (Instruction *I : WorkList) + DemoteRegToStack(*I, false, AllocaInsertionPoint->getIterator()); //fix for llvm 19 + + WorkList.clear(); + + // Find all phi's + for (BasicBlock &BB : F) + for (auto &Phi : BB.phis()) + WorkList.push_front(&Phi); + + // Demote phi nodes + //NumPhisDemoted += WorkList.size(); + for (Instruction *I : WorkList) + DemotePHIToStack(cast(I), AllocaInsertionPoint->getIterator()); //fix for llvm19 +} + +/** + * @brief + * + * @param Func + */ +void llvm::FixFunctionConstantExpr(Function *Func) { + // Replace ConstantExpr with equal instructions + // Otherwise replacing on Constant will crash the compiler + for (BasicBlock &BB : *Func) { + FixBasicBlockConstantExpr(&BB); + } +} +/** + * @brief + * + * @param BB + */ +void llvm::FixBasicBlockConstantExpr(BasicBlock *BB) { + // Replace ConstantExpr with equal instructions + // Otherwise replacing on Constant will crash the compiler + // Things to note: + // - Phis must be placed at BB start so CEs must be placed prior to current BB + assert(!BB->empty() && "BasicBlock is empty!"); + assert((BB->getParent() != NULL) && "BasicBlock must be in a Function!"); + Instruction *FunctionInsertPt = + &*(BB->getParent()->getEntryBlock().getFirstInsertionPt()); + // Instruction* LocalBBInsertPt=&*(BB.getFirstInsertionPt()); + for (Instruction &I : *BB) { + if (isa(I) || isa(I)) { + continue; + } + for (unsigned i = 0; i < I.getNumOperands(); i++) { + if (ConstantExpr *C = dyn_cast(I.getOperand(i))) { + Instruction *InsertPt = &I; + IRBuilder IRB(InsertPt); + if (isa(I)) { + IRB.SetInsertPoint(FunctionInsertPt); + } + Instruction *Inst = IRB.Insert(C->getAsInstruction()); + I.setOperand(i, Inst); + } + } + } +} + +/** + * @brief 随机字符串 + * + * @param len + * @return string + */ +string llvm::rand_str(int len) { + string str; + char c = 'O'; + int idx; + for (idx = 0; idx < len; idx++) { + + switch ((rand() % 3)) { + case 1: + c = 'O'; + break; + case 2: + c = '0'; + break; + default: + c = 'o'; + break; + } + str.push_back(c); + } + return str; +} + +// LLVM-MSVC有这个函数, 官方版LLVM没有 (LLVM:17.0.6 | LLVM-MSVC:3.2.6) +void llvm::LowerConstantExpr(Function &F) { + SmallPtrSet WorkList; + + for (inst_iterator It = inst_begin(F), E = inst_end(F); It != E; ++It) { + Instruction *I = &*It; + + if (isa(I) || isa(I) || + isa(I) || isa(I)) + continue; + if (auto *II = dyn_cast(I)) { + if (II->getIntrinsicID() == Intrinsic::eh_typeid_for) { + continue; + } + } + + for (unsigned int i = 0; i < I->getNumOperands(); ++i) { + if (isa(I->getOperand(i))) + WorkList.insert(I); + } + } + + while (!WorkList.empty()) { + auto It = WorkList.begin(); + Instruction *I = *It; + WorkList.erase(*It); + + if (PHINode *PHI = dyn_cast(I)) { + for (unsigned int i = 0; i < PHI->getNumIncomingValues(); ++i) { + Instruction *TI = PHI->getIncomingBlock(i)->getTerminator(); + if (ConstantExpr *CE = + dyn_cast(PHI->getIncomingValue(i))) { + Instruction *NewInst = CE->getAsInstruction(); + NewInst->insertBefore(TI); + PHI->setIncomingValue(i, NewInst); + WorkList.insert(NewInst); + } + } + } else { + for (unsigned int i = 0; i < I->getNumOperands(); ++i) { + if (ConstantExpr *CE = dyn_cast(I->getOperand(i))) { + Instruction *NewInst = CE->getAsInstruction(); + NewInst->insertBefore(I); + I->replaceUsesOfWith(CE, NewInst); + WorkList.insert(NewInst); + } + } + } + } +} diff --git a/llvm/lib/Passes/Obfuscation/Utils.h b/llvm/lib/Passes/Obfuscation/Utils.h new file mode 100644 index 0000000000..d0431b3744 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/Utils.h @@ -0,0 +1,39 @@ +#ifndef LLVM_UTILS_H +#define LLVM_UTILS_H +// LLVM libs +#include "llvm/IR/Module.h" +#include "llvm/IR/Function.h" +#include "llvm/IR/NoFolder.h" +#include "llvm/IR/IRBuilder.h" +#include "llvm/IR/InstIterator.h" +#include "llvm/IR/Instructions.h" +#include "llvm/Transforms/Utils/Local.h" +#include "llvm/Transforms/Utils/Cloning.h" +#include "llvm/Transforms/Utils/ValueMapper.h" +// System libs +#include +#include +#include +#include +#include +// 常用宏定义 +#define INIT_CONTEXT(F) CONTEXT=&F.getContext() +#define TYPE_I32 Type::getInt32Ty(*CONTEXT) +#define CONST_I32(V) ConstantInt::get(TYPE_I32, V, false) +#define CONST(T, V) ConstantInt::get(T, V) +extern llvm::LLVMContext *CONTEXT; +// fla和bcf在混淆部分函数时会报错, 所以无法用命令行开启整体混淆 +// 而且Visual Studio似乎没法把 annotate 传给LLVM, 只能用函数名控制 +extern bool obf_function_name_cmd; +using namespace std; +namespace llvm{ + std::string readAnnotate(Function *f); // 读取llvm.global.annotations中的annotation值 + bool toObfuscate(bool flag, llvm::Function *f, std::string const &attribute); // 判断是否开启混淆 + void fixStack(Function &F); // 修复PHI指令和逃逸变量 + void FixBasicBlockConstantExpr(BasicBlock *BB); + void FixFunctionConstantExpr(Function *Func); + string rand_str(int len); + // LLVM-MSVC有这个函数, 官方版LLVM没有 (LLVM:17.0.6 | LLVM-MSVC:3.2.6) + void LowerConstantExpr(Function &F); +} +#endif // LLVM_UTILS_H \ No newline at end of file diff --git a/llvm/lib/Passes/Obfuscation/compat/CallSite.h b/llvm/lib/Passes/Obfuscation/compat/CallSite.h new file mode 100644 index 0000000000..d75a9da421 --- /dev/null +++ b/llvm/lib/Passes/Obfuscation/compat/CallSite.h @@ -0,0 +1,767 @@ +// TypeART library +// +// Copyright (c) 2017-2022 TypeART Authors +// Distributed under the BSD 3-Clause license. +// (See accompanying file LICENSE.txt or copy at +// https://opensource.org/licenses/BSD-3-Clause) +// +// Project home: https://github.com/tudasc/TypeART +// +// SPDX-License-Identifier: BSD-3-Clause +// + +// Compatibility for Clang v10 and higher. +// In Clang 11 the CallSite.h was removed, therefore we copied the Clang v10 version of the header into the TypeART +// project, see https://github.com/llvm/llvm-project + +#ifndef COMPAT_LLVM_IR_CALLSITE_H +#define COMPAT_LLVM_IR_CALLSITE_H + +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wshadow" +//===- CallSite.h - Abstract Call & Invoke instrs ---------------*- C++ -*-===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +//#include "llvm/ADT/Optional.h"// Soule.llvm17.update: Legacy alias of llvm::Optional to std::optional +#include "llvm/ADT/PointerIntPair.h" +#include "llvm/ADT/iterator_range.h" +#include "llvm/IR/Attributes.h" +#include "llvm/IR/CallingConv.h" +#include "llvm/IR/Function.h" +#include "llvm/IR/InstrTypes.h" +#include "llvm/IR/Instruction.h" +#include "llvm/IR/Instructions.h" +#include "llvm/IR/Use.h" +#include "llvm/IR/User.h" +#include "llvm/IR/Value.h" +#include "llvm/Support/Casting.h" + +#include +#include +#include + +namespace llvm { + +namespace Intrinsic { +typedef unsigned ID; +} + +template +class CallSiteBase { + protected: + PointerIntPair I; + + CallSiteBase() = default; + CallSiteBase(CallTy* CI) : I(CI, 1) { + assert(CI); + } + CallSiteBase(InvokeTy* II) : I(II, 0) { + assert(II); + } + CallSiteBase(CallBrTy* CBI) : I(CBI, 2) { + assert(CBI); + } + explicit CallSiteBase(ValTy* II) { + *this = get(II); + } + + private: + /// This static method is like a constructor. It will create an appropriate + /// call site for a Call, Invoke or CallBr instruction, but it can also create + /// a null initialized CallSiteBase object for something which is NOT a call + /// site. + static CallSiteBase get(ValTy* V) { + if (InstrTy* II = dyn_cast(V)) { + if (II->getOpcode() == Instruction::Call) + return CallSiteBase(static_cast(II)); + if (II->getOpcode() == Instruction::Invoke) + return CallSiteBase(static_cast(II)); + if (II->getOpcode() == Instruction::CallBr) + return CallSiteBase(static_cast(II)); + } + return CallSiteBase(); + } + + public: + /// Return true if a CallInst is enclosed. + bool isCall() const { + return I.getInt() == 1; + } + + /// Return true if a InvokeInst is enclosed. !I.getInt() may also signify a + /// NULL instruction pointer, so check that. + bool isInvoke() const { + return getInstruction() && I.getInt() == 0; + } + + /// Return true if a CallBrInst is enclosed. + bool isCallBr() const { + return I.getInt() == 2; + } + + InstrTy* getInstruction() const { + return I.getPointer(); + } + InstrTy* operator->() const { + return I.getPointer(); + } + explicit operator bool() const { + return I.getPointer(); + } + + /// Get the basic block containing the call site. + BBTy* getParent() const { + return getInstruction()->getParent(); + } + + /// Return the pointer to function that is being called. + ValTy* getCalledValue() const { + assert(getInstruction() && "Not a call, invoke or callbr instruction!"); + return *getCallee(); + } + + /// Return the function being called if this is a direct call, otherwise + /// return null (if it's an indirect call). + FunTy* getCalledFunction() const { + return dyn_cast(getCalledValue()); + } + + /// Return true if the callsite is an indirect call. + bool isIndirectCall() const { + const Value* V = getCalledValue(); + if (!V) + return false; + if (isa(V) || isa(V)) + return false; + if (const CallBase* CB = dyn_cast(getInstruction())) + if (CB->isInlineAsm()) + return false; + return true; + } + +// Soule + /* /// Set the callee to the specified value. Unlike the function of the same + /// name on CallBase, does not modify the type! + void setCalledFunction(Value* V) { + const auto elem_type = [&V]() { +#if LLVM_VERSION_MAJOR > 13 + return V->getType()->getPointerElementType(); +#else + return cast(V->getType())->getElementType(); +#endif + }; + assert(getInstruction() && "Not a call, callbr, or invoke instruction!"); + + // assert(elem_type() == cast(getInstruction())->getFunctionType() && + // "New callee type does not match FunctionType on call"); + *getCallee() = V; + }*/ + + /// Return the intrinsic ID of the intrinsic called by this CallSite, + /// or Intrinsic::not_intrinsic if the called function is not an + /// intrinsic, or if this CallSite is an indirect call. + Intrinsic::ID getIntrinsicID() const { + if (auto* F = getCalledFunction()) + return F->getIntrinsicID(); + // Don't use Intrinsic::not_intrinsic, as it will require pulling + // Intrinsics.h into every header that uses CallSite. + return static_cast(0); + } + + /// Determine whether the passed iterator points to the callee operand's Use. + bool isCallee(Value::const_user_iterator UI) const { + return isCallee(&UI.getUse()); + } + + /// Determine whether this Use is the callee operand's Use. + bool isCallee(const Use* U) const { + return getCallee() == U; + } + + /// Determine whether the passed iterator points to an argument operand. + bool isArgOperand(Value::const_user_iterator UI) const { + return isArgOperand(&UI.getUse()); + } + + /// Determine whether the passed use points to an argument operand. + bool isArgOperand(const Use* U) const { + assert(getInstruction() == U->getUser()); + return arg_begin() <= U && U < arg_end(); + } + + /// Determine whether the passed iterator points to a bundle operand. + bool isBundleOperand(Value::const_user_iterator UI) const { + return isBundleOperand(&UI.getUse()); + } + + /// Determine whether the passed use points to a bundle operand. + bool isBundleOperand(const Use* U) const { + assert(getInstruction() == U->getUser()); + if (!hasOperandBundles()) + return false; + unsigned OperandNo = U - (*this)->op_begin(); + return getBundleOperandsStartIndex() <= OperandNo && OperandNo < getBundleOperandsEndIndex(); + } + + /// Determine whether the passed iterator points to a data operand. + bool isDataOperand(Value::const_user_iterator UI) const { + return isDataOperand(&UI.getUse()); + } + + /// Determine whether the passed use points to a data operand. + bool isDataOperand(const Use* U) const { + return data_operands_begin() <= U && U < data_operands_end(); + } + + ValTy* getArgument(unsigned ArgNo) const { + assert(arg_begin() + ArgNo < arg_end() && "Argument # out of range!"); + return *(arg_begin() + ArgNo); + } + + void setArgument(unsigned ArgNo, Value* newVal) { + assert(getInstruction() && "Not a call, invoke or callbr instruction!"); + assert(arg_begin() + ArgNo < arg_end() && "Argument # out of range!"); + getInstruction()->setOperand(ArgNo, newVal); + } + + /// Given a value use iterator, returns the argument that corresponds to it. + /// Iterator must actually correspond to an argument. + unsigned getArgumentNo(Value::const_user_iterator I) const { + return getArgumentNo(&I.getUse()); + } + + /// Given a use for an argument, get the argument number that corresponds to + /// it. + unsigned getArgumentNo(const Use* U) const { + assert(getInstruction() && "Not a call, invoke or callbr instruction!"); + assert(isArgOperand(U) && "Argument # out of range!"); + return U - arg_begin(); + } + + /// The type of iterator to use when looping over actual arguments at this + /// call site. + using arg_iterator = IterTy; + + iterator_range args() const { + return make_range(arg_begin(), arg_end()); + } + bool arg_empty() const { + return arg_end() == arg_begin(); + } + unsigned arg_size() const { + return unsigned(arg_end() - arg_begin()); + } + + /// Given a value use iterator, return the data operand corresponding to it. + /// Iterator must actually correspond to a data operand. + unsigned getDataOperandNo(Value::const_user_iterator UI) const { + return getDataOperandNo(&UI.getUse()); + } + + /// Given a use for a data operand, get the data operand number that + /// corresponds to it. + unsigned getDataOperandNo(const Use* U) const { + assert(getInstruction() && "Not a call, invoke or callbr instruction!"); + assert(isDataOperand(U) && "Data operand # out of range!"); + return U - data_operands_begin(); + } + + /// Type of iterator to use when looping over data operands at this call site + /// (see below). + using data_operand_iterator = IterTy; + + /// data_operands_begin/data_operands_end - Return iterators iterating over + /// the call / invoke / callbr argument list and bundle operands. For invokes, + /// this is the set of instruction operands except the invoke target and the + /// two successor blocks; for calls this is the set of instruction operands + /// except the call target; for callbrs the number of labels to skip must be + /// determined first. + + IterTy data_operands_begin() const { + assert(getInstruction() && "Not a call or invoke instruction!"); + return cast(getInstruction())->data_operands_begin(); + } + IterTy data_operands_end() const { + assert(getInstruction() && "Not a call or invoke instruction!"); + return cast(getInstruction())->data_operands_end(); + } + iterator_range data_ops() const { + return make_range(data_operands_begin(), data_operands_end()); + } + bool data_operands_empty() const { + return data_operands_end() == data_operands_begin(); + } + unsigned data_operands_size() const { + return std::distance(data_operands_begin(), data_operands_end()); + } + + /// Return the type of the instruction that generated this call site. + Type* getType() const { + return (*this)->getType(); + } + + /// Return the caller function for this call site. + FunTy* getCaller() const { + return (*this)->getParent()->getParent(); + } + + /// Tests if this call site must be tail call optimized. Only a CallInst can + /// be tail call optimized. + bool isMustTailCall() const { + return isCall() && cast(getInstruction())->isMustTailCall(); + } + + /// Tests if this call site is marked as a tail call. + bool isTailCall() const { + return isCall() && cast(getInstruction())->isTailCall(); + } + +#define CALLSITE_DELEGATE_GETTER(METHOD) \ + InstrTy* II = getInstruction(); \ + return isCall() ? cast(II)->METHOD \ + : isCallBr() ? cast(II)->METHOD \ + : cast(II)->METHOD + +#define CALLSITE_DELEGATE_SETTER(METHOD) \ + InstrTy* II = getInstruction(); \ + if (isCall()) \ + cast(II)->METHOD; \ + else if (isCallBr()) \ + cast(II)->METHOD; \ + else \ + cast(II)->METHOD + + + unsigned getNumArgOperands() const { + #if LLVM_VERSION_MAJOR >= 14 + CALLSITE_DELEGATE_GETTER(arg_size()); + #else + CALLSITE_DELEGATE_GETTER(getNumArgOperands()); + #endif + } + + ValTy* getArgOperand(unsigned i) const { + CALLSITE_DELEGATE_GETTER(getArgOperand(i)); + } + + ValTy* getReturnedArgOperand() const { + CALLSITE_DELEGATE_GETTER(getReturnedArgOperand()); + } + + bool isInlineAsm() const { + return cast(getInstruction())->isInlineAsm(); + } + + /// Get the calling convention of the call. + CallingConv::ID getCallingConv() const { + CALLSITE_DELEGATE_GETTER(getCallingConv()); + } + /// Set the calling convention of the call. + void setCallingConv(CallingConv::ID CC) { + CALLSITE_DELEGATE_SETTER(setCallingConv(CC)); + } + + FunctionType* getFunctionType() const { + CALLSITE_DELEGATE_GETTER(getFunctionType()); + } + + void mutateFunctionType(FunctionType* Ty) const { + CALLSITE_DELEGATE_SETTER(mutateFunctionType(Ty)); + } + + /// Get the parameter attributes of the call. + AttributeList getAttributes() const { + CALLSITE_DELEGATE_GETTER(getAttributes()); + } + /// Set the parameter attributes of the call. + void setAttributes(AttributeList PAL) { + CALLSITE_DELEGATE_SETTER(setAttributes(PAL)); + } + + void addAttribute(unsigned i, Attribute::AttrKind Kind) { + CALLSITE_DELEGATE_SETTER(addAttribute(i, Kind)); + } + + void addAttribute(unsigned i, Attribute Attr) { + CALLSITE_DELEGATE_SETTER(addAttribute(i, Attr)); + } + + void addParamAttr(unsigned ArgNo, Attribute::AttrKind Kind) { + CALLSITE_DELEGATE_SETTER(addParamAttr(ArgNo, Kind)); + } + + void removeAttribute(unsigned i, Attribute::AttrKind Kind) { + CALLSITE_DELEGATE_SETTER(removeAttribute(i, Kind)); + } + + void removeAttribute(unsigned i, StringRef Kind) { + CALLSITE_DELEGATE_SETTER(removeAttribute(i, Kind)); + } + + void removeParamAttr(unsigned ArgNo, Attribute::AttrKind Kind) { + CALLSITE_DELEGATE_SETTER(removeParamAttr(ArgNo, Kind)); + } + + /// Return true if this function has the given attribute. + bool hasFnAttr(Attribute::AttrKind Kind) const { + CALLSITE_DELEGATE_GETTER(hasFnAttr(Kind)); + } + + /// Return true if this function has the given attribute. + bool hasFnAttr(StringRef Kind) const { + CALLSITE_DELEGATE_GETTER(hasFnAttr(Kind)); + } + + /// Return true if this return value has the given attribute. + bool hasRetAttr(Attribute::AttrKind Kind) const { + CALLSITE_DELEGATE_GETTER(hasRetAttr(Kind)); + } + + /// Return true if the call or the callee has the given attribute. + bool paramHasAttr(unsigned ArgNo, Attribute::AttrKind Kind) const { + CALLSITE_DELEGATE_GETTER(paramHasAttr(ArgNo, Kind)); + } + + Attribute getAttribute(unsigned i, Attribute::AttrKind Kind) const { + CALLSITE_DELEGATE_GETTER(getAttribute(i, Kind)); + } + + Attribute getAttribute(unsigned i, StringRef Kind) const { + CALLSITE_DELEGATE_GETTER(getAttribute(i, Kind)); + } + + /// Return true if the data operand at index \p i directly or indirectly has + /// the attribute \p A. + /// + /// Normal call, invoke or callbr arguments have per operand attributes, as + /// specified in the attribute set attached to this instruction, while operand + /// bundle operands may have some attributes implied by the type of its + /// containing operand bundle. + bool dataOperandHasImpliedAttr(unsigned i, Attribute::AttrKind Kind) const { + CALLSITE_DELEGATE_GETTER(dataOperandHasImpliedAttr(i, Kind)); + } + + /// Extract the alignment of the return value. + unsigned getRetAlignment() const { + CALLSITE_DELEGATE_GETTER(getRetAlignment()); + } + + /// Extract the alignment for a call or parameter (0=unknown). + unsigned getParamAlignment(unsigned ArgNo) const { + CALLSITE_DELEGATE_GETTER(getParamAlignment(ArgNo)); + } + + /// Extract the byval type for a call or parameter (nullptr=unknown). + Type* getParamByValType(unsigned ArgNo) const { + CALLSITE_DELEGATE_GETTER(getParamByValType(ArgNo)); + } + + /// Extract the number of dereferenceable bytes for a call or parameter + /// (0=unknown). + uint64_t getDereferenceableBytes(unsigned i) const { + CALLSITE_DELEGATE_GETTER(getDereferenceableBytes(i)); + } + + /// Extract the number of dereferenceable_or_null bytes for a call or + /// parameter (0=unknown). + uint64_t getDereferenceableOrNullBytes(unsigned i) const { + CALLSITE_DELEGATE_GETTER(getDereferenceableOrNullBytes(i)); + } + + /// Determine if the return value is marked with NoAlias attribute. + bool returnDoesNotAlias() const { + CALLSITE_DELEGATE_GETTER(returnDoesNotAlias()); + } + + /// Return true if the call should not be treated as a call to a builtin. + bool isNoBuiltin() const { + CALLSITE_DELEGATE_GETTER(isNoBuiltin()); + } + + /// Return true if the call requires strict floating point semantics. + bool isStrictFP() const { + CALLSITE_DELEGATE_GETTER(isStrictFP()); + } + + /// Return true if the call should not be inlined. + bool isNoInline() const { + CALLSITE_DELEGATE_GETTER(isNoInline()); + } + void setIsNoInline(bool Value = true) { + CALLSITE_DELEGATE_SETTER(setIsNoInline(Value)); + } + + /// Determine if the call does not access memory. + bool doesNotAccessMemory() const { + CALLSITE_DELEGATE_GETTER(doesNotAccessMemory()); + } + void setDoesNotAccessMemory() { + CALLSITE_DELEGATE_SETTER(setDoesNotAccessMemory()); + } + + /// Determine if the call does not access or only reads memory. + bool onlyReadsMemory() const { + CALLSITE_DELEGATE_GETTER(onlyReadsMemory()); + } + void setOnlyReadsMemory() { + CALLSITE_DELEGATE_SETTER(setOnlyReadsMemory()); + } + + /// Determine if the call does not access or only writes memory. + bool doesNotReadMemory() const { + CALLSITE_DELEGATE_GETTER(doesNotReadMemory()); + } + void setDoesNotReadMemory() { + CALLSITE_DELEGATE_SETTER(setDoesNotReadMemory()); + } + + /// Determine if the call can access memory only using pointers based + /// on its arguments. + bool onlyAccessesArgMemory() const { + CALLSITE_DELEGATE_GETTER(onlyAccessesArgMemory()); + } + void setOnlyAccessesArgMemory() { + CALLSITE_DELEGATE_SETTER(setOnlyAccessesArgMemory()); + } + + /// Determine if the function may only access memory that is + /// inaccessible from the IR. + bool onlyAccessesInaccessibleMemory() const { + CALLSITE_DELEGATE_GETTER(onlyAccessesInaccessibleMemory()); + } + void setOnlyAccessesInaccessibleMemory() { + CALLSITE_DELEGATE_SETTER(setOnlyAccessesInaccessibleMemory()); + } + + /// Determine if the function may only access memory that is + /// either inaccessible from the IR or pointed to by its arguments. + bool onlyAccessesInaccessibleMemOrArgMem() const { + CALLSITE_DELEGATE_GETTER(onlyAccessesInaccessibleMemOrArgMem()); + } + void setOnlyAccessesInaccessibleMemOrArgMem() { + CALLSITE_DELEGATE_SETTER(setOnlyAccessesInaccessibleMemOrArgMem()); + } + + /// Determine if the call cannot return. + bool doesNotReturn() const { + CALLSITE_DELEGATE_GETTER(doesNotReturn()); + } + void setDoesNotReturn() { + CALLSITE_DELEGATE_SETTER(setDoesNotReturn()); + } + + /// Determine if the call cannot unwind. + bool doesNotThrow() const { + CALLSITE_DELEGATE_GETTER(doesNotThrow()); + } + void setDoesNotThrow() { + CALLSITE_DELEGATE_SETTER(setDoesNotThrow()); + } + + /// Determine if the call can be duplicated. + bool cannotDuplicate() const { + CALLSITE_DELEGATE_GETTER(cannotDuplicate()); + } + void setCannotDuplicate() { + CALLSITE_DELEGATE_SETTER(setCannotDuplicate()); + } + + /// Determine if the call is convergent. + bool isConvergent() const { + CALLSITE_DELEGATE_GETTER(isConvergent()); + } + void setConvergent() { + CALLSITE_DELEGATE_SETTER(setConvergent()); + } + void setNotConvergent() { + CALLSITE_DELEGATE_SETTER(setNotConvergent()); + } + + unsigned getNumOperandBundles() const { + CALLSITE_DELEGATE_GETTER(getNumOperandBundles()); + } + + bool hasOperandBundles() const { + CALLSITE_DELEGATE_GETTER(hasOperandBundles()); + } + + unsigned getBundleOperandsStartIndex() const { + CALLSITE_DELEGATE_GETTER(getBundleOperandsStartIndex()); + } + + unsigned getBundleOperandsEndIndex() const { + CALLSITE_DELEGATE_GETTER(getBundleOperandsEndIndex()); + } + + unsigned getNumTotalBundleOperands() const { + CALLSITE_DELEGATE_GETTER(getNumTotalBundleOperands()); + } + + OperandBundleUse getOperandBundleAt(unsigned Index) const { + CALLSITE_DELEGATE_GETTER(getOperandBundleAt(Index)); + } + + std::optional getOperandBundle(StringRef Name) const { // Soule.llvm17.update + CALLSITE_DELEGATE_GETTER(getOperandBundle(Name)); + } + + std::optional getOperandBundle(uint32_t ID) const { // Soule.llvm17.update + CALLSITE_DELEGATE_GETTER(getOperandBundle(ID)); + } + + unsigned countOperandBundlesOfType(uint32_t ID) const { + CALLSITE_DELEGATE_GETTER(countOperandBundlesOfType(ID)); + } + + bool isBundleOperand(unsigned Idx) const { + CALLSITE_DELEGATE_GETTER(isBundleOperand(Idx)); + } + + IterTy arg_begin() const { + CALLSITE_DELEGATE_GETTER(arg_begin()); + } + + IterTy arg_end() const { + CALLSITE_DELEGATE_GETTER(arg_end()); + } + +#undef CALLSITE_DELEGATE_GETTER +#undef CALLSITE_DELEGATE_SETTER + + void getOperandBundlesAsDefs(SmallVectorImpl& Defs) const { + // Since this is actually a getter that "looks like" a setter, don't use the + // above macros to avoid confusion. + cast(getInstruction())->getOperandBundlesAsDefs(Defs); + } + + /// Determine whether this data operand is not captured. + bool doesNotCapture(unsigned OpNo) const { + return dataOperandHasImpliedAttr(OpNo + 1, Attribute::NoCapture); + } + + /// Determine whether this argument is passed by value. + bool isByValArgument(unsigned ArgNo) const { + return paramHasAttr(ArgNo, Attribute::ByVal); + } + + /// Determine whether this argument is passed in an alloca. + bool isInAllocaArgument(unsigned ArgNo) const { + return paramHasAttr(ArgNo, Attribute::InAlloca); + } + + /// Determine whether this argument is passed by value or in an alloca. + bool isByValOrInAllocaArgument(unsigned ArgNo) const { + return paramHasAttr(ArgNo, Attribute::ByVal) || paramHasAttr(ArgNo, Attribute::InAlloca); + } + + /// Determine if there are is an inalloca argument. Only the last argument can + /// have the inalloca attribute. + bool hasInAllocaArgument() const { + return !arg_empty() && paramHasAttr(arg_size() - 1, Attribute::InAlloca); + } + + bool doesNotAccessMemory(unsigned OpNo) const { + return dataOperandHasImpliedAttr(OpNo + 1, Attribute::ReadNone); + } + + bool onlyReadsMemory(unsigned OpNo) const { + return dataOperandHasImpliedAttr(OpNo + 1, Attribute::ReadOnly) || + dataOperandHasImpliedAttr(OpNo + 1, Attribute::ReadNone); + } + + bool doesNotReadMemory(unsigned OpNo) const { + return dataOperandHasImpliedAttr(OpNo + 1, Attribute::WriteOnly) || + dataOperandHasImpliedAttr(OpNo + 1, Attribute::ReadNone); + } + + /// Return true if the return value is known to be not null. + /// This may be because it has the nonnull attribute, or because at least + /// one byte is dereferenceable and the pointer is in addrspace(0). + bool isReturnNonNull() const { + if (hasRetAttr(Attribute::NonNull)) + return true; + else if (getDereferenceableBytes(AttributeList::ReturnIndex) > 0 && + !NullPointerIsDefined(getCaller(), getType()->getPointerAddressSpace())) + return true; + + return false; + } + + /// Returns true if this CallSite passes the given Value* as an argument to + /// the called function. + bool hasArgument(const Value* Arg) const { + for (arg_iterator AI = this->arg_begin(), E = this->arg_end(); AI != E; ++AI) + if (AI->get() == Arg) + return true; + return false; + } + + private: + IterTy getCallee() const { + return cast(getInstruction())->op_end() - 1; + } +}; + +class CallSite : public CallSiteBase { + public: + CallSite() = default; + CallSite(CallSiteBase B) : CallSiteBase(B) { + } + CallSite(CallInst* CI) : CallSiteBase(CI) { + } + CallSite(InvokeInst* II) : CallSiteBase(II) { + } + CallSite(CallBrInst* CBI) : CallSiteBase(CBI) { + } + explicit CallSite(Instruction* II) : CallSiteBase(II) { + } + explicit CallSite(Value* V) : CallSiteBase(V) { + } + + bool operator==(const CallSite& CS) const { + return I == CS.I; + } + bool operator!=(const CallSite& CS) const { + return I != CS.I; + } + bool operator<(const CallSite& CS) const { + return getInstruction() < CS.getInstruction(); + } + + private: + friend struct DenseMapInfo; + + User::op_iterator getCallee() const; +}; + +/// Establish a view to a call site for examination. +class ImmutableCallSite : public CallSiteBase<> { + public: + ImmutableCallSite() = default; + ImmutableCallSite(const CallInst* CI) : CallSiteBase(CI) { + } + ImmutableCallSite(const InvokeInst* II) : CallSiteBase(II) { + } + ImmutableCallSite(const CallBrInst* CBI) : CallSiteBase(CBI) { + } + explicit ImmutableCallSite(const Instruction* II) : CallSiteBase(II) { + } + explicit ImmutableCallSite(const Value* V) : CallSiteBase(V) { + } + ImmutableCallSite(CallSite CS) : CallSiteBase(CS.getInstruction()) { + } +}; + +} // namespace llvm +#pragma GCC diagnostic pop + +#endif // LLVM_IR_CALLSITE_H \ No newline at end of file diff --git a/llvm/lib/Passes/PassBuilder.cpp b/llvm/lib/Passes/PassBuilder.cpp index 000594f0e7..019b6e3ccb 100644 --- a/llvm/lib/Passes/PassBuilder.cpp +++ b/llvm/lib/Passes/PassBuilder.cpp @@ -290,6 +290,17 @@ #include "llvm/Transforms/Vectorize/VectorCombine.h" #include +// 导入 Obfuscation 相关头文件 +#include "Obfuscation/BogusControlFlow.h" // 虚假控制流 +#include "Obfuscation/Flattening.h" // 控制流平坦化 +#include "Obfuscation/SplitBasicBlock.h" // 基本块分割 +#include "Obfuscation/Substitution.h" // 指令替换 +#include "Obfuscation/StringEncryption.h" // 字符串加密 +#include "Obfuscation/IndirectGlobalVariable.h" // 间接全局变量 +#include "Obfuscation/IndirectBranch.h" // 间接跳转 +#include "Obfuscation/IndirectCall.h" // 间接调用 +#include "Obfuscation/Utils.h" // 为了控制函数名混淆开关 (bool obf_function_name_cmd;) + using namespace llvm; static const Regex DefaultAliasRegex( @@ -360,6 +371,21 @@ class TriggerVerifierErrorPass } // namespace + + +// 添加命令行支持 +static cl::opt s_obf_split("split", cl::init(false), cl::desc("SplitBasicBlock: split_num=3(init)")); +static cl::opt s_obf_sobf("sobf", cl::init(false), cl::desc("String Obfuscation")); +static cl::opt s_obf_fla("fla", cl::init(false), cl::desc("Flattening")); +static cl::opt s_obf_sub("sub", cl::init(false), cl::desc("Substitution: sub_loop")); +static cl::opt s_obf_bcf("bcf", cl::init(false), cl::desc("BogusControlFlow: application number -bcf_loop=x must be x > 0")); +static cl::opt s_obf_ibr("ibr", cl::init(false), cl::desc("Indirect Branch")); +static cl::opt s_obf_igv("igv", cl::init(false), cl::desc("Indirect Global Variable")); +static cl::opt s_obf_icall("icall", cl::init(false), cl::desc("Indirect Call")); +static cl::opt s_obf_fn_name_cmd("fncmd", cl::init(false), cl::desc("use function name control obfuscation(_ + command + _ | example: function_fla_bcf_)")); + + + PassBuilder::PassBuilder(TargetMachine *TM, PipelineTuningOptions PTO, std::optional PGOOpt, PassInstrumentationCallbacks *PIC) @@ -402,6 +428,29 @@ PassBuilder::PassBuilder(TargetMachine *TM, PipelineTuningOptions PTO, PIC->addClassToPassName(PASS_NAME::name(), NAME); #include "llvm/CodeGen/MachinePassRegistry.def" } + + // 注册 Obfuscation 相关 Pass + this->registerPipelineStartEPCallback( + [](llvm::ModulePassManager &MPM, + llvm::OptimizationLevel Level) { + outs() << "[OLLVM] run.PipelineStartEPCallback\n"; + obf_function_name_cmd = s_obf_fn_name_cmd; + if (obf_function_name_cmd) { + outs() << "[OLLVM] enable function name control obfuscation(_ + command + _ | example: function_fla_)\n"; + } + MPM.addPass(StringEncryptionPass(s_obf_sobf)); // 先进行字符串加密 出现字符串加密基本块以后再进行基本块分割和其他混淆 加大解密难度 + llvm::FunctionPassManager FPM; + FPM.addPass(IndirectCallPass(s_obf_icall)); // 间接调用 + FPM.addPass(SplitBasicBlockPass(s_obf_split)); // 优先进行基本块分割 + FPM.addPass(FlatteningPass(s_obf_fla)); // 对于控制流平坦化 + FPM.addPass(SubstitutionPass(s_obf_sub)); // 指令替换 + FPM.addPass(BogusControlFlowPass(s_obf_bcf)); // 虚假控制流 + MPM.addPass(createModuleToFunctionPassAdaptor(std::move(FPM))); + MPM.addPass(IndirectBranchPass(s_obf_ibr)); // 间接指令 理论上间接指令应该放在最后 + MPM.addPass(IndirectGlobalVariablePass(s_obf_igv)); // 间接全局变量 + MPM.addPass(RewriteSymbolPass()); // 根据yaml信息 重命名特定symbols + } + ); } void PassBuilder::registerModuleAnalyses(ModuleAnalysisManager &MAM) {