OLLVM移植与使用详解<\/h1>

1. OLLVM简介<\/h2>
OLLVM(Obfuscator-LLVM)是一个基于LLVM框架的代码混淆工具，主要用于增强代码的安全性，防止逆向工程分析。它提供了三种主要的混淆功能：<\/p>
指令替换(Instruction Substitution)<\/li>
虚假控制流(Bogus Control Flow)<\/li>
控制流平坦化(Control Flow Flattening)<\/li> <\/ol>
2. OLLVM移植到LLVM-14.0.6<\/h2>

2.1 移植步骤<\/h3>
获取OLLVM项目<\/strong>：<\/p>
git clone https:\/\/github.com\/buffcow\/ollvm-project
<\/span><\/span><\/code><\/pre><\/li>

添加头文件<\/strong>：<\/p>

在llvm\/include\/llvm\/Transforms<\/code>文件夹下创建Obfuscation<\/code>目录<\/li>
按照[commit](llvm support obfuscator)中的内容逐个添加头文件<\/li>
<\/ul>
<\/li>

添加源文件<\/strong>：<\/p>

在llvm\/lib\/Transforms<\/code>文件夹下创建Obfuscation<\/code>目录<\/li>
按照[commit](llvm support obfuscator)中的内容逐个添加源文件<\/li>
<\/ul>
<\/li>

修改支持文件及配置<\/strong>：<\/p>

按照[commit](llvm support obfuscator)对LLVM项目中相关文件进行补充或修改<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 编译OLLVM<\/h3>
mkdir build
<\/span><\/span>sudo cmake -S llvm -B build -G Ninja -DLLVM_ENABLE_PROJECTS=<\/span>"clang"<\/span> -DCMAKE_BUILD_TYPE=<\/span>Release -DLLVM_INCLUDE_TESTS=<\/span>OFF -DLLVM_ENABLE_NEW_PASS_MANAGER=<\/span>OFF
<\/span><\/span>sudo cmake --build build -j4
<\/span><\/span><\/code><\/pre>编译完成后，可在build\/bin<\/code>文件夹中查看生成的工具。<\/p>
3. OLLVM混淆功能详解<\/h2>
3.1 指令替换(Instruction Substitution)<\/h3>
功能<\/strong>：随机选择一种功能上等效但更复杂的指令序列替换标准二元运算符。<\/p>
编译选项<\/strong>：<\/p>

-mllvm -sub<\/code>：激活指令替换操作<\/li>
-mllvm -sub_loop=3<\/code>：在函数上应用3次，默认值为1<\/li>
<\/ul>
替换规则示例<\/strong>：<\/p>


算术运算：<\/p>

a = b + c<\/code> 替换为：
a =<\/span> b -<\/span> (-<\/span>c)
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>a =<\/span> -<\/span>(-<\/span>b +<\/span> (-<\/span>c))
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>r =<\/span> rand(); a =<\/span> b +<\/span> r; a =<\/span> a +<\/span> c; a =<\/span> a -<\/span> r
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>r =<\/span> rand(); a =<\/span> b -<\/span> r; a =<\/span> a +<\/span> b; a =<\/span> a +<\/span> r
<\/span><\/span><\/code><\/pre><\/li>
a = b - c<\/code> 替换为：
a =<\/span> -<\/span>(-<\/span>b +<\/span> c)
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>r =<\/span> rand(); a =<\/span> b +<\/span> r; a =<\/span> a -<\/span> c; a =<\/span> a -<\/span> r
<\/span><\/span>\/\/ 或
<\/span><\/span><\/span><\/span>r =<\/span> rand(); a =<\/span> b -<\/span> r; a =<\/span> a -<\/span> c; a =<\/span> a +<\/span> r
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

逻辑运算：<\/p>

a = b & c<\/code> 替换为 a = (b ^ ~c) & b<\/code><\/li>
a = b | c<\/code> 替换为 a = (b & c) | (b ^ c)<\/code><\/li>
a = a ^ b<\/code> 替换为 a = (~a & b) | (a & ~b)<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
源码分析<\/strong>：<\/p>

Substitution<\/code>类继承自LLVM中的FunctionPass<\/code>类<\/li>
覆盖runOnFunction<\/code>实现混淆逻辑<\/li>
toObfuscate<\/code>函数根据传入的flag和其他参数决定是否混淆函数<\/li>
substitute<\/code>方法执行实际的混淆逻辑<\/li>
<\/ul>
3.2 虚假控制流(Bogus Control Flow)<\/h3>
功能<\/strong>：在程序的控制流图(CFG)中引入虚假的分支和基本块。<\/p>
编译选项<\/strong>：<\/p>

-mllvm -bcf<\/code>：激活虚假控制流<\/li>
-mllvm -bcf_loop=3<\/code>：对基本块混淆操作连续进行3次<\/li>
-mllvm -bcf_prob=40<\/code>：操作发生的概率为40%<\/li>
<\/ul>
示例<\/strong>：<\/p>
#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    int<\/span> a =<\/span> atoi(argv[1<\/span>]);
<\/span><\/span>    if<\/span> (a ==<\/span> 0<\/span>) return<\/span> 1<\/span>;
<\/span><\/span>    else<\/span> return<\/span> 10<\/span>;
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>源码分析<\/strong>：<\/p>

BogusControlFlow<\/code>类继承自FunctionPass<\/code><\/li>
bogus<\/code>函数：

将函数的所有basicblock存放到list容器<\/li>
使用while循环调用addBogusFlow<\/code>函数对选中的basicblock增加虚假控制流<\/li>
<\/ul>
<\/li>
addBogusFlow<\/code>函数：

使用getFirstNonPHIOrDbgOrLifetime<\/code>找到第一个有效指令地址<\/li>
使用splitBasicBlock<\/code>将一个basicblock一分为二<\/li>
使用createAlteredBasicBlock<\/code>拷贝生成"altered basicblock"<\/li>
设置跳转条件，创建分支跳转指令<\/li>
<\/ul>
<\/li>
doF<\/code>函数：

遍历Module内的所有指令<\/li>
将所有的FCMP_TRUE分支指令替换为永真式<\/li>
<\/ul>
<\/li>
<\/ul>
3.3 控制流平坦化(Control Flow Flattening)<\/h3>
功能<\/strong>：把程序原有逻辑转化成多个case-swich的扁平状结构。<\/p>
编译选项<\/strong>：<\/p>

-mllvm -fla<\/code>：激活控制流平坦化功能<\/li>
-mllvm -split<\/code>：激活基本块分裂<\/li>
-mllvm -split_num=3<\/code>：使每个基本块上分裂3次<\/li>
<\/ul>
实现原理<\/strong>：<\/p>

创建循环入口基本块(loopEntry)和循环出口基本块(loopEnd)<\/li>
创建switch-default基本块(swDefault)<\/li>
创建switch指令，根据条件决定跳转方向<\/li>
将函数原有基本块添加到switch-case语句中<\/li>
修改基本块之间的跳转关系<\/li>
<\/ol>
4. OLLVM移植到NDK<\/h2>
4.1 移植步骤<\/h3>


覆盖NDK目录<\/strong>：<\/p>

将LLVM中的bin<\/code>、lib<\/code>、include<\/code>目录覆盖NDK的toolchains\/llvm\/prebuilt\/linux-86_64\/<\/code>目录下对应目录<\/li>
<\/ul>
<\/li>

覆盖clang目录<\/strong>：<\/p>

将toolchains\/llvm\/prebuilt\/linux-86_64\/lib64<\/code>目录下的clang<\/code>文件夹覆盖到toolchains\/llvm\/prebuilt\/linux-86_64\/lib<\/code>目录下<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 CMake配置<\/h3>
在cpp<\/code>目录下的CMakeLists.txt<\/code>中添加混淆配置：<\/p>
set(CMAKE_C_FLAGS<\/span> "${CMAKE_C_FLAGS} -mllvm -bcf -mllvm -bcf_loop=3 -mllvm -fla -mllvm -split -mllvm -split_num=3"<\/span>)
<\/span><\/span><\/span><\/span>set(CMAKE_CXX_FLAGS<\/span> "${CMAKE_CXX_FLAGS} -mllvm -bcf -mllvm -bcf_loop=3 -mllvm -fla -mllvm -split -mllvm -split_num=3"<\/span>)
<\/span><\/span><\/span><\/code><\/pre>5. LLVM Pass操作对象结构<\/h2>
OLLVM混淆操作主要针对以下LLVM IR结构：<\/p>

Module<\/strong>：对应C\/C++文件<\/li>
Function<\/strong>：对应C\/C++代码中的函数<\/li>
BasicBlock<\/strong>：每个函数被划分为若干基本块，一个block只有一个入口和一个出口<\/li>
Instruction<\/strong>：具体的指令<\/li>
<\/ol>
6. 总结<\/h2>
OLLVM提供了强大的代码混淆能力，通过指令替换、虚假控制流和控制流平坦化等技术，可以有效增加逆向工程的难度。移植到特定版本的LLVM和NDK需要仔细处理文件结构和编译配置。在实际应用中，可以根据安全需求选择适当的混淆选项和参数组合。<\/p>