The latest articles on DEV Community by lich0 (@lich0). https://dev.to/lich0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3754029%2Fdf0129d1-b008-432c-99ad-bbb8992d0d8b.png https://dev.to/lich0 en lich0 Mon, 16 Mar 2026 08:39:45 +0000 https://dev.to/lich0/sllvm-a-unique-ollvm-based-obfuscator-3k8c https://dev.to/lich0/sllvm-a-unique-ollvm-based-obfuscator-3k8c <p><a href="https://github.com/lich4/sllvm" rel="noopener noreferrer">https://github.com/lich4/sllvm</a></p> <h2> Supported Systems and Architectures </h2> <ul> <li> <strong>Host Systems</strong>: Planned support for <code>macOS</code>/<code>Linux</code>; no current plans for <code>Windows</code>.</li> <li> <strong>Target Systems</strong>: Planned support for <code>macOS</code>/<code>iOS</code>/<code>Android</code>.</li> <li> <strong>Architectures</strong>: Both Host and Target support <code>X64</code> and <code>ARM64</code>.</li> <li> <strong>Languages</strong>: Supports <code>C</code>, <code>C++</code>, <code>Objective-C</code>, <code>Objective-C++</code>, <code>Swift</code>, <code>Rust</code>, <code>Golang</code>, etc.</li> </ul> <h2> Obfuscation Capabilities </h2> <ul> <li>Data Encryption <ul> <li> CE Constant Encryption (String obfuscation).</li> </ul> </li> <li>Control Flow Obfuscation <ul> <li> FLA Control Flow Flattening.</li> <li> BCF Bogus Control Flow.</li> <li> ECF Novel Control Flow obfuscation.</li> </ul> </li> <li>Function-Level Obfuscation <ul> <li> FW Function Wrapper (Function nesting).</li> <li> FCC Function Calling Convention obfuscation.</li> </ul> </li> <li>Instruction-Level Obfuscation <ul> <li> IBR Indirect Branch.</li> <li> ICALL Indirect Call.</li> <li> IGV Indirect Global Variable reference.</li> <li> SVC Supervisor Call (System call) obfuscation.</li> <li> SPLIT Instruction Splitting.</li> </ul> </li> <li>其他 <ul> <li> INLINE Function Inlining.</li> <li> SEC Anti-debugging/Security protection.</li> </ul> </li> </ul> <h3> SLLVM Features </h3> <p>SLLVM was developed to address limitations in the OLLVM lineage (Hikari, Hikari-LLVM15, Pluto, Polaris-Obfuscator, goron, Arkari, o-mvll, etc.):</p> <ul> <li> <strong>Release Compatibility</strong>: Obfuscation is not reverted by the compiler during <code>Release</code> builds.</li> <li> <strong>Anti-Analysis</strong>: Resists "Read-Only Data Segment" attacks in IDA Pro; if data segments are marked read-only, obfuscation remains intact.</li> <li> <strong>Hardening</strong>: Removes common OLLVM signatures to resist specialized scripts, symbolic execution (Angr), and AI-based deobfuscation.</li> <li> <strong>Stability</strong>: Avoids compilation hangs and memory exhaustion often seen in other variants when processing large <code>header-only</code> libraries.</li> </ul> <h2> Configuration </h2> <p>In many real-world projects, fully obfuscating the entire codebase is often impractical due to the following reasons:</p> <ul> <li> <strong>Project Scale and Dependencies</strong>: Large projects or those utilizing numerous <code>header-only</code> libraries may end up obfuscating unnecessary code, resulting in excessively large binary sizes.</li> <li> <strong>Compilation Overhead</strong>: For massive projects with complex dependencies, applying flattening (or other methods) to unnecessary code can lead to extremely long compilation times or even system hangs.</li> <li> <strong>Performance Impact</strong>: Obfuscating complex algorithms can significantly increase runtime latency; typically, control flow flattening adds over 10% to execution time.</li> <li> <strong>Compliance Issues</strong>: Excessive obfuscation may violate the submission policies of platforms like the <code>AppStore</code> or <code>GooglePlay</code>.</li> </ul> <p>In practice, it is often necessary to apply different levels of obfuscation based on the importance of specific modules or functions. This requires a configuration strategy to specify which targets receive which type of obfuscation. Traditional open-source <code>OLLVM</code> implementations usually manage strategies through the following methods:</p> <ul> <li> <strong>Command-line Arguments</strong>: Specifying parameters for specific modules (e.g., <code>-llvm -fla</code>), which is compatible with all compiler front-ends supporting LLVM flags.</li> <li> <strong>Environment Variables</strong>: Defining obfuscation parameters via the system environment.</li> <li> <strong>Function Annotations</strong>: Using attributes like <code>__attribute((__annotate__(("fla"))))</code> (or the modern syntax <code>[[clang::annotate("fla")]]</code>); however, this is restricted to <code>C/C++</code> and is not supported by <code>Objective-C or</code> other languages.</li> <li> <strong>Marker Functions</strong>: Designating specific functions as markers, as shown below; this method provides support for <code>Objective-C</code>.</li> </ul> <p>All of the aforementioned methods have their limitations—they either require intrusive code changes, fail to provide control at the function level, or are restricted to specific languages. This project utilizes a configuration file (<code>sllvm.json</code>) to define which functions and modules should be obfuscated, ensuring compatibility with the majority of compiler frontends and programming languages.</p> <h3> Primary/Secondary Fields </h3> <ul> <li> <code>log_level</code> Global logging level. String type, optional. Defaults to no logging. Possible values: <code>info</code> | <code>debug</code> </li> <li> <code>src_root</code> Source file root path. String type, optional. Defaults to the current directory; typically does not need to be specified.</li> <li> <code>policies</code> A list of strategies, divided into Module-level and Function-level policies. Module-level policies contain module and policy fields but no func field. Function-level policies include <code>module</code>, <code>func</code>, and <code>policy</code> fields. <ul> <li> <code>module</code> A regular expression used to match module paths.</li> <li> <code>func</code> regular expression used to match function names. <code>C++</code> functions are demangled before matching.</li> <li> <code>policy</code> String type; must correspond to a key defined in <code>policy_map</code>.</li> </ul> </li> <li> <code>policy_map</code> A strategy index referenced by <code>policies</code>. Each strategy name maps to a dictionary containing the following fields: <ul> <li> <code>base</code> The name of a base policy to inherit from (module or function level). String type, optional. Value must be a key in <code>policy_map</code>.</li> <li> <code>dump</code> Types of intermediate code to output (saved in the <code>sllvm_dump</code> directory). Applies to module or function levels. String array, defaults to empty. Possible values: <code>ir</code>, <code>mmd</code>, <code>asm</code>.</li> <li> <code>enable_std</code> Enables obfuscation for <code>C++</code> standard library functions. Module-level policy. Boolean type, optional. Disabled by default to minimize compatibility issues.</li> </ul> </li> </ul> <h3> Function-level Policy </h3> <ul> <li> <code>enable_ce</code> Enables <code>CE</code> obfuscation. <ul> <li> <code>ce_size_min</code> Minimum string length.</li> <li> <code>ce_size_max</code> Maximum string length.</li> <li> <code>ce_algo</code> Encryption/decryption algorithm.</li> <li> <code>ce_mode_stack</code> Enables stack-based string decryption.</li> </ul> </li> <li> <code>enable_fla</code> Enables <code>FLA</code> obfuscation. <ul> <li> <code>fla_prob</code> Obfuscation probability for BasicBlocks.</li> <li> <code>fla_force_reg</code> Increases obfuscation strength.</li> <li> <code>fla_use_igv</code> Increases obfuscation strength.</li> <li> <code>fla_use_dyn</code> Increases obfuscation strength.</li> <li> <code>fla_use_rcf</code> Increases obfuscation strength.</li> <li> <code>fla_blk_size</code> Increases obfuscation strength.</li> <li> <code>fla_invoke_op</code> Compatibility for exception handling.</li> </ul> </li> <li> <code>enable_bcf</code> Enables <code>BCF</code> obfuscation. <ul> <li> <code>bcf_prob</code> Obfuscation probability for BasicBlocks.</li> <li> <code>bcf_complex</code> Expression complexity.</li> <li> <code>bcf_use_var</code> Uses variables to construct expressions.</li> </ul> </li> <li> <code>enable_ecf</code> Enables <code>ECF</code> obfuscation. <ul> <li> <code>ecf_prob</code> Obfuscation probability for BasicBlocks.</li> </ul> </li> <li> <code>enable_fw</code> Enables <code>FW</code> obfuscation. <ul> <li> <code>fw_loop_min</code> Minimum number of function nesting layers.</li> <li> <code>fw_loop_max</code> Maximum number of function nesting layers.</li> <li> <code>fw_exclude</code> Sub-functions to exclude.</li> </ul> </li> <li> <code>enable_fcc</code> Enables <code>FCC</code> obfuscation. <ul> <li> <code>fcc_num</code> Number of randomized calling conventions (Module-level).</li> <li> <code>fcc_type</code> Type of customized calling convention (Module-level).</li> <li> <code>fcc_narg_reg</code> Maximum number of parameters passed via registers (Module-level).</li> </ul> </li> <li> <code>enable_ibr</code> Enables <code>IBR</code> obfuscation. <ul> <li> <code>ibr_prob</code> Obfuscation probability for BasicBlocks.</li> <li> <code>ibr_use_igv</code> Increases obfuscation strength.</li> <li> <code>ibr_use_dyn</code> Increases obfuscation strength.</li> </ul> </li> <li> <code>enable_icall</code> Enables <code>ICALL</code> obfuscation. <ul> <li> <code>icall_use_igv</code> Increases obfuscation strength (Enabled by default).</li> <li> <code>icall_use_dyn</code> Increases obfuscation strength.</li> </ul> </li> <li> <code>enable_igv</code> Enables <code>IGV</code> obfuscation. <ul> <li> <code>igv_use_dyn</code> Increases obfuscation strength.</li> </ul> </li> <li> <code>enable_svc</code> Enables <code>SVC</code> obfuscation. <ul> <li> <code>svc_usr_ir</code> Increases obfuscation strength.</li> </ul> </li> <li> <code>enable_split</code> Enables <code>SPLIT</code> obfuscation. <ul> <li> <code>split_maxsize</code> Maximum number of instructions per split segment.</li> </ul> </li> <li> <code>enable_inline</code> Enables <code>INLINE</code> obfuscation.</li> <li> <code>enable_sec</code> Enables <code>SEC</code> obfuscation. <ul> <li> <code>sec_ad_prob</code> Insertion probability for function anti-debugging logic.</li> <li> <code>sec_usr_ir</code> Increases obfuscation strength.</li> </ul> </li> </ul> <p>A typical SLLVM configuration file sllvm.json is as follows::<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"log_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"info"</span><span class="p">,</span><span class="w"> </span><span class="nl">"policy_map"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mod_pol"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dump"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ir"</span><span class="p">],</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"func_pol"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enable_ce"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"ce_size_min"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"ce_size_max"</span><span class="p">:</span><span class="w"> </span><span class="mi">128</span><span class="p">,</span><span class="w"> </span><span class="nl">"ce_algo"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"policies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"desc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Module-level policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"module"</span><span class="p">:</span><span class="w"> </span><span class="s2">".*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mod_pol"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"desc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Function-level policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"module"</span><span class="p">:</span><span class="w"> </span><span class="s2">".*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"func"</span><span class="p">:</span><span class="w"> </span><span class="s2">".*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"func_pol"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Supported Obfuscation Methods </h2> <h3> String Encryption </h3> <p>Currently, <code>SLLVM</code>'s <code>CE</code> supports arm64/arm64e, <code>Objective-C</code> constant strings, and stack-based decryption via <code>ce_mode_stack</code>. Unlike <code>Hikari</code>, which performs module-level obfuscation, <code>SLLVM</code> operates at the function level. This allows users to obfuscate all strings within specific functions, which is particularly useful for handling <code>header-only</code>libraries.</p> <p>Key differences from Hikari:</p> <ul> <li>Supports encryption algorithms beyond simple XOR.</li> <li>Supports stack-based decryption(<code>ce_mode_stack</code>)</li> </ul> <h4> <code>ce_algo</code> </h4> <p>Used to configure the encryption/decryption algorithm. SLLVM currently supports 30 algorithms with complexity ranging from XOR to AES-level. Setting this value to 100 will select a random algorithm.</p> <h4> <code>ce_mode_stack</code> </h4> <p>This setting controls whether strings are decrypted on the stack. If <code>ce_mode_stack</code> is disabled, <code>SLLVM</code> utilizes the same approach as Hikari. The table below compares <code>Hikari</code>'s method, <code>SLLVM</code>'s S-mode (stack), and <code>C++</code> template metaprogramming-based string obfuscation:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th><code>Hikari</code></th> <th> <code>SLLVM</code>S-Mode</th> <th>C++ Template Metaprogramming</th> </tr> </thead> <tbody> <tr> <td>Encryption Location</td> <td>Static Area</td> <td>Static Area</td> <td>Static Area / Immediate</td> </tr> <tr> <td>Decryption Timing</td> <td>Function Prologue</td> <td>Function Prologue</td> <td>Before Reference</td> </tr> <tr> <td>Decryption Location</td> <td>Static Area</td> <td>Stack Area</td> <td>Stack Area</td> </tr> <tr> <td>Requires Source Change</td> <td>N</td> <td>N</td> <td>Y</td> </tr> <tr> <td>Complex Algorithms</td> <td>Supported</td> <td>Supported</td> <td>Not Suitable</td> </tr> </tbody> </table></div> <p>Notes:</p> <ul> <li>Decryption Timing: <code>Hikari</code> decrypts once at the function prologue. While some other <code>OLLVM-based</code> projects decrypt in an initialization function, that method has the disadvantage of plaintext appearing in the static area immediately after decryption.</li> <li>Language Support: <code>C++</code> template methods are limited to <code>C++</code>. While languages like <code>Rust</code> have third-party libraries for similar results, all such methods require manual changes to the source code.</li> </ul> <p>Important: Most <code>OLLVM</code> variants do not implement stack-based decryption because string constants are static data, making it difficult for the IR layer to determine if a string might "escape." In SLLVM, enabling <code>ce_mode_stack</code> demotes strings from static data to stack data, which requires specific handling.</p> <h4> Showcase </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"hello sllvm</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>CE Static Area<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftnfsce5c1ra9rtftijw7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftnfsce5c1ra9rtftijw7.png" alt="CE Static Area" width="600" height="595"></a></p> <p>CE Stack Area<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtwleoedu76mnthplbvy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtwleoedu76mnthplbvy.png" alt="CE Stack Area" width="600" height="516"></a></p> <h3> Control Flow Flattening </h3> <p>Transforms control flow from sequential execution into a switch-case loop structure. Key differences from <code>Hikari</code> include:</p> <ul> <li> <strong>Signature Weakening</strong>: Significantly reduces common <code>FLA</code> patterns, such as state variables, in-degrees, dispatcher blocks, and single-loop structures.</li> <li> <strong>Exception Handling</strong>: While Hikari cannot handle functions with exception handling, <code>SLLVM</code> allows you to choose a specific handling method via the <code>fla_invoke_op</code> parameter.</li> </ul> <h4> 展示 </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"not possible</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"no args</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%d args</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argc</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>FLA Full<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7n79q84oth5jrbvooip.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7n79q84oth5jrbvooip.png" alt="FLA Full" width="600" height="1518"></a></p> <h3> Bogus Control Flow </h3> <p>Inserts "always-false" conditional branches into the sequential control flow. Key differences from <code>Hikari</code> include:</p> <ul> <li> <strong>Release Stability</strong>: The obfuscation is not reverted or optimized away by the compiler during <code>Release</code> builds.</li> <li> <strong>Resilience to Static Analysis</strong>: Resists "read-only data segment" attacks; the obfuscation remains intact even if the data segment is set to read-only in <code>IDA Pro</code> (this feature relies on <code>bcf_use_var</code>).</li> </ul> <h4> Showcase </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"not possible</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"no args</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%d args</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argc</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>BCF Constant<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy8hbhz6xg6q9n6vq05re.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy8hbhz6xg6q9n6vq05re.png" alt="BCF Constant" width="600" height="367"></a></p> <p>BCF Variable<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn9rwyjy8xrmcfs8n2c09.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn9rwyjy8xrmcfs8n2c09.png" alt="BCF Variable" width="600" height="467"></a></p> <h3> Novel Control Flow </h3> <p>A brand-new obfuscation approach designed to counter tracing and symbolic execution by tools like Angr.</p> <h3> Function Wrapper </h3> <p>Performs nesting on sub-functions directly called by the designated function. Key difference from <code>Hikari</code>:</p> <ul> <li>The obfuscation is not reverted or optimized away by the compiler during <code>Release</code> builds.</li> </ul> <h3> Calling Convention Obfuscation </h3> <p>Converts standard C calling conventions into randomized ones, altering the registers used for parameters and return values. Currently, this is partially implemented for ARM64.</p> <ul> <li> <code>fcc_num</code> Specifies the number of randomized calling conventions.</li> <li> <code>fcc_type</code> Specifies the type of customized calling convention, with the following values: <ul> <li>0 Uses only registers <code>X0~X8</code> </li> <li>1 Uses only integer registers.</li> <li>2 Uses only floating-point registers.</li> <li>10 Uses any available registers.</li> </ul> </li> <li> <code>fcc_narg_reg</code> Specifies the maximum number of parameters passed via registers; remaining parameters are passed via the stack.</li> </ul> <h4> Showcase </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="k">static</span> <span class="kt">int</span> <span class="nf">test</span><span class="p">(</span><span class="kt">int</span> <span class="n">a0</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a2</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a3</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a4</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"a0=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">a0</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"a1=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">a1</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"a2=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">a2</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"a3=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">a3</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"a4=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">a4</span><span class="p">);</span> <span class="k">return</span> <span class="n">a0</span> <span class="o">+</span> <span class="n">a1</span> <span class="o">+</span> <span class="n">a2</span> <span class="o">+</span> <span class="n">a3</span> <span class="o">+</span> <span class="n">a4</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">test</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">0</span><span class="p">],</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">1</span><span class="p">],</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">2</span><span class="p">],</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">3</span><span class="p">],</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">4</span><span class="p">]);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>FCC using<code>X8(X8,X1,X6,...)</code><br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsr6ivf54ec8t0xthtn9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsr6ivf54ec8t0xthtn9.png" alt="FCC_BASE" width="600" height="838"></a></p> <p>FCC using<code>D26(D26,D2,X15,...)</code><br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pwn02u4ej8xz1v655l4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pwn02u4ej8xz1v655l4.png" alt="FCC_FULL" width="600" height="860"></a></p> <h3> Indirect Branch </h3> <p>Key differences from Hikari:</p> <ul> <li>The obfuscation is not reverted by the compiler when compiling in <code>Release</code> mode.</li> <li> <code>ibr_use_igv</code> is similar to <code>Hikari</code>'s <code>indibran-enc-jump-target</code>. When combined with <code>ibr_use_dyn</code>, it further enhances the obfuscation strength.</li> </ul> <h4> Showcase </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"not possible</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"no args</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%d args</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argc</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>IBR Full<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyods24h56rv5d1523qvb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyods24h56rv5d1523qvb.png" alt="IBR Full" width="600" height="308"></a></p> <h3> System Call Obfuscation </h3> <p>Converts standard system call functions into direct <code>SVC</code> (Supervisor Call) instructions.</p> <h4> Showcase </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">r</span> <span class="o">=</span> <span class="n">access</span><span class="p">(</span><span class="s">"/tmp/1.txt"</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"r=%d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">r</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>SVC Base <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw56s6g8gwklwbqrgnofx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw56s6g8gwklwbqrgnofx.png" alt="SVC基础" width="600" height="519"></a></p> <p>SVC Custom1<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwihcd2zwo7p8ynog77fi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwihcd2zwo7p8ynog77fi.png" alt="SVC Custom1" width="600" height="164"></a></p> <h3> Instruction Splitting </h3> <p>Splits a function's instructions and scatters them across random addresses throughout the entire module.</p> <h4> Showcase </h4> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">void</span> <span class="nf">test</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"not possible</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"no arg</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%d args</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argc</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span><span class="o">**</span> <span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"not possible</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"no arg</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o">==</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"1 arg</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%d args</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argc</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>SPLIT Full<br><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ha8p6y43qwtn67n05p8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ha8p6y43qwtn67n05p8.png" alt="SPLIT Full" width="800" height="596"></a></p> <h3> Function Inlining </h3> <p>Inlines all sub-functions called by a specified function into the current function's body.</p> <h3> Security Protection </h3> <p>Inserts anti-debugging logic directly into the specified functions.</p> llvm ollvm lich0 Sat, 14 Feb 2026 04:14:57 +0000 https://dev.to/lich0/why-lich4ollvm-pass-deserves-attention-17ho https://dev.to/lich0/why-lich4ollvm-pass-deserves-attention-17ho <h2> Why <code>lich4/ollvm-pass</code> is worth attention among “hundreds of OLLVM open-source projects” </h2> <p><a href="https://github.com/lich4/ollvm-pass" rel="noopener noreferrer">GitHub - lich4/ollvm-pass: Independent hikari</a></p> <p>If you’ve been looking for OLLVM (Obfuscator-LLVM) related projects recently, you’ve probably run into a reality: <strong>there are tons of open-source repos, but not many that actually bring something new</strong>. Many projects mainly port classic implementations to newer LLVM/Clang versions—useful, but limited when it comes to real-world engineering adoption and <em>controllable obfuscation</em>.</p> <p><strong><code>lich4/ollvm-pass</code></strong>, however, has a very clear positioning: <strong>based on LLVM NewPassManager, it turns original OLLVM + Hikari-style implementations into standalone “passes,” and fills in what production use most often lacks— a policy system and Xcode integration.</strong> </p> <h2> 1) Most mainstream OLLVM projects focus on “version compatibility,” not “engineering enhancements” </h2> <p>Common open-source OLLVM projects include:</p> <ul> <li> <strong>obfuscator-llvm/obfuscator</strong>: the earliest public Obfuscator-LLVM, implementing classic features such as substitution / bogus control flow / flattening.</li> <li> <strong>HikariObfuscator/Hikari</strong>: extends Obfuscator with string encryption, split basic blocks, function wrapping / call obfuscation, etc.</li> <li> <strong>KomiMoe/Arkari</strong> (goron family): more focused on indirect calls/branches and adapts to newer LLVM.</li> <li> <strong>za233/Polaris-Obfuscator</strong>: adds some MIR-level obfuscation beyond IR (e.g., dirty bytes, MIR instruction substitution).</li> <li> <strong>open-obfuscator/o-mvll</strong>: emphasizes “Python-driven + pass manager,” with broad feature coverage.</li> </ul> <p>The issue is: <strong>many derivative repos mainly add “compatibility with newer LLVM versions.”</strong> But in real engineering scenarios—“obfuscate only key modules/functions,” “don’t explode build time,” “don’t increase app store release risk”—they often don’t provide a systematic solution. </p> <h2> 2) From “patching LLVM source” to “dynamic passes”: the modern way to do OLLVM </h2> <p>In the early days (LLVM 3.x era), OLLVM often meant <strong>directly modifying LLVM’s source</strong>, largely because the ecosystem and mechanisms weren’t mature. Today, <strong>most IR-level obfuscation can be done via pass plugins.</strong></p> <p>A simplified evolution of LLVM’s pass mechanism:</p> <ul> <li>LLVM 5–12: primarily <strong>LegacyPassManager</strong> </li> <li>LLVM 13–14: Legacy by default, also supports <strong>NewPassManager</strong> </li> <li>LLVM 15–present: <strong>NewPassManager</strong> by default</li> </ul> <h3> Engineering advantages of dynamic passes (pass plugins) </h3> <p>This is one of the core values emphasized by <code>lich4/ollvm-pass</code>:</p> <ul> <li> <strong>Avoid the massive cost of building LLVM/Clang</strong>: you can use the LLVM already installed on your system (Homebrew/apt, etc.) as long as the <strong>major Clang version matches</strong>.</li> <li> <strong>Fast build and iteration</strong>: the output is typically just a few-MB dynamic library, not a hundreds-of-MB clang binary or multi-GB toolchain.</li> <li> <strong>Better developer experience</strong>: writing passes, running them, validating IR output—iteration is faster and the barrier is lower.</li> </ul> <p>That said, it’s important to acknowledge the boundaries: <strong>passes are hard to cover MIR/MC-level obfuscation</strong> (which is why projects like Polaris add MIR-level enhancements). </p> <h2> 3) What <code>lich4/ollvm-pass</code> does: not “yet another port,” but a production-usable pass-based solution </h2> <p>The project description is straightforward: based on <strong>LLVM NewPassManager</strong>, it turns <strong>original OLLVM + Hikari</strong> into independent passes, verifying that “IR-level obfuscation can be implemented as standalone passes,” and it’s tested on <strong>macOS 15 + LLVM 15–19</strong>.</p> <p>More importantly, it completes two capabilities that matter a lot for real adoption:</p> <h3> a) A “policy syntax”: precisely control obfuscation down to module/function via <code>policy.json</code> </h3> <p>In real projects, many teams aren’t unwilling to obfuscate everything—they <strong>can’t</strong>:</p> <ul> <li>The project/dependencies are huge; obfuscating irrelevant code bloats artifacts</li> <li>Heavy obfuscation (like flattening) slows builds drastically or even causes stalls</li> <li>After obfuscation, runtime overhead can become obvious for complex algorithms (flattening often causes ~10% level overhead)</li> <li>Over-obfuscation may increase compliance/review risk for App Store / Google Play (these points are explicitly mentioned in the README)</li> </ul> <p>So in practice, <strong>“controllable obfuscation” matters more than “obfuscation exists.”</strong> Traditional open-source OLLVM controls are often either too coarse (module-only), too intrusive (requires code changes), or limited by language (e.g., annotations that mainly work for C/C++).</p> <p><strong><code>ollvm-pass</code>’s approach:</strong> use a <code>policy.json</code> in the working directory to declare rules—compatible with most frontends and languages—distinguishing module-level and function-level strategies; also supports “forward override,” optional field comments, IR dump, and other engineering features.</p> <p>You can think of it as: <strong>upgrading obfuscation switches from compiler flags / code intrusion to an auditable, reusable, version-controllable policy configuration</strong>—critical for large, multi-module, multi-language builds (especially on mobile). </p> <h3> b) Xcode integration: a realistic integration path for iOS/macOS projects </h3> <p>Many people hit the same pitfall: <strong>open-source clang ≠ Apple clang shipped with Xcode</strong>; pass plugins don’t always “just work” inside Xcode. <code>ollvm-pass</code> provides three practical routes in its README:</p> <ol> <li>In Xcode, set <code>CC</code> to open-source clang and add <code>-fpass-plugin</code> in <code>Other C Flags</code> </li> <li>In Xcode, set <code>CC</code> to a script: first <code>clang -emit-llvm</code> to produce bitcode, then run passes with <code>opt</code>, then <code>clang -c</code> to output an object file (the repo provides the author’s script <code>xcode_cc.sh</code>), and notes this is more friendly for <strong>arm64e</strong> compatibility</li> <li>Build a dynamic pass specifically for Apple clang (hard: must handle symbol conflicts; better for LLVM experts)</li> </ol> <p>The value here is: it doesn’t just say “it’s theoretically possible”—it lays out <strong>real, workable engineering integration paths</strong>, including ready-to-use scaffolding (scripts). </p> <h2> Who is this for? </h2> <ul> <li>You don’t want to build a multi-GB toolchain just for one OLLVM setup, and you want <strong>“compile the pass in minutes, validate immediately.”</strong> </li> <li>You need <strong>“obfuscate only key modules/functions”</strong> in a real production codebase, and you want policies that are versioned and auditable</li> <li>You target iOS/macOS (Xcode / Apple clang ecosystem) and want a practical integration path</li> </ul> <p>If OLLVM is “just for running a demo,” then many porting repos are enough. But if you want it <strong>in production—controllable and maintainable—</strong>then the direction of <strong>pass-based + policy-based + Xcode-adapted</strong> like <strong><code>lich4/ollvm-pass</code></strong> is much closer to an engineering-grade answer. </p> <h2> References </h2> <ol> <li><a href="https://github.com/lich4/ollvm-pass" rel="noopener noreferrer">GitHub - lich4/ollvm-pass: Independent hikari</a></li> <li><a href="https://github.com/lich4/awesome-ollvm" rel="noopener noreferrer">GitHub - lich4/awesome-ollvm: List of (truly) awesome Obfuscator-LLVMs and IDA deobfuscation plugins</a></li> <li><a href="https://lich4.github.io/cpp_posts/20240826_ollvm/" rel="noopener noreferrer">OLLVM learning | Chao’s blog</a></li> </ol> github opensource security tooling