Add Return Obfuscation Pass

@@ -26,7 +26,7 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
 
 
   bool runOnMachineFunction(MachineFunction &MF) override {
   bool runOnMachineFunction(MachineFunction &MF) override {
     //if( MF.getFunction().getName().equals("setup") ) {
     //if( MF.getFunction().getName().equals("setup") ) {
-
+      MachineRegisterInfo *MRI = &MF.getRegInfo();
     if (true) {
     if (true) {
           srand(time(NULL));
           srand(time(NULL));
     ARMFunctionInfo *AFI = MF.getInfo<ARMFunctionInfo>();
     ARMFunctionInfo *AFI = MF.getInfo<ARMFunctionInfo>();
@@ -47,11 +47,13 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
       }
       }
     }
     }
     int i = 1;
     int i = 1;
+    /*
     for (auto &MI : instructions) {
     for (auto &MI : instructions) {
       const DebugLoc &DL = MI->getDebugLoc();
       const DebugLoc &DL = MI->getDebugLoc();
       MachineBasicBlock *OrigBB = MI->getParent();
       MachineBasicBlock *OrigBB = MI->getParent();
       MachineBasicBlock *NewBB =
       MachineBasicBlock *NewBB =
       MF.CreateMachineBasicBlock(OrigBB->getBasicBlock());
       MF.CreateMachineBasicBlock(OrigBB->getBasicBlock());
+        
       if (i == 1 || i == instructions.size())
       if (i == 1 || i == instructions.size())
         MF.insert(++OrigBB->getIterator(), NewBB);
         MF.insert(++OrigBB->getIterator(), NewBB);
       else {
       else {
@@ -61,8 +63,8 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
           }
           }
         MF.insert(ite, NewBB);
         MF.insert(ite, NewBB);
       } 
       } 
+      //MF.insert(++OrigBB->getIterator(), NewBB);
       i++;
       i++;
-
       NewBB->splice(NewBB->end(), OrigBB, MI->getIterator(), OrigBB->end());
       NewBB->splice(NewBB->end(), OrigBB, MI->getIterator(), OrigBB->end());
 
 
       // TII->insertUnconditionalBranch(*OrigBB, NewBB, DebugLoc());
       // TII->insertUnconditionalBranch(*OrigBB, NewBB, DebugLoc());
@@ -71,6 +73,7 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
   
   
       //NewBB->updateTerminator();
       //NewBB->updateTerminator();
       //OrigBB->updateTerminator();
       //OrigBB->updateTerminator();
+      
       if (AFI->isThumb2Function()) {
       if (AFI->isThumb2Function()) {
         BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::t2B)).addMBB(NewBB).addImm(ARMCC::AL).addReg(0);
         BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::t2B)).addMBB(NewBB).addImm(ARMCC::AL).addReg(0);
       } else if (AFI->isThumbFunction()) {
       } else if (AFI->isThumbFunction()) {
@@ -78,15 +81,48 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
       } else {
       } else {
         BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::B)).addMBB(NewBB);
         BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::B)).addMBB(NewBB);
       }
       }
+      
+
+     
+     srand(time(NULL));
+     int randimm = rand()%10+1;
+     
+     if (AFI->isThumb2Function()) {
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::tMOVi8), ARM::NoRegister)
+        .addImm(randimm);
+
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::tCMPi8))
+        .addReg(ARM::NoRegister, RegState::Kill)
+        .addImm(randimm);
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::tBcc))
+        .addMBB(NewBB)
+        .addImm(ARMCC::EQ)
+        .addReg(ARM::CPSR);
+      } else if (AFI->isThumbFunction()) {
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::tMOVi8), ARM::NoRegister)
+        .addImm(randimm);
+
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::tCMPi8))
+        .addReg(ARM::NoRegister)
+        .addImm(randimm);
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::tBcc))
+        .addMBB(NewBB)
+        .addImm(ARMCC::EQ)
+        .addReg(ARM::CPSR);
+      } else {
+        BuildMI(*OrigBB, OrigBB->end(), DL, TII->get(ARM::B)).addMBB(NewBB);
+      }
+
       LivePhysRegs LiveRegs;
       LivePhysRegs LiveRegs;
       computeAndAddLiveIns(LiveRegs, *NewBB);
       computeAndAddLiveIns(LiveRegs, *NewBB);
       // BuildMI(MBB, MI2, DL, TII->get(ARM::B)).addMBB(BBB);
       // BuildMI(MBB, MI2, DL, TII->get(ARM::B)).addMBB(BBB);
       //BuildMI(MBB, MBB.end(), DL, TII->get(ARM::MOVr), ARM::R10)
       //BuildMI(MBB, MBB.end(), DL, TII->get(ARM::MOVr), ARM::R10)
       //.addReg(ARM::R10)
       //.addReg(ARM::R10)
       //.addImm(ARMCC::AL).addReg(0).addReg(0); 
       //.addImm(ARMCC::AL).addReg(0).addReg(0); 
-      outs() << "HOHOHOO: \n";
-      MI->dump();
+      //outs() << "HOHOHOO: \n";
+      //MI->dump();
     }
     }
+    */
     /*
     /*
     if (!returns.empty()) {
     if (!returns.empty()) {
 
 
@@ -120,6 +156,7 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
     }
     }
 */
 */
     for (auto &MBB : MF) {
     for (auto &MBB : MF) {
+      /*
       outs() << "Contents of MachineBasicBlock:\n";
       outs() << "Contents of MachineBasicBlock:\n";
       outs() << MBB << "\n";
       outs() << MBB << "\n";
       const BasicBlock *BB = MBB.getBasicBlock();
       const BasicBlock *BB = MBB.getBasicBlock();
@@ -130,6 +167,7 @@ struct ARMReturnObfuscation : public MachineFunctionPass {
         const Instruction *ii = &*i;
         const Instruction *ii = &*i;
         errs() << *ii << "\n";
         errs() << *ii << "\n";
       }
       }
+      */
     }
     }
     return true;
     return true;
      }
      }

@@ -492,8 +492,6 @@ void ARMPassConfig::addPreRegAlloc() {
     if (!DisableA15SDOptimization)
     if (!DisableA15SDOptimization)
       addPass(createA15SDOptimizerPass());
       addPass(createA15SDOptimizerPass());
   }
   }
-
-  addPass(createARMReturnObfuscationPass());
 }
 }
 
 
 void ARMPassConfig::addPreSched2() {
 void ARMPassConfig::addPreSched2() {
@@ -541,11 +539,12 @@ void ARMPassConfig::addPreEmitPass() {
   // Don't optimize barriers at -O0.
   // Don't optimize barriers at -O0.
   if (getOptLevel() != CodeGenOpt::None)
   if (getOptLevel() != CodeGenOpt::None)
     addPass(createARMOptimizeBarriersPass());
     addPass(createARMOptimizeBarriersPass());
-
+  addPass(createARMReturnObfuscationPass());
   addPass(createARMConstantIslandPass());
   addPass(createARMConstantIslandPass());
   addPass(createARMLowOverheadLoopsPass());
   addPass(createARMLowOverheadLoopsPass());
 
 
   // Identify valid longjmp targets for Windows Control Flow Guard.
   // Identify valid longjmp targets for Windows Control Flow Guard.
   if (TM->getTargetTriple().isOSWindows())
   if (TM->getTargetTriple().isOSWindows())
     addPass(createCFGuardLongjmpPass());
     addPass(createCFGuardLongjmpPass());
+  
 }
 }

@@ -9,3 +9,4 @@ add_subdirectory(Hello)
 add_subdirectory(ObjCARC)
 add_subdirectory(ObjCARC)
 add_subdirectory(Coroutines)
 add_subdirectory(Coroutines)
 add_subdirectory(CFGuard)
 add_subdirectory(CFGuard)
+add_subdirectory(Obfuscation)

+add_llvm_library( LLVMObfuscation MODULE
+  ReturnObfuscation.cpp
+
+ DEPENDS
+ intrinsics_gen
+ PLUGIN_TOOL
+ opt
+  )
\ No newline at end of file

+#include "llvm/Pass.h"
+#include "llvm/IR/Function.h"
+#include "llvm/IR/Module.h"
+#include "llvm/IR/Instructions.h"
+#include "llvm/Support/Alignment.h"
+#include "llvm/Support/raw_ostream.h"
+#include "llvm/IR/CFG.h"
+using namespace llvm;
+
+namespace {
+    struct ReturnObfuscation : public FunctionPass {
+        static char ID;
+        ReturnObfuscation() : FunctionPass(ID) {}
+        bool runOnFunction(Function &F) override {
+            Module* mod = F.getParent();
+            /*
+            if (!F.getName().contains("setup") && !F.getName().contains("test")) {
+                return false;
+            }*/
+            ArrayType* return_array = ArrayType::get(IntegerType::get(mod->getContext(), 8), 12);
+            PointerType* return_array_ptr = PointerType::get(return_array, 0);
+            PointerType* ret_func_ptr = PointerType::get(IntegerType::get(mod->getContext(), 8), 0);
+            ConstantInt* const_int_1 = ConstantInt::get(mod->getContext(), APInt(32, StringRef("1"), 10));
+            ConstantInt* const_int_0 = ConstantInt::get(mod->getContext(), APInt(32, StringRef("0"), 10));
+            ConstantInt* const_int_20 = ConstantInt::get(mod->getContext(), APInt(32, StringRef("12"), 10));
+            ConstantInt* const_int32_133 = ConstantInt::get(mod->getContext(), APInt(32, StringRef("133"), 10));
+            AllocaInst* ptr_ret_array;
+            AllocaInst* ptr_this_ret;
+            AllocaInst* ret_array_ptr;
+            AllocaInst* ptr_i;
+            std::vector<Instruction *> instructions;
+            std::vector<BasicBlock *> RetBlocks;
+            bool inserted = false;
+            bool splitted = false;
+            for (auto &BB : F) {
+                for (auto &I : BB) {
+                    if(!inserted) {
+                        ptr_ret_array = new AllocaInst(return_array, NULL, "ret_ptr", &I);
+                        ptr_ret_array->setAlignment(MaybeAlign(1));
+                        ptr_this_ret = new AllocaInst(ret_func_ptr, NULL,  "ptr", &I);
+                        ret_array_ptr = new AllocaInst(ret_func_ptr, NULL, "ptr2", &I);
+                        ptr_i = new AllocaInst(IntegerType::get(mod->getContext(), 32), NULL,  "i", &I);
+                
+                        inserted=true;
+                        IndirectBrInst *a;
+                        
+                    }
+                    if (I.getOpcode() == Instruction::Ret) {
+                        instructions.push_back(&I);
+                    }
+                }
+            }
+
+            for (auto &I : instructions) {
+                BasicBlock *BB = I->getParent();
+                // One Instruction Basic Block has only one ret instructions
+                if (!BB->size() < 2)
+                {
+                    BasicBlock *retblock = BB->splitBasicBlock(I->getIterator(), BB->getName() + ".RetBlock");
+                    RetBlocks.push_back(retblock);
+                } else {
+                    RetBlocks.push_back(BB);
+                }
+                    
+            }
+
+            for (auto &BB : RetBlocks) {
+                Constant* retBlockAddress = BlockAddress::get(BB);
+                
+                BasicBlock* decrypt_start = BasicBlock::Create(mod->getContext(), "dec_start", &F, BB);
+                for (BasicBlock* preds : predecessors(BB)) {
+                    preds->getTerminator()->eraseFromParent();
+                    BranchInst::Create(decrypt_start, preds);
+                }
+                
+
+                std::vector<Value*> ptr_to_retarray_indices;
+                ptr_to_retarray_indices.push_back(const_int_0);
+                ptr_to_retarray_indices.push_back(const_int_0);
+                GetElementPtrInst* ptr_to_retarray = GetElementPtrInst::Create(return_array, ptr_ret_array, ptr_to_retarray_indices, "arrayidx", decrypt_start);
+                ptr_to_retarray->setIsInBounds(true);
+                StoreInst* store_to_ret_ptr = new StoreInst(ptr_to_retarray, ret_array_ptr, false, decrypt_start);
+                
+                store_to_ret_ptr->setAlignment(MaybeAlign(4));
+                
+                StoreInst* void_17 = new StoreInst(retBlockAddress, ptr_this_ret, false, decrypt_start);
+
+                ptr_this_ret->setAlignment(MaybeAlign(4));
+                ret_array_ptr->setAlignment(MaybeAlign(4));
+                ptr_i->setAlignment(MaybeAlign(4));
+                void_17->setAlignment(MaybeAlign(4));
+
+                
+
+                StoreInst* store_i_0 = new StoreInst(const_int_0, ptr_i, false, decrypt_start);
+                store_i_0->setAlignment(MaybeAlign(4));
+
+
+
+                BasicBlock* decrypt_cond = BasicBlock::Create(mod->getContext(), "dec_cond", &F, BB);
+
+                BranchInst::Create(decrypt_cond, decrypt_start);
+
+                LoadInst* ldr_i_data = new LoadInst(ptr_i, "", false, decrypt_cond);
+                ldr_i_data->setAlignment(MaybeAlign(4));
+                ICmpInst* cmp_i_with_20 = new ICmpInst(*decrypt_cond, ICmpInst::ICMP_SLT, ldr_i_data, const_int_20, "cmp");
+                
+                BasicBlock* decrypt_ing = BasicBlock::Create(mod->getContext(), "dec_ing", &F, BB);
+                BasicBlock* decrypt_add = BasicBlock::Create(mod->getContext(), "dec_add", &F, BB);
+                BasicBlock* decrypt_end = BasicBlock::Create(mod->getContext(), "dec_end", &F, BB);
+                BranchInst::Create(decrypt_ing, decrypt_end, cmp_i_with_20, decrypt_cond);
+
+                LoadInst* ldr_i_data_2 = new LoadInst(ptr_i, "", false, decrypt_ing);
+                ldr_i_data_2->setAlignment(MaybeAlign(4));
+                LoadInst* ldr_ptr_this_ret = new LoadInst(ptr_this_ret, "", false, decrypt_ing);
+                ldr_ptr_this_ret->setAlignment(MaybeAlign(4));
+                GetElementPtrInst* get_func_ptr_idx = GetElementPtrInst::Create(cast<PointerType>(ldr_ptr_this_ret->getType()->getScalarType())->getElementType(), ldr_ptr_this_ret, ldr_i_data_2, "arrayidx1", decrypt_ing);
+                get_func_ptr_idx->setIsInBounds(true);
+                LoadInst* ldr_func_ptr_idx = new LoadInst(get_func_ptr_idx, "", false, decrypt_ing);
+                ldr_func_ptr_idx->setAlignment(MaybeAlign(1));
+
+                LoadInst* ldr_i_data_3 = new LoadInst(ptr_i, "", false, decrypt_ing);
+                ldr_i_data_3->setAlignment(MaybeAlign(4));
+
+                std::vector<Value*> ptr_retn_array_indices;
+                ptr_retn_array_indices.push_back(const_int_0);
+                ptr_retn_array_indices.push_back(ldr_i_data_3);
+                GetElementPtrInst* get_retn_array_data_idx = GetElementPtrInst::Create(return_array, ptr_ret_array, ptr_retn_array_indices, "arrayidx2", decrypt_ing);
+                get_retn_array_data_idx->setIsInBounds(true);
+                StoreInst* str_retn_array_data_idx = new StoreInst(ldr_func_ptr_idx, get_retn_array_data_idx, false, decrypt_ing);
+                str_retn_array_data_idx->setAlignment(MaybeAlign(1));
+
+                LoadInst* ldr_i_data_4 = new LoadInst(ptr_i, "", false, decrypt_ing);
+                ldr_i_data_4->setAlignment(MaybeAlign(4));
+
+                std::vector<Value*> ptr_retn_array_indices2;
+                ptr_retn_array_indices2.push_back(const_int_0);
+                ptr_retn_array_indices2.push_back(ldr_i_data_4);
+                GetElementPtrInst* get_retn_array_data_idx2 = GetElementPtrInst::Create(return_array, ptr_ret_array, ptr_retn_array_indices2, "arrayidx3", decrypt_ing);
+                get_retn_array_data_idx2->setIsInBounds(true);
+                LoadInst* ldr_retn_array_data_idx2 = new LoadInst(get_retn_array_data_idx2, "", false, decrypt_ing);
+                ldr_retn_array_data_idx2->setAlignment(MaybeAlign(1));
+
+                CastInst* cast_retn_array_data_idx2 = new ZExtInst(ldr_retn_array_data_idx2, IntegerType::get(mod->getContext(), 32), "conv", decrypt_ing);
+                BinaryOperator* xor_retn_array_data_idx2 = BinaryOperator::Create(Instruction::Xor, cast_retn_array_data_idx2, const_int32_133, "xor", decrypt_ing);
+                
+                CastInst* trun_retn_array_data_idx2 = new TruncInst(xor_retn_array_data_idx2, IntegerType::get(mod->getContext(), 8), "conv4", decrypt_ing);
+                
+
+                LoadInst* ldr_i_data_5 = new LoadInst(ptr_i, "", false, decrypt_ing);
+                ldr_i_data_5->setAlignment(MaybeAlign(4));
+
+                std::vector<Value*> ptr_retn_array_indices4;
+                ptr_retn_array_indices4.push_back(const_int_0);
+                ptr_retn_array_indices4.push_back(ldr_i_data_5);
+                GetElementPtrInst* get_retn_array_data_idx4 = GetElementPtrInst::Create(return_array, ptr_ret_array, ptr_retn_array_indices4, "arrayidx5", decrypt_ing);
+                get_retn_array_data_idx4->setIsInBounds(true);
+                StoreInst* str_retn_array_data_idx4 = new StoreInst(trun_retn_array_data_idx2, get_retn_array_data_idx4, false, decrypt_ing);
+                str_retn_array_data_idx4->setAlignment(MaybeAlign(1));
+
+
+                BranchInst::Create(decrypt_add, decrypt_ing);
+
+                LoadInst* ldr_i_data_6 = new LoadInst(ptr_i, "", false, decrypt_add);
+                ldr_i_data_6->setAlignment(MaybeAlign(4));
+                BinaryOperator* add_i_data_4 = BinaryOperator::Create(Instruction::Add, ldr_i_data_6, const_int_1, "", decrypt_add);
+                StoreInst* str_i_data_4 = new StoreInst(add_i_data_4, ptr_i, false, decrypt_add);   
+                str_i_data_4->setAlignment(MaybeAlign(4));
+                BranchInst::Create(decrypt_cond, decrypt_add);
+
+                LoadInst* ldr_ret_array = new LoadInst(ret_array_ptr, "", false, decrypt_end);
+                ldr_ret_array->setAlignment(MaybeAlign(4));
+
+                BasicBlock* dec_jmp = BasicBlock::Create(mod->getContext(), "dec_jmp", &F, BB);
+                BranchInst::Create(dec_jmp, decrypt_end);
+
+                PHINode* ptr_40 = PHINode::Create(ret_func_ptr, 1, "", dec_jmp);
+                ptr_40->addIncoming(ldr_ret_array, decrypt_end);
+                IndirectBrInst *void_41 = IndirectBrInst::Create(ldr_ret_array, 1, dec_jmp);
+                void_41->addDestination(BB);
+                errs().write_escaped(F.getName()) << "   " <<  F.getParent()->getName() <<  '\n';
+            }
+            return true;
+        } 
+
+    }; // end of struct Hello
+}  // end of anonymous namespace
+
+char ReturnObfuscation::ID = 0;
+
+static RegisterPass<ReturnObfuscation> X("rof", "Hello World Pass",
+                             false /* Only looks at CFG */,
+                             false /* Analysis Pass */);
\ No newline at end of file