[Tinycc-devel] TCC Code and Data Scramble
From: Emil
Subject: [Tinycc-devel] TCC Code and Data Scramble
Date: Fri, 30 Apr 2010 13:50:05 +0100
Hello list,
This might be of some interest to someone who wants to make the reverse
engineering of his software much harder. I have added scrambling for
both generated code and data in TCC for i386.
You can obfuscate all calls and long jumps, the parameters passed to
external functions, parameters passed to local functions, the stack, and the
function prologs and epilogs. You can also encrypt your code's data section
by XORing it with an LFSR.
http://nic.ath.cx/~emil/download.html
http://uglyduck.ath.cx/~emil/download.html
With the 'x' switch the compiler heavily pollutes the generated code
making it larger and slower. The purpose of this operation is to
obfuscate the generated code and make reverse engineering harder.
The 'x' switch by itself will enable all the scramble options. You may
select individual scrambling features by listing them after the '-x':
- 'c' obfuscate all calls
- 'j' obfuscate all long jumps
- 'f' obfuscate parameters passed to external (library) functions
- 'p' obfuscate parameters passed to local functions
- 's' obfuscate the stack (size of local variables and their references)
- 'b' obfuscate function prologs
- 'e' obfuscate function epilogs (returns are replaced with jumps)
- 'd' encrypt data segment with an LFSR
The LFSR initial value as well as the unscrambling code is different
with every compile. TCC generates read only objects in the data section
(rather than rodata) so all your strings will be encrypted.
Code obfuscation is mainly achieved by inserting random data between
genuine operations. This tricks disassemblers because they will try to
disassemble the random data. They will miss real opcodes due to variable
size garbage instructions engulfing the former ones. All addressing is
changed to offset addressing using a variable base (usually in ebx).
This prevents disassemblers from generating any cross-references for both
functions and data.
The scrambling functionality is a patch against a stripped down version
of tcc 0.9.25 which handles only i386 code. Both the Linux
version and the cross-compiled version which generates Windows code work.
The current release passes tcctest with all scrambling switches enabled.
If you want to compile this compiler for a Windows platform you will
probably fail (mainly because I'm using /dev/urandom). I have no plans
to make it work for Windows because I'm not interested in that platform.
You can generate Windows code from Linux with the cross-compiler.
Generating static executables was broken on my Debian system (with stock
tcc 0.9.25) so I've patched this version to use dietlibc. This has the
advantage of making small executables which run on any kernel version
(the bloated libc checks kernel versions and refuses to run even if you
don't need any of the 2.6 functionality). The -run switch (used for C
scripting) now creates (in memory) static versions of your C. This is
faster and the program occupies less space. If you don't want statically
linked scripts you'll have to use -rdynamic with the -run switch.
--
Regards,
Emil
--
All my encrypted documents are safe because I use a super long passphrase.
It's supercalifragilisticexpialidocious or something like that.
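An added illustration of the '-xd' data-segment scrambling described in the message above; this is example code, not Emil's patch and not part of the TCC source. It shows a 16-bit Fibonacci LFSR seeded per build (from /dev/urandom, as the post describes), the single XOR pass that both scrambles and unscrambles a buffer, and a known-plaintext check that recovers the keystream, which is the practical caveat: an LFSR XOR hides strings from a casual `strings` run but is obfuscation, not encryption. The tap positions, the fallback seed 0xACE1, and the sample string are assumptions, since the post does not say which LFSR the patch uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit Fibonacci LFSR with taps 16,14,13,11 (x^16 + x^14 + x^13 + x^11 + 1).
 * The polynomial is primitive, so any non-zero seed walks through all 65535
 * non-zero states. The taps are an assumption for this example; the post does
 * not say which register the patch uses. */
static uint16_t lfsr_step(uint16_t *state)
{
    uint16_t s = *state;
    uint16_t bit = (uint16_t)(((s >> 0) ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    s = (uint16_t)((s >> 1) | (bit << 15));
    *state = s;
    return s;
}

/* Clock the register eight times and pack the output bits into one keystream byte. */
static uint8_t lfsr_byte(uint16_t *state)
{
    uint8_t out = 0;
    for (int i = 0; i < 8; i++)
        out = (uint8_t)((out << 1) | (lfsr_step(state) & 1u));
    return out;
}

/* Clocks until the register returns to its seed: 65535 for a maximal-length
 * LFSR, 0 for the stuck all-zero state. */
unsigned long lfsr_period(uint16_t seed)
{
    uint16_t st = seed;
    unsigned long n = 0;
    if (seed == 0) return 0;
    do { lfsr_step(&st); n++; } while (st != seed);
    return n;
}

/* XOR buf in place with the keystream derived from seed. XOR is its own
 * inverse, so the same call with the same seed unscrambles. Returns -1 for the
 * all-zero seed, which would yield an all-zero keystream (no change at all). */
int lfsr_xor(uint8_t *buf, size_t len, uint16_t seed)
{
    uint16_t st = seed;
    if (seed == 0) return -1;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= lfsr_byte(&st);
    return 0;
}

/* Per-build seed the way the post describes it: read from /dev/urandom.
 * Returns 0 if the device cannot be read; the caller must reject that value. */
uint16_t seed_from_urandom(void)
{
    uint16_t seed = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    if (fread(&seed, sizeof seed, 1, f) != 1) seed = 0;
    fclose(f);
    return seed;
}

/* Defender's caveat: the keystream is not secret once any plaintext is known.
 * XORing a known string against its scrambled form gives the keystream bytes
 * directly, and because the LFSR is linear the full register state follows
 * from a handful of them. */
void recover_keystream(const uint8_t *known, const uint8_t *scrambled,
                       size_t len, uint8_t *ks_out)
{
    for (size_t i = 0; i < len; i++)
        ks_out[i] = known[i] ^ scrambled[i];
}

/* Scramble a constructed sample string, confirm it changed, check that the
 * keystream recovered from known plaintext equals the keystream regenerated
 * from the seed, then unscramble. Returns 1 on success, 0 on any failure. */
int demo_roundtrip(uint16_t seed)
{
    static const uint8_t plain[] = "constructed sample: a string from .data";
    uint8_t buf[sizeof plain], ks_recovered[sizeof plain], ks_direct[sizeof plain];
    uint16_t st = seed;

    memcpy(buf, plain, sizeof plain);
    if (lfsr_xor(buf, sizeof buf, seed) != 0) return 0;
    if (memcmp(buf, plain, sizeof plain) == 0) return 0;   /* nothing was hidden */

    recover_keystream(plain, buf, sizeof plain, ks_recovered);
    for (size_t i = 0; i < sizeof plain; i++) ks_direct[i] = lfsr_byte(&st);
    if (memcmp(ks_recovered, ks_direct, sizeof plain) != 0) return 0;

    if (lfsr_xor(buf, sizeof buf, seed) != 0) return 0;   /* unscramble */
    return memcmp(buf, plain, sizeof plain) == 0;
}

int main(void)
{
    uint16_t seed = seed_from_urandom();
    if (seed == 0) seed = 0xACE1u;   /* assumed fallback so the demo still runs */
    printf("seed 0x%04x period %lu roundtrip %s\n", seed, lfsr_period(seed),
           demo_roundtrip(seed) ? "ok" : "FAILED");
    return 0;
}
```

The roundtrip mirrors what the compiler-side patch would have to do: pick a fresh seed at compile time, XOR the data section with the keystream, and emit unscrambling code that runs the same pass with the same seed before the data is first used. The `recover_keystream` step is the reason to treat the feature as an anti-casual-inspection measure only; anyone holding both a known string and its scrambled bytes gets the keystream for free.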