There are various approaches to client protection technology, including packing, obfuscation, anti-decompilation and tamper detection. In this presentation, we examine the advantages and disadvantages of these approaches and introduce our compiler-type client protection tool, DeClang.
There are already many open-source obfuscation projects based on LLVM. However, most of them are still experimental, with drawbacks such as lurking bugs, a lack of ARM support, and inapplicability to mobile app build flows. DeClang overcomes these problems and will be partly open sourced as a working-level obfuscation compiler.
In this presentation, we will analyze the Unity build flow and explain how to incorporate DeClang into it. I will also show how to find and fix a long-standing bug in the obfuscator-llvm project to make it a working-level obfuscator.
Through this presentation, we would like to make it possible for anyone to easily protect mobile apps.
2. CODE BLUE 2020
Self Introduction
≫ Security Engineer at DeNA Co., Ltd.
≫ Reverse Engineering / Developing / SOC / Application Pentesting / Cloud Security etc.
≫ CISSP
≫ Contacts
− GitHub: https://www.github.com/nevermoe
− Twitter: @nevermoecom
Agenda
≫ Motivation
≫ DeClang Introduction & Features
≫ An O-LLVM Bug & Fix
≫ Conclusion
Motivation
≫ Game cheating and app hacking are everywhere
− Memory Hacking
− Time Hacking
− Network Traffic Tampering
− Binary Tampering
− Hooking
− Assets dumping
− etc.
Motivation
≫ Commercial anti-hacking solutions are expensive
− Packer
− Anti-hacking Library
− Obfuscation Compiler
Motivation
≫ Can we create a free, open sourced anti-hacking solution?
− You can’t open source a packer or an anti-hacking library.
− But you can open source an obfuscation compiler partly.
* Other reasons: https://www.slideshare.net/dena_tech/declang-clang-dena-techcon-2020
Motivation
≫ That is DeClang
− An anti-hacking compiler that is partly open sourced.
− Based on LLVM project and extended Obfuscator-LLVM:
https://github.com/obfuscator-llvm/obfuscator
− Free to secure your apps and games. (Apache License 2.0)
− https://github.com/DeNA/DeClang
Motivation
≫ Why DeClang?
− Compatible with the Unity build flow and mobile app build flows.
− Cross-platform
• Host
➢ Windows / OSX / Linux
• Target
➢ X86 / X64 / ARM / AArch64
➢ ELF / Mach-O / PE
➢ Windows / OSX / Linux / Android / iOS
• Build Flow
➢ Unity / Cocos2d / NDK / Xcode / Make / Visual Studio
DeClang Introduction
≫ Unity build flow
[Figure: Unity build flow. Unity C# → IL2CPP → C++; the generated C++ is compiled by NDK Clang into an APK for Android, and by Apple Clang (Xcode) into an IPA for iOS]
DeClang Introduction
≫ How to integrate with DeClang?
[Figure: the same Unity build flow diagram as above (Unity C# → IL2CPP → C++ → NDK Clang → APK for Android; → Apple Clang (Xcode) → IPA for iOS)]
DeClang Introduction
≫ Simply replace official Clang with DeClang!
− For Android, replace the Clang binary.
− For iOS, set the CC and CXX environment variable.
[Figure: the same build flow with NDK Clang replaced by NDK DeClang for the Android APK, and Apple Clang (Xcode) replaced by DeClang (Xcode) for the iOS IPA]
DeClang Introduction
≫ How to pass config parameters to compiler?
− Pass -mllvm -fla to compiler
− Add __attribute((__annotate__(("fla")))) to functions in the source file
≫ You cannot control the parameters passed to the NDK in the Unity build flow
≫ It’s difficult to modify the C++ files generated by IL2CPP every time
😕
DeClang Introduction
≫ How to pass config parameters to compiler?
− Set the environment variable DECLANG_HOME and pass parameters via $DECLANG_HOME/.DeClang/config.json
− Flexible: all the setup can be done in shell / PowerShell scripts, so it’s easy to integrate DeClang into CI.
DeClang’s Feature
≫ Control Flow Flattening & Split Basic Blocks (Originated from O-LLVM)
DeClang’s Feature
≫ Indirect Branch (Original Feature)
− It is globally applied, so you don’t have to select target functions.
− However, it is weaker.
//config.json:
{
  "overall_obfuscation": 100 // obfuscation percentage
}
DeClang’s Feature
≫ Indirect Branch (Original Feature)
− These code blocks belong to a single function, but IDA recognizes them as different functions.
− As a result, IDA fails to decompile this code.
DeClang’s Feature
≫ Other O-LLVM features can be ported to DeClang easily
− Instruction Substitution
− Bogus Control Flow
DeClang’s Feature
≫ Features that are not open sourced
− Function-level anti-tamper
− Global anti-tamper
− Root / Jailbreak / Emulator detection
− global-metadata encryption
DeClang’s Feature
≫ Function-level anti-tamper
[Figure: two functions, foo and bar]
DeClang’s Feature
≫ Insert tamper detection at the beginning of the function
[Figure: foo and bar, each with a tamper detection block inserted at its start]
DeClang’s Feature
≫ Detecting tamper mutually
[Figure: three functions, foo, bar and baz, each starting with a tamper detection block; the blocks check each other across the three functions]
≫ Hackers have to remove all tamper detection at once!
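The mutual checking on these slides, as an added simulation that is not DeClang's code (this feature is not open sourced): each of foo, bar and baz is modelled as a byte string that starts with a guard, the guard hashes the other two functions against a reference table, and patching any one function is caught by the guards of its peers. The byte strings, the FNV-1a checksum, the guard/body layout and the function names `buildProgram`, `patchByte` and `detectors` are constructed for the model.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Each function is modelled as a byte string: the inserted tamper-detection
// prologue (kGuard) followed by the function body. Constructed model, not
// DeClang's implementation.
using Bytes = std::vector<uint8_t>;
static const Bytes kGuard = {0xAA, 0xBB, 0xCC};   // stands for the check code

// FNV-1a: the checksum a guard computes over a peer function's bytes.
uint32_t fnv1a(const Bytes& b) {
    uint32_t h = 2166136261u;
    for (uint8_t x : b) { h ^= x; h *= 16777619u; }
    return h;
}

struct Program {
    std::map<std::string, Bytes> code;                        // name -> bytes
    std::map<std::string, std::vector<std::string>> guards;   // name -> peers it checks
    std::map<std::string, uint32_t> expected;                 // reference checksums
};

// foo, bar and baz, each guarding the other two (mutual detection).
Program buildProgram() {
    Program p;
    std::map<std::string, Bytes> bodies = {
        {"foo", {0x01, 0x02, 0x03}}, {"bar", {0x10, 0x20}}, {"baz", {0x30, 0x40, 0x50, 0x60}}};
    for (const auto& kv : bodies) {
        Bytes fn = kGuard;                                          // prologue first
        fn.insert(fn.end(), kv.second.begin(), kv.second.end());    // then the body
        p.code[kv.first] = fn;
        for (const auto& peer : bodies)
            if (peer.first != kv.first) p.guards[kv.first].push_back(peer.first);
    }
    // Reference checksums live outside the hashed bytes (a real build patches
    // them in after linking), which avoids the circular-hash problem.
    for (const auto& kv : p.code) p.expected[kv.first] = fnv1a(kv.second);
    return p;
}

// Simulate patching one byte of fn. A patch inside the prologue disables
// fn's own guard, which is what removing a check amounts to.
void patchByte(Program& p, const std::string& fn, size_t offset, uint8_t value) {
    p.code.at(fn).at(offset) = value;
    if (offset < kGuard.size()) p.guards[fn].clear();
}

// Names of the functions whose prologue would fire: a guard fires when any
// peer's current checksum differs from the reference value.
std::vector<std::string> detectors(const Program& p) {
    std::vector<std::string> firing;
    for (const auto& kv : p.guards)
        for (const auto& peer : kv.second)
            if (fnv1a(p.code.at(peer)) != p.expected.at(peer)) { firing.push_back(kv.first); break; }
    return firing;
}

int main() {
    Program p = buildProgram();
    patchByte(p, "foo", 0, 0x90);   // remove foo's check only
    for (const auto& fn : detectors(p)) std::cout << fn << " detects the patch to foo\n";
}
```

Removing one check changes that function's bytes, so the two peers that hash it still fire; removing a second check still leaves the third. The model makes the slide's point concrete: the checks must all be removed together, and the reference table must stay outside the hashed regions for the scheme to be buildable at all.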
An O-LLVM Bug
≫ Flattening Logic ③: What if bb1 ends with “br bb3”?
[Figure: left, the original blocks bb1 (prologue), bb2, bb3, bb4 (epilogue); right, the flattened form: bb1 (prologue) sets switchVar = 0x1 and enters the switch bb, which dispatches with "if switchVar == 0x1", "if switchVar == 0x2" and "if switchVar == 0x3"; bb2 sets switchVar = 0x3 and bb3 sets switchVar = 0x1 before returning to the switch bb; bb4 is the epilogue]
An O-LLVM Bug
≫ Flattening Logic ③: What if bb1 ends with “br bb3”?
https://github.com/obfuscator-llvm/obfuscator/blob/llvm-4.0/lib/Transforms/Obfuscation/Flattening.cpp#L119-L122
[Figure: the same flattened CFG as on the previous slide, next to the original blocks bb1 (prologue), bb2, bb3, bb4 (epilogue)]
− O-LLVM always assumes the first bb (bb2) in the switch will be executed first.
An O-LLVM Bug
≫ How could this happen?
− Usually the prologue only branches to the bb indexed next to it (if its branch instruction is not conditional).
[Figure: Normal Case: bb1 (prologue), bb2, bb3, bb4 (epilogue) in order]
An O-LLVM Bug
≫ How could this happen?
− However, if you write messy code with a lot of gotos...
[Figure: Abnormal Case: bb1 (prologue), bb2, bb3, bb4 (epilogue), where bb1 ends with “br bb3” instead of falling through to bb2]
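The bug and its fix as an added, self-contained model that is not O-LLVM's or DeClang's source: the CFG and the flattening pass are reduced to plain C++ so that the buggy prologue initialization (switchVar gets the case of the block listed right after the prologue) can be run side by side with the corrected one (switchVar gets the case of the block the prologue's terminator actually branches to). Block names, the case values 0x1..0x3 and the two sample CFGs follow the slides; the `flatten`, `run` and `runOriginal` helpers and the single-successor block model are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// A basic block with a single unconditional successor; the epilogue has none.
// (Model only: O-LLVM splits conditional branches so the entry block ends in
// an unconditional branch before it reaches this step.)
struct Block { std::string name; std::string succ; };
// index 0 is the prologue (entry block), the last entry is the epilogue.
using Cfg = std::vector<Block>;

// Result of flattening: every non-prologue block gets a switch case value; the
// prologue stores entryCase into switchVar and jumps to the switch block.
struct Flattened {
    std::string prologue;
    std::map<std::string, uint32_t> caseOf;   // block name -> case value
    std::map<uint32_t, Block> blocks;         // case value -> block
    uint32_t entryCase = 0;
    uint32_t epilogueCase = 0;
};

// Flatten `cfg`. With buggy == true the prologue stores the case value of the
// block listed right after it (O-LLVM's assumption, origBB[0] after erasing
// the entry block); otherwise it stores the case of its real branch target.
Flattened flatten(const Cfg& cfg, bool buggy) {
    Flattened f;
    f.prologue = cfg[0].name;
    uint32_t next = 0x1;                       // the slides number cases 0x1, 0x2, 0x3
    for (size_t i = 1; i < cfg.size(); ++i, ++next) {
        f.caseOf[cfg[i].name] = next;
        f.blocks[next] = cfg[i];
    }
    f.epilogueCase = f.caseOf.at(cfg.back().name);
    f.entryCase = buggy ? f.caseOf.at(cfg[1].name) : f.caseOf.at(cfg[0].succ);
    return f;
}

// Interpret the flattened function: dispatch on switchVar, run the block, let
// the block set switchVar to its successor's case, loop until the epilogue.
std::vector<std::string> run(const Flattened& f) {
    std::vector<std::string> order{f.prologue};
    uint32_t switchVar = f.entryCase;
    for (size_t steps = 0; steps <= f.blocks.size(); ++steps) {   // bounded loop
        const Block& b = f.blocks.at(switchVar);
        order.push_back(b.name);
        if (switchVar == f.epilogueCase) break;
        switchVar = f.caseOf.at(b.succ);
    }
    return order;
}

// Execution order of the unflattened CFG, for comparison.
std::vector<std::string> runOriginal(const Cfg& cfg) {
    std::map<std::string, const Block*> byName;
    for (const Block& b : cfg) byName[b.name] = &b;
    std::vector<std::string> order;
    const Block* cur = &cfg[0];
    while (true) {
        order.push_back(cur->name);
        if (cur->succ.empty()) break;
        cur = byName.at(cur->succ);
    }
    return order;
}

std::string join(const std::vector<std::string>& v) {
    std::string s;
    for (size_t i = 0; i < v.size(); ++i) s += (i ? " -> " : "") + v[i];
    return s;
}

// Constructed CFGs matching the slides. Normal: the prologue falls through to
// bb2. Abnormal (goto-heavy source): bb1 ends with "br bb3", bb3 goes to bb2.
const Cfg kNormal   = {{"bb1", "bb2"}, {"bb2", "bb3"}, {"bb3", "bb4"}, {"bb4", ""}};
const Cfg kAbnormal = {{"bb1", "bb3"}, {"bb2", "bb4"}, {"bb3", "bb2"}, {"bb4", ""}};

int main() {
    for (const Cfg* cfg : {&kNormal, &kAbnormal}) {
        std::cout << "original : " << join(runOriginal(*cfg)) << '\n'
                  << "buggy    : " << join(run(flatten(*cfg, true))) << '\n'
                  << "fixed    : " << join(run(flatten(*cfg, false))) << "\n\n";
    }
}
```

On the normal CFG both variants execute bb1 -> bb2 -> bb3 -> bb4, which is why the assumption survived so long. On the abnormal CFG the buggy variant runs bb1 -> bb2 -> bb4 and silently skips bb3, while the fixed variant reproduces the original order. The only difference is which case value the prologue stores, which is the site the slide's Flattening.cpp link points at.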