
Hikari-LLVM15

A fork of HikariObfuscator [WIP]


Original project

https://github.com/HikariObfuscator/Hikari

Building

https://llvm.org/docs/GettingStarted.html#getting-the-source-code-and-building-llvm

If you use macOS, you can download a prebuilt toolchain directly from GitHub Actions.

Swift obfuscation support

Because Xcode's LLVM carries a large number of closed-source changes relative to upstream LLVM, Hanabi can no longer compile Swift as of Xcode 15.

Use a Swift toolchain

Note that the obfuscation flags go into Other Swift Flags under Swift Compiler - Other Flags, and each one must be prefixed with -Xllvm rather than -mllvm. Optimization is turned off under Swift Compiler - Code Generation, Optimization Level, by selecting No Optimization [-Onone]. Because of how Swift is compiled, string obfuscation may not take effect if optimization is left on while obfuscating Swift.

After every change to Other Swift Flags you must run Shift+Command+K (Clean Build Folder) before building, because Swift, unlike Objective-C, does not notice that the project's cflags changed and recompile on its own.

PreCompiled IR

PreCompiled IR is a custom LLVM Bitcode file. Generate it by adding -emit-llvm to the compile command (C Flags) of the source file that contains the callback functions, then place the resulting file at the path given by the corresponding option.

Changes

AntiClassDump

arm64e support

BogusControlFlow

Skip basic blocks that contain a MustTailCall to avoid errors

Skip presplit coroutines and basic blocks that contain a CoroBeginInst to support Swift

Fixed opaque predicates that were disappearing

Flattening

Skip presplit coroutines to support Swift

The state variable is modified indirectly, which keeps some deobfuscation scripts (such as d810) from recovering the control flow properly

FunctionCallObfuscate

Objective-C calls are obfuscated only where obfuscation is enabled, rather than across the whole module

FunctionWrapper

Skip some functions that currently cannot be handled, to support Swift

Support obfuscating functions with byval arguments (possibly?)

SplitBasicBlocks

Fixed a possible heap corruption bug

StringEncryption

Support encrypting strings stored inside structs and arrays

Support encrypting Rust strings

arm64e support

Substitution

Added more substitution patterns

IndirectBranch

Reorders the basic blocks after the pass has run

Stack-based jumps are enabled by default, which makes static analysis harder

Obfuscation options

Only the modified parts are described here. For the features that already exist in the original project, see https://github.com/HikariObfuscator/Hikari/wiki/

AntiClassDump

-acd-rename-methodimp

Renames the method implementation function names shown in IDA (to ACDMethodIMP); it does not rename the methods themselves. Off by default

AntiHooking

Enabling this feature for the whole build makes the generated binary grow dramatically; it is recommended to enable it only for selected functions (toObfuscate).

Supports detecting Objective-C runtime hooks. If a hook is detected, the AHCallBack function (taken from the PreCompiled IR) is called; if AHCallBack does not exist, the program exits.

InlineHook detection currently supports arm64 only. Code is inserted into the function to check whether the current function has been hooked; if so, the AHCallBack function (taken from the PreCompiled IR) is called, and if AHCallBack does not exist, the program exits.

-enable-antihook

Enable AntiHooking. Off by default

-ah_inline

Detect whether the current function has been inline hooked. On by default

-ah_objcruntime

Detect whether the current function has been hooked through the runtime. On by default

-ah_antirebind

Prevent the generated file's symbols from being rebound with fishhook. Off by default

-adhexrirpath

Path to the AntiHooking PreCompiled IR file

AntiDebugging

Automatically inserts anti-debugging into functions. If the InitADB and ADBCallBack functions exist (taken from the PreCompiled IR), the ADBInit function is called. If InitADB and ADBCallBack do not exist and the target is Apple ARM64, inline-assembly anti-debugging is inserted automatically into functions with a void return type; otherwise nothing is done.

-enable-adb

Enable AntiDebugging. Off by default

-adb_prob

Probability that anti-debugging is added to each function. Default 40

-adbextirpath

Path to the AntiDebugging PreCompiled IR file

StringEncryption

-strcry_prob

Probability that each byte of each string is encrypted. Default 100.

BogusControlFlow

-bcf_onlyjunkasm

Insert only junk instructions into the bogus blocks

-bcf_junkasm

Insert junk instructions into the bogus blocks to interfere with IDA's function recognition. Off by default

-bcf_junkasm_minnum

Minimum number of junk instructions in a bogus block. Default 2

-bcf_junkasm_maxnum

Maximum number of junk instructions in a bogus block. Default 4

-bcf_createfunc

Wrap the opaque predicates in functions. Off by default

ConstantEncryption

Adapted from https://iosre.com/t/llvm-llvm/11132

XOR-encrypts the constant integers (ConstantInt) used by the instructions the pass can handle

-enable-constenc

Enable ConstantEncryption. Off by default

-constenc_times

Number of times ConstantEncryption is applied to each function. Default 1

-constenc_togv

Replace constant integers (ConstantInt) with global variables, and also replace the results of integer-typed binary operators (BinaryOperator) with global variables. Off by default

-constenc_togv_prob

Probability that each constant integer (ConstantInt) is replaced with a global variable. Default 50

-constenc_subxor

Substitute the XOR operations emitted by ConstantEncryption with more complex equivalents

-constenc_subxor_prob

Probability that each XOR operation is replaced with an equivalent but more complex operation. Default 40
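The rewrite these ConstantEncryption options describe, shown at C level as an added illustration (this is not Hikari's code, which transforms LLVM IR; the key values, function names and the two XOR identities are assumptions made for the example):

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the ConstantEncryption rewrite. Keys and names
 * are made up for this example and are not taken from the pass. */

/* Before -enable-constenc: the literal 0x1337 is an immediate in the code. */
uint32_t check_plain(uint32_t v) { return v == 0x1337u; }

/* After -enable-constenc: only (0x1337 XOR key) is stored, and the constant
 * is recovered at runtime. With -constenc_togv the key and ciphertext are
 * loaded from global variables instead of being immediates; volatile keeps
 * the compiler from folding the XOR back into 0x1337 in this demonstration. */
volatile uint32_t g_key = 0xA5C3F00Du;           /* per-site random key  */
volatile uint32_t g_enc = 0xA5C3F00Du ^ 0x1337u; /* ciphertext of 0x1337 */

uint32_t check_xor(uint32_t v) { return v == (g_enc ^ g_key); }

/* -constenc_subxor: a ^ b rewritten into an equivalent, less recognisable
 * form. Two identities that work; which form the pass emits is its choice. */
uint32_t subxor_a(uint32_t a, uint32_t b) { return (a | b) & ~(a & b); }
uint32_t subxor_b(uint32_t a, uint32_t b) { return (a & ~b) | (~a & b); }

uint32_t check_subxor(uint32_t v) { return v == subxor_a(g_enc, g_key); }

/* -constenc_times N: running the pass N times re-encrypts the constants the
 * previous run introduced; at the value level this is a chain of N XORs, and
 * decryption applies the same keys in reverse order. */
uint32_t encrypt_times(uint32_t c, const uint32_t *keys, int n) {
    for (int i = 0; i < n; i++) c ^= keys[i];
    return c;
}
uint32_t decrypt_times(uint32_t e, const uint32_t *keys, int n) {
    for (int i = n - 1; i >= 0; i--) e ^= keys[i];
    return e;
}

/* Round trip with three constructed keys; the ciphertext must differ from the
 * plaintext and decrypt back to it. */
int times_roundtrip_ok(void) {
    const uint32_t keys[3] = { 0x11111111u, 0x22222222u, 0x44444444u };
    uint32_t e = encrypt_times(0x1337u, keys, 3);
    return e != 0x1337u && decrypt_times(e, keys, 3) == 0x1337u;
}

/* Check that both substitutions really equal XOR on a few sample inputs. */
int subxor_matches_xor(void) {
    const uint32_t s[] = { 0u, 0xFFFFFFFFu, 0x1337u, 0xA5C3F00Du, 0x80000001u };
    int n = (int)(sizeof s / sizeof s[0]);
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (subxor_a(s[i], s[j]) != (s[i] ^ s[j]) ||
                subxor_b(s[i], s[j]) != (s[i] ^ s[j]))
                return 0;
    return 1;
}

int main(void) {
    printf("plain  matches 0x1337: %u\n", check_plain(0x1337u));
    printf("xor    matches 0x1337: %u\n", check_xor(0x1337u));
    printf("subxor matches 0x1337: %u\n", check_subxor(0x1337u));
    printf("stored ciphertext    : 0x%08x\n", g_enc);
    printf("times=3 round trip ok: %d\n", times_roundtrip_ok());
    printf("subxor identities ok : %d\n", subxor_matches_xor());
    return 0;
}
```
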

IndirectBranch

-indibran-use-stack

Load the address of the jump table onto the stack in the entry block and have every basic block read it back from the stack. On by default

-indibran-enc-jump-target

Encrypt the jump table and the index. Off by default

Function Annotations

Supported options

C/C++ functions

For example, if you have several functions and want to enable indibran-use-stack only for the function int foo():

int foo() __attribute((__annotate__(("indibran_use_stack"))));
int foo() {
   return 2;
}

For example, to disable indibran-use-stack for the function int foo():

int foo() __attribute((__annotate__(("noindibran_use_stack"))));
int foo() {
   return 2;
}

For example, to set bcf_prob to 100 for the function int foo():

int foo() __attribute((__annotate__(("bcf_prob=100"))));
int foo() {
   return 2;
}

ObjC methods

For example, to enable indibran-use-stack as in the C/C++ example:

#import <Foundation/Foundation.h>

#ifdef __cplusplus
extern "C" {
#endif
/* Marker call: the pass recognises it and enables the option for this method */
void hikari_indibran_use_stack(void);
#ifdef __cplusplus
}
#endif

@implementation foo2 : NSObject
+ (void)foo {
  hikari_indibran_use_stack();
  NSLog(@"FOOOO2");
}
@end

For example, to set bcf_prob to 100 for the method + (void)foo:

#import <Foundation/Foundation.h>
#include <stdint.h>

#ifdef __cplusplus
extern "C" {
#endif
/* Marker call: the pass recognises it and sets bcf_prob for this method */
void hikari_bcf_prob(uint32_t);
#ifdef __cplusplus
}
#endif

@implementation foo2 : NSObject
+ (void)foo {
  hikari_bcf_prob(100);
  NSLog(@"FOOOO2");
}
@end

Options

  • ah_inline
  • ah_objcruntime
  • ah_antirebind
  • bcf_prob
  • bcf_loop
  • bcf_cond_compl
  • bcf_onlyjunkasm
  • bcf_junkasm
  • bcf_junkasm_maxnum
  • bcf_junkasm_minnum
  • bcf_createfunc
  • constenc_subxor
  • constenc_togv
  • constenc_togv_prob
  • constenc_subxor_prob
  • constenc_times
  • fw_prob
  • indibran_use_stack
  • indibran_enc_jump_target
  • split_num
  • strcry_prob
  • sub_loop
  • sub_prob

Newly supported flags

  • adb Anti Debugging
  • antihook Anti Hooking
  • constenc Constant Encryption

License

https://github.com/HikariObfuscator/Hikari#license


Issues

Can't compile Hanabi lib

I'm trying to compile Hanabi according to the instructions in the following repository, but I don't understand how to do it

Comment improvements in the commits

Hi. Could you, please, put more details in the commits?
I just came back to check for updates in your project and noticed that each commit is just "update submodule".
At the same time, some commits can have tons of changes. It is difficult to track which changes are refactored code and which are bug fixes/improvements. The commit can be "all in one".

`constenc` crashes compiler on llvm-16

  PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
  Stack dump:
  0.	Program arguments: D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/bin/clang++.exe -target i686-none-linux-android27 -fdata-sections -ffunction-sections -fstack-protector-strong -funwind-tables -no-canonical-prefixes --sysroot D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/sysroot -g -Wno-invalid-command-line-argument -Wno-unused-command-line-argument -fno-exceptions -fno-rtti -fPIC -O2 -Wall -Wextra -fno-stack-protector -fomit-frame-pointer -Wno-builtin-macro-redefined -Oz -Wno-unused -Wno-unused-parameter -fvisibility=hidden -fvisibility-inlines-hidden -fno-unwind-tables -fno-asynchronous-unwind-tables -mllvm -enable-strcry -mllvm -enable-bcfobf -mllvm -enable-subobf -mllvm -acd-rename-methodimp -mllvm -enable-constenc -std=c++20 -Wformat -Werror=format-security -Werror -D_FORTIFY_SOURCE=2 -DNDEBUG -IC:/Users/loves/.gradle/caches/transforms-3/5f8d078397952c9893b464476cf43a11/transformed/cxx-1.2.0/prefab/modules/cxx/include -Ijni -D__FILE__=__FILE_NAME__ -DANDROID -DVERSION_CODE=141 -DVERSION_NAME=0.6 -nostdinc++ -c -MMD -MP -MF build/intermediates/cxx/Release/3s2a1y2v/obj/local/x86/objs/main.o.d -fcolor-diagnostics -o build/intermediates/cxx/Release/3s2a1y2v/obj/local/x86/objs/main.o jni/main.cpp
  1.	<eof> parser at end of file
  2.	Code generation
  3.	Running pass 'Function Pass Manager' on module 'jni/main.cpp'.
  4.	Running pass 'X86 DAG->DAG Instruction Selection' on function '@_ZN7main15FixHelloWorldTERKN5lsplt2v27MapInfoE'
  Exception Code: 0xC0000005
   #0 0x00007ff75aea03bc llvm::DAGTypeLegalizer::IntegerExpandSetCCOperands(llvm::SDValue&, llvm::SDValue&, llvm::ISD::CondCode&, llvm::SDLoc const&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x21503bc)
   #1 0x00007ff75ae371c9 llvm::DAGTypeLegalizer::ExpandIntOp_SETCC(llvm::SDNode*) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x20e71c9)
   #2 0x00007ff75ae670e5 llvm::DAGTypeLegalizer::ExpandIntegerOperand(llvm::SDNode*, unsigned int) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x21170e5)
   #3 0x00007ff75aec01b4 llvm::DAGTypeLegalizer::run() (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x21701b4)
  clang++: error: clang frontend command failed due to signal (use -v to see invocation)
  clang version 16.0.0
  Target: i686-none-linux-android27
  Thread model: posix
  InstalledDir: D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/bin
  clang++: note: diagnostic msg: 
  ********************

Constant encryption crash

System: Ubuntu 22.0.4 Server
when calling with -mllvm enable-constenc
0. Program arguments: /usr/local/bin/clang-15 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj --mrelax-relocations -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name ipaddress.c -static-define -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -mllvm -treat-scalable-fixed-error-as-warning -debugger-tuning=gdb -fcoverage-compilation-dir=/home/ta1on/code/watchtower -resource-dir /usr/local/lib/clang/15.0.2 -internal-isystem /usr/local/lib/clang/15.0.2/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/9/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wall -fdebug-compilation-dir=/home/ta1on/code/watchtower -ferror-limit 19 -pthread -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -mllvm -enable-constenc -mllvm -enable-subobf -mllvm -enable-cffobf -mllvm -enable-bcfobf -mllvm -enable-splitobf -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/ipaddress-e160ec.o -x c ipaddress.c

  1. parser at end of file
  2. Optimizer
    #0 0x000055985cfcc784 PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
    #1 0x000055985cfc9fe4 SignalHandler(int) Signals.cpp:0:0
    #2 0x00007fea0eb8f420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
    #3 0x000055985d182471 eliminateDeadSwitchCases(llvm::SwitchInst*, llvm::DomTreeUpdater*, llvm::AssumptionCache*, llvm::DataLayout const&) SimplifyCFG.cpp:0:0
    #4 0x000055985d19cf6c (anonymous namespace)::SimplifyCFGOpt::simplifySwitch(llvm::SwitchInst*, llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>&) SimplifyCFG.cpp:0:0
    #5 0x000055985d1a0c2b llvm::simplifyCFG(llvm::BasicBlock*, llvm::TargetTransformInfo const&, llvm::DomTreeUpdater*, llvm::SimplifyCFGOptions const&, llvm::ArrayRef<llvm::WeakVH>) (/usr/local/bin/clang-15+0x3a14c2b)

`-cffobf` crashes the compiler when EH function used

CFLAGS: -enable-cffobf

  Stack dump:
  0.	Program arguments: D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/bin/clang++.exe -target x86_64-none-linux-android27 -fdata-sections -ffunction-sections -fstack-protector-strong -funwind-tables -no-canonical-prefixes --sysroot D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/sysroot -g -Wno-invalid-command-line-argument -Wno-unused-command-line-argument -fno-exceptions -fno-rtti -fPIC -O2 -Wall -Wextra -fno-stack-protector -fomit-frame-pointer -Wno-builtin-macro-redefined -Oz -Wno-unused -Wno-unused-parameter -fvisibility=hidden -fvisibility-inlines-hidden -fno-unwind-tables -fno-asynchronous-unwind-tables -mllvm -enable-strcry -mllvm -enable-bcfobf -mllvm -enable-cffobf -std=c++20 -Wformat -Werror=format-security -Werror -D_FORTIFY_SOURCE=2 -DNDEBUG -IC:/Users/loves/.gradle/caches/transforms-3/5f8d078397952c9893b464476cf43a11/transformed/cxx-1.2.0/prefab/modules/cxx/include -Ijni -D__FILE__=__FILE_NAME__ -DANDROID -DVERSION_CODE=141 -DVERSION_NAME=0.6 -nostdinc++ -c -MMD -MP -MF build/intermediates/cxx/Release/3s2a1y2v/obj/local/x86_64/objs/main.o.d -fcolor-diagnostics -o build/intermediates/cxx/Release/3s2a1y2v/obj/local/x86_64/objs/main.o jni/main.cpp
  1.	<eof> parser at end of file
  2.	Optimizer
  Exception Code: 0xC0000005
   #0 0x00007ff759cec6de sink(llvm::Instruction&, llvm::LoopInfo*, llvm::DominatorTree*, llvm::Loop const*, llvm::ICFLoopSafetyInfo*, llvm::MemorySSAUpdater&, llvm::OptimizationRemarkEmitter*) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0xf9c6de)
   #1 0x00007ff75a901505 llvm::sinkRegion(llvm::DomTreeNodeBase<llvm::BasicBlock>*, llvm::AAResults*, llvm::LoopInfo*, llvm::DominatorTree*, llvm::TargetLibraryInfo*, llvm::TargetTransformInfo*, llvm::Loop*, llvm::MemorySSAUpdater&, llvm::ICFLoopSafetyInfo*, llvm::SinkAndHoistLICMFlags&, llvm::OptimizationRemarkEmitter*, llvm::Loop*) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x1bb1505)
   #2 0x00007ff75a5e5432 (anonymous namespace)::LoopInvariantCodeMotion::runOnLoop(llvm::Loop*, llvm::AAResults*, llvm::LoopInfo*, llvm::DominatorTree*, llvm::AssumptionCache*, llvm::TargetLibraryInfo*, llvm::TargetTransformInfo*, llvm::ScalarEvolution*, llvm::MemorySSA*, llvm::OptimizationRemarkEmitter*, bool) (.part.0) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x1895432)
   #3 0x00007ff75b525525 llvm::LICMPass::run(llvm::Loop&, llvm::AnalysisManager<llvm::Loop, llvm::LoopStandardAnalysisResults&>&, llvm::LoopStandardAnalysisResults&, llvm::LPMUpdater&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x27d5525)
  #38 0x00007ff758d51406 mainCRTStartup C:/M/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:195:3
  #39 0x00007ff9d650269d (C:\WINDOWS\System32\KERNEL32.DLL+0x1269d)
  #40 0x00007ff9d7c2a9f8 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x5a9f8)
  clang++: error: clang frontend command failed due to signal (use -v to see invocation)
  clang version 16.0.0
  Target: x86_64-none-linux-android27
  Thread model: posix
  InstalledDir: D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/bin
  clang++: note: diagnostic msg: 
  ********************
  
  PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
  Preprocessed source(s) and associated run script(s) are located at:
  clang++: note: diagnostic msg: C:/Users/loves/AppData/Local/Temp/main-a2580b.cpp
  clang++: note: diagnostic msg: C:/Users/loves/AppData/Local/Temp/main-a2580b.sh
  clang++: note: diagnostic msg: 
  
  ********************

With -O0 it still crashes on arm64:

  Exception Code: 0xC0000005
   #0 0x00007ff75b2f996b llvm::getDefSrcRegIgnoringCopies(llvm::Register, llvm::MachineRegisterInfo const&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x25a996b)
   #1 0x00007ff75b1ca326 llvm::getDefIgnoringCopies(llvm::Register, llvm::MachineRegisterInfo const&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x247a326)
   #2 0x00007ff75c9f9348 (anonymous namespace)::AArch64InstructionSelector::selectAddrModeWRO(llvm::MachineOperand&, unsigned int) const (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x3ca9348)
   #3 0x00007ff75c9f98f3 std::optional<llvm::SmallVector<std::function<void (llvm::MachineInstrBuilder&)>, 4u>> (anonymous namespace)::AArch64InstructionSelector::selectAddrModeWRO<64>(llvm::MachineOperand&) const (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x3ca98f3)
   #4 0x00007ff75cd042e4 bool llvm::InstructionSelector::executeMatchTable<(anonymous namespace)::AArch64InstructionSelector const, llvm::PredicateBitsetImpl<57ull>, std::optional<llvm::SmallVector<std::function<void (llvm::MachineInstrBuilder&)>, 4u>> ((anonymous namespace)::AArch64InstructionSelector::*)(llvm::MachineOperand&) const, void ((anonymous namespace)::AArch64InstructionSelector::*)(llvm::MachineInstrBuilder&, llvm::MachineInstr const&, int) const>((anonymous namespace)::AArch64InstructionSelector const&, llvm::SmallVector<llvm::MachineInstrBuilder, 4u>&, llvm::InstructionSelector::MatcherState&, llvm::InstructionSelector::ISelInfoTy<llvm::PredicateBitsetImpl<57ull>, std::optional<llvm::SmallVector<std::function<void (llvm::MachineInstrBuilder&)>, 4u>> ((anonymous namespace)::AArch64InstructionSelector::*)(llvm::MachineOperand&) const, void ((anonymous namespace)::AArch64InstructionSelector::*)(llvm::MachineInstrBuilder&, llvm::MachineInstr const&, int) const> const&, long long const*, llvm::TargetInstrInfo const&, llvm::MachineRegisterInfo&, llvm::TargetRegisterInfo const&, llvm::RegisterBankInfo const&, llvm::PredicateBitsetImpl<57ull> const&, llvm::CodeGenCoverage&) const (.constprop.0) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x3fb42e4)
   #5 0x00007ff75a68926c (anonymous namespace)::AArch64InstructionSelector::select(llvm::MachineInstr&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x193926c)
   #6 0x00007ff75b00c774 llvm::InstructionSelect::runOnMachineFunction(llvm::MachineFunction&) (.part.0) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x22bc774)
   #7 0x00007ff75b0f3268 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (.part.0) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x23a3268)
   #8 0x00007ff75aaf7e67 llvm::FPPassManager::runOnFunction(llvm::Function&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x1da7e67)
   #9 0x00007ff75aaf7b03 llvm::FPPassManager::runOnModule(llvm::Module&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x1da7b03)
  #10 0x00007ff75b479688 llvm::legacy::PassManagerImpl::run(llvm::Module&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x2729688)
  #11 0x00007ff75ba8fbe8 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream>>) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x2d3fbe8)
  #12 0x00007ff759086409 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x336409)
  #13 0x00007ff75c7d6201 clang::ParseAST(clang::Sema&, bool, bool) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x3a86201)
  #14 0x00007ff75b94fe29 clang::FrontendAction::Execute() (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x2bffe29)
  #15 0x00007ff75ba65088 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x2d15088)
  #16 0x00007ff75beff0eb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x31af0eb)
  #17 0x00007ff75964cb88 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x8fcb88)
  #18 0x00007ff759726d22 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x9d6d22)
  #19 0x00007ff75aa8b3c9 void llvm::function_ref<void ()>::callback_fn<clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes(clang::Declarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::ForRangeInit*)::'lambda0'()>(long long) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x1d3b3c9)
  #20 0x00007ff75b1803ff llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x24303ff)
  #21 0x00007ff75cf7e253 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::optional<llvm::StringRef>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*, bool*) const (.part.0) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x422e253)
  #22 0x00007ff75cfb7b4c clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x4267b4c)
  #23 0x00007ff75cfb7926 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&, bool) const (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x4267926)
  #24 0x00007ff75c4b5dbd clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*>>&) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x3765dbd)
  #25 0x00007ff7596046ae clang_main(int, char**) (D:\Android\SDK\ndk\25.2.9519655\toolchains\llvm\prebuilt\windows-x86_64\bin\clang++.exe+0x8b46ae)
  #26 0x00007ff758d512ee __tmainCRTStartup C:/M/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:273:8
  #27 0x00007ff758d51406 mainCRTStartup C:/M/mingw-w64-crt-git/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:195:3
  #28 0x00007ff9d650269d (C:\WINDOWS\System32\KERNEL32.DLL+0x1269d)
  #29 0x00007ff9d7c2a9f8 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x5a9f8)
  clang++: error: clang frontend command failed due to signal (use -v to see invocation)
  clang version 16.0.0
  Target: aarch64-none-linux-android27
  Thread model: posix
  InstalledDir: D:/Android/SDK/ndk/25.2.9519655/build/../toolchains/llvm/prebuilt/windows-x86_64/bin
  clang++: note: diagnostic msg: 
  ********************

I am not able to provide the source code currently. I may try to create a minimal reproducible sample.

Anyone tried with Xcode 14.1?

@NeHyci Hanabi is working with macOS Ventura and Xcode 14.0.1; I am just reconfirming so that I can update my setup. Mainly, is there any ETA on an update for Xcode 14.1, or does the current one work just fine?

Big Sur build issue

Hello,
I tried to build it on Big Sur; after 2 hours I got this:

Doing Post-Run Cleanup
Hikari Out
[126/5905] Building C object CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o
FAILED: CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o 
/Users/p5/Desktop/Hikari-LLVM15-llvm-15.0.2-ported/build/./bin/clang --target=x86_64-apple-darwin20.6.0   -Os -DNDEBUG -arch x86_64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.1.sdk -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.1.sdk -mmacosx-version-min=10.5 -fPIC -O3 -fvisibility=hidden -DVISIBILITY_HIDDEN -Wall -fomit-frame-pointer -arch x86_64 -MD -MT CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o -MF CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o.d -o CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o -c /Users/p5/Desktop/Hikari-LLVM15-llvm-15.0.2-ported/compiler-rt/lib/builtins/ashrti3.c
std::mt19937_64 seeded with current timestamp: 1669881112058
Initializing Hikari Core with Revision ID:
Failed To Link PreCompiled AntiHooking IR From:/Users/p5/Hikari/PrecompiledAntiHooking-x86_64-macosx.bc
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /Users/p5/Desktop/Hikari-LLVM15-llvm-15.0.2-ported/build/./bin/clang --target=x86_64-apple-darwin20.6.0 -Os -DNDEBUG -arch x86_64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.1.sdk -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.1.sdk -mmacosx-version-min=10.5 -fPIC -O3 -fvisibility=hidden -DVISIBILITY_HIDDEN -Wall -fomit-frame-pointer -arch x86_64 -MD -MT CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o -MF CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o.d -o CMakeFiles/clang_rt.builtins_x86_64_osx.dir/ashrti3.c.o -c /Users/p5/Desktop/Hikari-LLVM15-llvm-15.0.2-ported/compiler-rt/lib/builtins/ashrti3.c
1.	<eof> parser at end of file
2.	Optimizer
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0  clang                    0x0000000102a5b5de llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 43
1  clang                    0x0000000102a5b0af llvm::sys::CleanupOnSignal(unsigned long) + 180
2  clang                    0x00000001029cb219 (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) + 97
3  clang                    0x00000001029cb40a CrashRecoverySignalHandler(int) + 135
4  libsystem_platform.dylib 0x00007fff203ddd7d _sigtramp + 29
5  libdyld.dylib            0x00007fff203b2ce8 _dyld_fast_stub_entry(void*, long) + 65
6  clang                    0x00000001035f781b llvm::AntiHook::doInitialization(llvm::Module&) + 2267
7  clang                    0x0000000103601fe7 llvm::Obfuscation::runOnModule(llvm::Module&) + 47
8  clang                    0x0000000103601dcf llvm::ObfuscationPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) + 37
9  clang                    0x000000010354d6fa llvm::detail::PassModel<llvm::Module, llvm::ObfuscationPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) + 18
10 clang                    0x0000000102524d88 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) + 398
11 clang                    0x0000000102c719d6 (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::__1::unique_ptr<llvm::raw_pwrite_stream, std::__1::default_delete<llvm::raw_pwrite_stream>>) + 7496
12 clang                    0x0000000102c6f25b clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::__1::unique_ptr<llvm::raw_pwrite_stream, std::__1::default_delete<llvm::raw_pwrite_stream>>) + 1615
13 clang                    0x0000000102ece93d clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) + 1713
14 clang                    0x0000000103b30046 clang::ParseAST(clang::Sema&, bool, bool) + 715
15 clang                    0x00000001030e2c15 clang::FrontendAction::Execute() + 75
16 clang                    0x0000000103091a7f clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 465
17 clang                    0x00000001031367c4 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 516
18 clang                    0x0000000101a89569 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 1575
19 clang                    0x0000000101a88618 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) + 259
20 clang                    0x0000000102fa6929 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const::$_1>(long) + 23
21 clang                    0x00000001029cb196 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) + 226
22 clang                    0x0000000102fa63e8 clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const + 234
23 clang                    0x0000000102f84810 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const + 548
24 clang                    0x0000000102f84924 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&, bool) const + 104
25 clang                    0x0000000102f93297 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&) + 349
26 clang                    0x0000000101a8823b clang_main(int, char**) + 7190
27 libdyld.dylib            0x00007fff203b3f3d start + 1
28 libdyld.dylib            0x000000000000001c start + 18446603339975409888
clang-15: error: clang frontend command failed with exit code 139 (use -v to see invocation)
clang version 15.0.2
Target: x86_64-apple-darwin20.6.0
Thread model: posix
InstalledDir: /Users/p5/Desktop/Hikari-LLVM15-llvm-15.0.2-ported/build/./bin
clang-15: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-15: note: diagnostic msg: /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/ashrti3-645c71.c
clang-15: note: diagnostic msg: /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/ashrti3-645c71.sh
clang-15: note: diagnostic msg: Crash backtrace is located in
clang-15: note: diagnostic msg: /Users/p5/Library/Logs/DiagnosticReports/clang-15_<YYYY-MM-DD-HHMMSS>_<hostname>.crash
clang-15: note: diagnostic msg: (choose the .crash file that corresponds to your crash)
clang-15: note: diagnostic msg: 

Indirect branch protection time crash under certain circumstances

Can the encrypted target jump addresses be used on their own as a single feature of the indirect branch obfuscation?
If I pass the parameters -mllvm -enable-indibran -mllvm -indibran-enc-jump-target, clang crashes with this backtrace

...
5  clang-15                 0x000000010ce26163 CrashRecoverySignalHandler(int) + 195
6  libsystem_platform.dylib 0x00007ff817560dfd _sigtramp + 29
7  libsystem_platform.dylib 0x0000600000b265a0 _sigtramp + 18446708923317376960
8  clang-15                 0x000000010baaa741 llvm::BinaryOperator::Create(llvm::Instruction::BinaryOps, llvm::Value*, llvm::Value*, llvm::Twine const&, llvm::Instruction*) + 49
9  clang-15                 0x000000010ccbfe7b llvm::IRBuilderBase::CreateInsertNUWNSWBinOp(llvm::Instruction::BinaryOps, llvm::Value*, llvm::Value*, llvm::Twine const&, bool, bool) + 155
10 clang-15                 0x000000010c887375 llvm::IRBuilderBase::CreateSub(llvm::Value*, llvm::Value*, llvm::Twine const&, bool, bool) + 213
11 clang-15                 0x000000010f7e4360 llvm::IndirectBranch::runOnFunction(llvm::Function&) + 6896
12 clang-15                 0x000000010f7fd05c llvm::Obfuscation::runOnModule(llvm::Module&) + 1708
13 clang-15                 0x000000010f7fbc48 llvm::ObfuscationPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) + 56
...

If I additionally pass the use-stack parameter (-mllvm -enable-indibran -mllvm -indibran-enc-jump-target -mllvm -indibran-use-stack), it works well.

Do we need INITIALIZE_PASS_DEPENDENCY in the Obfuscation class?

What is the purpose of having these?

INITIALIZE_PASS_DEPENDENCY(AntiClassDump);
INITIALIZE_PASS_DEPENDENCY(BogusControlFlow);
INITIALIZE_PASS_DEPENDENCY(Flattening);
INITIALIZE_PASS_DEPENDENCY(FunctionCallObfuscate);
INITIALIZE_PASS_DEPENDENCY(IndirectBranch);
INITIALIZE_PASS_DEPENDENCY(SplitBasicBlock);
INITIALIZE_PASS_DEPENDENCY(StringEncryption);
INITIALIZE_PASS_DEPENDENCY(Substitution);

It shouldn't affect the obfuscation logic in any way, as everything is hardcoded in Obfuscation::runOnModule()

Porting on Apple clang (question)

What is the best option to port/backport this project to Apple clang?
Suppose I have

bash-3.2$ clang -v
Apple clang version 14.0.0 (clang-1400.0.29.202)
Target: x86_64-apple-darwin21.6.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

I tried to find the source code for clang-1400.0.29.202 but was not able to. I am not sure the sources are available.
If they are not available, how can I integrate it with Hikari?

Rearranging of basic blocks (question)

What do you think, is it possible to implement basic block rearranging to harden the indirect branch obfuscation?
For example, we have this snippet of obfuscated code

...
.text:0000000000001E90                 ADRL            X10, off_4988
.text:0000000000001E98                 CMP             W9, #0x10
.text:0000000000001E9C                 CSET            W8, CC
.text:0000000000001EA0                 LDR             X11, [X10,W8,UXTW#3]
.text:0000000000001EA4                 MOV             W8, W9
.text:0000000000001EA8                 BR              X11

.text:0000000000001EB0                 MOV             X12, SP
.text:0000000000001EB4                 REV             W11, W11
.text:0000000000001EB8                 STR             W11, [X12,W8,UXTW#2]
...

I ran such parts of the code (which have an indirect branch BR Xxx instruction) under uEmu in IDA Pro and noticed that execution just jumps to the "0000000000001EB0" address (there are many BR Xxx replacements in the function being obfuscated).
The above construction breaks decompilation, but it can easily be binary-patched with a "nop" instruction to make the code decompilable.
The idea is to rearrange the basic blocks to prevent easy prediction of the jump taken by the BR Xxx instruction and make the patching challenge more difficult.
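Why the quoted sequence is so easy to resolve: the only value that can index the jump table is the CSET result, whose range is {0, 1} no matter what W9 holds, so both BR targets fall out of the table without executing anything. The following script is an added illustration, not code from Hikari-LLVM15 or from the issue author; it models the AArch64 sequence above, and since the contents of off_4988 are not shown in the issue, the two table entries are constructed values (0x1EB0 is simply the address of the block that follows the BR).

```python
"""Static resolution of a table-driven indirect branch (AArch64).

Added illustration; not code from Hikari-LLVM15 or from the issue author.
It models the sequence quoted in the issue:

    ADRL X10, off_4988            ; X10 = address of the jump table
    CMP  W9, #0x10
    CSET W8, CC                   ; W8 = 1 if W9 <u 0x10 (carry clear), else 0
    LDR  X11, [X10, W8, UXTW #3]  ; X11 = table[W8], entries are 8 bytes
    BR   X11

The contents of off_4988 are not in the issue, so JUMP_TABLE below holds
constructed values; 0x1EB0 is only the address of the block shown after the BR.
"""

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed jump table (two 8-byte code pointers at off_4988).
JUMP_TABLE = [0x1EB0, 0x1F40]


def cset_cc(w9: int, imm: int) -> int:
    """CMP Wn,#imm followed by CSET CC: 1 when Wn is unsigned-lower than imm."""
    return 1 if (w9 & MASK32) < (imm & MASK32) else 0


def emulate_dispatch(w9: int, table=JUMP_TABLE, imm: int = 0x10) -> int:
    """Concrete execution of the sequence for one W9 value (what uEmu did)."""
    w8 = cset_cc(w9, imm)
    byte_off = (w8 & MASK32) << 3        # UXTW #3: zero-extend W8, scale by 8
    return table[byte_off // 8] & MASK64


def resolve_targets_statically(table) -> set:
    """The index is a CSET result, so its range is {0, 1} regardless of W9;
    both BR targets are recoverable without running anything, which is why
    the BR can be replaced by an ordinary conditional branch (or the table
    read NOPed out) in the binary."""
    return {table[i] for i in (0, 1)}


def recovered_branch(table, imm: int = 0x10) -> dict:
    """The conditional branch that the dispatch sequence encodes."""
    return {
        "condition": f"W9 <u {imm:#x}",
        "taken_target": table[1],        # W8 == 1
        "not_taken_target": table[0],    # W8 == 0
    }


if __name__ == "__main__":
    for w9 in (0x0, 0xF, 0x10, 0xFFFFFFFF):
        print(f"W9={w9:#x} -> BR {emulate_dispatch(w9):#x}")
    print("static targets:", sorted(map(hex, resolve_targets_statically(JUMP_TABLE))))
    print(recovered_branch(JUMP_TABLE))
```

The range argument in resolve_targets_statically only holds while the table index is produced by a CSET in the same block. The earlier post on -indibran-enc-jump-target mentions -indibran-use-stack; once the index is read back from a stack slot written elsewhere, a pattern match on CSET, LDR, BR no longer finds it and an emulator or symbolic execution is needed, which is the kind of hardening this question is asking about.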

Use cases of the ConstantEncryption protection

What are the use cases for the ConstantEncryption protection?
I haven't studied this protection yet, but I just played with different values. Each case produces the integer values in plain text in the disassembly listing.
For example, I tried this sample code

#include <stdio.h>

unsigned int a = 0x11223344;
const unsigned int b = 0x55667788;
static unsigned int c = 0x99aabbcc;
static const unsigned int d = 0xddeeff00;

int main(void)
{
    unsigned int a_loc = 0x12345678;
    const unsigned int b_loc = 0x9abcdef0;
    printf("%08X, %08X, %08X, %08X, %08X, %08X", a, b, c, d, a_loc, b_loc);

    return 0;
}

And I got the decompiled output below, which clearly shows that all integers are in plain text:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf(
    "%08X, %08X, %08X, %08X, %08X, %08X",
    0x11223344LL,
    0x55667788LL,
    0x99AABBCCLL,
    0xDDEEFF00LL,
    0x12345678LL,
    0x9ABCDEF0LL);
  return 0;
}

Linking process fail

[100%] Linking CXX executable ../../../../bin/clang-repl
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiDebugging.cpp.o): in function `llvm::AntiDebugging::runOnFunction(llvm::Function&)': AntiDebugging.cpp:(.text._ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE[_ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE]+0x920): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiHooking.cpp.o): in function `llvm::AntiHook::doInitialization(llvm::Module&)': AntiHooking.cpp:(.text._ZN4llvm8AntiHook16doInitializationERNS_6ModuleE[_ZN4llvm8AntiHook16doInitializationERNS_6ModuleE]+0x362): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
collect2: error: ld returned 1 exit status
make[2]: *** [tools/llc/CMakeFiles/llc.dir/build.make:234: bin/llc] Error 1
make[1]: *** [CMakeFiles/Makefile2:88233: tools/llc/CMakeFiles/llc.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiDebugging.cpp.o): in function `llvm::AntiDebugging::runOnFunction(llvm::Function&)': AntiDebugging.cpp:(.text._ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE[_ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE]+0x920): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiHooking.cpp.o): in function `llvm::AntiHook::doInitialization(llvm::Module&)': AntiHooking.cpp:(.text._ZN4llvm8AntiHook16doInitializationERNS_6ModuleE[_ZN4llvm8AntiHook16doInitializationERNS_6ModuleE]+0x362): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
[100%] Linking CXX executable ../../../../bin/clang-linker-wrapper
collect2: error: ld returned 1 exit status
make[2]: *** [tools/llvm-opt-fuzzer/CMakeFiles/llvm-opt-fuzzer.dir/build.make:257: bin/llvm-opt-fuzzer] Error 1
make[1]: *** [CMakeFiles/Makefile2:94954: tools/llvm-opt-fuzzer/CMakeFiles/llvm-opt-fuzzer.dir/all] Error 2
[100%] Linking CXX executable ../../bin/lli
[100%] Built target LTO
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiDebugging.cpp.o): in function `llvm::AntiDebugging::runOnFunction(llvm::Function&)': AntiDebugging.cpp:(.text._ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE[_ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE]+0x920): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiHooking.cpp.o): in function `llvm::AntiHook::doInitialization(llvm::Module&)': AntiHooking.cpp:(.text._ZN4llvm8AntiHook16doInitializationERNS_6ModuleE[_ZN4llvm8AntiHook16doInitializationERNS_6ModuleE]+0x362): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
[100%] Built target dsymutil
collect2: error: ld returned 1 exit status
make[2]: *** [tools/llvm-lto2/CMakeFiles/llvm-lto2.dir/build.make:231: bin/llvm-lto2] Error 1
make[1]: *** [CMakeFiles/Makefile2:93029: tools/llvm-lto2/CMakeFiles/llvm-lto2.dir/all] Error 2
[100%] Linking CXX executable ../../bin/opt
[100%] Built target llvm-dwarfutil
[100%] Built target llvm-lto
[100%] Built target lli
[100%] Built target bugpoint
[100%] Built target clang-check
[100%] Linking CXX executable ../../bin/llvm-exegesis
[100%] Linking CXX executable ../../../../bin/clang-scan-deps
[100%] Linking CXX executable ../../bin/llvm-reduce
[100%] Linking CXX shared library ../../../../lib/libclang.so
[100%] Built target clang-linker-wrapper
[100%] Built target llvm-exegesis
[100%] Built target clang-repl
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiDebugging.cpp.o): in function `llvm::AntiDebugging::runOnFunction(llvm::Function&)': AntiDebugging.cpp:(.text._ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE[_ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE]+0x920): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
/usr/bin/ld: ../../lib/libLLVMObfuscation.a(AntiHooking.cpp.o): in function `llvm::AntiHook::doInitialization(llvm::Module&)': AntiHooking.cpp:(.text._ZN4llvm8AntiHook16doInitializationERNS_6ModuleE[_ZN4llvm8AntiHook16doInitializationERNS_6ModuleE]+0x362): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
collect2: error: ld returned 1 exit status
make[2]: *** [tools/opt/CMakeFiles/opt.dir/build.make:321: bin/opt] Error 1
make[1]: *** [CMakeFiles/Makefile2:97589: tools/opt/CMakeFiles/opt.dir/all] Error 2
[100%] Built target llvm-reduce
/usr/bin/ld: ../../../../lib/libLLVMObfuscation.a(AntiDebugging.cpp.o): in function `llvm::AntiDebugging::runOnFunction(llvm::Function&)': AntiDebugging.cpp:(.text._ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE[_ZN4llvm13AntiDebugging13runOnFunctionERNS_8FunctionE]+0x920): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
/usr/bin/ld: ../../../../lib/libLLVMObfuscation.a(AntiHooking.cpp.o): in function `llvm::AntiHook::doInitialization(llvm::Module&)': AntiHooking.cpp:(.text._ZN4llvm8AntiHook16doInitializationERNS_6ModuleE[_ZN4llvm8AntiHook16doInitializationERNS_6ModuleE]+0x362): undefined reference to `llvm::Linker::linkModules(llvm::Module&, std::unique_ptr<llvm::Module, std::default_delete<llvm::Module> >, unsigned int, std::function<void (llvm::Module&, llvm::StringSet<llvm::MallocAllocator> const&)>)'
collect2: error: ld returned 1 exit status
make[2]: *** [tools/clang/tools/clang-scan-deps/CMakeFiles/clang-scan-deps.dir/build.make:277: bin/clang-scan-deps] Error 1
make[1]: *** [CMakeFiles/Makefile2:43581: tools/clang/tools/clang-scan-deps/CMakeFiles/clang-scan-deps.dir/all] Error 2
[100%] Built target libclang
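What the log above says: the unresolved symbol is llvm::Linker::linkModules, which is defined in the LLVMLinker component, and it is referenced from the AntiDebugging and AntiHooking objects inside libLLVMObfuscation.a. Only llc, opt, llvm-lto2, llvm-opt-fuzzer and clang-scan-deps fail because those tools do not link LLVMLinker on their own, whereas clang does, so the static library's missing dependency is only exposed there. The usual fix is to declare the dependency on the library that has the reference. The fragment below is an added illustration, not the project's own CMakeLists.txt; the file path, macro and the other components listed are assumptions, and only the `Linker` entry is the point.

```cmake
# Assumed location: llvm/lib/Transforms/Obfuscation/CMakeLists.txt
# (added illustration, not the project's file; source list and other
# components are placeholders)
add_llvm_component_library(LLVMObfuscation
  AntiDebugging.cpp
  AntiHooking.cpp
  # ... remaining pass sources ...

  LINK_COMPONENTS
  Core
  Support
  IRReader
  Linker   # defines llvm::Linker::linkModules, used by AntiDebugging/AntiHooking
  )
```

After editing, re-run the CMake configure step rather than just `make`, since component dependencies are resolved at configure time; `nm -C lib/libLLVMLinker.a | grep linkModules` confirms the symbol is present in the built tree before relinking.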

Per-function obfuscation control does not work

Hello, I am testing obfuscation of a single function here, and it has no effect. Could you look into it?
No obfuscation flags are configured in Xcode; the code is as follows:
// c/c++
int foo() __attribute__((annotate("bcf_prob=100")));
int foo() {
    return 2;
}
// Objc
#import <Foundation/Foundation.h>
extern void hikari_bcf_prob(uint32_t);
@interface foo2 : NSObject
+ (void)foo;
@end
@implementation foo2
+ (void)foo {
    hikari_bcf_prob(100);
    NSLog(@"FOOOO2");
}
@end

Hanabi Build Instructions

Can you please post build instructions for Hanabi? (Step by step if possible **** PLEASE ****) I am trying to learn this project.

When I run this...
"cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DLLVM_ABI_BREAKING_CHECKS=FORCE_OFF /Volumes/Development/Hikari/llvm/projects"

I get this error...
CMake Error at CMakeLists.txt:5 (add_dependencies):
The dependency target "LLVMCore" of target "LLVMHanabiDeps" does not exist.

CMake Error at CMakeLists.txt:5 (add_dependencies):
The dependency target "LLVMPasses" of target "LLVMHanabiDeps" does not
exist.

CMake Error at CMakeLists.txt:5 (add_dependencies):
The dependency target "LLVMSupport" of target "LLVMHanabiDeps" does not
exist.

CMake Error at CMakeLists.txt:17 (add_dependencies):
The dependency target "LLVMObfuscation" of target "LLVMHanabi" does not
exist.

Regards,
M

building on macOS

Did you try to build the latest snapshot on macOS Monterey?
I have run into a couple of build issues

First issue:

Hikari-LLVM15/llvm/lib/Transforms/Obfuscation/FunctionCallObfuscate.cpp:5:
Hikari-LLVM15/llvm/include/llvm/Transforms/Obfuscation/compat/CallSite.h:130:45: error: no member named 'getElementType' in 'llvm::PointerType'
    assert(cast<PointerType>(V->getType())->getElementType() ==
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ^
/Library/Developer/CommandLineTools/SDKs/MacOSX13.1.sdk/usr/include/assert.h:99:25: note: expanded from macro 'assert'
    (__builtin_expect(!(e), 0) ? __assert_rtn(__func__, __ASSERT_FILE_NAME, __LINE__, #e) : (void)0)

The second issue:

Hikari-LLVM15/llvm/lib/Transforms/Obfuscation/StringEncryption.cpp:394:11: error: 'llvm::Triple' is an incomplete type
      if (Triple(GV->getParent()->getTargetTriple()).isArm64e()) {
          ^

For this issue you have to add
#include "llvm/ADT/Triple.h"
in the Hikari-LLVM15/llvm/lib/Transforms/Obfuscation/StringEncryption.cpp

Swift 5: compilation fails with -enable-strcry

  1. Apple Swift version 5.7.2 (swiftlang-5.7.2.135.5 clang-1400.0.29.51)
  2. Compiling with the current language version
    Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var LLVM_SYMBOLIZER_PATH to point to it):
    0 swift-frontend 0x0000000106ce5fe7 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 39
    1 swift-frontend 0x0000000106ce5018 llvm::sys::RunSignalHandlers() + 248
    2 swift-frontend 0x0000000106ce6600 SignalHandler(int) + 288
    3 libsystem_platform.dylib 0x00007ff813aa2dfd _sigtramp + 29
    4 libsystem_platform.dylib 0x0000000000000a00 _sigtramp + 18446603370251017248
    5 libsystem_c.dylib 0x00007ff8139d8d24 abort + 123
    6 libsystem_malloc.dylib 0x00007ff8138b6357 has_default_zone0 + 0
    7 libsystem_malloc.dylib 0x00007ff8138ca308 malloc_zone_error + 178
    8 libsystem_malloc.dylib 0x00007ff8138af03d small_free_list_remove_ptr_no_clear + 1251
    9 libsystem_malloc.dylib 0x00007ff8138ac108 free_small + 847
    10 swift-frontend 0x0000000106a1964c llvm::LLVMContextImpl::~LLVMContextImpl() + 26556
    11 swift-frontend 0x000000010189c7d0 performCompileStepsPostSILGen(swift::CompilerInstance&, std::__1::unique_ptr<swift::SILModule, std::__1::default_deleteswift::SILModule >, llvm::PointerUnion<swift::ModuleDecl*, swift::SourceFile*>, swift::PrimarySpecificPaths const&, int&, swift::FrontendObserver*) + 3984
    12 swift-frontend 0x000000010189df85 swift::performFrontend(llvm::ArrayRef<char const*>, char const*, void*, swift::FrontendObserver*) + 5701
    13 swift-frontend 0x0000000101833eaa swift::mainEntry(int, char const**) + 3082
    14 dyld 0x0000000118c7652e start + 462
    Command SwiftCompile failed with a nonzero exit code

Linker issue when indirect branch obfuscation is active

I faced an interesting issue specific to the indirect branch obfuscation in C++ code.
The linker reports:

ld: error: relocation refers to a discarded section: .text._ZNSt6__ndk19allocatorIcE10deallocateEPcm
>>> defined in second.o
>>> section group signature: _ZNSt6__ndk19allocatorIcE10deallocateEPcm
>>> prevailing definition is in first.o
>>> referenced by second.cpp
>>>               second.o:(.data+0xD28)

ld: error: relocation refers to a discarded section: .text.__clang_call_terminate
>>> defined in second.o
>>> section group signature: __clang_call_terminate
>>> prevailing definition is in first.o
>>> referenced by second.cpp
>>>               second.o:(.data+0xD38)
>>> referenced by second.cpp
>>>               second.o:(.data+0xD40)
>>> referenced by second.cpp
>>>               second.o:(.data+0xD48)
>>> referenced 13 more times

The data references here are the offset to the IndirectBranchingTargetAddress table.
The issue can be reproduced using only the -mllvm -enable-indibran parameter.

Here are the sample files first.cpp and second.cpp used to create the shared library.

first.cpp

#include <iostream>
#include <string>

int first()
{
  char buffer[20];
  std::string str ("Test string...");
  std::size_t length = str.copy(buffer, 6, 5);
  buffer[length] = '\0';
  std::cout << "buffer contains: " << buffer << '\n';
  return 0;
}

second.cpp

#include <iostream>
#include <string>

int second ()
{
  std::string base="this is a test string.";
  std::string str2="n example";
  std::string str3="sample phrase";
  std::string str4="useful.";

  // replace signatures used in the same order as described above:

  // Using positions:                 0123456789*123456789*12345
  std::string str=base;           // "this is a test string."
  str.replace(9,5,str2);          // "this is an example string." (1)
  str.replace(19,6,str3,7,6);     // "this is an example phrase." (2)
  str.replace(8,10,"just a");     // "this is just a phrase."     (3)
  str.replace(8,6,"a shorty",7);  // "this is a short phrase."    (4)
  str.replace(22,1,3,'!');        // "this is a short phrase!!!"  (5)

  // Using iterators:                                               0123456789*123456789*
  str.replace(str.begin(),str.end()-3,str3);                    // "sample phrase!!!"      (1)
  str.replace(str.begin(),str.begin()+6,"replace");             // "replace phrase!!!"     (3)
  str.replace(str.begin()+8,str.begin()+14,"is coolness",7);    // "replace is cool!!!"    (4)
  str.replace(str.begin()+12,str.end()-4,4,'o');                // "replace is cooool!!!"  (5)
  str.replace(str.begin()+11,str.end(),str4.begin(),str4.end());// "replace is useful."    (6)
  std::cout << str << '\n';
  return 0;
}

Compile them:

clang++ -target aarch64-none-linux-android21 -mllvm -enable-bcfobf -mllvm -enable-splitobf -mllvm -split_num=9 -O2 first.cpp -c -mllvm -enable-indibran
and
clang++ -target aarch64-none-linux-android21 -mllvm -enable-bcfobf -mllvm -enable-splitobf -mllvm -split_num=9 -O2 second.cpp -c -mllvm -enable-indibran

-mllvm -enable-bcfobf -mllvm -enable-splitobf -mllvm -split_num=9 are used to emit more code with branches, to give the indirect branch obfuscator the chance to construct the IndirectBranchingTargetAddress table.

Finally, link the object files:
clang++ -target aarch64-none-linux-android21 -fPIC -shared -Wl,-soname,libsample.so -o libsample.so first.o second.o

to reproduce the issue.

String encryption doesn't seem to work

I added the flags -Xllvm -enable-strcry -Xllvm -strcry-encrypt-global-string in the Other Swift Flags of Xcode; however, it doesn't seem to make a change in the iOS app.

juliusalexandre@Juliuss-MacBook-Pro testing-obf.app % strings testing-obf

...
Body
Previews
Body
ContentView
ContentView_Previews
$s11testing_obf11ContentViewV4bodyQrvp
$s11testing_obf20ContentView_PreviewsV8previewsQrvpZ
testing_obf
testing_obfApp
$s11testing_obf0a1_B3AppV4bodyQrvp
globe
Hello, world!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TCKTXXK9UU.test.testing-obf</string>
</dict>
</plist>
;09

application-identifier

is there any reason why this is happening?

AntiHooking IR file missing

Failed To Link PreCompiled AntiHooking IR From:/home/Hikari/PrecompiledAntiHooking-unknown-unknown.bc
Does this affect usage?

Build failure in a Windows MINGW64 environment

x86 LLVM15

cmake -G "Ninja" -S ./Hikari-LLVM15/llvm -B ./build_dyn_x64 -DCMAKE_INSTALL_PREFIX=./llvm_x64 -DCMAKE_CXX_STANDARD=17 -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang;lld;" -DLLVM_TARGETS_TO_BUILD="X86" -DBUILD_SHARED_LIBS=ON -DLLVM_INSTALL_UTILS=ON -DLLVM_INCLUDE_TESTS=OFF -DLLVM_BUILD_TESTS=OFF -DLLVM_INCLUDE_BENCHMARKS=OFF -DLLVM_BUILD_BENCHMARKS=OFF
$ cmake --build ./build_dyn_x64 -j 24
[5/2470] Linking CXX shared library bin\libLLVMObfuscation.dll
FAILED: bin/libLLVMObfuscation.dll lib/libLLVMObfuscation.dll.a
cmd.exe /C "cd . && E:\msys64\mingw64\bin\c++.exe -Wa,-mbig-obj -Werror=date-time -Wall -Wextra -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wimplicit-fallthrough -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-redundant-move -Wno-pessimizing-move -Wno-noexcept-type -Wdelete-non-virtual-dtor -Wsuggest-override -Wno-comment -Wmisleading-indentation -ffunction-sections -fdata-sections  -O2 -DNDEBUG  -Wl,--gc-sections -shared -o bin\libLLVMObfuscation.dll -Wl,--out-implib,lib\libLLVMObfuscation.dll.a -Wl,--major-image-version,0,--minor-image-version,0 lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionCallObfuscate.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/CryptoUtils.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/BogusControlFlow.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/SubstituteImpl.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/Substitution.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/Flattening.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/Utils.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/SplitBasicBlocks.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/AntiClassDump.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/AntiDebugging.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/AntiHooking.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/StringEncryption.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/IndirectBranch.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/ConstantEncryption.cpp.obj lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/Obfuscation.cpp.obj  -lkernel32 -luser32 -lgdi32 -lwinspool -lshell32 -lole32 -loleaut32 -luuid -lcomdlg32 -ladvapi32 && cd ."
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/CryptoUtils.cpp.obj:CryptoUtils.cpp:(.text$_ZN4llvm11CryptoUtils9prng_seedEv+0x2d): undefined reference to `llvm::errs()'
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/CryptoUtils.cpp.obj:CryptoUtils.cpp:(.text$_ZN4llvm11CryptoUtils9prng_seedEv+0x60): undefined reference to `llvm::raw_ostream::operator<<(llvm::format_object_base const&)'
...
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj:FunctionWrapper.cpp:(.rdata$_ZTVN4llvm15FunctionWrapperE[_ZTVN4llvm15FunctionWrapperE]+0x68): undefined reference to `llvm::Pass::releaseMemory()'
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj:FunctionWrapper.cpp:(.rdata$_ZTVN4llvm15FunctionWrapperE[_ZTVN4llvm15FunctionWrapperE]+0x70): undefined reference to `llvm::Pass::getAdjustedAnalysisPointer(void const*)'
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj:FunctionWrapper.cpp:(.rdata$_ZTVN4llvm15FunctionWrapperE[_ZTVN4llvm15FunctionWrapperE]+0x78): undefined reference to `llvm::Pass::getAsImmutablePass()'
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj:FunctionWrapper.cpp:(.rdata$_ZTVN4llvm15FunctionWrapperE[_ZTVN4llvm15FunctionWrapperE]+0x80): undefined reference to `llvm::Pass::getAsPMDataManager()'
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj:FunctionWrapper.cpp:(.rdata$_ZTVN4llvm15FunctionWrapperE[_ZTVN4llvm15FunctionWrapperE]+0x88): undefined reference to `llvm::Pass::verifyAnalysis() const'
E:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/12.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: lib/Transforms/Obfuscation/CMakeFiles/LLVMObfuscation.dir/FunctionWrapper.cpp.obj:FunctionWrapper.cpp:(.rdata$_ZTVN4llvm15FunctionWrapperE[_ZTVN4llvm15FunctionWrapperE]+0x90): undefined reference to `llvm::Pass::dumpPassStructure(unsigned int)'
collect2.exe: error: ld returned 1 exit status
[26/2444] Building CXX object lib/DebugInfo/CodeView/CMakeFiles/LLVMDebugInfoCodeView.dir/SymbolDumper.cpp.obj
ninja: build stopped: subcommand failed.

SplitBasicBlocks may cause heap memory corruption

I have found a crash while using basic block splitting 5 times via the -mllvm -enable-splitobf -mllvm -split_num=5 parameters.
The most interesting thing is that the memory corruption happens only if we split five times.
The first unusual thing is that -mllvm -split_num=5 takes a very long time, even compared with greater values like 8 or 9.

bash-3.2$ time clang sha256.c -c -mllvm -enable-splitobf -mllvm -split_num=5
std::mt19937_64 seeded with current timestamp: 1672951088010
Initializing Hikari Core with Revision ID:c33f34f65cd5eda385964c4176906d55d7236206
Failed To Link PreCompiled AntiHooking IR From:/Users/aaaa/Hikari/PrecompiledAntiHooking-unknown-unknown.bc
Running BasicBlockSplit On sha256_transform
Running BasicBlockSplit On sha256_init
Running BasicBlockSplit On sha256_update
Running BasicBlockSplit On sha256_final
Doing Post-Run Cleanup
Hikari Out

real	0m2.623s
user	0m2.163s
sys	0m0.053s
bash-3.2$ time clang sha256.c -c -mllvm -enable-splitobf -mllvm -split_num=9
std::mt19937_64 seeded with current timestamp: 1672951085617
Initializing Hikari Core with Revision ID:c33f34f65cd5eda385964c4176906d55d7236206
Failed To Link PreCompiled AntiHooking IR From:/Users/aaaa/Hikari/PrecompiledAntiHooking-unknown-unknown.bc
Running BasicBlockSplit On sha256_transform
Running BasicBlockSplit On sha256_init
Running BasicBlockSplit On sha256_update
Running BasicBlockSplit On sha256_final
Doing Post-Run Cleanup
Hikari Out

real	0m0.148s
user	0m0.093s
sys	0m0.044s

The crash has many different forms. One of them is:

bash-3.2$ clang sha256.c -c -mllvm -enable-splitobf -mllvm -split_num=5
std::mt19937_64 seeded with current timestamp: 1672950705273
Initializing Hikari Core with Revision ID:c33f34f65cd5eda385964c4176906d55d7236206
Failed To Link PreCompiled AntiHooking IR From:/Users/aaaa/Hikari/PrecompiledAntiHooking-unknown-unknown.bc
Running BasicBlockSplit On sha256_transform
Running BasicBlockSplit On sha256_init
Running BasicBlockSplit On sha256_update
Running BasicBlockSplit On sha256_final
Doing Post-Run Cleanup
Hikari Out
clang(24391,0x112e14600) malloc: Heap corruption detected, free list is damaged at 0x6000036806a0
*** Incorrect guard value: 218639605170180
clang(24391,0x112e14600) malloc: *** set a breakpoint in malloc_error_break to debug
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang sha256.c -c -mllvm -enable-splitobf -mllvm -split_num=5
1.	<eof> parser at end of file
2.	Code generation
3.	Running pass 'Function Pass Manager' on module 'sha256.c'.
4.	Running pass 'X86 DAG->DAG Instruction Selection' on function '@sha256_transform'
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0  clang                    0x0000000102816247 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 39
1  clang                    0x00000001028151d8 llvm::sys::RunSignalHandlers() + 248
2  clang                    0x0000000102815800 llvm::sys::CleanupOnSignal(unsigned long) + 208
3  clang                    0x000000010274779f CrashRecoverySignalHandler(int) + 191
4  libsystem_platform.dylib 0x00007ff81a806dfd _sigtramp + 29
5  libsystem_platform.dylib 0x0000000000000001 _sigtramp + 18446603370136310305
6  libsystem_c.dylib        0x00007ff81a73cd24 abort + 123
7  libsystem_malloc.dylib   0x00007ff81a61a357 has_default_zone0 + 0
8  libsystem_malloc.dylib   0x00007ff81a62e308 malloc_zone_error + 178
9  libsystem_malloc.dylib   0x00007ff81a60d0e8 nanov2_allocate_from_block + 582
10 libsystem_malloc.dylib   0x00007ff81a60c677 nanov2_allocate + 130
11 libsystem_malloc.dylib   0x00007ff81a60c5a4 nanov2_malloc + 56
12 libsystem_malloc.dylib   0x00007ff81a628abb _malloc_zone_malloc + 125
13 libc++abi.dylib          0x00007ff81a7ae95a operator new(unsigned long) + 26
14 clang                    0x0000000101c7dc46 llvm::MachineBasicBlock::addSuccessorWithoutProb(llvm::MachineBasicBlock*) + 166
15 clang                    0x0000000103569b15 llvm::FastISel::fastEmitBranch(llvm::MachineBasicBlock*, llvm::DebugLoc const&) + 213
16 clang                    0x0000000103562aa1 llvm::FastISel::selectOperator(llvm::User const*, unsigned int) + 1457
17 clang                    0x00000001035690dc llvm::FastISel::selectInstruction(llvm::Instruction const*) + 540
18 clang                    0x00000001036c5d33 llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) + 4499
19 clang                    0x00000001036c3ec7 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) + 2391
20 clang                    0x0000000101688ce0 (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) + 80
21 clang                    0x0000000101ccbc7e llvm::MachineFunctionPass::runOnFunction(llvm::Function&) + 302
22 clang                    0x00000001020718cc llvm::FPPassManager::runOnFunction(llvm::Function&) + 620
23 clang                    0x0000000102077c63 llvm::FPPassManager::runOnModule(llvm::Module&) + 67
24 clang                    0x0000000102072015 llvm::legacy::PassManagerImpl::run(llvm::Module&) + 933
25 clang                    0x0000000102afa4cd clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::__1::unique_ptr<llvm::raw_pwrite_stream, std::__1::default_delete<llvm::raw_pwrite_stream> >) + 5693
26 clang                    0x0000000102df60e2 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) + 1810
27 clang                    0x000000010400a274 clang::ParseAST(clang::Sema&, bool, bool) + 564
28 clang                    0x000000010310e5ca clang::FrontendAction::Execute() + 90
29 clang                    0x00000001030895a6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 854
30 clang                    0x00000001031891e8 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 680
31 clang                    0x0000000100835053 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 2211
32 clang                    0x0000000100833236 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) + 278
33 clang                    0x0000000102f156a7 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, bool*) const::$_1>(long) + 23
34 clang                    0x00000001027474f2 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) + 226
35 clang                    0x0000000102f151cd clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, bool*) const + 397
36 clang                    0x0000000102ee7fb3 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&) const + 515
37 clang                    0x0000000102ee835c clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*> >&) const + 124
38 clang                    0x0000000102efd4ac clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*> >&) + 220
39 clang                    0x00000001008328d6 main + 10022
40 dyld                     0x0000000112d9952e start + 462

I used the sha256 implementation for testing purposes from the repo
https://github.com/B-Con/crypto-algorithms

To reproduce the crash, it can take many launches of clang, up to 20 tries.

How do I use the -acd-rename-methodimp option?

Does this option require configuring the names of the functions to obfuscate? I used this option, and after compiling I looked in IDA and found that the function names were still the original ones; they were not replaced with ACDMethodIMP.

Bug in the constant encryption obfuscation

There is a bug in the constant encryption obfuscator.
To reproduce it:

  1. clone the sample https://github.com/LekKit/sha256 repo.
  2. build the source files with constant encryption enabled: bin/clang-15 -mllvm -enable-constenc sha256.c sha256_tests.c -o sha --sysroot=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/

The expected output:

std::mt19937_64 seeded with current timestamp: 1677874928659
Initializing Hikari Core with Revision ID:3c58d20e13eca7be109a9f3b9f164a1f66df1f59
Failed To Link PreCompiled AntiHooking IR From:Hikari/PrecompiledAntiHooking-unknown-unknown.bc
Doing Post-Run Cleanup
Running ConstantEncryption On sha256_init
Running ConstantEncryption On sha256_update
Running ConstantEncryption On sha256_calc_chunk
Running ConstantEncryption On sha256_finalize
Running ConstantEncryption On sha256_read
Running ConstantEncryption On sha256_read_hex
Running ConstantEncryption On bin_to_hex
Running ConstantEncryption On sha256_easy_hash
Running ConstantEncryption On sha256_easy_hash_hex
Hikari Out
Spend Time: 0.0032301s
std::mt19937_64 seeded with current timestamp: 1677874929040
Initializing Hikari Core with Revision ID:3c58d20e13eca7be109a9f3b9f164a1f66df1f59
Failed To Link PreCompiled AntiHooking IR From:Hikari/PrecompiledAntiHooking-unknown-unknown.bc
Doing Post-Run Cleanup
Running ConstantEncryption On test_str
Running ConstantEncryption On test_bytes
Running ConstantEncryption On main
Hikari Out
Spend Time: 0.0013762s
Instruction does not dominate all uses!
  %21 = xor i32 %22, 1174219237
  store i32 %21, ptr @test_str.test_count, align 4
Instruction does not dominate all uses!
  %22 = xor i32 %inc, 273554728
  %21 = xor i32 %22, 1174219237
in function test_str
fatal error: error in backend: Broken function found, compilation aborted!
clang-15: error: clang frontend command failed with exit code 70 (use -v to see invocation)
clang version 15.0.2 (https://github.com/NeHyci/Hikari-LLVM15.git bfe7a96c9b2af1662c2c49e34eba18acf67e3d39)

As expected, commenting out the line below in the function void HandleConstantIntInitializerGV(GlobalVariable *GVPtr) prevents the bug from appearing:

ConstantEncryption.cpp
      if (LoadInst *LI = dyn_cast<LoadInst>(U)) {
        // Decrypt after the load: xor the loaded value with the key and
        // redirect every user of the load to the xor.
        XORInst = BinaryOperator::Create(Instruction::Xor, LI, XORKey);
        XORInst->insertAfter(LI);
        LI->replaceAllUsesWith(XORInst);
        XORInst->setOperand(0, LI);
      } else if (StoreInst *SI = dyn_cast<StoreInst>(U)) {
        // Encrypt before the store: the xor is created here but inserted
        // after the store, so making the store use it would leave the store
        // consuming a value defined later in the block (the "Instruction
        // does not dominate all uses" reported above).
        XORInst =
            BinaryOperator::Create(Instruction::Xor, SI->getOperand(0), XORKey);
        XORInst->insertAfter(SI);
//        SI->replaceUsesOfWith(SI->getOperand(0), XORInst);
      }

Internal error: atom is missing a symbolIndex when using -mllvm -enable-cffobf

Hello,
While compiling I found that, with -mllvm -enable-cffobf removed from the obfuscation flags, there is no error and the app runs normally. After adding -mllvm -enable-cffobf, I get an error:
ld: internal error: atom is missing a symbolIndex(_objc_msgSend$appendFormat:) for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Environment:
Mac mini M1, Xcode 14.0.1, using the release from Hanabi

Integrity protection implementation thoughts

Do you ever think about adding integrity protection to make this product more or less complete?
It is pretty easy to implement any algorithm in C, precompile it as a bitcode file (*.bc) and then just link it, as is done for the custom implementation in AntiDebugging.cpp.
Example implementation:

  1. Take a predefined range of a specific length.
  2. Do any simple arithmetic operation, say, addition, on that predefined range (like mod 2^32) using a secret random value as a key.
  3. Compare the obtained result with the pre-calculated value.

Each integrity protection instance should have

  1. A secret random value used as a key, and the valid pre-calculated integrity value for the specific range.
  2. A pointer to the code which should be protected and its length.

Protection itself should be applied in two steps:

  1. Linking of the precompiled bitcode file which implements integrity protection at compile time. In this step, a metadata file must be created which records what ranges should be protected and the location of the tables that store the valid integrity values.
  2. Reading the metadata file created in the first step, parsing it, calculating the valid checksum values for the predefined ranges and filling the integrity protection instance tables. For this step, a separate tool is required.
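The scheme proposed above, as an added illustration that is not part of the post or of Hikari: the names guard_t, range_checksum, fill_expected and guard_verify are this example's own, and fake_text is a constructed stand-in for a protected code range, not real machine code. It goes slightly beyond the plain addition described in that every byte is weighted by its position (so two swapped bytes are detected as well as a patched one), and it shows both steps: the tool-side pass that fills the expected values into the table, and the runtime check that compares against them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical integrity-protection instance (this example's own layout,
 * not Hikari's): the range to check, the secret key baked in at build
 * time, and the expected value a separate post-link tool fills in. */
typedef struct {
    const uint8_t *start;    /* first byte of the protected range */
    uint32_t       len;      /* range length in bytes */
    uint32_t       key;      /* secret random value used as the key */
    uint32_t       expected; /* valid checksum; 0 until the tool fills it */
} guard_t;

/* Keyed additive checksum over a range, mod 2^32 (unsigned wrap-around).
 * Each byte is mixed with the key and weighted by its position, so both a
 * patched byte and two swapped bytes change the result; plain addition
 * alone would not notice the swap. */
uint32_t range_checksum(const uint8_t *p, uint32_t len, uint32_t key) {
    uint32_t sum = key;
    for (uint32_t i = 0; i < len; i++)
        sum += ((uint32_t)p[i] + key) * (i + 1u);
    return sum;
}

/* The "separate tool" step of the proposal: once layout is final, compute
 * the valid value for every guard and write it into the table. Here it
 * runs over an in-memory table; a real tool would patch the linked binary
 * using the metadata emitted at compile time. */
void fill_expected(guard_t *guards, size_t n) {
    for (size_t i = 0; i < n; i++)
        guards[i].expected =
            range_checksum(guards[i].start, guards[i].len, guards[i].key);
}

/* Runtime check: 1 if the range is intact, 0 if it was modified. */
int guard_verify(const guard_t *g) {
    return range_checksum(g->start, g->len, g->key) == g->expected;
}

/* Constructed stand-in for a protected code range; not real machine code. */
static uint8_t fake_text[64];

/* Protect the two halves of fake_text, fill the table, then flip one bit
 * in the second half. Returns how many guards still pass after the patch
 * (1: the untouched half passes, the patched half fails), or -1 if the
 * guards did not both pass before the patch. */
int demo_patch_detection(void) {
    for (size_t i = 0; i < sizeof fake_text; i++)
        fake_text[i] = (uint8_t)(i * 7u + 3u);

    guard_t guards[2] = {
        { fake_text,      32, 0x5EEDF00Du, 0 },
        { fake_text + 32, 32, 0xC0FFEE11u, 0 },
    };
    fill_expected(guards, 2);

    int before = guard_verify(&guards[0]) + guard_verify(&guards[1]);
    if (before != 2)
        return -1;

    fake_text[40] ^= 0x01; /* simulate a one-bit patch inside range 2 */
    return guard_verify(&guards[0]) + guard_verify(&guards[1]);
}

int main(void) {
    printf("guards passing after patch: %d\n", demo_patch_detection());
    return 0;
}
```

Two caveats apply to any version of this. The key only stops a precomputed table from being reused across builds; anyone who can read the binary can recompute the sum, so the check detects a patch-and-forget modification, not an attacker who also rewrites the expected value, which is why the table and the checking code usually get covered by other guards and hidden by the remaining obfuscation passes. The table must also lie outside every range it protects, otherwise the fill step depends on its own output, and in position-independent images the range start must be resolved relative to the load address at check time.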
