Open-Obfuscator: O-MVLL & dProtect

A free and open-source obfuscator for mobile applications
C/C++/Objective-C and Java/Kotlin

For Android and iOS* (AArch64 only)
(*) The support for iOS and Objective-C is currently very limited.
Maintained by Build38.

String Encryption

O-MVLL and dProtect are able to protect strings with different levels of protection.

Data Flow Obfuscation

O-MVLL and dProtect provide the classical Mixed-Boolean Arithmetic (MBA) transformations and opaque constants.

Control Flow Obfuscation

O-MVLL provides classical and new techniques to protect the control flow of native functions. dProtect provides basic control-flow protection.

Anti-Hooking

O-MVLL can protect native functions against Frida hooking by injecting a custom prologue in the functions to protect.

 1import omvll
 2
 3def anti_hooking(self, _, func: omvll.Function):
 4    if func.demangled_name.startswith("hook_me"):
 5        return True
 6    return False
 7
 8def obfuscate_struct_access(self, _, __, S: omvll.Struct):
 9    if S.name.endswith("JNINativeInterface"):
10        return True
11    return False
12
13def obfuscate_string(self, _, func: omvll.Function, string):
14    fname = func.demangled_name
15
16    if b"/home/user/project/src/secret.cpp" in string:
17        return "REDACTED"
18
19    if fname == "Secret::encode(int)":
20        return omvll.StringEncOptStack(20)
21
22    if fname == "Secret::decode(int)":
23        return True
24
25    if fname == "Secret::help()":
26        return omvll.StringEncOptGlobal()
27
28    return False

O-MVLL: Driven by a user-friendly API, it enables you to define and tweak your obfuscation scheme in Python

More information
 1# Mixed boolean-arithmetic Obfuscation
 2-obfuscate-arithmetic,high class re.dprotect.salsa20 {
 3  *;
 4}
 5
 6# Strings protection
 7-obfuscate-strings "XEYnuNOGoEQ*", "TOKEN: *"
 8-obfuscate-strings class re.dprotect.Connect {
 9  private static java.lang.String API_KEY;
10  public static java.lang.String getToken();
11}
12
13# Constants
14-obfuscate-constants    class re.dprotect.secret.** { *; }
15
16# Control-Flow
17-obfuscate-control-flow class re.dprotect.internal.** { *; }

dProtect:It adds an enhanced code obfuscation pipeline on top of Proguard™ with a similar configuration

More information

Toolchain Integration

Android Plugin

dProtect relies on the same integration mechanism as Proguard™.

From an Android integration perspective, it just requires updating the Gradle plugins.

dObf/home/romain/dObf.ideasrcjavapassesUtilsCoreAPIdProtectparserconftestjavabuild.gradledObfsrccomexamplemiscbuild.gradlebuildscript {    dependencies {        classpath 're.obfuscator:dprotect-gradle:9.6.3'    }}...apply plugin: 're.obfuscator.dprotect'...dprotect {    configurations {        release {            defaultConfiguration 'proguard-android-optimize.txt'            configuration        'proguard-rules.pro'            configuration        'dprotect-rules.pro'        }        debug {            defaultConfiguration 'proguard-android.txt'            configuration        'proguard-rules.pro'        }    }}

Native Code Obfuscation

O-MVLL leverages the new LLVM pass manager to load the library plugin that embeds the obfuscation logic.

This new LLVM pass manager is available in the recent Android and xcode toolchains.

$ export OMVLL_CONFIG=/home/user/project/o-obf/o-config.py$ clang++ -fpass-plugin=/home/user/download/libOMVLL.so hello.cpp -o hello$ cmake .. \-DCMAKE_CXX_FLAGS="-fpass-plugin=/home/user/download/libOMVLL.so"$ ninja$ export CXXFLAGS="-fpass-plugin=/home/user/download/libOMVLL.so"$ ./configure$ make

Acknowledgements

O-LLVM is the first public LLVM-based obfuscator that was released in 2015 before becoming the strong.code’s product and eventually being bought by Snapchat.

O-LLVM
O-LLVM
The root of all the LLVM-based obfuscators.

dProtect is strongly based on Proguard and Proguard-Core two open-source projects developed by Guardsquare.

Guardsquare
Guardsquare
The creator of Proguard, DexGuard and iXGuard.

O-MVLL is based on LLVM which provides most of the functionalities to perform native code obfuscation.

LLVM
LLVM
A modular compiler and toolchain framework.

Whilst no longer maintained, Hikari added new and original obfuscation passes for iOS and Objective-C.

Hikari
Hikari
Hikari is an open-source LLVM Obfuscator.

The O-MVLL’s Python API relies on Pybind11.

Pybind11
Pybind11
Seamless operability between C++11 and Python.

The bootstrap of the O-MVLL’s JIT engine is inspired by DragonFFI.

DragonFFI
DragonFFI
C Foreign Function Interface and JIT using Clang/LLVM.

The idea of a pass-plugin obfuscator has been inspired by eShard’s obfuscator-llvm.

eShard
eShard
eShard is a company with an expertise in embedded software security.

Questions

Yes, it already exists several open-source projects that aim at protecting code against reverse engineering.

Compare to these projects, O-MVLL is different in the API used to configure and obfuscate the native code as well as in the design of some of obfuscation passes. On the other hand, dProtect is rooted by Proguard which is known by Android developers and thus, easier to integrate than other solutions.

In addition, this project is strongly attached to:

  • Providing a clean and in-depth documentation
  • Having an easy toolchain integration
  • Exposing a user-friendly API

From a personal standpoint, I really do believe that an open-source design does not – if wisely thought and used – weaken the overall protection against reverse engineering. Said differently, I believe that we can reach a good level of protection against reverse engineering even though the design is known.

Basically, obfuscation passes introduce overhead for the reverse engineering process but it is not an absolute protection. If this overhead is too high, the attacker could timeout or find a way to automate and potentially scale the deobfuscation process. The automation and the scalability of the deobfuscation could be mitigated in the design of the obfuscation.

In its current version, the design of the passes in O-MVLL and dProtect can be improved in a lot of ways, but at least the project is bootstrapped, documented, and open source.

I also do hope that the challenges are a good opportunity to assess and publish attacks on O-MVLL and dProtect which could be a benefit for both: reverse engineering and obfuscation.

Proguard is a Java bytecode optimizer and class names obfuscator developed by Guardsquare. On the other hand, dProtect is an extension of Proguard with an additional code obfuscation pipeline.

All the features of dProtect are highly grounded by Proguard and Proguard-Core. We “just” added code obfuscation passes to Proguard to improve the protection against reverse engineering.

The main difference lies in the API and some obfuscation passes. While most of the LLVM-based obfuscators rely on in-tree obfuscation passes configured with compilation flags, O-MVLL is different in the way that it uses out-of-tree passes configured with a Python API.

Short answer: all the contexts (personal, educational, commercial, etc) as long as it respects the LLVM License (Apache License 2.0) and Proguard License (GPL v2.0).

Open-obfuscator has been created to provide a free and open-source solution for reverse engineers and mobile developers. On one hand, to practice, challenge, and improve reverse engineering techniques as well as automation on obfuscated code. On the other hand, for developers to provide a solution to protect their applications.

You could use open-obfuscator for a commercial purposes but we don’t aim at providing a commercial support. If you have questions or special requests, you can reach out by email on ping@obfuscator.re.

Top