Obfuscation

Config

class omvll.ObfuscationConfig(self: omvll.ObfuscationConfig)

This class must be inherited by the user to define where and how the obfuscation passes must be enabled.

anti_hooking(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function) -> omvll.AntiHookOpt

The default user-callback to enable hooking protection.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | ArithmeticOpt(True) |
| False | ArithmeticOpt(False) |
| None | ArithmeticOpt(False) |

See the anti-hook documentation.

break_control_flow(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function) -> omvll.BreakControlFlowOpt

The default user-callback for the pass that breaks the control flow.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | BreakControlFlowOpt(True) |
| False | BreakControlFlowOpt(False) |
| None | BreakControlFlowOpt(False) |

See the control-flow-breaking documentation.

flatten_cfg(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function) -> omvll.ControlFlowFlatteningOpt

The default user-callback used to configure the control-flow flattening pass.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | ControlFlowFlatteningOpt(True) |
| False | ControlFlowFlatteningOpt(False) |
| None | ControlFlowFlatteningOpt(False) |

See the control-flow-flattening documentation.

obfuscate_arithmetic(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function) -> omvll.ArithmeticOpt

The default user-callback when obfuscating arithmetic operations.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | AntiHookOpt(True) |
| False | AntiHookOpt(False) |
| None | AntiHookOpt(False) |

See the arithmetic documentation.

obfuscate_constants(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function) -> Union[omvll.OpaqueConstantsSkip, omvll.OpaqueConstantsBool, omvll.OpaqueConstantsLowerLimit, omvll.OpaqueConstantsSet]

The default user-callback to obfuscate constants.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | OpaqueConstantsBool(True) |
| False | OpaqueConstantsBool(False) |
| None | OpaqueConstantsBool(False) |
| list(int ...) | OpaqueConstantsSet(int ...) |

See the opaque-constants documentation.

obfuscate_string(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function, string: str) -> Union[omvll.StringEncOptSkip, omvll.StringEncOptStack, omvll.StringEncOptGlobal, omvll.StringEncOptReplace, omvll.StringEncOptDefault]

The default user-callback used to configure string obfuscation.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| None | StringEncOptSkip |
| False | StringEncOptSkip |
| True | StringEncOptDefault |
| str | StringEncOptReplace |
| bytes | StringEncOptReplace |

See the strings-encoding documentation.

obfuscate_struct_access(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function, struct: omvll.Struct) -> omvll.StructAccessOpt

The default user-callback when obfuscating structure accesses.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | StructAccessOpt(True) |
| False | StructAccessOpt(False) |
| None | StructAccessOpt(False) |

See the opaque-fields-access documentation.

obfuscate_variable_access(self: omvll.ObfuscationConfig, module: omvll.Module, function: omvll.Function, variable: omvll.GlobalVariable) -> omvll.VarAccessOpt

The default user-callback when obfuscating global variable accesses.

In addition to the associated class options, O-MVLL interprets these return values as follows:

| Return Value | Interpretation |
|---|---|
| True | VarAccessOpt(True) |
| False | VarAccessOpt(False) |
| None | VarAccessOpt(False) |

See the opaque-fields-access documentation.

Template

Here is a template for the main O-MVLL configuration file:

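import omvll
from functools import lru_cache

class MyConfig(omvll.ObfuscationConfig):
    def __init__(self):
        super().__init__()

    def obfuscate_string(self, module: omvll.Module, func: omvll.Function,
                         string: bytes):

        # True: let O-MVLL choose the protection (StringEncOptDefault)
        if func.demangled_name == "Hello::say_hi()":
            return True

        # str: replace the string (StringEncOptReplace)
        if "debug.cpp" in module.name:
            return "<REMOVED>"

        # False: leave the string unprotected (StringEncOptSkip)
        return False


# Entry point looked up by O-MVLL; the cache keeps a single config instance
@lru_cache(maxsize=1)
def omvll_get_config() -> omvll.ObfuscationConfig:
    return MyConfig()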

Options

Anti-Hooking

class omvll.AntiHookOpt(self: omvll.AntiHookOpt, value: bool)

Option for the omvll.ObfuscationConfig.anti_hooking() protection.

This option only accepts a boolean value (e.g. AntiHookOpt(True)).

Arithmetic Obfuscation

class omvll.ArithmeticOpt(*args, **kwargs)

Option for the omvll.ObfuscationConfig.obfuscate_arithmetic() protection.

This option defines the number of rounds to transform arithmetic expressions (e.g. ArithmeticOpt(3)). It also accepts a boolean value which defers the number of rounds to O-MVLL (e.g. ArithmeticOpt(True)).

Overloaded function.

  1. __init__(self: omvll.ArithmeticOpt, rounds: int) -> None

  2. __init__(self: omvll.ArithmeticOpt, value: bool) -> None

Control-Flow Breaking

class omvll.BreakControlFlowOpt(self: omvll.BreakControlFlowOpt, arg0: bool)

Option for the omvll.ObfuscationConfig.break_control_flow() protection.

This boolean option determines whether the protection must be enabled (e.g. BreakControlFlowOpt(True)).

Control-Flow Flattening

class omvll.ControlFlowFlatteningOpt(self: omvll.ControlFlowFlatteningOpt, value: bool)

Option for the omvll.ObfuscationConfig.flatten_cfg() protection.

This boolean option determines whether the protection must be enabled (e.g. ControlFlowFlatteningOpt(False)).

Opaque Constants

class omvll.OpaqueConstantsBool(self: omvll.OpaqueConstantsBool, value: bool)

Option for the omvll.ObfuscationConfig.obfuscate_constants() protection.

This option defines whether or not the constants must be obfuscated. If the value is set to False, the constants are not protected; otherwise, all the constants are protected.

class omvll.OpaqueConstantsLowerLimit(self: omvll.OpaqueConstantsLowerLimit, limit: int)

Option for the omvll.ObfuscationConfig.obfuscate_constants() protection.

This option defines the lower limit from which constants must be obfuscated (e.g. OpaqueConstantsLowerLimit(100)).

class omvll.OpaqueConstantsSet(self: omvll.OpaqueConstantsSet, constants: List[int])

Option for the omvll.ObfuscationConfig.obfuscate_constants() protection.

This option takes a list of constants that must be protected by the pass (e.g. OpaqueConstantsSet([0x12234, 1, 2])).

class omvll.OpaqueConstantsSkip(self: omvll.OpaqueConstantsSkip)

Option for the omvll.ObfuscationConfig.obfuscate_constants() protection.

Alias for OpaqueConstantsBool(False).

Opaque Fields Access

class omvll.StructAccessOpt(self: omvll.StructAccessOpt, arg0: bool)

Option for the omvll.ObfuscationConfig.obfuscate_struct_access() protection.

This boolean option determines whether the protection must be enabled (e.g. StructAccessOpt(True)).

class omvll.VarAccessOpt(self: omvll.VarAccessOpt, arg0: bool)

Option for the omvll.ObfuscationConfig.obfuscate_variable_access() protection.

This boolean option determines whether the protection must be enabled (e.g. VarAccessOpt(True)).

Strings Encoding

class omvll.StringEncOptSkip(self: omvll.StringEncOptSkip)

Option for the omvll.ObfuscationConfig.obfuscate_string() protection.

This option can be used to not protect the string given in the callback’s parameters.

class omvll.StringEncOptReplace(*args, **kwargs)

Option for the omvll.ObfuscationConfig.obfuscate_string() protection.

This option determines the new string that replaces the one from the parameter.

Overloaded function.

  1. __init__(self: omvll.StringEncOptReplace) -> None

    Construct an empty string.

  2. __init__(self: omvll.StringEncOptReplace, new_string: str) -> None

class omvll.StringEncOptGlobal(self: omvll.StringEncOptGlobal)

Option for the omvll.ObfuscationConfig.obfuscate_string() protection.

This option protects the string in a global constructor.

Warning

With this option, the string will be in clear as soon as the binary is loaded.

class omvll.StringEncOptDefault(self: omvll.StringEncOptDefault)

Option for the omvll.ObfuscationConfig.obfuscate_string() protection.

Option that defers the choice of the protection to O-MVLL.

class omvll.StringEncOptStack(*args, **kwargs)

Option for the omvll.ObfuscationConfig.obfuscate_string() protection.

This option protects the string with a stack decoding.

Danger

For large strings, this option can introduce a huge overhead if the loopThreshold is not used.

Overloaded function.

  1. __init__(self: omvll.StringEncOptStack) -> None

  2. __init__(self: omvll.StringEncOptStack, loopThreshold: int) -> None

    Constructor that defines the string length threshold from which the decoding routine must be looped.
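
A fuller configuration than the template, as an added example (not O-MVLL's own code): it returns explicit option objects from three callbacks, scopes them to functions in hypothetical `license::` and `crypto::` namespaces, and passes a loopThreshold to StringEncOptStack to bound the overhead the Danger note describes. The namespace prefixes, constants and threshold are constructed values, and the `ImportError` fallback is an assumption that lets the policy be unit-tested on a host where the plugin is not installed.

```python
from functools import lru_cache
from types import SimpleNamespace

try:
    import omvll
except ImportError:
    # Assumption: plugin not installed (e.g. CI unit tests). Stand-ins record
    # constructor arguments so the policy below can still be exercised.
    def _stub(name):
        return type(name, (), {"__init__": lambda self, *a: setattr(self, "args", a)})
    omvll = SimpleNamespace(ObfuscationConfig=object, **{n: _stub(n) for n in (
        "StringEncOptSkip", "StringEncOptStack", "StringEncOptReplace",
        "OpaqueConstantsSet", "OpaqueConstantsSkip", "ArithmeticOpt")})

SENSITIVE_PREFIXES = ("license::", "crypto::")  # hypothetical namespaces
PROTECTED_CONSTANTS = [0x5A17, 0xC0FFEE]         # constructed sample values
LOOP_THRESHOLD = 16                              # constructed sample value


class HardenedConfig(omvll.ObfuscationConfig):
    def __init__(self):
        super().__init__()

    @staticmethod
    def _sensitive(func) -> bool:
        return func.demangled_name.startswith(SENSITIVE_PREFIXES)

    def obfuscate_string(self, module, func, string):
        if "debug.cpp" in module.name:
            return omvll.StringEncOptReplace("<REMOVED>")
        if self._sensitive(func):
            # Stack decoding, looped for strings at or above the threshold
            return omvll.StringEncOptStack(LOOP_THRESHOLD)
        return omvll.StringEncOptSkip()

    def obfuscate_constants(self, module, func):
        if self._sensitive(func):
            return omvll.OpaqueConstantsSet(PROTECTED_CONSTANTS)
        return omvll.OpaqueConstantsSkip()

    def obfuscate_arithmetic(self, module, func):
        return omvll.ArithmeticOpt(3) if self._sensitive(func) else False


@lru_cache(maxsize=1)
def omvll_get_config() -> omvll.ObfuscationConfig:
    return HardenedConfig()
```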