Bogus Control Flow

R1kk3r edited this page Jun 29, 2017 · 4 revisions


This method modifies a function's control flow graph by adding a new basic block in front of the current basic block. The new block evaluates an opaque predicate (an expression whose value is fixed but not obvious to the compiler) and then makes a conditional jump to the original basic block.

The original basic block is also cloned and filled up with junk instructions chosen at random.

Available Compiler Options

  • -mllvm -bcf: activates the bogus control flow pass
  • -mllvm -bcf_loop=3: if the pass is activated, applies it 3 times on a function. Default: 1
  • -mllvm -bcf_prob=40: if the pass is activated, a basic block will be obfuscated with a probability of 40%. Default: 30

Implemented Technique

Here is an example. The following C code snippet

#include <stdlib.h>
int main(int argc, char** argv) {
  int a = atoi(argv[1]);   /* the example assumes argv[1] is present */
  if(a == 0)
    return 1;
  else
    return 10;
  return 0;                /* unreachable, kept as in the example */
}

translates to the following intermediate representation:

[Figure: flow graph without BCF]

After the bogus control flow pass, we might obtain the following flow graph:

[Figure: flow graph with BCF]
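The transformation sketched above, written out at source level as an added example (this is not code from the page or from the obfuscator itself): the globals, the opaque predicate and the junk instructions are constructed for illustration, and the `goto`s stand in for the conditional jump the pass inserts.

```c
#include <stdint.h>

/* Globals read by the opaque predicate. Obfuscators use globals so the
 * optimizer cannot fold the predicate away; these values are constructed. */
static unsigned bcf_x = 0;
static int bcf_y = 0;

/* Opaque predicate: x*(x+1) is the product of two consecutive integers and
 * is therefore always even, so this expression is true for every x and y
 * (unsigned wrap-around preserves parity). The compiler cannot prove that,
 * so both outgoing edges of the new block survive. */
static int opaque_always_true(unsigned x, int y) {
    return (y < 10) || ((x * (x + 1u)) % 2u == 0u);
}

/* The basic block from the page's example, as a plain function. */
int original(int a) {
    if (a == 0)
        return 1;
    return 10;
}

/* What the BCF pass produces for that block: a new block evaluates the
 * opaque predicate and conditionally jumps either to the genuine block or
 * to a cloned copy that has been padded with junk instructions. */
int bogus_control_flow(int a) {
    int junk = a;                       /* state only the clone touches */
    if (opaque_always_true(bcf_x, bcf_y))
        goto real_block;
    goto cloned_block;

real_block:
    /* the original block, unchanged */
    if (a == 0)
        return 1;
    return 10;

cloned_block:
    /* never executed at run time: the clone with random junk mixed in */
    junk = (junk ^ 0x5A) + 3;
    junk = junk * 7 - (junk >> 2);
    if (a == 0)
        return 1 + junk;                /* wrong result, but unreachable */
    return 10 - junk;
}
```

The clone is dead code in practice, yet a disassembler or decompiler that does not know the predicate is constant must treat it as reachable, which is the whole point of the pass.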
