Bogus Control Flow

R1kk3r edited this page Jun 29, 2017 · 4 revisions


This method modifies a function's control-flow graph by inserting a new basic block in front of the current basic block. The new block evaluates an opaque predicate (a condition whose value is fixed by construction but is not obvious to an analyser) and then makes a conditional jump to the original basic block.

The original basic block is also cloned, and the clone is filled with junk instructions chosen at random.

Available Compiler Options

  • -mllvm -bcf: activates the bogus control flow pass
  • -mllvm -bcf_loop=3: if the pass is activated, applies it 3 times on a function. Default: 1
  • -mllvm -bcf_prob=40: if the pass is activated, a basic block will be obfuscated with a probability of 40%. Default: 30

Implemented Technique

Here is an example: the following C code snippet

```c
#include <stdlib.h>

int main(int argc, char** argv) {
  int a = atoi(argv[1]);   /* the example assumes argv[1] is present */
  if(a == 0)
    return 1;
  else
    return 10;
  return 0;                /* unreachable after the if/else above */
}
```

translates to the following intermediate representation:

[Figure: intermediate representation without BCF]

After the bogus control flow pass, we might obtain the following flow graph:

[Figure: flow graph with BCF]
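As an added example that is not part of the original page, here is a hand-written C version of what one iteration of the pass does to the function above. The opaque predicate (x*(x+1) is always even) and the junk placed in the cloned block are my own choices for illustration and are not quoted from the pass's source.

```c
#include <stdio.h>

/* Globals the optimiser cannot assume values for (constructed; not the pass's own). */
volatile unsigned int x = 0;
volatile unsigned int y = 0;

/* Opaque predicate: always true, since x*(x+1) is a product of two consecutive
 * integers and hence even (parity survives unsigned wrap-around). The compiler
 * cannot fold it without knowing x and y, so both successor blocks survive. */
static int opaque_true(void) {
    unsigned int xv = x;
    return (y < 10) || ((xv * (xv + 1)) % 2 == 0);
}

/* The page's original decision logic, without the argv handling. */
int original(int a) {
    if (a == 0) return 1;
    else return 10;
}

/* Hand-written equivalent of one bogus-control-flow iteration: a new entry
 * block evaluates the predicate; the "true" edge goes to the original block,
 * the never-taken "false" edge goes to a clone filled with junk arithmetic. */
int with_bcf(int a) {
    unsigned int junk = (unsigned int)a;
    if (opaque_true())
        goto original_block;
    /* Cloned block: same shape as the original, operands altered with junk. */
    junk = junk * 7u;
    junk ^= 0x5au;
    junk -= (unsigned int)a;
    if (junk == 0) return 1;
    else return 10;
original_block:
    if (a == 0) return 1;
    else return 10;
}

/* Equivalence check: returns 1 if both functions agree on every a in [lo, hi]. */
int equivalent(int lo, int hi) {
    for (int a = lo; a <= hi; a++)
        if (with_bcf(a) != original(a))
            return 0;
    return 1;
}

int main(void) {
    printf("equivalent on [-1000, 1000]: %d\n", equivalent(-1000, 1000));
    return 0;
}
```

Compiling with optimisation and comparing the two functions' disassembly shows the extra block and branch the predicate keeps alive, which is the pattern an analyst learns to recognise when unpicking this pass.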