Obfuscate
llvm-string-obfuscator
Obfuscate | llvm-string-obfuscator | |
---|---|---|
1 | 2 | |
1,108 | 259 | |
1.0% | 5.0% | |
4.9 | 3.6 | |
7 months ago | over 3 years ago | |
C++ | C++ | |
The Unlicense | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Obfuscate
-
How do I prevent abuse to my app?
if you hardcode the api key into your app, the apk can always get decompiled (apk -> dex -> dex2jar -> jar -> java decompiler). I personally hardcode sensitive api keys in C code, as #define constants. I use this class to obfiscate the C string constants. then I expose functions returning the api keys from C to java via JNI. I also use a mechanism to verify the apk signature, so that the C methods will only be called from the correct application (without this, others could take the .so library, include in their project, and just call the c functions from java / kotlin side, to get the api key). There was an article about this online, but i cannot find it right now.
llvm-string-obfuscator
-
Hacking 700M Electronic Arts Accounts
There's at least one plugin for LLVM to obfuscate strings from binaries [1], and for Android there is DexGuard [2]. The general idea is to make life as difficult as possible for reverse engineers, crackers and whomever else - hardcoded stuff just showing up in "cat .binfile | strings" is about the first thing I do when investigating some random stuff, and there's tools like binwalk that can automatically do stuff like extracting PEM certificates and other easily identifiable content.
[1] https://github.com/tsarpaul/llvm-string-obfuscator
[2] https://www.guardsquare.com/dexguard
-
Custom LLVM Pass
For my use case, I need to create a llvm plugin which does some basic obfuscation to deter reversing of my application. I'm well aware obfuscation will not fully protect my application, but would like to implement it because one, the concept is interesting to me, and two, it will serve as a barrier to entry and might discourage some lazy bad actors. As an example, I have been referencing this project https://github.com/tsarpaul/llvm-string-obfuscator/blob/master/StringObfuscator/StringObfuscator.cpp , but would like to keep my code base totally in rust. I've searched around crates.io and can't find any library exposing bindings to the plugin pass api of llvm. Is there a crate already available to facilitate creating llvm passes in rust, or does anyone have any resources to suggest which could get me on the right path? I've created basic sys bindings for a c++ library (https://github.com/0xFounders/detour-sys), but am not an expert and was hoping there was already an established way to access the llvm pass api in rust.
What are some alternatives?
span-lite - span lite - A C++20-like span for C++98, C++11 and later in a single-file header-only library
ngPost - Command Line (or minimalist GUI) usenet poster for binaries developped in C++/QT designed to be as fast as possible and offer all the main features to post data easily and safely. Releases for Linux, Windows and MacOS are available.
inline_syscall - Inline syscalls made easy for windows on clang
lazy_importer - library for importing functions from dlls in a hidden, reverse engineer unfriendly way
filesystem - An implementation of C++17 std::filesystem for C++11 /C++14/C++17/C++20 on Windows, macOS, Linux and FreeBSD.
heavydb - HeavyDB (formerly OmniSciDB)
kfr - Fast, modern C++ DSP framework, FFT, Sample Rate Conversion, FIR/IIR/Biquad Filters (SSE, AVX, AVX-512, ARM NEON)
detour-sys
doctest - The fastest feature-rich C++11/14/17/20/23 single-header testing framework
crates.io - The Rust package registry