Code Obfuscation

Code obfuscation is a program transformation technique that makes the transformed program harder to understand and to reverse engineer while preserving its functionality. Several well-known obfuscation transformations are implemented in Loco. For example, the control flow flattening introduced by Wang is implemented in Loco, and this obfuscation technique is evaluated in one of our papers: "Deobfuscation: Reverse Engineering Obfuscated Code".
Using a simple example, we will show how Loco (Diablo, extended with the GUI Lancet and with code obfuscation transformations) works.

STILO: SToring Information in Linked Object-files

STILO is a steganographic tool for binary programs. It has been presented at the International Conference on Information Security and Cryptology (ICISC) 2004. See the publications page for details on the article or download the slides that have been presented at the conference.

Three kinds of redundancy in programs are exploited to embed information:

  • Instruction Selection: many operations can be accomplished through the use of different instructions

Link-time compaction

Diablo has proven to be well suited for building link-time compaction tools. We have built and published several compaction tools for different architectures and platforms. Examples are ARM ADS and ARM RVCT, ARM Linux, i386 Linux with both glibc and uclibc, MIPS Linux, IA64 Linux, ...
A PowerPC backend is in development, as is an x86-64 backend.

You can get an overview of the current compaction results from our regression scripts.

Overview of the compaction results

Select a platform to see its latest regression results:

  • Diablo/i386 regression test results
  • mibench/mediabench
  • SPECint2k

How to install a patched toolchain for ia32

Below we describe the installation instructions for a patched ia32 toolchain consisting of binutils-2.16.1, gcc-4.0.2 and glibc-2.3.6.
If you are building this toolchain on a Linux box with a 2.6 kernel, you will need to download kernel headers for the installation of glibc. You can download these headers here.

  1. Download all necessary files to some directory (say:/tmp). [http://ftp.gnu.org/gnu/binutils/, http://gcc.gnu.org/mirrors.html, http://ftp.gnu.org/gnu/glibc/]

Why is the number of arguments to DiabloBrokerCallInstall variable?

When some of the arguments of the function to be installed are declared constant, the extra arguments specify the values of those constant arguments. This way several functions can be installed under the same name, each for a different value of the constant arguments. When the function is subsequently called, the installed function whose constant value matches the actual argument is selected.
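The selection mechanism described above, as an added illustration in plain C: a toy broker registry (not Diablo's own DiabloBrokerCallInstall implementation, whose real signature and internals are not shown on this page). The handler signature, the architecture constants and the fallback-to-generic rule are assumptions made for the example; the point it demonstrates is how a variable number of trailing arguments lets several handlers share one name and be chosen by the value of a constant argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy broker; it mirrors the idea of installing several handlers
   under one name, each bound to a fixed value of a "constant" argument. */

#define MAX_HANDLERS 16

/* Assumed handler signature: (architecture, optimisation level) -> result */
typedef int (*handler_fn)(int arch, int optlevel);

/* Assumed architecture identifiers used as the constant argument. */
enum { ARCH_ARM = 1, ARCH_I386 = 2, ARCH_MIPS = 3 };

typedef struct {
    const char *name;
    handler_fn fn;
    int has_const_arch;  /* was a fixed value supplied for 'arch' at install time? */
    int const_arch;      /* that fixed value, if any */
} handler_t;

static handler_t handlers[MAX_HANDLERS];
static int nhandlers = 0;

/* Forget every installed handler (used for repeatable tests). */
void broker_reset(void) { nhandlers = 0; }

/* Install a handler. nconst is 0 (generic handler) or 1, in which case the
   trailing variadic argument is the constant value of 'arch'. Returns the
   slot index, or -1 when the registry is full. */
int broker_install(const char *name, handler_fn fn, int nconst, ...)
{
    if (nhandlers >= MAX_HANDLERS) return -1;
    handler_t *h = &handlers[nhandlers];
    h->name = name;
    h->fn = fn;
    h->has_const_arch = 0;
    if (nconst > 0) {
        va_list ap;
        va_start(ap, nconst);
        h->const_arch = va_arg(ap, int);   /* the value this handler is specialised for */
        h->has_const_arch = 1;
        va_end(ap);
    }
    return nhandlers++;
}

/* Call the handler registered under 'name': a handler whose constant value
   equals the actual 'arch' wins; otherwise a generic handler (installed
   without a constant) is used. Returns 1 on success, 0 if nothing matched. */
int broker_call(const char *name, int arch, int optlevel, int *result)
{
    handler_t *fallback = NULL;
    for (int i = 0; i < nhandlers; i++) {
        handler_t *h = &handlers[i];
        if (strcmp(h->name, name) != 0) continue;
        if (h->has_const_arch) {
            if (h->const_arch == arch) { *result = h->fn(arch, optlevel); return 1; }
        } else if (fallback == NULL) {
            fallback = h;
        }
    }
    if (fallback != NULL) { *result = fallback->fn(arch, optlevel); return 1; }
    return 0;
}

/* Three constructed handlers; the return values only make the selection visible. */
static int arm_peephole(int arch, int optlevel)     { (void)arch; return 100 + optlevel; }
static int i386_peephole(int arch, int optlevel)    { (void)arch; return 200 + optlevel; }
static int generic_peephole(int arch, int optlevel) { (void)arch; return 900 + optlevel; }

int main(void)
{
    int r;
    broker_install("peephole", arm_peephole, 1, ARCH_ARM);    /* specialised for ARM */
    broker_install("peephole", i386_peephole, 1, ARCH_I386);  /* specialised for i386 */
    broker_install("peephole", generic_peephole, 0);          /* no constant: generic */
    broker_call("peephole", ARCH_ARM, 2, &r);  printf("ARM  -> %d\n", r);  /* 102 */
    broker_call("peephole", ARCH_MIPS, 2, &r); printf("MIPS -> %d\n", r);  /* 902 */
    return 0;
}
```

The generic handler deliberately comes last in main; the lookup in broker_call prefers an exact constant match regardless of installation order, so the specialised ARM and i386 handlers are still chosen for those architectures.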

Lancet, A Nifty Code Editing Tool

New tool: Lancet
Not available for download yet, but we added a page on Lancet, a new tool that will be included in the upcoming 0.4 release.

Invocation

Invoking Diablo is as simple as:

diablo [options] <executable>

where the executable must be located in one of the directories of the object path.

Diablo has many options (you can see the complete list by typing diablo --help). Here, we limit ourselves to the most important ones:

  • -O: set the object path, a colon-separated list of directories where the object files of the program reside. You can also set this via the environment variable OBJPATH.
  • -L: set the library path, a colon-separated list of directories where the libraries linked to the program reside. You can also set this via the environment variable LIBPATH.

Input files

In order to successfully compact a program, Diablo needs more than just the program executable:

  • The statically linked executable. Dynamic linking is not yet supported by Diablo! Make sure to use a patched toolchain to create the executables you want to optimize with Diablo. The reasons for this requirement can be found in this FAQ item. The patches themselves (and a number of precompiled tool chains) can be obtained from the download page.