Othread Obfuscator

Othread is an obfuscation tool based on LLVM, which can perfectly realize the obfuscation of C/C++ code under the Windows platform of x86 architecture.

0x01 Principle

We present a confusion idea called Execution trajectory obfuscation which make the program execution trajectory with function as the unit converted from the call execution in a single thread to the jump execution in the mode of repeated switching between multiple threads. Experiment results show that the application of this obfuscation algorithm program can effectively resist the mainstream reverse analysis methods, and at the same time has a low impact on the efficiency of program execution.

0x02 How to use

Compile the source code and ".\source\template\templateFileForOthread.cpp" into LLVM intermedia representation
Utilize llvm-link to merge all intermedia representation files into one
Input the file generated by step2, ".\obfuscator\othread.exe" will output obfuscated intermedia representation
Link the file output by step3 to generate an executable file

Usage: othread.exe ..\example\aes\aes.bc ..\example\aes\aes-obf.bc

0x03 Example

aes symmetric cryptographic algorithm Usage:aes.exe
rsa asymmetric cryptographic algorithm Usage:rsa.exe
gzip Compression algorithm Usage:gzip.exe ./data/input.combined
parser Lexical analyzer Usage:parser.exe 2.1.dict
twoif Simulated annealing algorithm Usage:twoif.exe ./data/test

Table1 Program execution efficiency before and after obfuscation

example	before(s)	after(s)	efficiency
aes	0.004	0.004	95%
rsa	0.243	0.277	87.7%
gzip	21.379	23.255	89.1%
parser	0.302	0.852	35.4%
twoif	0.128	0.447	28.6%

Due to the time loss caused by the communication between threads, Othead is mainly suitable for functional programs, the execution efficiency of highly computationally intensive programs (one function called over 10000000 times like simulated annealing algorithm) has decreased significantly