limba

Compile-time control flow obfuscation using MBA (Mixed Boolean-Arithmetic). This project is derived from another project I am working on named limbo, which is why the project files use this name. Keep in mind that this is more of a proof of concept than something ready to use in production code.

Description

Control flow between function calls is fairly easy to trace in normal binaries.

<details> <summary>Pre-obfuscation pictures</summary>

before_xref
before_call

</details>

limba generates boilerplate code that obfuscates the actual jump address using MBA. The MBA rewrite rules and the address offset are randomized on each compilation to hinder analysis. Note that the function body itself is NOT obfuscated and is still present in the binary; only function calls are obfuscated.

<details> <summary>Post-obfuscation pictures</summary>

after_xref
after_call
after_mba

</details>
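An added example (not limba's own code) of the idea described above: the call target is stored as `target - offset` and rebuilt at the call site through an MBA expression, followed by the check an analyst can run to confirm the expression reduces to plain addition. The identities are standard MBA rewrites; `DEMO_OFFSET`, the function names and the fixed choice of rules are assumptions, since the rules limba emits are randomized and not listed on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard MBA identities: both equal x + y modulo 2^N. */
static uintptr_t mba_add_xor(uintptr_t x, uintptr_t y) { return (x ^ y) + 2 * (x & y); }
static uintptr_t mba_add_or(uintptr_t x, uintptr_t y)  { return (x | y) + (x & y); }
/* Equals x - y modulo 2^N. */
static uintptr_t mba_sub(uintptr_t x, uintptr_t y)     { return (x ^ y) - 2 * (~x & y); }

typedef int (*binop_fn)(int, int);
static int add_ints(int a, int b) { return a + b; }  /* constructed callee */

/* Constructed stand-in for the offset that would be randomized per build. */
#define DEMO_OFFSET ((uintptr_t)0x5A17C3u)

/* Value kept in place of a direct reference to the callee: target - offset. */
uintptr_t encode_target(binop_fn f) { return mba_sub((uintptr_t)f, DEMO_OFFSET); }

/* Call site: rebuild the address through an MBA expression, call indirectly.
   Casting between function pointers and uintptr_t is implementation-defined
   but works on mainstream desktop ABIs. */
int call_encoded(uintptr_t enc, int a, int b) {
    binop_fn f = (binop_fn)mba_add_xor(enc, DEMO_OFFSET);
    return f(a, b);
}

/* Analyst's view: test the expressions against plain arithmetic on an edge
   case and pseudo-random inputs. Zero mismatches is evidence (not a proof)
   that each expression can be simplified to x + y or x - y. */
unsigned count_mismatches(unsigned rounds) {
    uint64_t s = 0x9E3779B97F4A7C15ull;           /* xorshift64 state */
    uintptr_t x = 0, y = (uintptr_t)-1;           /* first pair: 0 and all-ones */
    unsigned bad = 0;
    for (unsigned i = 0; i < rounds; i++) {
        bad += mba_add_xor(x, y) != x + y;
        bad += mba_add_or(x, y) != x + y;
        bad += mba_sub(x, y) != x - y;
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        x = (uintptr_t)s;
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        y = (uintptr_t)s;
    }
    return bad;
}

int main(void) {
    uintptr_t enc = encode_target(add_ints);
    printf("result=%d mismatches=%u\n", call_encoded(enc, 2, 3), count_mismatches(100000));
    return 0;
}
```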

Support

Usage

The included example uses premake for project configuration. You can generate the project files by running premake5 vs2022 in the root folder. Alternatively, the relevant header files can be copied into your own project.

Sample usage:

LIMBO_OBFUSCATED_FUNC(<ret_type>, <function_name>, <func_params>)
{
	// function body

	return <ret_value>;
}

Limitations

Acknowledgements

Great open-source projects that were a great help during development