The Control Flow Obfuscation module implements compile-time C/C++ control flow obfuscation whose output changes with every compilation. This helps protect the original flow of a function and makes analysis harder.

Example Binaries

Want to look at the result in your favorite disassembler? Please request example binaries here.

Control Flow Obfuscation Example

// Call target for the demo: prints a fixed message and always reports false.
bool test_function()
{
   const bool result = false;
   printf("This function was called now.");
   return result;
}

// Thin wrapper that forwards test_function to libantispy::corrupt_call with
// the template argument N. main() instantiates it with N = 79 and labels
// that value the "depth".
// NOTE(review): what corrupt_call does with N and with the callable is not
// visible in this example -- consult the library's own documentation.
template <size_t N>
void test_call_corruption() {
   libantispy::corrupt_call<N>(test_function);
}

// Entry point of the demo: prints a banner, then makes the obfuscated call.
// Both command-line parameters are unused.
int main(int, char **) {
   // Depth handed to the obfuscation wrapper as its template argument.
   static const size_t kDepth = 79;

   printf("This is the entry point.");
   test_call_corruption<kDepth>();
   return 0;
}

Since this sample is only for demonstration purposes, it should have an easy and simple control flow, shouldn't it?

Control Flow Obfuscation Assembly Output

 ; int __cdecl main(int argc, const char **argv, const char **envp)
 ;
 ; Disassembler listing (Intel operand order) of main() from the C++ example
 ; after obfuscation. Reading only what is visible here:
 ;   - IsDebuggerPresent() == 0: control jumps straight to loc_14000199A,
 ;     which makes one direct call to unk_1400010F0 and returns.
 ;   - IsDebuggerPresent() != 0: a loop writes zero bytes at descending
 ;     addresses below var_40, then three indirect calls are made through
 ;     pointers assembled in stack slots.
 ; Every compare chain below tests a selector that was stored as an immediate
 ; just before it, so exactly one arm of each chain is reachable in this
 ; listing; the other arms are never executed.
 ; unk_1400010F0 is presumably test_function (it is the only direct call
 ; target besides the API import) -- confirm against the binary.
 main            proc near               ; CODE XREF: sub_140001110+19p
                                         ; DATA XREF: .pdata:0000000140009084o

; Reserve 0C8h bytes of stack for the locals.
sub     rsp, 0C8h
; var_40 = 0: result slot that is tested again at loc_14000199A.
mov     [rsp+0C8h+var_40], 0
call    cs:IsDebuggerPresent ; simplified, not visible in production use
; var_A8 = (return value != 0) ? 1 : 0
test    eax, eax
jz      short loc_140001704
mov     [rsp+0C8h+var_A8], 1
jmp     short loc_140001709
; ---------------------------------------------------------------------------

loc_140001704:                          ; CODE XREF: main+1Bj
mov     [rsp+0C8h+var_A8], 0

loc_140001709:                          ; CODE XREF: main+22j
; No debugger reported (var_A8 == 0): skip everything up to loc_14000199A.
movzx   eax, [rsp+0C8h+var_A8]
test    eax, eax
jz      loc_14000199A
; Debugger path: loop counter var_80 starts at 1.
mov     [rsp+0C8h+var_80], 1
jmp     short loc_14000172E
; ---------------------------------------------------------------------------

loc_140001721:                          ; CODE XREF: main+83j
; ++var_80
mov     rax, [rsp+0C8h+var_80]
inc     rax
mov     [rsp+0C8h+var_80], rax

loc_14000172E:                          ; CODE XREF: main+3Fj
; Loop while var_80 < 1000h (unsigned compare, jnb exits).
; Body: var_38 = &var_40 - 8*var_80, then one zero byte is stored there.
; The target address decreases with every iteration.
; NOTE(review): if the var_NN names are the usual frame offsets (-NNh),
; &var_40 - 8*8 is var_80 itself, so the counter's low byte would be cleared
; when var_80 == 8 and the loop would restart instead of reaching 1000h.
; The listing is marked as simplified -- confirm against a real binary.
cmp     [rsp+0C8h+var_80], 1000h
jnb     short loc_140001765
mov     rax, [rsp+0C8h+var_80]
shl     rax, 3
lea     rcx, [rsp+0C8h+var_40]
sub     rcx, rax
mov     rax, rcx
mov     [rsp+0C8h+var_38], rax
mov     rax, [rsp+0C8h+var_38]
mov     byte ptr [rax], 0 ; destroy stack
jmp     short loc_140001721
; ---------------------------------------------------------------------------

loc_140001765:                          ; CODE XREF: main+57j
; Selector var_70 is stored as 1 and compared at once: only the "== 1" arm
; (loc_140001788) is taken; the other three arms are not reached.
mov     [rsp+0C8h+var_70], 1
cmp     [rsp+0C8h+var_70], 1
jz      short loc_140001788
cmp     [rsp+0C8h+var_70], 2
jz      short loc_140001799
cmp     [rsp+0C8h+var_70], 3
jz      short loc_1400017A7
jmp     short loc_1400017B8
; ---------------------------------------------------------------------------

loc_140001788:                          ; CODE XREF: main+94j
; Taken arm: var_A0 = address of unk_1400010F0 + 1.
lea     rax, unk_1400010F0
inc     rax
mov     [rsp+0C8h+var_A0], rax
jmp     short loc_1400017C4
; ---------------------------------------------------------------------------

loc_140001799:                          ; CODE XREF: main+9Cj
; Not reached (var_70 is 1): would store the unmodified address.
lea     rax, unk_1400010F0
mov     [rsp+0C8h+var_A0], rax
jmp     short loc_1400017C4
; ---------------------------------------------------------------------------

loc_1400017A7:                          ; CODE XREF: main+A4j
; Not reached (var_70 is 1): same stores as loc_140001788.
lea     rax, unk_1400010F0
inc     rax
mov     [rsp+0C8h+var_A0], rax
jmp     short loc_1400017C4
; ---------------------------------------------------------------------------

loc_1400017B8:                          ; CODE XREF: main+A6j
; Not reached (var_70 is 1): same stores as loc_140001799.
lea     rax, unk_1400010F0
mov     [rsp+0C8h+var_A0], rax

loc_1400017C4:                          ; CODE XREF: main+B7j
                       ; main+C5j ...
; Selector var_68 is stored as 1: only loc_1400017E7 is taken.
mov     [rsp+0C8h+var_68], 1
cmp     [rsp+0C8h+var_68], 1
jz      short loc_1400017E7
cmp     [rsp+0C8h+var_68], 2
jz      short loc_1400017F6
cmp     [rsp+0C8h+var_68], 3
jz      short loc_140001802
jmp     short loc_140001811
; ---------------------------------------------------------------------------

loc_1400017E7:                          ; CODE XREF: main+F3j
; Taken arm: var_60 = var_A0 + 1. var_60 is not read again in this listing.
mov     rax, [rsp+0C8h+var_A0]
inc     rax
mov     [rsp+0C8h+var_60], rax
jmp     short loc_14000181B
; ---------------------------------------------------------------------------

loc_1400017F6:                          ; CODE XREF: main+FBj
; Not reached (var_68 is 1).
mov     rax, [rsp+0C8h+var_A0]
mov     [rsp+0C8h+var_60], rax
jmp     short loc_14000181B
; ---------------------------------------------------------------------------

loc_140001802:                          ; CODE XREF: main+103j
; Not reached (var_68 is 1).
mov     rax, [rsp+0C8h+var_A0]
inc     rax
mov     [rsp+0C8h+var_60], rax
jmp     short loc_14000181B
; ---------------------------------------------------------------------------

loc_140001811:                          ; CODE XREF: main+105j
; Not reached (var_68 is 1).
mov     rax, [rsp+0C8h+var_A0]
mov     [rsp+0C8h+var_60], rax

loc_14000181B:                          ; CODE XREF: main+114j
                       ; main+120j ...
; var_88 = address of unk_140005410 (the added offset in rax is 0).
xor     eax, eax
lea     rcx, unk_140005410
add     rcx, rax
mov     rax, rcx
mov     [rsp+0C8h+var_88], rax
; Selector var_58 is stored as 0: none of 1/2/3 matches, so the fall-through
; jump to loc_140001882 is taken. All four arms perform the same store,
; var_50 = var_88 + 8, and var_50 is not read again in this listing.
mov     [rsp+0C8h+var_58], 0
cmp     [rsp+0C8h+var_58], 1
jz      short loc_140001852
cmp     [rsp+0C8h+var_58], 2
jz      short loc_140001862
cmp     [rsp+0C8h+var_58], 3
jz      short loc_140001872
jmp     short loc_140001882
; ---------------------------------------------------------------------------

loc_140001852:                          ; CODE XREF: main+15Ej
; Not reached (var_58 is 0).
mov     rax, [rsp+0C8h+var_88]
add     rax, 8
mov     [rsp+0C8h+var_50], rax
jmp     short loc_140001890
; ---------------------------------------------------------------------------

loc_140001862:                          ; CODE XREF: main+166j
; Not reached (var_58 is 0).
mov     rax, [rsp+0C8h+var_88]
add     rax, 8
mov     [rsp+0C8h+var_50], rax
jmp     short loc_140001890
; ---------------------------------------------------------------------------

loc_140001872:                          ; CODE XREF: main+16Ej
; Not reached (var_58 is 0).
mov     rax, [rsp+0C8h+var_88]
add     rax, 8
mov     [rsp+0C8h+var_50], rax
jmp     short loc_140001890
; ---------------------------------------------------------------------------

loc_140001882:                          ; CODE XREF: main+170j
; Taken arm (default case).
mov     rax, [rsp+0C8h+var_88]
add     rax, 8
mov     [rsp+0C8h+var_50], rax

loc_140001890:                          ; CODE XREF: main+180j
                       ; main+190j ...
; var_30 = address of unk_140005430 (the added offset in rax is 0).
xor     eax, eax
lea     rcx, unk_140005430
add     rcx, rax
mov     rax, rcx
mov     [rsp+0C8h+var_30], rax
; rax = 1 * 0 = 0, so var_78 = address of unk_140005418 + 1.
mov     eax, 1
imul    rax, 0
lea     rcx, unk_140005418
lea     rax, [rcx+rax+1]
mov     [rsp+0C8h+var_78], rax
; Selector var_48 is stored as 3: only loc_140001910 is taken.
mov     [rsp+0C8h+var_48], 3
cmp     [rsp+0C8h+var_48], 1
jz      short loc_1400018F0
cmp     [rsp+0C8h+var_48], 2
jz      short loc_140001900
cmp     [rsp+0C8h+var_48], 3
jz      short loc_140001910
jmp     short loc_140001920
; ---------------------------------------------------------------------------

loc_1400018F0:                          ; CODE XREF: main+1F6j
; Not reached (var_48 is 3).
mov     rax, [rsp+0C8h+var_78]
add     rax, 0Fh
mov     [rsp+0C8h+var_90], rax
jmp     short loc_14000192E
; ---------------------------------------------------------------------------

loc_140001900:                          ; CODE XREF: main+201j
; Not reached (var_48 is 3).
mov     rax, [rsp+0C8h+var_78]
add     rax, 4Eh
mov     [rsp+0C8h+var_90], rax
jmp     short loc_14000192E
; ---------------------------------------------------------------------------

loc_140001910:                          ; CODE XREF: main+20Cj
; Taken arm: var_90 = var_78 + 4Fh. 4Fh is 79, the same number as the
; template argument in the C++ example -- presumably related, TODO confirm.
mov     rax, [rsp+0C8h+var_78]
add     rax, 4Fh
mov     [rsp+0C8h+var_90], rax
jmp     short loc_14000192E
; ---------------------------------------------------------------------------

loc_140001920:                          ; CODE XREF: main+20Ej
; Not reached (var_48 is 3).
mov     rax, [rsp+0C8h+var_78]
add     rax, 0Ah
mov     [rsp+0C8h+var_90], rax

loc_14000192E:                          ; CODE XREF: main+21Ej
                       ; main+22Ej ...
; Three indirect calls follow. Each target is first copied into its own
; stack slot and called through that slot; rcx, edx and r8 are loaded before
; the first two calls, rcx alone before the third.
; The meaning of the edx immediates is not visible in this listing.
;
; Call 1: target = var_90 (unk_140005418 + 1 + 4Fh).
; NOTE(review): the unk_140005410..unk_140005430 labels look like data
; rather than code -- confirm which section they belong to.
mov     rax, [rsp+0C8h+var_90]
mov     [rsp+0C8h+var_28], rax
mov     r8, [rsp+0C8h+var_30]
mov     edx, 56535540h
mov     rcx, [rsp+0C8h+var_90]
call    [rsp+0C8h+var_28]
; Call 2: target = var_A0 (unk_1400010F0 + 1, one byte past the label).
mov     rax, [rsp+0C8h+var_A0]
mov     [rsp+0C8h+var_20], rax
mov     r8, [rsp+0C8h+var_88]
mov     edx, 27F00A8h
mov     rcx, [rsp+0C8h+var_90]
call    [rsp+0C8h+var_20]
; Call 3: target = var_88 (unk_140005410), rcx = address of unk_1400010F0.
; Its return value in rax is stored in var_40.
mov     rax, [rsp+0C8h+var_88]
mov     [rsp+0C8h+var_18], rax
lea     rcx, unk_1400010F0
call    [rsp+0C8h+var_18]
mov     [rsp+0C8h+var_40], rax

loc_14000199A:                          ; CODE XREF: main+30j
; Common tail. On the no-debugger path var_40 still holds the 0 stored at
; function entry, so the direct call below is made; its result byte (al) is
; kept in var_98.
cmp     [rsp+0C8h+var_40], 0
jnz     short loc_1400019AE
call    near ptr unk_1400010F0
mov     [rsp+0C8h+var_98], al

loc_1400019AE:                          ; CODE XREF: main+2C3j
; Release the 0C8h-byte frame and return.
add     rsp, 0C8h
retn
main            endp

The C/C++ control flow obfuscation shown here is simplified for demonstration purposes. When a debugger is detected, the stack is corrupted and the application will crash.

Apart from that, the logic passes through obscure branches and contains even more branches that are never reached, which makes static analysis of each function very complex and time-consuming.

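Combine this module with other techniques and you set up a high wall against attackers. Obfuscation raises the cost of analysis rather than ruling it out, so it works best as one layer among several.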