xoreaxeaxeax / movfuscator Goto Github PK

This project forked from battelle/movfuscator

The single instruction C compiler

License: Other

C 66.58% Shell 0.50% Makefile 0.14% Objective-C 0.35% C++ 0.69% Python 9.64% Assembly 20.70% Brainfuck 1.40%

movfuscator's Introduction

       ___     ___            ___    ___     ___     ___     ___          ___     ___      
      /\  \   /\  \    ___   /\__\  /\  \   /\__\   /\__\   /\  \        /\  \   /\  \    .
     |::\  \ /::\  \  /\  \ /:/ _/_ \:\  \ /:/ _/_ /:/  /  /::\  \  ___ /::\  \ /::\  \   .
     |:::\  \:/\:\  \ \:\  \:/ /\__\ \:\  \:/ /\  \:/  /  /:/\:\  \/\__\:/\:\  \:/\:\__\  .
   __|:|\:\  \  \:\  \ \:\  \ /:/  /  \:\  \ /::\  \  /  _:/ /::\  \/  //  \:\  \ /:/  /   
  /::::|_\:\__\/ \:\__\ \:\__\:/  / \  \:\__\:/\:\__\/  /\__\:/\:\__\_//__/ \:\__\:/__/___ 
  \:\~~\  \/__/\ /:/  / |:|  |/  /\  \ /:/  // /:/  /\ /:/  //  \/__/ \\  \ /:/  /::::/  / 
   \:\  \  \:\  /:/  / \|:|  |__/\:\  /:/  // /:/  /  /:/  //__/:/\:\  \\  /:/  //~~/~~~~  
    \:\  \  \:\/:/  /\__|:|__|  \ \:\/:/  //_/:/  /:\/:/  /:\  \/__\:\  \\/:/  /:\~~\     .
     \:\__\  \::/  /\::::/__/:\__\ \::/  /  /:/  / \::/  / \:\__\   \:\__\:/  / \:\__\    .
      \/__/   \/__/  ~~~~    \/__/  \/__/   \/__/   \/__/   \/__/    \/__/ __/   \/__/    2
                                                                                           

 M/o/Vfuscator2

 github.com/xoreaxeaxeax/movfuscator :: the single instruction C compiler
 chris domas           @xoreaxeaxeax

Overview

The M/o/Vfuscator (short 'o', sounds like "mobfuscator") compiles programs into "mov" instructions, and only "mov" instructions. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other form of non-mov cheating.

The basic effects of the process can be seen in overview, which illustates compiling a simple prime number function with gcc and the M/o/Vfuscator.

Assembly:

GCC	M/o/Vfuscator

Control flow graphs:

GCC	M/o/Vfuscator

In action:

movcc prime.c -o prime

Of course, as a complete C compiler, it is not limited to simple programs:

movcc nibbles.c -o nibbles -lncurses

The compiler currently targets the C programming language and x86 processor architecture, but is easily adaptable to other languages and architectures.

Building

The M/o/Vfuscator uses LCC as the compiler frontend. The included build script will automatically download LCC, configure it for the mov backend, and build the M/o/Vfuscator tool.

If you are building on a 64 bit system, ensure that you have a 32 bit libc available (for example, 'apt-get install libc6-dev-i386' or 'yum install glibc-devel.i686').

git clone https://github.com/xoreaxeaxeax/movfuscator
cd movfuscator
./build.sh
sudo ./install.sh

If you have trouble building LCC, you can get more details on the LCC build process at: https://drh.github.io/lcc/current/doc/install.html

Testing

Check that the build was successful with the check script. This will automatically download an open source AES implementation, compile it to mov instructions, objdump the result, and run the program.

./check.sh

Usage

Compile programs as you would with any traditional C compiler:

movcc example.c -o example

Flags

Flags are passed to the compiler proper via -Wfflag, e.g. -Wf--no-mov-id

--mov-id
  Add reference instructions for each basic block to assist debugging.

--no-mov-id
  Do not add reference instructions.  This is the default.

--mov-flow
  Use mov instructions in implementing control flow.  This is the default.

--no-mov-flow
  Use jmp instructions in implementing control flow.  This will substantially
  speed up execution in larger projects.  If using floating point operations
  with this flag, link to softfloat*_cf.o instead of the fully obfuscated
  libraries.

--mov-extern
  Use mov instructions to implement external function calls.  This is the
  default.

--no-mov-extern
  Use jmp instructions to implement external function calls.  This is useful for
  debugging.

--mov-loop
  Use mov instructions to implement the primary execution loop.  This is the
  default.

--no-mov-loop
  Use jmp instructions to implement the primary execution loop.  This is useful
  for debugging.

--crt0
  Build the M/o/Vfuscator crt0 library (_start routines).

--crtf
  Build the M/o/Vfuscator crtf library (primary execution loop routines).

--crtd
  Build the M/o/Vfuscator crtd library (data tables).

--crt
  Same as --crt0 --crtf --crtd.

Floats

The M/o/Vfuscator contains a complete mov-only floating point emulator. Since it is approximately 500,000 instructions, you must explicitly link to it if you need it. Use the smaller softfloat32.o if you only use floats, softfloat64.o if you need floats and doubles, and softfloatfull.o for a full IEEE floating point emulator.
```
movcc your_code.c movfuscator/lib/softfloat32.o
```

Recommendations

Due to the lookup tables used for arithmetic, the symbol tables in the compiled binary can be extremely large. Stripping symbols with the -s flag can cut the final binary size by half.
```
movcc example.c -s
```

Warnings

You may occassionally run into ABI conflicts when calling into libraries compiled with other compilers. These are relatively rare, but do occassionally pop up. Watch out for:
- Passing a pointer to a callback function into a library. The M/o/Vfuscator will clobber registers the library was expecting to have preserved.
- Using the long long type. The M/o/Vfuscator uses a 32 bit long long; your library may be expecting 64 bits.
- Such ABI issues are relatively rare; they can be roughly fixed with some coding caution, or more robustly fixed by recompiling your libraries with the M/o/Vfuscator.
LCC is a C89 compiler. If you try to compile C99 code, you will get errors. Don't use C99 features like bool, for (int ...), etc. Don't declare variables in the middle of blocks.
To generate code correctly, the M/o/Vfuscator must be able to determine when a call is being made to a shared library. If a function is used before it is declared, this determination may be incorrect. If your executable hangs, it may be because a function prototype was missing.
LCC strongly enforces type and const rules. You may not be able to compile code with unsafe type or const conversions, unless you explicitly cast for it.
These are by far the most common causes of the M/o/Vfuscator "breaking". Make sure you handle these before you try to compile your code.

Limitations

Calls to external functions (printf, etc) through function pointers are not yet implemented. That is,
```
getchar()
```
works, but
```
int (*f)(void)=getchar; f();
```
does not.

If you need to do this, wrap the function internally:
```
int g(void) { return getchar(); }
int (*f)(void)=g; f();
```

MOV violations

When calling into libraries compiled with other compilers, an occassional non-mov instruction is necessary. This can be fixed by compiling all of your libraries with the M/o/Vfuscator. To be clear, this is not a limitation of the M/o/Vfuscator, or a violation of mov Turing-completeness - non-mov instructions are only necessary to accommodate non-mov calling conventions. If you do not recompile your libraries, the non-mov instructions are as follows:
- A single jmp instruction at the end of the program is used to dispatch the program's external functions. If you wish to avoid this jmp instruction to have a truly mov only program, compile with --no-mov-extern, and avoid calling into shared libraries. If you still need an external function, recompile the library with the M/o/Vfuscator, and statically link it to your program.
- An fstp instruction is used following every call to an external function returning a float or a double. This is because there is no way to access the x86 floating point registers with a mov instruction. To get rid of the fstp instruction, recompile your libraries to use the M/o/Vfuscator's floating point emulator, instead of the x86 FPU.

Post-processing

The M/o/Vfuscator post-processors take assembly from the M/o/Vfuscator and translate it for additional obfuscation, new instructions, or optimization. At some point they may be integrated into the actual compiler; for now they are separate scripts.

Current post-processing scripts include:

Instruction shuffling and register renaming, to prevent simple decompilation through pattern matching.
Assembly translation into only: XOR, SUB, ADD, XADD, ADC, SBB, AND/OR, PUSH/POP, 1-bit shifts, or CMPXCHG/XCHG instructions.
Translation into only 32 bit register-to-memory and memory-to-register transfers. This may assist in translating M/o/Vfuscated code to other instructions or architectures.
Translation into only indexed addressing forms.
Randomization of the above translations.

Other source languages

The M/o/Vfuscator currently uses C as the source language. The following proof of concept, provided by Adam Schwalm, illustrates how to use a variety of other source languages:

# Compile c++ to llvm bytecode
clang++ -S -emit-llvm -o bytecode.ll $1

# Convert bytecode to C
llc -march=c -o code.c bytecode.ll

# 'fix' static inline. This is a workaround for a bug
# in one of the parsers, I think.
sed -i 's/static inline.*//' code.c

# hack
sed -i 's/extern unsigned char \*__dso_handle;/unsigned char \*__dso_handle=0;/' code.c

# Compile the resulting C as usual (but with the c++ stdlib)
movcc code.c -lstdc++

Other architectures

A common observation on the M/o/Vfuscator output is that it uses all available forms and addressing modes for the mov instruction. Although the point was never anything different, the RISC post-processor (risc.py) illustrates transforming the program into RISC-like data transfers, reducing the program to 4 byte memory accesses, only indexed addressing modes, and only two registers. With this, all mov instructions become either "mov esi/edi, [BASE+esi/edi]" or "mov [BASE+esi/edi], esi/edi", where BASE is some constant address. This should demonstrate the applicability of the approach on non-x86 architectures, and deter complaints about the diversity of the x86 mov instruction.

Notes

While Dolan's paper required a jmp instruction, the M/o/Vfuscator does not - it uses a faulting mov instruction to achieve the infinite execution loop. If you're worried that this is still "jumping", the same effect could be achieved through pages aliased to the same address, wrapping execution around the upper range of memory, ring 0 exception handling, or simply repeating the mov loop indefinitely. A jmp is currently used to dispatch external functions - if this is a problem, avoid using external functions, or compile libraries with the M/o/Vfuscator as well.

History

The original M/o/Vfuscator (M/o/Vfuscator 1.0) compiles programs from the esoteric language BrainF@$!, and is best used in conjunction with the BFBASIC compiler by Jeffry Johnston. It is still available as a proof of concept in the poc directory.
M/o/Vfuscator2 is a complete single-instruction C compiler.

F.A.Q.

Q: Why did you make this? A: I thought it would be funny.

References

A presentation explaining the ideation, design, and goals of the M/o/Vfuscator can be found here.
Slides outlining the mechanisms used are here.
The inspiration for the compiler is the paper "mov is Turing-complete", by Stephen Dolan.

Author

chris domas, @xoreaxeaxeax

movfuscator's People

Contributors

Stargazers

Watchers

Forkers

shekkbuilder claudiouzelac montegobay melbshark nivertech bharath1097 xxuin suto ezhangle chubbymaggie loligothick techvoltage peta909 jhigdon geek-li hackartists silky wzrdtales student007 skalarproduktraum johnjohnsp1 wokkaflokka uikit0 springstar xorllc 8l ydc1992 godaccess hotelzululima codecrack3 orbitusrobotics gmlanzi paran0ids0ul pablogventura hoardboard sh1nu11bi peternguyen93 sk4ld enascimento gaoxiaojun longjohncoder viralmaniar zacbre knowlet regina-book lancetw doniexun security-geeks layerfsd jokerni breagitt ognz notyours180 jiaoyk supertanglang xiaoweime fycyes earnol heruix xiaofeng11 xlife86 kernux oter feomao m0n0ph1 sarikayamehmet hawking2013 akpotter themuffingroup aa10000 glishijie kiggundu sanguinawer nalisarc harite tanisman normanx xiaobfly dforgeas deki0r techlord-rce clydejallorina ncolyer maspe36 aaronjeline sangohan darkness0ut neuroradiology rrozestw vasanthaganeshk zpl-zak toast707 yanlinaung clemente xjump kevinmel2000 andriipetruk igpg xorbpebpe fatgrass

movfuscator's Issues

Fails to build softfloat.c on OS/X

softfloat.c: ./softfloat.h:45: invalid struct field declarations
softfloat.c: ./softfloat.h:45: syntax error; found /' expecting }'
softfloat.c: ./softfloat.h:45: skipping /' /' bits32' high'
softfloat.c: ./softfloat.h:45: empty declaration
softfloat.c: ./softfloat.h:45: syntax error; found ,' expecting ;'
softfloat.c: ./softfloat.h:45: skipping ,' softfloat.c: ./softfloat.h:47: redeclaration of low' previously declared at ./softfloat.h:45
softfloat.c: ./softfloat.h:49: unrecognized declaration
softfloat.c: ./softfloat.h:126: syntax error; found int32_to_float64' expecting ;'
softfloat.c: ./softfloat.h:138: syntax error; found float32_to_float64' expecting ;'
softfloat.c: ./softfloat.h:180: extraneous old-style parameter list
softfloat.c: ./softfloat.h:182: extraneous old-style parameter list
softfloat.c: ./softfloat.h:184: extraneous old-style parameter list
softfloat.c: ./softfloat.h:192: syntax error; found float64_round_to_int' expecting ;'
softfloat.c: ./softfloat.h:192: extraneous old-style parameter list
softfloat.c: ./softfloat.h:194: syntax error; found float64_add' expecting ;'
softfloat.c: ./softfloat.h:194: duplicate declaration for float64' previously declared at ./softfloat.h:194 softfloat.c: ./softfloat.h:194: extraneous old-style parameter list softfloat.c: ./softfloat.h:196: syntax error; found float64_sub' expecting ;' softfloat.c: ./softfloat.h:196: duplicate declaration for float64' previously declared at ./softfloat.h:196
softfloat.c: ./softfloat.h:196: too many errors

Not really working

I know it's pretty old fun project, but it would be nice if you can help me. It seems movfuscator can't link the final object file:

$ ./build.sh >/dev/null 2>&1 && echo "int main() {}" > tmp.c && ./build/movcc tmp.c
        ___     ___            ___    ___     ___     ___     ___          ___     ___      
       /\  \   /\  \    ___   /\__\  /\  \   /\__\   /\__\   /\  \        /\  \   /\  \    .
      |::\  \ /::\  \  /\  \ /:/ _/_ \:\  \ /:/ _/_ /:/  /  /::\  \  ___ /::\  \ /::\  \   .
      |:::\  \:/\:\  \ \:\  \:/ /\__\ \:\  \:/ /\  \:/  /  /:/\:\  \/\__\:/\:\  \:/\:\__\  .
    __|:|\:\  \  \:\  \ \:\  \ /:/  /  \:\  \ /::\  \  /  _:/ /::\  \/  //  \:\  \ /:/  /   
   /::::|_\:\__\/ \:\__\ \:\__\:/  / \  \:\__\:/\:\__\/  /\__\:/\:\__\_//__/ \:\__\:/__/___ 
   \:\~~\  \/__/\ /:/  / |:|  |/  /\  \ /:/  // /:/  /\ /:/  //  \/__/ \\  \ /:/  /::::/  / 
    \:\  \  \:\  /:/  / \|:|  |__/\:\  /:/  // /:/  /  /:/  //__/:/\:\  \\  /:/  //~~/~~~~  
     \:\  \  \:\/:/  /\__|:|__|  \ \:\/:/  //_/:/  /:\/:/  /:\  \/__\:\  \\/:/  /:\~~\     .
      \:\__\  \::/  /\::::/__/:\__\ \::/  /  /:/  / \::/  / \:\__\   \:\__\:/  / \:\__\    .
       \/__/   \/__/  ~~~~    \/__/  \/__/   \/__/   \/__/   \/__/    \/__/ __/   \/__/    2
                                                                                            
 
  M/o/Vfuscator2
 
  github.com/xoreaxeaxeax/movfuscator
  chris domas           @xoreaxeaxeax
 

M/o/Vfuscation started...

tmp.c:1: warning: missing return value
emit/mov>cnsti4(0)
emit/mov>cnsti4(0)
emit/mov>reti4(cnsti4(0))
emit/mov>labelv(1)

M/o/Vfuscation complete.

/usr/bin/ld: skipping incompatible /usr/lib/libc.so when searching for -lc
/usr/bin/ld: skipping incompatible /usr/lib/libc.a when searching for -lc
/usr/bin/ld: cannot find -lc
/usr/bin/ld: skipping incompatible /usr/lib/libm.so when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libm.a when searching for -lm
/usr/bin/ld: cannot find -lm

I want to build a corresponding movfuscator on the ARM architecture. How should I pay attention to it or how to carry out this project

I want to apply this project to the ARM architecture. What should I pay attention to, how should I plan the entire process, and can the author provide some feedback

throw this error /usr/bin/ld: cannot find -lgcc

how to do with this error?

Static compilation isssue

The static compilation flag does not seem to work, or I don't understand the compilation options.

From the help menu:

-static	specify static libraries (default is dynamic)

For example, using the following basic code:

#include<stdio.h>
main(){ printf("Hello World"); }

Compiling as follows:

movcc -static test.c -o test

Testing dependencies:

ldd test
	linux-gate.so.1 =>  (0xf778d000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf75a3000)
	libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf7556000)
	/lib/ld-linux.so.2 (0x565a4000)

"Mov is Turing complete" link broken in readme

Looks like the paper isn't hosted there anymore, just FYI 🙂

--no-mov-flow doesn't work

Hello!

Option --no-mov-flow seems not to work. I got these output:

M/o/Vfuscation complete.

/tmp/lcc61831.s: Assembler messages:
/tmp/lcc61831.s:1254: Error: too many memory references for `cmp'
/tmp/lcc61831.s:3293: Error: too many memory references for `cmp'
/tmp/lcc61831.s:5042: Error: too many memory references for `cmp'
/tmp/lcc61831.s:6292: Error: too many memory references for `cmp'
/tmp/lcc61831.s:9089: Error: too many memory references for `cmp'
/tmp/lcc61831.s:10983: Error: too many memory references for `cmp'
/tmp/lcc61831.s:12366: Error: too many memory references for `cmp'

To reproduce this bug, you can simply add -Wf--no-mov-flow at the end of 22nd line of check.sh

./check.sh failed ...

validation/aes/test.c:101: illegal statement termination
validation/aes/test.c:101: skipping struct' validation/aes/test.c:101: undeclared identifier AES_ctx'
validation/aes/test.c:101: warning: expression with no effect elided
validation/aes/test.c:101: syntax error; found ctx' expecting ;'
validation/aes/test.c:101: undeclared identifier ctx' validation/aes/test.c:101: warning: expression with no effect elided validation/aes/test.c:102: warning: type error in argument 1 to AES_init_ctx'; found pointer to int' expected pointer to struct AES_ctx'
validation/aes/test.c:106: warning: type error in argument 1 to AES_ECB_encrypt'; found pointer to int' expected `pointer to struct AES_ctx'

M/o/Vfuscation failed.

maybe the have changed the source code at https://github.com/kokke/tiny-AES128-C
I think you should include a version that worked ... (for all external stuff too, they might get changed)

run on windows

it is possible to windows?

status of c++14 support?

I'm blocked by this at work thnx

FAQ entry: combining movcc with gcc

Could you describe how I can combine an object file compiled with movcc and other files with gcc?

Integer multiplication error

Hello, I'm getting a multiplication error when trying to compile this code:

#include <stdio.h>

void main() {
	int a = 1501;
	int b = 6754;
	int calc = a * b;

	printf("calculated value: %d\n", calc);
}

Expected 10137754, calculated 10072218.

invalid URL

http://stedolan.net/research/mov.pdf is 404 not found.

Dictionary für equalities

Hello there,
its not realy an issue with your compiler, its more a question if
you would share the equality dictionary for e.g. add <-> mov, comp <->mov
etc

At the end I came to the result that it would be interesting to build such a thing for windows as well.
But instead of making a real compiler, I tought more about writing an translator, which reads the
executeable opcodes, translates them and writes a new executeable. On this way its possible to use
good compilers which already exist and apply the mov-only theory

,greetings

movfuscator/build/rcc: unknown target `x86/mov'; must specify one of

fedora 36

make: *** [Makefile:21: timesoftfloat.o] Error 1

Hello,

I got this error building on LFS system, snip

Create movcc

ln -sfn "$BUILDDIR/lcc" "$BUILDDIR/movcc"

Build the M/o/Vfuscator crt libraries

"$BUILDDIR/movcc" movfuscator/crt0.c -o "$BUILDDIR/crt0.o" -c -Wf--crt0 -Wf--q
movfuscator/crt0.c:0: warning: empty input file
"$BUILDDIR/movcc" movfuscator/crtf.c -o "$BUILDDIR/crtf.o" -c -Wf--crtf -Wf--q
movfuscator/crtf.c:0: warning: empty input file
"$BUILDDIR/movcc" movfuscator/crtd.c -o "$BUILDDIR/crtd.o" -c -Wf--crtd -Wf--q
movfuscator/crtd.c:0: warning: empty input file

Build the M/o/Vfuscator soft float library

These may give warnings about overflows, they are (mostly) safe to ignore

make -C softfloat clean && make -C softfloat CC="$BUILDDIR/movcc"
make: Entering directory '/home/jacks/movfuscator/softfloat'
rm -f *.o *.a timesoftfloat
make: Leaving directory '/home/jacks/movfuscator/softfloat'
make: Entering directory '/home/jacks/movfuscator/softfloat'
/home/jacks/movfuscator/build/movcc -c -I. -I.. -o softfloat32.o -Wf--q softfloat.c -DFLOAT64=0 -DTRIM=1
softfloat.c: softfloat_specialize.c:36: warning: overflow in converting constant expression from unsigned long' to int'
softfloat.c: softfloat_specialize.c:43: warning: overflow in converting constant expression from unsigned long' to int'
softfloat.c:782: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:898: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:906: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:955: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:967: warning: overflow in converting constant expression from int' to unsigned int'
/tmp/lcc130821.s: Assembler messages:
/tmp/lcc130821.s:143881: Warning: end of file not at end of a line; newline inserted
/home/jacks/movfuscator/build/movcc -c -I. -I.. -o softfloat64.o -Wf--q softfloat.c -DFLOAT64=1 -DTRIM=1
softfloat.c: softfloat_specialize.c:36: warning: overflow in converting constant expression from unsigned long' to int'
softfloat.c: softfloat_specialize.c:43: warning: overflow in converting constant expression from unsigned long' to int'
softfloat.c:782: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:898: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:906: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:955: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:967: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1330: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1332: warning: unsigned operand of unary -
softfloat.c:1338: warning: unsigned operand of unary -
softfloat.c:1475: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1648: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1778: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1847: warning: overflow in converting constant expression from int' to unsigned int'
/tmp/lcc130871.s: Assembler messages:
/tmp/lcc130871.s:368343: Warning: end of file not at end of a line; newline inserted
/home/jacks/movfuscator/build/movcc -c -I. -I.. -o softfloatfull.o -Wf--q softfloat.c -DFLOAT64=1 -DTRIM=0
softfloat.c: softfloat_specialize.c:36: warning: overflow in converting constant expression from unsigned long' to int'
softfloat.c: softfloat_specialize.c:43: warning: overflow in converting constant expression from unsigned long' to int'
softfloat.c:782: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:898: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:906: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:955: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:967: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1023: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1032: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1053: warning: unsigned operand of unary -
softfloat.c:1078: warning: unsigned operand of unary -
softfloat.c:1103: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1108: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1330: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1332: warning: unsigned operand of unary -
softfloat.c:1338: warning: unsigned operand of unary -
softfloat.c:1396: warning: unsigned operand of unary -
softfloat.c:1475: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1648: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1778: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1847: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1928: warning: overflow in converting constant expression from int' to unsigned int'
softfloat.c:1980: warning: type error in argument 5 to add64'; found pointer to int' expected pointer to unsigned int' softfloat.c:2023: warning: overflow in converting constant expression from int' to unsigned int' /home/jacks/movfuscator/build/movcc -c -I. -I.. -o timesoftfloat.o -Wf--q timesoftfloat.c timesoftfloat.c: /usr/include/stdlib.h:117: syntax error; found __nptr' expecting )' timesoftfloat.c: /usr/include/stdlib.h:117: skipping __nptr' ,' timesoftfloat.c: /usr/include/stdlib.h:118: syntax error; found char' expecting {' timesoftfloat.c: /usr/include/stdlib.h:118: redeclaration of restrict' previously declared at /usr/include/stdlib.h:117
timesoftfloat.c: /usr/include/stdlib.h:118: syntax error; found __endptr' expecting ;'
timesoftfloat.c: /usr/include/stdlib.h:118: undeclared identifier __endptr' timesoftfloat.c: /usr/include/stdlib.h:118: warning: expression with no effect elided timesoftfloat.c: /usr/include/stdlib.h:118: syntax error; found )' expecting ;' timesoftfloat.c: /usr/include/stdlib.h:118: illegal statement termination timesoftfloat.c: /usr/include/stdlib.h:118: skipping )'
timesoftfloat.c: /usr/include/stdlib.h:123: illegal statement termination
timesoftfloat.c: /usr/include/stdlib.h:123: skipping extern' float'
timesoftfloat.c: /usr/include/stdlib.h:123: illegal expression
timesoftfloat.c: /usr/include/stdlib.h:123: syntax error; found char' expecting )'
timesoftfloat.c: /usr/include/stdlib.h:123: syntax error; found char' expecting ;'
timesoftfloat.c: /usr/include/stdlib.h:123: illegal statement termination
timesoftfloat.c: /usr/include/stdlib.h:123: skipping char' timesoftfloat.c: /usr/include/stdlib.h:123: warning: expression with no effect elided timesoftfloat.c: /usr/include/stdlib.h:123: syntax error; found __nptr' expecting ;' timesoftfloat.c: /usr/include/stdlib.h:123: undeclared identifier __nptr'
timesoftfloat.c: /usr/include/stdlib.h:124: illegal expression
timesoftfloat.c: /usr/include/stdlib.h:124: operands of * have illegal types int' and pointer to char'
timesoftfloat.c: /usr/include/stdlib.h:124: warning: expression with no effect elided
timesoftfloat.c: /usr/include/stdlib.h:124: warning: expression with no effect elided
timesoftfloat.c: /usr/include/stdlib.h:124: too many errors
make: *** [Makefile:21: timesoftfloat.o] Error 1
make: Leaving directory '/home/jacks/movfuscator/softfloat'
mkdir -p movfuscator/lib
cp softfloat/softfloat32.o movfuscator/lib/softfloat32.o
cp softfloat/softfloat64.o movfuscator/lib/softfloat64.o
cp softfloat/softfloatfull.o movfuscator/lib/softfloatfull.o

Not able to compile using movcc

Operating system: Kubuntu
Architecture: 64-bit
Movfuscator was run with sudo

movfuscator test.c:
#include <stdio.h>
int main() {
printf("Hello World!");
return 0;
}

console output:
M/o/Vfuscation started...

emit/mov>addrgp4(5)
emit/mov>argp4(addrgp4(5))
emit/mov>addrgp4(5)
emit/mov>calli4(addrgp4(printf))
emit/mov>cnsti4(0)
emit/mov>cnsti4(0)
emit/mov>reti4(cnsti4(0))
emit/mov>labelv(4)

M/o/Vfuscation complete.

/usr/bin/ld: cannot find -lgcc
/usr/bin/ld: skipping incompatible /usr/lib/x86_64-linux-gnu/libc.so when searching for -lc
/usr/bin/ld: skipping incompatible /usr/lib/x86_64-linux-gnu/libc.a when searching for -lc
/usr/bin/ld: cannot find -lc
/usr/bin/ld: skipping incompatible /usr/lib/x86_64-linux-gnu/libc.so when searching for -lc
/usr/bin/ld: skipping incompatible /usr/lib/x86_64-linux-gnu/libm.so when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/x86_64-linux-gnu/libm.a when searching for -lm
/usr/bin/ld: cannot find -lm
/usr/bin/ld: skipping incompatible /usr/lib/x86_64-linux-gnu/libm.so when searching for -lm

Enhancement: Leave some instructions as-is

To make it more difficult for the signature of all-moves to give away such programs

Obfuscate an assembly program?

I would like to obfuscate a x86 assembly program (preferably a fully-static ELF executable, but a x86 assembly file could maybe also work) by converting the full x86 instruction set into only mov instructions. Is this possible?

The reason why I want to do this is because I don't want to be limited to C. It is very easy to build fully-static Linux binaries in Rust (using the x86_64-unknown-linux-musl rustc compiler target for musl libc linking) and it would be great if I could apply the movfuscator on a program originally written in Rust.

If nothing like this is supported, how difficult would it possibly be to implement? I haven't looked at the movfuscator source code ...

Compiling with movcc fails

I've tried
movcc -s ./validation/prime.c -o prime_mov
movcc validation/aes/aes.c validation/aes/test.c -o validation/aes/aes -s
movcc -s hello_world.c -o hello_world with the program "#include <stdio.h>
int main(){ printf("Hello World"); return 0;}"

All of them fail with errors like (but with different c files):

`M/o/Vfuscation started...

hello_world.c: /usr/include/bits/alltypes.h:6: syntax error; found va_list' expecting ;'

M/o/Vfuscation failed.`

I'm using Void Linux with MUSL as libc on a 64bit system

relocation in read-only section .text'

Hello.
I am using gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0
I created a library and called it in main.
I want to compile my main with gcc (using gcc -m32 -c main.c -o main.o)
and compile my library with movcc (using movcc -m32 -c library.c -o library.o).
These two procedures have been done correctly,
My problem is with creating an executable file (using gcc -m32 main.o library.o -o main)
it returns a warning /usr/bin/ld: library.o: warning: relocation in read-only section .text'
and also there are so many parameters that seem undefined to the compiler, like:
/usr/bin/ld: (.text+0xb): undefined reference to 'alu_x'
...
finally there are these two warning and error:
/usr/bin/ld: warning: creating DT_TEXTREL in PIE
collect2: error: ld returned 1 exit status

Is there any solution to solve this problem?
Thanks for any help in advance.

Binary representation of constants is unsupported: 0b10101

Not an urgent issue, but something that seems like it may be an easy fix.

Source Code:

const gal8 min_poly  = 0b11101,     // Minimal polynomial x^8 + x^4 + x^3 + x^2 + 1
generator = 0b10;        // Generator of Galois field

movcc output:

galois.c:14:    `0b11101' is a preprocessing number but an invalid integer constant
galois.c:15:    `0b10' is a preprocessing number but an invalid integer constant

I'm just a cryptography student trying to obfuscate my algorithms for a ctf I'm working on. The problem is easily fixed when I make the change to decimal representation, but... it'd be nice to have more readable source code that is compatible with movcc.

working source:

const gal8 min_poly  = 39,     // Minimal polynomial x^8 + x^4 + x^3 + x^2 + 1
          generator = 2;        // Generator of Galois field

I have never contributed to a github project before, but I would be happy to take a look at the source, attempt an edit, and submit a pull request if you do that sort of thing..

cannot find -lgcc -lc -lm

Whenever I try to compile something i got this:

/usr/bin/ld: impossibile trovare -lgcc
/usr/bin/ld: impossibile trovare -lc
/usr/bin/ld: impossibile trovare -lm

maybe it is taking too long ... ?

hi
the first example I tried never print out anything. maybe movcc does not work with argc,argv,atoi etc, so I got rid of them all, and set the number of primes to a constant 10, and use only one external function "printf". still, it never print out anything. maybe you should give it a try. what is the speed normally like?
main()
{
int n, i = 3, count, c;

//n=10000;
//printf("Enter the number of prime numbers required\n");
//scanf("%d",&n);

n=10;

if ( n >= 1 )
{
// printf("First %d prime numbers are :\n",n);
printf("2\n");
}

for ( count = 2 ; count <= n ; )
{
for ( c = 2 ; c <= i - 1 ; c++ )
{
if ( i%c == 0 )
break;
}
if ( c == i )
{
printf("%d\n",i);
count++;
}
i++;
}

}

// original version
#include <stdio.h>

int main(int argc,char** argv)
{
int n, i = 3, count, c;

//n=10000;
//printf("Enter the number of prime numbers required\n");
//scanf("%d",&n);

if (argc<2) {printf("%s number.of.primes\n",argv[0]);return 1;}
n=atoi(argv[1]);

if ( n >= 1 )
{
// printf("First %d prime numbers are :\n",n);
printf("2\n");
}

for ( count = 2 ; count <= n ; )
{
for ( c = 2 ; c <= i - 1 ; c++ )
{
if ( i%c == 0 )
break;
}
if ( c == i )
{
printf("%d\n",i);
count++;
}
i++;
}

return 0;
}

softfloat Build Errors

It appears as if the gcc directory isnt created when the build script is ran. So when it comes to building softfloat it errors out. Unsure if this matters, but just in case I should mention, I am trying to compile this on a 64 bit version of LMDE (Linux Mint Debian Edition)

movcc -c -I. -I.. -o softfloat32.o -Wf--q softfloat.c -DFLOAT64=0 -DTRIM=1
movcc: /home/joey/movfuscator/build/gcc/cpp: No such file or directory
Makefile:11: recipe for target 'softfloat32.o' failed

When I make the gcc directory and copy what its looking for into there softfloat fails to build.

movcc -c -I. -I.. -o softfloat32.o -Wf--q softfloat.c -DFLOAT64=0 -DTRIM=1
cpp: softfloat.c:28 Syntax error in #include
cpp: softfloat.c:29 Syntax error in #include
cpp: softfloat.c:30 Syntax error in #include
cpp: softfloat.c:31 Syntax error in #include
) in #if/#elsifc:205 Bad operator (
) in #if/#elsifc:217 Bad operator (
) in #if/#elsifc:228 Bad operator (
) in #if/#elsifc:239 Bad operator (
) in #if/#elsifc:256 Bad operator (
) in #if/#elsifc:299 Bad operator (
) in #if/#elsifc:331 Bad operator (
) in #if/#elsifc:415 Bad operator (
) in #if/#elsifc:464 Bad operator (
) in #if/#elsifc:564 Bad operator (
) in #if/#elsifc:602 Bad operator (
) in #if/#elsifc:632 Bad operator (
) in #if/#elsifc:1004 Bad operator (
) in #if/#elsifc:1089 Bad operator (
) in #if/#elsifc:1215 Bad operator (
) in #if/#elsifc:1235 Bad operator (
) in #if/#elsifc:1262 Bad operator (
) in #if/#elsifc:1291 Bad operator (
) in #if/#elsifc:1363 Bad operator (
) in #if/#elsifc:1414 Bad operator (
) in #if/#elsifc:1444 Bad operator (
) in #if/#elsifc:1546 Bad operator (
) in #if/#elsifc:1623 Bad operator (
) in #if/#elsifc:1705 Bad operator (
) in #if/#elsifc:1726 Bad operator (
) in #if/#elsifc:1747 Bad operator (
) in #if/#elsifc:1811 Bad operator (
) in #if/#elsifc:1893 Bad operator (
) in #if/#elsifc:1999 Bad operator (
) in #if/#elsifc:2071 Bad operator (
) in #if/#elsifc:2099 Bad operator (
) in #if/#elsifc:2131 Bad operator (
) in #if/#elsifc:2164 Bad operator (
) in #if/#elsifc:2193 Bad operator (
) in #if/#elsifc:2230 Bad operator (

rand.py does not include all available post processing steps

rand.py only reimplements adc, add, andor, rrrrr, sub, sbb, and xadd. This is missing xor, push/pop, cmpxchg/xchg, etc. To be fair, though, I don't expect every post processing step to be usable in such a random matter, such as xor, due to it manipulating state in a way that other instructions wouldn't be able to immediately compensate for. If one could preform a sequence of operations to bring it back to a usable state by other post-processing steps, though, then it could be added. (don't take my word for it, please, I'm just thinking out loud)

The other possibility would be modifying the existing compiler to keep track of ways to compensate for mixing these instructions. Going to rule that out for now, as that would be a new compiler, not a modification of a post-processing step.

Idealy, there would be no duplication of these implementations, either. This could be accomplished by turning each possible post-processing step into a module, which does the expected thing when run as a program, and exports a function implementing the post-processing step afterwards. Possibly adds it to a global array, if it exists.

Though, I don't expect this to happen. Just thinking too hard, too loud.

ld error

when i try to compile any program all these errors come up:

M/o/Vfuscation started...

aa.c:4: warning: missing return value
emit/mov>addrgp4(5)
emit/mov>argp4(addrgp4(5))
emit/mov>addrgp4(5)
emit/mov>calli4(addrgp4(printf))
emit/mov>cnsti4(0)
emit/mov>cnsti4(0)
emit/mov>reti4(cnsti4(0))
emit/mov>labelv(4)

M/o/Vfuscation complete.

/usr/bin/ld: saltato /usr/lib/libc.so incompatibile durante la ricerca di -lc
/usr/bin/ld: saltato /usr/lib/libc.a incompatibile durante la ricerca di -lc
/usr/bin/ld: impossibile trovare -lc
/usr/bin/ld: saltato /usr/lib/libm.so incompatibile durante la ricerca di -lm
/usr/bin/ld: saltato /usr/lib/libm.a incompatibile durante la ricerca di -lm
/usr/bin/ld: impossibile trovare -lm

does anyone know how to fix it?

make: *** [Makefile:24: timesoftfloat] Error 1

Hello, i am trying build movfuscator on arch linux x64 with intalled multilib-devel but make error written
/usr/bin/ld: skipping incompatible /usr/lib/libc.so when searching for -lc
/usr/bin/ld: skipping incompatible /usr/lib/libc.a when searching for -lc
/usr/bin/ld: cannot find -lc
/usr/bin/ld: skipping incompatible /usr/lib/libm.so when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libm.a when searching for -lm

support C++？

Dear sir，
Do you have any plans to support C++?

thx a lot!

Crackme is too easy

You should have used something that can't be trivially solved with instruction counting. A fixed memcmp would require more work.

doom.patch not found

Hi!
I'm a fairly new to Ubuntu. When I run the patch command I get the following
bash: doom.patch: No such file or directory

Cannot run movcc compiled files

i managed to compile a simple HelloWorld program with movcc.

#include <stdio.h>

int main()
{
    printf("Hello World");
    return 0;
}

when i compile it with gcc it just works, but when using movcc i get the following error:

bash: ./program: cannot execute binary file: Exec format error

i checked the format of both files, which are indeed different:

gcc produces an elf64-x86-64 binary

movcc produces an elf32-i386 binary

i tried to pass "-m elf_x86_64" with -Wl but then i get another error:

/usr/bin/ld: Incompatible /mnt/d/TMP/C/git/movfuscator/build//gcc/32/libgcc.a skipped search of -lgcc

What am i doing wrong?

But why?

arm, mips, and asic?

hi, im not an hardware expert by any means, i saw your presentations on black hat about how you can run any program using only mov instructions, and i'm curious:
this principle aply to any processor or its an x86 only thing?

its possible to build an processor with only the mov instruction?
i heard that build an processor with a lot of instructions and reduce its size is complex ,its smarter focus on an small set of instrctions running fast than try to make tons of instructions and end up with something harder to reduce the size to improve the clock.
so maybe an asic that only does mov instructions could be faster than an traditional computer cpu?

/usr/include/stdio.h:253: too many errors

host info

Linux rebellion 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

running build.sh

/home/rebellion/tools/movfuscator-master/build/movcc -c -I. -I.. -o timesoftfloat.o -Wf--q timesoftfloat.c
timesoftfloat.c: /usr/include/stdlib.h:117: syntax error; found `__nptr' expecting `)'
timesoftfloat.c: /usr/include/stdlib.h:117: skipping `__nptr' `,'
timesoftfloat.c: /usr/include/stdlib.h:118: syntax error; found `char' expecting `{'
timesoftfloat.c: /usr/include/stdlib.h:118: redeclaration of `restrict' previously declared at /usr/include/stdlib.h:117
timesoftfloat.c: /usr/include/stdlib.h:118: syntax error; found `__endptr' expecting `;'
timesoftfloat.c: /usr/include/stdlib.h:118: undeclared identifier `__endptr'
timesoftfloat.c: /usr/include/stdlib.h:118: warning: expression with no effect elided
timesoftfloat.c: /usr/include/stdlib.h:118: syntax error; found `)' expecting `;'
timesoftfloat.c: /usr/include/stdlib.h:118: illegal statement termination
timesoftfloat.c: /usr/include/stdlib.h:118: skipping `)'
timesoftfloat.c: /usr/include/stdlib.h:123: illegal statement termination
timesoftfloat.c: /usr/include/stdlib.h:123: skipping `extern' `float'
timesoftfloat.c: /usr/include/stdlib.h:123: illegal expression
timesoftfloat.c: /usr/include/stdlib.h:123: syntax error; found `char' expecting `)'
timesoftfloat.c: /usr/include/stdlib.h:123: syntax error; found `char' expecting `;'
timesoftfloat.c: /usr/include/stdlib.h:123: illegal statement termination
timesoftfloat.c: /usr/include/stdlib.h:123: skipping `char'
timesoftfloat.c: /usr/include/stdlib.h:123: warning: expression with no effect elided
timesoftfloat.c: /usr/include/stdlib.h:123: syntax error; found `__nptr' expecting `;'
timesoftfloat.c: /usr/include/stdlib.h:123: undeclared identifier `__nptr'
timesoftfloat.c: /usr/include/stdlib.h:124: illegal expression
timesoftfloat.c: /usr/include/stdlib.h:124: operands of * have illegal types `int' and `pointer to char'
timesoftfloat.c: /usr/include/stdlib.h:124: warning: expression with no effect elided
timesoftfloat.c: /usr/include/stdlib.h:124: warning: expression with no effect elided
timesoftfloat.c: /usr/include/stdlib.h:124: too many errors
Makefile:21: recipe for target 'timesoftfloat.o' failed
make: *** [timesoftfloat.o] Error 1
make: Leaving directory '/home/rebellion/tools/movfuscator-master/softfloat'

LLC not able to compile C++ code into C

Extra info: https://stackoverflow.com/questions/31960290/using-the-llvm-linker-to-produce-c-code

$ clang++ -S -emit-llvm -o bytecode.ll tiny.cpp
--- snip ---
$ llc -march=c -o code.c bytecode.ll
llc: error: error: invalid target 'c'.

The C backend for LLVM was removed in 3.1.

Where is movfuscator 2.0?

Bad variable name on ubuntu sub system for windows 10

So i tried installing this compiler on a windows 10 system using the linux subsystem, but in build.sh at line 10 and install.sh at line 3 I get a bad variable name error. Here is the complete Log:

git clone https://github.com/xoreaxeaxeax/movfuscator
Cloning into 'movfuscator'...
remote: Enumerating objects: 319, done.
Receiving objects:  15% (48/319)
remote: Total 319 (delta 0), reused 0 (delta 0), pack-reused 319
Receiving objects: 100% (319/319), 11.96 MiB | 4.48 MiB/s, done.
Resolving deltas: 100% (123/123), done.
root@DESKTOP-5FIGTCF:... # cd movfuscator
cd movfuscator
root@DESKTOP-5FIGTCF:... # ./build.sh
./build.sh

# grab the frontend
[ ! -d "lcc" ] && git clone https://github.com/drh/lcc
Cloning into 'lcc'...
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 2459 (delta 13), reused 48 (delta 12), pack-reused 2408
Receiving objects: 100% (2459/2459), 2.55 MiB | 4.26 MiB/s, done.
Resolving deltas: 100% (1127/1127), done.
cd lcc && git reset --hard 3b3f01b4103cd7b519ae84bd1122c9b03233e687 && cd -
HEAD is now at 3b3f01b Fix issues 11 and 12 reported by Martin Ettl.
...

# create a build directory
export BUILDDIR=`pwd`/build
./build.sh: 10: export: python/movfuscator/build: bad variable name
root@DESKTOP-5FIGTCF:... # sudo ./install.sh
sudo ./install.sh
export BUILDDIR=`pwd`/build
./install.sh: 3: export: python/movfuscator/build: bad variable name
root@DESKTOP-5FIGTCF:... #```

Failed build and install when current working directory path contains spaces.

If a directory in the path back to root contains a space, the build and install prompts do not escape those spaces. Results in .../Space Directory/movfuscator/build/movcc: No such file or directory errors.