Believe Be:leave

I finally had enough fun with building LLVM Transform Obfuscation Passes and decided to build a VMProtect-Like obfuscation mechanism.

During my random browsing of PPHelper, China’s largest “assistant” that provids download of cracked softwares as well as serving as a 2nd AppStore itself, we found one of the games contains a strange Adware not seen in its AppStore Version.

Overall it’s a pretty boring case since the native calls are not obfuscated

This is a note following my post back in april regarding short function hooking.

LLVM has a large doc base which takes literally 12hours+ to build on my configuration. This post is a collection of techniques I found that could improve either the build doc size/build time/quality

For languages that doesn’t have a reflection mechanism that benefits developers (and hackers), (I’m looking at you Objective-C) function hooking inevitably involves in inline hooking, or to be more precise, assembly patching. Unfortunately not every C function has enough length for us to do our dirty work. This post is my $0.02 regarding this issue. Theoretically following analysis should hold true on most platforms, although the implementation might differ