big update

Author: expend20

src/shifting_codes/passes/alias_access.py

@@ -0,0 +1,257 @@
+"""Alias Access Pass — port of Polaris AliasAccess.cpp.
+
+Obscures local variable access through pointer aliasing and multi-level
+struct indirection.  Original allocas are hidden inside randomly-built
+struct types and accessed via a graph of transition nodes with getter
+functions, making static analysis of stack variable access much harder.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+import llvm
+
+from shifting_codes.passes import PassRegistry
+from shifting_codes.passes.base import FunctionPass, PassInfo
+from shifting_codes.utils.crypto import CryptoRandom
+
+BRANCH_NUM = 6  # Slots per transition node struct
+
+
+@dataclass
+class ElementPos:
+    struct_type: llvm.Type
+    index: int
+
+
+@dataclass
+class ReferenceNode:
+    alloca: llvm.Value              # struct alloca for this node
+    is_raw: bool
+    node_id: int
+    raw_insts: dict = field(default_factory=dict)   # {orig_alloca: ElementPos}
+    edges: dict = field(default_factory=dict)        # {slot_idx: ReferenceNode}
+    path: dict = field(default_factory=dict)          # {orig_alloca: [slot_indices]}
+
+
+@PassRegistry.register
+class AliasAccessPass(FunctionPass):
+
+    def __init__(self, rng: CryptoRandom | None = None):
+        self.rng = rng or CryptoRandom()
+        self._counter = 0
+
+    @classmethod
+    def info(cls) -> PassInfo:
+        return PassInfo(
+            name="alias_access",
+            description="[Polaris] Obscure stack variable access via struct indirection",
+        )
+
+    def run_on_function(self, func: llvm.Function, ctx: llvm.Context) -> bool:
+        # Step 1: Collect allocas
+        allocas = []
+        for bb in func.basic_blocks:
+            for inst in bb.instructions:
+                if inst.opcode == llvm.Opcode.Alloca:
+                    allocas.append(inst)
+
+        if not allocas:
+            return False
+
+        self._counter += 1
+        tag = self._counter
+        mod = func.module
+        ptr_ty = ctx.types.ptr
+        i32 = ctx.types.i32
+        i64 = ctx.types.i64
+
+        # Step 2: Randomly distribute allocas into buckets
+        n = len(allocas)
+        buckets: list[list] = [[] for _ in range(n)]
+        for a in allocas:
+            idx = self.rng.get_range(n)
+            buckets[idx].append(a)
+
+        # Step 3: Build raw nodes from non-empty buckets
+        raw_nodes: list[ReferenceNode] = []
+        entry_bb = list(func.basic_blocks)[0]
+        first_inst = list(entry_bb.instructions)[0]
+
+        for bucket in buckets:
+            if not bucket:
+                continue
+
+            # Create struct with alloca types at random positions + pointer padding
+            field_count = 2 * len(bucket) + 1
+            field_types = [ptr_ty] * field_count
+            positions: dict = {}
+
+            for alloca in bucket:
+                # Pick random unused position
+                while True:
+                    pos = self.rng.get_range(field_count)
+                    if pos not in positions:
+                        break
+                field_types[pos] = alloca.allocated_type
+                positions[alloca] = pos
+
+            struct_ty = ctx.types.struct(field_types)
+
+            # Allocate the struct in entry block
+            with entry_bb.create_builder() as builder:
+                builder.position_before(first_inst)
+                struct_alloca = builder.alloca(struct_ty, name=f"aa.raw.{tag}.{len(raw_nodes)}")
+
+            node = ReferenceNode(
+                alloca=struct_alloca,
+                is_raw=True,
+                node_id=len(raw_nodes),
+            )
+            for alloca, pos in positions.items():
+                node.raw_insts[alloca] = ElementPos(struct_type=struct_ty, index=pos)
+            raw_nodes.append(node)
+
+        # Step 4: Build transition nodes
+        trans_struct_ty = ctx.types.struct([ptr_ty] * BRANCH_NUM)
+        trans_count = len(raw_nodes) * 3
+        all_nodes: list[ReferenceNode] = list(raw_nodes)
+        trans_nodes: list[ReferenceNode] = []
+
+        for t in range(trans_count):
+            with entry_bb.create_builder() as builder:
+                builder.position_before(first_inst)
+                trans_alloca = builder.alloca(
+                    trans_struct_ty, name=f"aa.trans.{tag}.{t}",
+                )
+
+            node = ReferenceNode(
+                alloca=trans_alloca,
+                is_raw=False,
+                node_id=len(all_nodes),
+            )
+
+            # Randomly connect to existing nodes
+            num_edges = self.rng.get_range(BRANCH_NUM) + 1
+            available_slots = list(range(BRANCH_NUM))
+            for _ in range(min(num_edges, len(all_nodes))):
+                if not available_slots:
+                    break
+                slot = available_slots.pop(self.rng.get_range(len(available_slots)))
+                target = all_nodes[self.rng.get_range(len(all_nodes))]
+                node.edges[slot] = target
+
+                # Store pointer to target node in the transition struct
+                with entry_bb.create_builder() as builder:
+                    builder.position_before(first_inst)
+                    slot_ptr = builder.gep(
+                        trans_struct_ty, trans_alloca,
+                        [i32.constant(0), i32.constant(slot)],
+                        f"aa.edge.{tag}.{t}.{slot}",
+                    )
+                    builder.store(target.alloca, slot_ptr)
+
+                # Propagate paths
+                if target.is_raw:
+                    for orig_alloca in target.raw_insts:
+                        if orig_alloca not in node.path:
+                            node.path[orig_alloca] = [slot]
+                        # else: already have a path, keep first
+                else:
+                    for orig_alloca, path in target.path.items():
+                        if orig_alloca not in node.path:
+                            node.path[orig_alloca] = [slot] + path
+
+            trans_nodes.append(node)
+            all_nodes.append(node)
+
+        # Step 5: Create getter functions (one per slot index)
+        getter_funcs: dict[int, llvm.Function] = {}
+        for slot_idx in range(BRANCH_NUM):
+            getter_name = f"__obfu_aa_getter_{tag}_{slot_idx}"
+            getter_fn_ty = ctx.types.function(ptr_ty, [ptr_ty])
+            getter = mod.add_function(getter_name, getter_fn_ty)
+            getter.linkage = llvm.Linkage.Private
+
+            getter_entry = getter.append_basic_block("entry")
+            with getter_entry.create_builder() as builder:
+                gep = builder.gep(
+                    trans_struct_ty, getter.get_param(0),
+                    [i32.constant(0), i32.constant(slot_idx)],
+                    "aa.getter.gep",
+                )
+                loaded = builder.load(ptr_ty, gep, "aa.getter.load")
+                builder.ret(loaded)
+
+            getter_funcs[slot_idx] = getter
+
+        # Step 6: Replace operand references
+        for orig_alloca in allocas:
+            uses = list(orig_alloca.uses)
+            for use in uses:
+                user_inst = use.user
+                operand_idx = use.operand_index
+
+                # Find a node that has a path to this alloca
+                # Prefer transition nodes (more indirection)
+                source_node = None
+                for node in trans_nodes:
+                    if orig_alloca in node.path:
+                        source_node = node
+                        break
+                if source_node is None:
+                    # Fall back to raw node
+                    for node in raw_nodes:
+                        if orig_alloca in node.raw_insts:
+                            source_node = node
+                            break
+                if source_node is None:
+                    continue
+
+                with user_inst.block.create_builder() as builder:
+                    builder.position_before(user_inst)
+
+                    if source_node.is_raw:
+                        # Direct GEP to the element
+                        elem = source_node.raw_insts[orig_alloca]
+                        replacement = builder.gep(
+                            elem.struct_type, source_node.alloca,
+                            [i32.constant(0), i32.constant(elem.index)],
+                            "aa.direct",
+                        )
+                    else:
+                        # Walk the path: call getters to traverse graph
+                        path = source_node.path[orig_alloca]
+                        current_ptr = source_node.alloca
+                        for slot_idx in path:
+                            getter = getter_funcs[slot_idx]
+                            current_ptr = builder.call(
+                                getter, [current_ptr], "aa.walk",
+                            )
+
+                        # current_ptr is now the raw node; GEP to element
+                        # Find which raw node we ended up at
+                        target_node = source_node
+                        for slot_idx in path:
+                            target_node = target_node.edges[slot_idx]
+
+                        if target_node.is_raw and orig_alloca in target_node.raw_insts:
+                            elem = target_node.raw_insts[orig_alloca]
+                            replacement = builder.gep(
+                                elem.struct_type, current_ptr,
+                                [i32.constant(0), i32.constant(elem.index)],
+                                "aa.elem",
+                            )
+                        else:
+                            # Fallback: shouldn't happen with correct paths
+                            continue
+
+                user_inst.set_operand(operand_idx, replacement)
+
+        # Step 7: Erase original allocas (all uses should be replaced)
+        for alloca in allocas:
+            if not alloca.has_uses:
+                alloca.erase_from_parent()
+
+        return True

src/shifting_codes/passes/bogus_control_flow.py

@@ -14,6 +14,17 @@
 from shifting_codes.utils.crypto import CryptoRandom
 
 
+def _safe_remap_operands(inst, value_map: dict):
+    """Remap operands using try/except for nanobind cross-type __eq__ safety."""
+    for i in range(inst.num_operands):
+        op = inst.get_operand(i)
+        try:
+            if op in value_map:
+                inst.set_operand(i, value_map[op])
+        except TypeError:
+            pass
+
+
 def _clone_basic_block(body_bb: llvm.BasicBlock, func: llvm.Function,
                        ctx: llvm.Context, tag: int) -> llvm.BasicBlock:
     """Clone a basic block's instructions into a new block.
@@ -35,10 +46,7 @@ def _clone_basic_block(body_bb: llvm.BasicBlock, func: llvm.Function,
 
     # Remap operands: replace references to original values with cloned ones
     for inst in clone_bb.instructions:
-        for i in range(inst.num_operands):
-            op = inst.get_operand(i)
-            if op in value_map:
-                inst.set_operand(i, value_map[op])
+        _safe_remap_operands(inst, value_map)
 
     return clone_bb
 
@@ -79,7 +87,7 @@ def __init__(self, rng: CryptoRandom | None = None):
     def info(cls) -> PassInfo:
         return PassInfo(
             name="bogus_control_flow",
-            description="Insert opaque predicates and bogus branches",
+            description="[Pluto] Insert opaque predicates and bogus branches",
         )
 
     def run_on_function(self, func: llvm.Function, ctx: llvm.Context) -> bool:
@@ -113,7 +121,7 @@ def run_on_function(self, func: llvm.Function, ctx: llvm.Context) -> bool:
                 continue
 
             # If block has only a terminator, skip (nothing to split)
-            if first_non_phi.is_terminator_inst:
+            if first_non_phi.is_terminator:
                 continue
 
             # Split: headBB → bodyBB (at first non-PHI)

src/shifting_codes/passes/custom_cc.py

@@ -0,0 +1,68 @@
+"""Custom Calling Convention Pass — port of Polaris CustomCC.cpp.
+
+Randomly assigns non-standard calling conventions to internal functions
+and their call sites, breaking decompiler assumptions about register
+usage, stack frame layout, and argument passing.
+"""
+
+from __future__ import annotations
+
+import llvm
+
+from shifting_codes.passes import PassRegistry
+from shifting_codes.passes.base import ModulePass, PassInfo
+from shifting_codes.utils.crypto import CryptoRandom
+
+# Pool of standard non-C calling conventions that change ABI behaviour.
+_CC_POOL = [
+    llvm.CallConv.Fast,
+    llvm.CallConv.Cold,
+    llvm.CallConv.PreserveMost,
+    llvm.CallConv.PreserveAll,
+    llvm.CallConv.X86RegCall,
+    llvm.CallConv.X86_64_SysV,
+    llvm.CallConv.Win64,
+]
+
+
+@PassRegistry.register
+class CustomCCPass(ModulePass):
+
+    def __init__(self, rng: CryptoRandom | None = None):
+        self.rng = rng or CryptoRandom()
+
+    @classmethod
+    def info(cls) -> PassInfo:
+        return PassInfo(
+            name="custom_cc",
+            description="[Polaris] Randomly assign non-standard calling conventions",
+            is_module_pass=True,
+        )
+
+    def run_on_module(self, mod: llvm.Module, ctx: llvm.Context) -> bool:
+        # Collect internal/private functions with bodies
+        internal_funcs = []
+        for func in mod.functions:
+            if func.is_declaration:
+                continue
+            if func.linkage in (llvm.Linkage.Internal, llvm.Linkage.Private):
+                internal_funcs.append(func)
+
+        if not internal_funcs:
+            return False
+
+        for func in internal_funcs:
+            cc = _CC_POOL[self.rng.get_range(len(_CC_POOL))]
+            func.calling_conv = cc
+
+            # Fix all call sites targeting this function
+            func_name = func.name
+            for caller in mod.functions:
+                for bb in caller.basic_blocks:
+                    for inst in bb.instructions:
+                        if inst.opcode == llvm.Opcode.Call:
+                            called = inst.get_operand(inst.num_operands - 1)
+                            if hasattr(called, 'name') and called.name == func_name:
+                                inst.instruction_call_conv = cc
+
+        return True

src/shifting_codes/passes/flattening.py

@@ -24,7 +24,7 @@ def __init__(self, rng: CryptoRandom | None = None):
     def info(cls) -> PassInfo:
         return PassInfo(
             name="flattening",
-            description="Control flow flattening via switch dispatcher",
+            description="[Pluto] Control flow flattening via switch dispatcher",
         )
 
     def run_on_function(self, func: llvm.Function, ctx: llvm.Context) -> bool:

src/shifting_codes/passes/global_encryption.py

@@ -23,7 +23,7 @@ def __init__(self, rng: CryptoRandom | None = None):
     def info(cls) -> PassInfo:
         return PassInfo(
             name="global_encryption",
-            description="XOR-encrypt internal global variables",
+            description="[Pluto] XOR-encrypt internal global variables",
             is_module_pass=True,
         )