-
Notifications
You must be signed in to change notification settings - Fork 70
Handling Bogus Control Flow Pass Manually
After Control Flow Flattening has been removed, it is trivial to recognize opaque predicates (note that these are not removed by the binja opaque predicate plugin). The opaque predicate is something of the form (though may be quite a bit uglier due to expression substitution):
if ((y < 10 || x * (x + 1) % 2 == 0)
break;There are also bogus do-nothing instructions inserted before the conditional. x and y are both globals. More information on the pass can be found here (original source comment).
The identifying features here are the load to globals y and x (though this may change in the future as the LLVM-obfuscator guys have acknowledged this). Because this is an opaque predicate, it always evaluates to true, regardless of the values of the globals. For this case, you can simply always take the branch using binja. This will be automated later.