
Break ghidra constant folding through inline-never fns

Open · roblabla opened this issue 3 years ago · 1 comment

Heyo,

I just updated my project to obfstr 4, and overall the improvements are quite nice! However, there is one small downside compared to the previous version: obfstr 4 generates a huge block of data in the .data section that xrefs every piece of code dealing with obfuscated strings:

[screenshot: the .data block and its cross-references]

This is not ideal, as it gives a reverser a simple way to find all the code offsets to obfuscated strings, making the creation of an automated deobfuscation tool a bit easier.

Digging into the code, I figured that this change came from the new xref code. After reading over #44, I eventually figured that this was done to break Ghidra's constant folding which defeated much of the obfuscation.

So I tried to take a different approach here: instead of storing the xref offsets in .data, I figured they could be stored in a dedicated function marked `#[inline(never)]`. In theory, Ghidra will not be able to "see through" the call, and thus the constant folding is broken.

Here's the result: [screenshot]
This approach has the other benefit of not using the .data segment, which should make code integrity checks properly verify that the xref offsets aren't tampered with.

roblabla · Jul 27 '22 14:07
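To make the two layouts under discussion concrete, here is an added illustration that is not obfstr's code and does not reproduce its actual scheme: a string XOR-encoded at compile time, decoded at runtime once with its key material reached through a static table (the .data approach the issue describes) and once through a dedicated `#[inline(never)]` function (the proposal). The key, the sample string, the function names and the use of `std::hint::black_box` to keep the compiler from folding the constant back into the caller are all assumptions made for this example.

```rust
// Added illustration (not obfstr's own code) of the two designs discussed
// above: the decode key for an obfuscated string reached through a static
// table in .data versus through a dedicated #[inline(never)] function.
// Key, sample string and all names are constructed for this example.

/// Constructed sample key; a real scheme derives per-string keys.
const KEY: u8 = 0x5A;

/// XOR-encode a byte string at compile time so the plaintext never appears
/// in the binary (the basic idea behind string obfuscation, simplified here).
const fn encode<const N: usize>(s: &[u8; N]) -> [u8; N] {
    let mut out = [0u8; N];
    let mut i = 0;
    while i < N {
        out[i] = s[i] ^ KEY;
        i += 1;
    }
    out
}

/// The obfuscated sample string, stored only in encoded form.
static ENCODED: [u8; 12] = encode(b"hello, world");

/// Runtime decode with whatever key the caller obtained.
fn decode(enc: &[u8], key: u8) -> String {
    enc.iter().map(|&b| (b ^ key) as char).collect()
}

// Approach A (what the issue reports for obfstr 4): key material is kept in a
// static table in .data. Every decode site references the table, so the
// table's cross-references enumerate all of those sites.
static KEY_TABLE: [u8; 1] = [KEY];

pub fn decode_via_table() -> String {
    decode(&ENCODED, KEY_TABLE[0])
}

// Approach B (the proposal): the key comes out of a function the compiler
// must not inline. black_box keeps the optimiser from folding KEY into the
// caller, so a decompiler's constant folder sees a call, not a literal.
#[inline(never)]
fn opaque_key() -> u8 {
    std::hint::black_box(KEY)
}

pub fn decode_via_fn() -> String {
    decode(&ENCODED, opaque_key())
}

/// Both paths recover the same plaintext; only the shape of the binary differs.
pub fn both_paths_agree() -> bool {
    decode_via_table() == decode_via_fn()
}

fn main() {
    println!("{}", decode_via_fn());
    println!("encoded bytes: {:02x?}", ENCODED);
}
```

Build it with optimisations (`rustc -O`) and look at the two decode functions in a disassembler: the table version carries a data reference into .data, the other a call to `opaque_key`. The plaintext is identical either way; the difference is only in which artefact an analysis tool can follow.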

Does the same problem not happen with the #[inline(never)] approach? There should be a ton of mov rax, OFFSET; retn funcs which you can easily enumerate as well.

CasualX · Jul 28 '22 02:07