obfuse 1.0.0

Compile-time string obfuscation with runtime decryption and secure memory wiping
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209

//! Binary verification test to ensure polymorphic decryption is not optimized away.
//!
//! This test builds the polymorphic example in release mode and verifies that:
//! 1. Transformation instructions (XOR, ADD, SUB, ROL, ROR) are present
//! 2. No central decrypt function exists
//! 3. The binary executes correctly
//!
//! Supports both x86_64 and ARM64 (aarch64) architectures with appropriate
//! instruction pattern matching for each.

#[cfg(feature = "polymorphic")]
#[test]
fn test_polymorphic_not_optimized_away() {
    use std::process::Command;

    println!("Building polymorphic example in release mode...");

    // Build the polymorphic example
    let build_output = Command::new("cargo")
        .args(&[
            "build",
            "--release",
            "--example",
            "polymorphic",
            "--features",
            "polymorphic",
        ])
        .output()
        .expect("Failed to build polymorphic example");

    assert!(
        build_output.status.success(),
        "Failed to build polymorphic example: {}",
        String::from_utf8_lossy(&build_output.stderr)
    );

    println!("Build successful, analyzing binary...");

    // Path to the binary (relative to workspace root)
    let cargo_manifest_dir =
        std::env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set");
    let workspace_root = std::path::Path::new(&cargo_manifest_dir)
        .parent()
        .expect("Failed to get workspace root");

    let binary_name = if cfg!(target_os = "windows") {
        "polymorphic.exe"
    } else {
        "polymorphic"
    };

    let binary_path = workspace_root
        .join("target")
        .join("release")
        .join("examples")
        .join(binary_name);

    // Check that binary exists
    assert!(
        binary_path.exists(),
        "Binary not found at {}",
        binary_path.display()
    );

    // Disassemble the binary
    let objdump_output = Command::new("objdump")
        .args(&["-d", binary_path.to_str().unwrap()])
        .output();

    if let Ok(output) = objdump_output {
        if output.status.success() {
            let disasm = String::from_utf8_lossy(&output.stdout);

            // Architecture-specific instruction patterns:
            // - x86_64: xor, add, sub, rol, ror
            // - ARM64:  eor (exclusive or), add, sub, ror (handles both rotations)
            let is_arm = cfg!(target_arch = "aarch64");

            // Count XOR instructions (x86: xor, ARM64: eor)
            let xor_count = if is_arm {
                // ARM64 uses 'eor' for exclusive OR
                disasm.matches("eor").count()
            } else {
                disasm.matches("xor").count()
            };

            // ADD and SUB are the same on both architectures
            let add_count = disasm.matches("add").count();
            let sub_count = disasm.matches("sub").count();

            // Rotation instructions
            // x86_64: rol (rotate left), ror (rotate right)
            // ARM64: ror only (rotate left is implemented as ror with inverted shift)
            let (rol_count, ror_count) = if is_arm {
                // ARM64 only has ror, but it's used for both directions
                (0usize, disasm.matches("ror").count())
            } else {
                (disasm.matches("rol").count(), disasm.matches("ror").count())
            };

            let arch_name = if is_arm { "ARM64" } else { "x86_64" };
            println!("Architecture: {}", arch_name);
            println!("Instruction counts:");
            if is_arm {
                println!("  EOR (XOR): {}", xor_count);
            } else {
                println!("  XOR: {}", xor_count);
            }
            println!("  ADD: {}", add_count);
            println!("  SUB: {}", sub_count);
            if is_arm {
                println!("  ROR: {}", ror_count);
            } else {
                println!("  ROL: {}", rol_count);
                println!("  ROR: {}", ror_count);
            }

            // Verify we have transformation instructions
            // Thresholds may vary by architecture due to different code generation
            let min_xor = if is_arm { 3 } else { 5 };
            let min_add = if is_arm { 5 } else { 10 };
            let min_sub = if is_arm { 3 } else { 5 };

            assert!(
                xor_count >= min_xor,
                "Expected at least {} XOR/{} instructions, found {}",
                min_xor,
                if is_arm { "EOR" } else { "XOR" },
                xor_count
            );
            assert!(
                add_count >= min_add,
                "Expected at least {} ADD instructions, found {}",
                min_add,
                add_count
            );
            assert!(
                sub_count >= min_sub,
                "Expected at least {} SUB instructions, found {}",
                min_sub,
                sub_count
            );
            assert!(
                rol_count + ror_count >= 1,
                "Expected at least 1 rotation instruction, found {} ROL + {} ROR",
                rol_count,
                ror_count
            );
        } else {
            println!("Warning: objdump failed, skipping disassembly verification");
            println!("stderr: {}", String::from_utf8_lossy(&output.stderr));
        }
    } else {
        println!("Warning: objdump not available, skipping disassembly verification");
    }

    // Check for decrypt symbols (should be none)
    let nm_output = Command::new("nm")
        .arg(binary_path.to_str().unwrap())
        .output();

    if let Ok(output) = nm_output {
        if output.status.success() {
            let symbols = String::from_utf8_lossy(&output.stdout);
            let decrypt_symbols: Vec<_> = symbols
                .lines()
                .filter(|line| line.to_lowercase().contains("decrypt"))
                .collect();

            assert!(
                decrypt_symbols.is_empty(),
                "Found decrypt symbols in polymorphic binary (should be none): {:?}",
                decrypt_symbols
            );
            println!("✓ No decrypt symbols found (as expected)");
        }
    }

    // Run the binary and verify output
    println!("Running binary to verify execution...");
    let run_output = Command::new(binary_path.to_str().unwrap())
        .output()
        .expect("Failed to run polymorphic example");

    assert!(
        run_output.status.success(),
        "Binary execution failed: {}",
        String::from_utf8_lossy(&run_output.stderr)
    );

    let output_str = String::from_utf8_lossy(&run_output.stdout);

    // Verify expected strings are in output
    assert!(
        output_str.contains("sk_live_abc123"),
        "Output missing expected string: sk_live_abc123"
    );
    assert!(
        output_str.contains("P@ssw0rd!2024"),
        "Output missing expected string: P@ssw0rd!2024"
    );
    assert!(
        output_str.contains("jwt_secret_xyz789"),
        "Output missing expected string: jwt_secret_xyz789"
    );

    println!("✓ Binary executes correctly and produces expected output");
    println!("\n✅ Polymorphic decryption verification PASSED");
}