Index

How to Protect User Code

Precautions

When using code obfuscation and virtualization, be mindful of the following situations:

1. Compiler Optimization Considerations:
If you're using the VxLang SDK to obfuscate or virtualize your code, ensure that you check the compiler optimization settings. When compiler optimization is enabled, your code might be merged in ways that differ from how you originally wrote it. If VxLang SDK functions are referenced within this merged code, the Begin/End positions might change, resulting in less obfuscation than intended.

Here's how to fix the problem:

Turn off compiler optimization. 

Disable code optimization for specific functions or pages at the code level. 

Use MAP/PDB-based obfuscation/virtualization.

2. Potential Code Generation:
Be aware of the following code pattern that may occur during the obfuscation and virtualization process:

			...

			call _VXLANG_BEGIN 

			jmp L1 

			L0:

			jmp EXIT 

			L1:

			lea rax, $L0 

			jmp rax 

			EXIT:

			call _VXLANG_END 

			...

In this example, the jmp rax instruction causes a jump from the VxLang region back to the original code. This type of code can occur when table-based operations are used in a switch-case statement.

3. Exception Handling:
VxLang currently only supports SEH (Structured Exception Handling). Therefore, be cautious when using it in conjunction with try-catch blocks.

Protecting user code with the SDK

Let's check out the VxLang SDK functions.
- Link: vxlib.h
- Link: vxlib.cpp

			// Code Obfuscation Macros

			#define VL_OBFUSCATION_BEGIN

			#define VL_OBFUSCATION_END

			// Code Flattening Macros
			
			#define VL_CODE_FLATTENING_BEGIN

			#define VL_CODE_FLATTENING_END

			// Code Virtualization Macros
			
			#define VL_VIRTUALIZATION_BEGIN

			#define VL_VIRTUALIZATION_END

To protect specific code sections, you can insert these macros as follows:
Link: sample.cpp

			void func() {

			   VL_OBFUSCATION_BEGIN;

			   // Your code to be obfuscated

			   VL_OBFUSCATION_END;

			   return;

			}

Protecting user code with the MAP-File

VxLang can perform function-level obfuscation by utilizing the binary's MAP-file.
The MAP file looks something like this:

			map64

			Timestamp is 66d39ebe (Sun Sep  1 07:52:46 2024)

			Preferred load address is 0000000140000000

			Start         Length     Name                   Class

			...

			0001:00000000
			   
			__local_stdio_printf_options
			 
			0000000140001000 f i sample.obj

			0001:00000010
			   
			_vfprintf_l
			             
			0000000140001010 f i sample.obj

			0001:00000060
			   
			printf
			             
			0000000140001060 f i sample.obj

			...

In the MAP file, the function is represented by f, as shown in the example above.
Find the function you need to obfuscate in the list above and enter it into your project JSON, and it will be obfuscated per function.

			  "virtualization-by-map": [

			  "__local_stdio_printf_options",

			  "_vfprintf_l",

			  "printf"

			  ]

			  "obfuscation-by-map": [

			  "__local_stdio_printf_options",

			  "_vfprintf_l",

			  "printf"

			  ]

			  "flattening-by-map": [

			  "__local_stdio_printf_options",

			  "_vfprintf_l",

			  "printf"

			  ]

Protecting user code with the PDB-File

...

Disable the VxLang-Core

VxLang performs additional binary protection behavior through VxLang-Core. However, sometimes users only need code protection without additional protection behavior. In this case, you can enter a command like the one below to exclude the core.

:\> vxlang.exe ${PE-Binary} --disable-core

:\> vxlang.exe temp.json --disable-core