```c
__attribute__((annotate("sub")))
__attribute__((annotate("fla")))
void critical_function(void)
{
    // heavily obfuscated
}
```
Download prebuilt `hikari_pe_x64.dll` from: github.com/HikariObfuscator/Hikari/releases (look for `Hikari-LLVM15.0-windows-x64.zip`).

Extract the zip to `C:\Hikari\`:
```
clang-cl.exe /O2 /GS- /c source.c ^
  -mllvm -enable-pass-plugin=C:\Hikari\lib\hikari_pe_x64.dll ^
  -mllvm -sub -mllvm -sub_loop=1
```

| Flag | Effect |
|------|--------|
| -sub | Instruction substitution |
| -sub_loop=1 | Substitution on loops |
| -bcf | Bogus control flow |
| -bcf_loop=1 | Bogus flow in loops |
| -fla | Control flow flattening |
| -fla_loop=1 | Flatten loops |
| -split | Basic block splitting |
| -split_num=2 | Split into 2 blocks |
| -indibran | Indirect branching (opaque predicates) |
```
loc_obf_1:
    mov eax, switch_var
    cmp eax, 0x1 -> jmp loc_realblock1
    cmp eax, 0x2 -> jmp loc_realblock2
    ...
```

If prebuilt plugin fails:
Example full obfuscation:
Also available: "bcf", "split", "indibran", "fla_loop", "sub_loop", "split_num=3"

Combine with manual tricks:
```
lld-link.exe /SUBSYSTEM:CONSOLE /ENTRY:main /MACHINE:X64 /OUT:obfuscated.exe payload.obj
```

Do not apply obfuscation at link stage, only per TU (translation unit).

6. Advanced: Selective Obfuscation with `__attribute__`

Annotate functions to control passes:
```
C:\Hikari\
  bin\
    clang-cl.exe
    lld-link.exe
  lib\
    hikari_pe_x64.dll   <-- plugin
```

Add to environment PATH: `C:\Hikari\bin`

Use the plugin flag: