Option Arguments Description
--Environment string A string that describes the architecture, operating system, and compiler being used. We currently recognize the following strings: x86_64:Linux:Gcc:4.6, x86_64:Darwin:Clang:5.1, armv7:Linux:Gcc:4.6, armv8:Linux:Gcc:4.6. This is mostly necessary because Clang does not support some features (most notably asm goto) that Gcc does. In the future we will use this to provide better support for 32-bit binaries. Default=0.
--out file.c The file to write to.
--Seed INTSPEC The randomization seed. --Seed=0 makes Tigress generate its own seed.
--FilePrefix AUTO, NONE, string Use this if you intend to run tigress multiple times on each file to avoid name clashes. Only set this option once. Default=NONE.
  • AUTO = generate a prefix to add to all symbols
  • NONE = don't add any prefix
  • string = add this prefix
--Verbosity int Tigress' chattiness level. --Verbosity=0 makes Tigress quiet. --Verbosity=1 prints each transformation as it is being applied. Default=0.
--Input INPUTSPEC Specify invariants over the command line arguments, such as the range of integer values a particular argument may take, the range of lengths of an argument, or the string value of an argument. These are used by the input opaque predicate, which is created by --InitOpaque=input. Default=0.
INTSPEC ?, int?int, int The INTSPEC notation allows randomized selection of integer valued options.
  • ? = select a 32-bit random number
  • int?int = select a random integer value in the range [int,int]
  • int = select this value
FRACSPEC *, int, int?int, %int The FRACSPEC notation allows the selection of a fraction of a set of elements.
  • * = 100%
  • int = select exactly this number of elements (if they exist)
  • int?int = a?b selects a random number of elements in the range [a,b] (if they exist)
  • %int = select this fraction of available elements
BOOLSPEC ?, true, false The BOOLSPEC notation allows randomized selection of boolean valued options.
  • ? = select a random boolean value
  • true = select true
  • false = select false
IDENTSPEC *, ?int, %int, /regexp/, string Many transformations require you to specify the set of functions to which they should be applied. Trivially, you can say --Functions=foo to apply the obfuscation only to foo, but frequently you need more flexibility than that. The IDENTSPEC notation provides this functionality. Some transformations also use identifier specifications to specify variables, as in --UpdateEntropyVar=\* which would select all variables of a function.
  • * = select all available identifiers
  • ?int = randomly select int number of identifiers
  • %int = randomly select int percent of available identifiers
  • /regexp/ = select the identifiers that match the regular expression
  • string = select this identifier
LOCALSPEC The LOCALSPEC notation is used to specify a set of local variables and formal parameters. For example, --LocalVariables='main:i,j;foo:\*'=\* would select all variables of foo and i and j of main. The notation is a semicolon-separated list of IDENTSPEC:IDENTSPEC.
INPUTSPEC int, ?int, int?, int?int, +int, -int, "int", "string", "length" The --Input=... switch allows you to specify invariants over the command line arguments. These are used when you set --AddOpaqueStructs=input and --VirtualizeOpaqueStructs=input to create opaque constructs that appear to depend on input. An input specification is a comma-separated list of 3-tuples: position:kind:value. I.e., --Input=position:kind:value,position:kind:value,... For example, consider the input specification --InputSpec=+1:int:34?56,-1:length:1? The first tuple specifies that the first command line argument must evaluate to an integer in the range 34-56, and the last argument has a length of exactly 1 character. Specifically, position=/+n|-n/, i.e. the n:th command line argument from the beginning or end of the line. The second part of the 3-tuple, kind is /int|string|length/, specifying that an invariant over a command line argument is a range of integer values, a particular string value, or the length (in characters) of an argument. The last part of the 3-tuple, value, allows you to specify four types of ranges: /[0-9]+/, /?[0-9]+/, /[0-9]+?/, and /[0-9]+?[0-9]+/,/[0-9]*?/, for a specific value n, a range [n,..], a range [..,n], and a range [n..m]. n (a single integer) specifies a specific value, n? specifies a range starting at n
  • int = range specification: matches a particular integer
  • ?int = range specification: matches any value from int and up
  • int? = range specification: matches any value up to int
  • int?int = range specification: matches values in the range.
  • +int = position specification: argument number int from the left on the command line
  • -int = position specification: argument number int from the right on the command line
  • "int" = invariant specification: match the integer value of a command line argument
  • "string" = invariant specification: match the string value of a command line argument
  • "length" = invariant specification: match the length of a string argument
--Prefix string Add this prefix to each new generated symbol. This is in addition to the --FilePrefix. Default is "_number_" where number is the order number of the transformation given on the command line. You can set this for every transformation. Default=_number_.
--Exclude string-list Comma-separated list of the functions to exclude from obfuscation. Useful after an --Functions=* or --Functions=?int option, like this: --Functions=* --Exclude=main
--Functions IDENTSPEC The functions to which the transformation should be applied. See below for how to specify a set of functions.
--GlobalVariables IDENTSPEC The global variables to which the transformation should be applied. Currently only used for the --Transform=EncodeData transformation.
--LocalVariables LOCALSPEC The local variables and formal parameters to which the transformation should be applied. Currently only used for the --Transform=EncodeData transformation.
--Transform Virtualize Turn a function into an interpreter.
--VirtualizeShortIdents bool Generate shorter identifiers to produce interpreters suitable for publication. Default=false.
--VirtualizeIsWindows bool Set this to true if you're on Windows rather than a Unix system. Currently only relevant when generating bogus functions.
--VirtualizeDispatch switch, direct, indirect, call, ifnest, linear, binary, interpolation, ? Select the interpreter's dispatch method. Default=switch.
  • switch = dispatch by while(){switch(next){...}}
  • direct = dispatch by direct threading
  • indirect = dispatch by indirect threading
  • call = dispatch by call threading
  • ifnest = dispatch by nested if-statements
  • linear = dispatch by searching a table using linear search
  • binary = dispatch by searching a table using binary search
  • interpolation = dispatch by searching a table using interpolation search
  • ? = Pick a random dispatch method
--VirtualizeOperands stack, registers, *, ? Comma-separated list of the types of operands allowed in the ISA. Default=stack.
  • stack = use stack arguments to instructions
  • registers = use register arguments to instructions
  • * = same as stack,registers
  • ? = select one argument type at random.
--VirtualizeMaxDuplicateOps INTSPEC Number of ADD instructions, for example, with different signatures. Default=0.
--VirtualizeRandomOps bool Should opcodes be randomized, or go from 0..n? Default=true.
--VirtualizeSuperOpsRatio Float>0.0 Desired number of super operators. Default=0.0.
--VirtualizeMaxMergeLength INTSPEC Longest sequence of instructions to be merged into one. Default=0.
--VirtualizeMaxOpaque INTSPEC Number of opaques to add to each instruction handler. Default=0.
--VirtualizeNumberOfBogusFuns INTSPEC Weave the execution of random functions into the execution of the original program. This makes certain kinds of pattern-based dynamic analysis more difficult. Default=0.
--VirtualizeBogusFunKinds trivial, arithSeq, collatz, * The kind of bogus function to generate. Comma-separated list. Default=arithSeq,collatz.
  • trivial = insert a trivial computation
  • arithSeq = insert a simple arithmetic loop
  • collatz = insert a computation of the Collatz sequence
  • * = select all options
--VirtualizeBogusLoopKinds trivial, arithSeq, collatz, * Insert a bogus loop for each instruction list. This will extend the length of the trace, making dynamic analysis more difficult. Default=collatz.
  • trivial = insert a trivial computation
  • arithSeq = insert a simple arithmetic loop
  • collatz = insert a computation of the Collatz sequence
  • * = select all options
--VirtualizeBogusLoopIterations INTSPEC Adjust this value to balance performance and trace length. Default=0.
--VirtualizeReentrant bool Make the function reentrant. Default=false.
--VirtualizeOptimizeBody BOOLSPEC Clean up after superoperator generation by optimizing the body of the generated function. Default=false.
--VirtualizeOptimizeTreeCode BOOLSPEC Do constant folding etc. prior to interpreter generation. Default=false.
--VirtualizeTrace bool Insert tracing code to show the stack and the virtual instructions executing. Default=false.
--VirtualizeComment bool Insert comments in the generated interpreter. Default=false.
--VirtualizeDump tree, ISA, instrs, types, vars, strings, calls, bytes, array, stack, * Dump internal data structures used by the virtualizer. Comma-separated list. Default=dump nothing.
  • tree = dump the expression trees generated from the CIL representation
  • ISA = dump the Instruction Set Architecture
  • instrs = dump the generated virtual instructions
  • types = dump the types found
  • vars = dump the local variables found
  • strings = dump the strings found
  • calls = dump the function calls found
  • bytes = dump the bytecode array
  • array = dump the instruction array
  • stack = dump the evaluation stack
  • * = select all options
--VirtualizeImplicitFlow PCInit, PCUpdate, * Insert implicit flow between the virtual program counter and instruction dispatcher. Default=none.
  • PCInit = insert implicit flow between the computation of the VPC address and the first load
  • PCUpdate = insert implicit flow for each VPC load (potentially very slow)
  • * = select all options
--VirtualizeCopyKinds counter, unrolled, loop, * Comma-separated list of the kinds of implicit flow to insert between the program counter and the instruction dispatcher. Default=all options.
  • counter = Copy a variable by counting up to its value.
  • unrolled = Copy a variable bit-by-bit, each bit tested by an if-statement.
  • loop = Loop over the bits in a variable, and copy each bit by testing in an if-statement.
  • * = Same as all options turned on.
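
Added example, written by hand for this page and not Tigress output: the shape that --Transform=Virtualize with --VirtualizeDispatch=switch and --VirtualizeOperands=stack describes. The instruction set, the opcode numbers (non-sequential, as with --VirtualizeRandomOps=true) and the bytecode are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Original function with ordinary control flow. */
uint32_t fact_plain(uint32_t n) {
    uint32_t r = 1;
    while (n != 0) { r *= n; n--; }
    return r;
}

/* Constructed instruction set: opcode numbers are arbitrary, not 0..n. */
enum { OP_PUSH = 0x5c, OP_LOAD = 0x13, OP_STORE = 0xa7, OP_MUL = 0x3e,
       OP_SUB = 0x81, OP_JZ = 0x2b, OP_JMP = 0xd4, OP_RET = 0x66 };

/* Bytecode for fact_plain. Local 0 holds n, local 1 holds r.
 * The number in each leading comment is the byte offset of that row. */
static const uint8_t fact_code[] = {
    /*  0 */ OP_PUSH, 1, OP_STORE, 1,                     /* r = 1          */
    /*  4 */ OP_LOAD, 0, OP_JZ, 24,                       /* n == 0 -> 24   */
    /*  8 */ OP_LOAD, 1, OP_LOAD, 0, OP_MUL, OP_STORE, 1, /* r = r * n      */
    /* 15 */ OP_LOAD, 0, OP_PUSH, 1, OP_SUB, OP_STORE, 0, /* n = n - 1      */
    /* 22 */ OP_JMP, 4,                                   /* back to test   */
    /* 24 */ OP_LOAD, 1, OP_RET                           /* return r       */
};

/* The virtualized function: the original logic now lives in fact_code,
 * and the C code is only a fetch/dispatch loop over a virtual PC. */
uint32_t fact_virtual(uint32_t n) {
    uint32_t locals[2] = { n, 0 };
    uint32_t stack[8];
    int sp = 0;                 /* index of the next free stack slot */
    unsigned pc = 0;            /* virtual program counter */
    while (1) {
        switch (fact_code[pc]) {
        case OP_PUSH:  stack[sp++] = fact_code[pc + 1];          pc += 2; break;
        case OP_LOAD:  stack[sp++] = locals[fact_code[pc + 1]];  pc += 2; break;
        case OP_STORE: locals[fact_code[pc + 1]] = stack[--sp];  pc += 2; break;
        case OP_MUL:   sp--; stack[sp - 1] *= stack[sp];         pc += 1; break;
        case OP_SUB:   sp--; stack[sp - 1] -= stack[sp];         pc += 1; break;
        case OP_JZ:    pc = (stack[--sp] == 0) ? fact_code[pc + 1] : pc + 2; break;
        case OP_JMP:   pc = fact_code[pc + 1];                            break;
        case OP_RET:   return stack[--sp];
        default:       return 0;   /* unknown opcode: not reached here */
        }
    }
}

/* Returns 1 if both versions agree for every n in [0, limit). */
int fact_equivalent(uint32_t limit) {
    for (uint32_t n = 0; n < limit; n++)
        if (fact_plain(n) != fact_virtual(n))
            return 0;
    return 1;
}

int main(void) {
    printf("fact_virtual(5) = %u\n", (unsigned)fact_virtual(5));
    printf("equivalent on [0,40): %d\n", fact_equivalent(40));
    return 0;
}
```

For an analyst, the control flow of the original function is no longer in the C control-flow graph; it has to be recovered from the bytecode array and the meaning of each handler.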
--Transform Flatten Flatten a function using Chenxi Wang's algorithm
--FlattenDispatch switch, goto, indirect, ? Dispatch method. Default=switch.
  • switch = dispatch by while(1) {switch (next) {blocks}}
  • goto = dispatch by {labl1: block1; goto block2;}
  • indirect = dispatch by goto* (jtab[next])
  • ? = select a dispatch method at random.
--FlattenObfuscateNext BOOLSPEC Whether the dispatch variable should be obfuscated with opaque expressions or not. Default=true.
--FlattenOpaqueStructs list, array, * Type of opaque predicate to use. Traditionally, for this transformation, array is used. Default=array.
  • list = Generate opaque expressions using linked lists
  • array = Generate opaque expressions using arrays
  • * = Same as list,array
--FlattenSplitBasicBlocks BOOLSPEC If true, then basic blocks (sequences of assignment and call statements without intervening branches) will be split up into individual blocks. If false, they will be kept intact. Default=true.
--FlattenTrace bool Print a message before each block gets executed. Useful for debugging. Default=false.
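
Added example, hand-written for this page and not Tigress output: a small function and an equivalent in the --FlattenDispatch=switch shape, with the loop body split into two blocks as --FlattenSplitBasicBlocks=true describes. The block numbers are constructed, and the dispatch variable is left in the clear (no --FlattenObfuscateNext).

```c
#include <stdio.h>

/* Original function: Euclid's algorithm with structured control flow. */
unsigned gcd_plain(unsigned a, unsigned b) {
    while (b != 0) {
        unsigned t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Flattened equivalent: every basic block becomes a case, and the only
 * edge between blocks is an assignment to the dispatch variable `next`.
 * The loop structure is no longer visible in the control-flow graph. */
unsigned gcd_flat(unsigned a, unsigned b) {
    unsigned t = 0;
    int next = 3;                       /* entry block */
    while (1) {
        switch (next) {
        case 3:                         /* loop test */
            next = (b != 0) ? 7 : 1;
            break;
        case 7:                         /* first half of the loop body */
            t = a % b;
            next = 5;
            break;
        case 5:                         /* second half (split basic block) */
            a = b;
            b = t;
            next = 3;
            break;
        case 1:                         /* exit block */
            return a;
        default:                        /* no block has this number */
            return 0;
        }
    }
}

/* Returns 1 if both versions agree on every pair in [0, limit) x [0, limit). */
int flatten_equivalent(unsigned limit) {
    for (unsigned a = 0; a < limit; a++)
        for (unsigned b = 0; b < limit; b++)
            if (gcd_plain(a, b) != gcd_flat(a, b))
                return 0;
    return 1;
}

int main(void) {
    printf("gcd_flat(48, 18) = %u\n", gcd_flat(48, 18));
    printf("equivalent on [0,64)^2: %d\n", flatten_equivalent(64));
    return 0;
}
```

Recovering the original graph from this form means tracking which values `next` can take at the end of each block, which is why the page offers to hide those assignments behind opaque expressions.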
--Transform Jit Turn a function into a sequence of instructions that dynamically builds up the function at runtime.
--JitFrequency INTSPEC How often to jit the code at runtime. 0=only the first time; n>0=Every n:th time the function is called. Default=true.
--JitOptimizeBinary INTSPEC Optimize the jitted binary code. 1=omit frame pointer, 2=omit unused assignments, 4=merge ADDs and MULs. Default=1|4=5.
--JitImplicitFlow BOOLSPEC Insert implicit flow to the generated function handle. Default=false.
--JitCopyKinds counter, counter_signal, bitcopy_unrolled, bitcopy_loop, bitcopy_signal, * Comma-separated list of the kinds of implicit flow to insert. counter_signal and bitcopy_signal require that --Transform=InitImplicitFlow --InitImplicitFlowCount=... has been called to create the signal handlers. Default=all options.
  • counter = Copy a variable by counting up to its value.
  • counter_signal = Copy a variable by counting up to its value in a signal handler.
  • bitcopy_unrolled = Copy a variable bit-by-bit, each bit tested by an if-statement.
  • bitcopy_loop = Loop over the bits in a variable and copy each bit by testing in an if-statement.
  • bitcopy_signal = Loop over the bits in a variable and copy each bit in a signal handler.
  • * = Same as all options turned on.
--JitObfuscateHandle BOOLSPEC Add an opaque predicate to the generated function handle. Default=false.
--JitObfuscateArguments BOOLSPEC Add bogus arguments and opaque predicates to the jit_add_op function calls. Default=false.
--JitDumpOpcodes BOOLSPEC Print the jitter's bytecode. Default=false.
--JitDumpTree BOOLSPEC Print the tree representation of the function, prior to generating the jitting code. Default=false.
--JitDumpIntermediate BOOLSPEC Print the generated intermediate code at translation time. Default=false.
--JitDumpBinary BOOLSPEC Print the generated machine code. Useful for debugging. Requires 'objdump' to be installed. Default=false.
--JitTrace BOOLSPEC Insert runtime tracing of instructions. Default=false.
--Transform Split Outline pieces of a function
--SplitKinds top, block, deep, recursive Comma-separated list specifying the order in which different split methods are attempted. Default=top,block,deep,recursive.
  • top = split the top-level list of statements into two functions funcname_split_1 and funcname_split_2.
  • block = split a basic block (list of assignment and call statements) into two functions.
  • deep = split out a nested control structure of at least height>2 into its own function funcname_split_1.
  • recursive = same as block, but calls to split functions are also allowed to be split out.
--SplitCount INTSPEC How many times to attempt the split. Default=1.
--SplitName string If set, the split out functions will be named prefix_name_number, otherwise they will be named prefix_originalName_split_number.
--Transform Merge Merge of two or more functions. Two different types of merge are supported: simple merge (if () function1 else if () function2 else ...) and flatten merge, where the functions are first flattened, and then the resulting blocks are woven together. This transformation modifies the signature of the function (an extra formal selector argument is added that selects between the constituent functions at runtime), and this cannot be done for functions whose address is taken. --Functions=\* merges together all functions in the program whose signatures can be changed, --Functions=%50 merges together about half of them, etc. It is a good idea to follow this transform by a RndArgs transform to hide the extra selector argument.
--MergeName string If set, the merged function will be named prefix_name, otherwise it will be named prefix_originalName1_originalName2. Note that it's unpredictable which function will be the first and the second, so it's better to set the merged name explicitly.
--MergeObfuscateSelect BOOLSPEC Whether the extra parameter passed to the merged function should be obfuscated with opaque expressions or not. Default=true.
--MergeOpaqueStructs list, array, * Type of opaque predicate to use. Traditionally, for this transformation, array is used. Default=array.
  • list = Generate opaque expressions using linked lists
  • array = Generate opaque expressions using arrays
  • * = Same as list,array
--MergeFlatten BOOLSPEC Whether to flatten before merging or not. Default=true.
--MergeFlattenDispatch switch, goto, indirect, ? Dispatch method used for flattened merge. Default=switch.
  • switch = dispatch by while(1) {switch (next) {blocks}}
  • goto = dispatch by {labl1: block1; goto block2;}
  • indirect = dispatch by goto* (jtab[next])
  • ? = select a dispatch method at random.
--Transform RndArgs Randomize the order of arguments to a function and add extra bogus arguments.
--RndArgsBogusNo INTSPEC Number of bogus arguments to add. Default=0.
--Transform InitOpaque Add opaque initialization code. This initialization code has to be added to a function that gets called before any uses of opaque predicates, usually, but not necessarily, to main.
--InitOpaqueStructs list, array, * Comma-separated list of the kinds of opaque constructs to add. Default=list,array.
  • list = Generate opaque expressions using linked lists
  • array = Generate opaque expressions using arrays
  • * = Same as list,array
--InitOpaqueCount INTSPEC How many opaque data structures (lists or arrays) to add to the program. They will be split roughly evenly between the different declared opaque structures. Default=1.
--InitOpaqueSize INTSPEC Size of opaque arrays. Default=30.
--Transform AddOpaque Add opaque predicates to split up control-flow.
--AddOpaqueCount INTSPEC How many opaques to add to each function. Default=1.
--AddOpaqueKinds call, bug, true, junk, fake, * Comma-separated list of the types of insertions of bogus computation allowed. Default=call,bug,true,junk.
  • call = if (false) RandomFunction()
  • bug = if (false) BuggyStatement else RealStatement
  • true = if (true) RealStatement
  • junk = if (false) asm(".byte random bytes")
  • fake = if (False) NonExistingFunction()
  • * = Turns all options on.
--Transform UpdateOpaque Add code that makes updates to opaque predicates.
--UpdateOpaqueCount INTSPEC How many updates to opaque data structures to add to the function. Default=1.
--UpdateOpaqueAllowAddNodes bool Is it safe to malloc new nodes for the opaque data structure in this function? Only set to true if the function is called sparingly. Default=false.
--Transform InitEntropy Add initialization of the entropy variables.
--Transform UpdateEntropy Add updates to the entropy variables.
--UpdateEntropyVar IDENTSPEC Add to the entropy variables from these variables. Default=*.
--Transform EncodeLiterals Replace literal integers and strings with less obvious expressions.
--EncodeLiteralsKinds integer, string, * Specify the types of literals to encode. Default=integer,string.
  • integer = Replace literal integers with opaque expressions
  • string = Replace literal strings with calls to a function that generates them
  • * = Same as integer,string
--EncodeLiteralsEncoderName string The name of the generated encoder function (only for encoded strings). Default=None.
--Transform EncodeArithmetic Replace integer arithmetic with more complex expressions.
--EncodeArithmeitKinds integer Specify the types to encode. Currently, only integer is available. Default=integer.
  • integer = Replace integer arithmetic.
--Transform EncodeData Replace integer variables with a different encoding. Use --GlobalVariables and --LocalVariables to specify the variables that should be transformed. In addition to the variables specified, any other variables that are related through aliasing will be transformed. Only integer variables, arrays of integers, and pointers to integers are currently supported. Avoid structs, since our alias analysis algorithm conflates all fields.
--EncodeDataCodecs poly1, xor, add, * Comma-separated list of the kinds of codecs that may be used. Only poly1 currently makes sense; avoid the others. Default=poly1.
  • poly1 = Linear transformation of the form a*x+b.
  • xor = Exclusive-or with a constant.
  • add = Add a constant and promote to next largest integer type. Will fail for the largest integer type.
  • * = Same as poly1,xor,add
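
Added example, not Tigress output and not the project's code: a worked instance of an a*x+b encoding over 32-bit integers, showing how a variable can stay encoded while it is added to. The constants, the function names and the choice of arithmetic modulo 2^32 are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants. The multiplier must be odd so that it has an
 * inverse modulo 2^32; an even multiplier would lose information. */
#define POLY_A 0x9E3779B1u
#define POLY_B 0x7F4A7C15u

/* Inverse of an odd a modulo 2^32 by Newton iteration. x = a is already
 * correct in the low 3 bits; each step doubles the number of correct bits. */
uint32_t inv32(uint32_t a) {
    uint32_t x = a;
    for (int i = 0; i < 5; i++)
        x *= 2u - a * x;
    return x;
}

/* E(x) = a*x + b  (mod 2^32) */
uint32_t poly1_encode(uint32_t x) { return POLY_A * x + POLY_B; }

/* D(e) = a^-1 * (e - b)  (mod 2^32) */
uint32_t poly1_decode(uint32_t e) { return inv32(POLY_A) * (e - POLY_B); }

/* Addition on encoded operands: E(x) + E(y) - b = a*(x+y) + b = E(x+y). */
uint32_t enc_add(uint32_t ex, uint32_t ey) { return ex + ey - POLY_B; }

/* Multiplication of an encoded operand by a plain constant c:
 * c*(E(x) - b) + b = a*(c*x) + b = E(c*x). */
uint32_t enc_mul_const(uint32_t ex, uint32_t c) { return c * (ex - POLY_B) + POLY_B; }

/* Sum of 1..n where the accumulator never holds its plain value.
 * The return value is still encoded. */
uint32_t sum_encoded(uint32_t n) {
    uint32_t acc = poly1_encode(0);
    for (uint32_t i = 1; i <= n; i++)
        acc = enc_add(acc, poly1_encode(i));
    return acc;
}

int main(void) {
    uint32_t acc = sum_encoded(100);
    printf("encoded accumulator: 0x%08x\n", (unsigned)acc);
    printf("decoded:             %u\n", (unsigned)poly1_decode(acc));
    return 0;
}
```

Because the encoding is linear, anyone who observes two plain/encoded pairs can solve for a and b, so the encoding hides values from casual inspection rather than protecting them as a secret would.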
--Transform InitBranchFuns Create branch functions.
--InitBranchFunsOpaqueStructs list, array, * Comma-separated list of the kinds of opaque constructs to use for branch functions. Default=list,array.
  • list = Generate opaque expressions using linked lists
  • array = Generate opaque expressions using arrays
  • * = Same as list,array
--InitBranchFunsCount INTSPEC How many branch functions to create. Default=1.
--InitBranchFunsObfuscate BOOLSPEC Obfuscate the branch function. Default=true.
--Transform AntiBranchAnalysis Replace branches with other constructs.
--AntiBranchAnalysisKinds branchFuns, goto2call, goto2push, * Comma-separated list of the kinds of constructs branches can be replaced with. Default=branchFuns.
  • branchFuns = Generate calls to branch functions. --Transform=InitBranchFuns must be given prior to this transform
  • goto2call = Replace goto L with push L; call lab; ret; lab: ret
  • goto2push = Replace goto L with push L; ret
  • * = Same as branchFuns,goto2call,goto2push
--AntiBranchAnalysisBranchFunOpaqueStructs list, array, * Comma-separated list of the kinds of opaque constructs to use in a call to a branch function. Default=list,array.
  • list = Generate opaque expressions using linked lists
  • array = Generate opaque expressions using arrays
  • * = Same as list,array
--AntiBranchAnalysisObfuscateBranchFunCall BOOLSPEC Obfuscate the branch function call. Default=true.
--AntiBranchAnalysisBranchFunFlatten BOOLSPEC Flatten before replacing jumps. This opens up more opportunities for replacing unconditional branches. Default=true.
--AntiBranchAnalysisBranchFunAddressOffset integer The offset (in bytes) of the return address on the stack, for branch functions. May differ based on operating system, word size, and compiler. Default=8.
--Transform InitImplicitFlow Call this before --Transform=AntiTaintAnalysis, in case you want to use the implicit flow copy kinds counter_signal and bitcopy_signal. This transformation inserts the requisite signal handlers.
--InitImplicitFlowCount INTSPEC How many signal handlers to insert. Default=0.
--Transform AntiTaintAnalysis Transform the code by inserting implicit flow such that dynamic taint analysis becomes less precise.
--AntiTaintAnalysisKinds untaintArgv, untaintSysCalls, * Comma-separated list of the kinds of anti-taint analysis transformations to employ. Default=none.
  • untaintArgv = Insert implicit flow from argv and argc in main.
  • untaintSysCalls = Insert implicit flow from output variables of common system calls.
  • * = Same as all options turned on.
--AntiTaintAnalysisSysCalls getpid, scanf, * Comma-separated list of the system calls whose output should be passed through implicit flow. Only two calls are currently implemented. Default=all system calls.
  • getpid = Insert implicit flow to the output of getpid.
  • scanf = Insert implicit flow to the output of scanf.
  • * = Same as all options turned on.
--AntiTaintAnalysisCopyKinds counter, counter_signal, bitcopy_unrolled, bitcopy_loop, bitcopy_signal, * Comma-separated list of the kinds of implicit flow to insert. counter_signal and bitcopy_signal require that --Transform=InitImplicitFlow --InitImplicitFlowCount=... has been called to create the signal handlers. Default=all options.
  • counter = Copy a variable by counting up to its value.
  • counter_signal = Copy a variable by counting up to its value in a signal handler.
  • bitcopy_unrolled = Copy a variable bit-by-bit, each bit tested by an if-statement.
  • bitcopy_loop = Loop over the bits in a variable and copy each bit by testing in an if-statement.
  • bitcopy_signal = Loop over the bits in a variable and copy each bit in a signal handler.
  • * = Same as all options turned on.
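
Added example, not Tigress output: the counter, bitcopy_loop and bitcopy_unrolled copy kinds listed here (and, as counter, loop and unrolled, under --VirtualizeCopyKinds) written by hand, run through a toy one-bit taint tracker to show what a dynamic taint analysis has to follow to keep the taint. The tracker model (tval, pc_taint, track_control) is hypothetical, and the signal-handler variants are not shown.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tracker model: a value plus one shadow taint bit. */
typedef struct { uint32_t v; int taint; } tval;

static int track_control;   /* 1 = tracker also follows control dependencies */
static int pc_taint;        /* taint of the branch condition currently in effect */

static int ctl(void) { return track_control && pc_taint; }

/* Explicit flow: the value is moved, so its taint moves with it. */
tval copy_direct(tval src) { return src; }

/* counter: count up until the copy equals the source. */
tval copy_counter(tval src) {
    tval dst = { 0, 0 };
    pc_taint = src.taint;            /* the loop condition reads src */
    while (dst.v != src.v)
        dst.v++;                     /* data flow from dst and a constant only */
    dst.taint |= ctl();              /* dst was assigned under that condition */
    pc_taint = 0;
    return dst;
}

/* bitcopy_loop: test each bit of src and set the same bit in dst. */
tval copy_bitcopy_loop(tval src) {
    tval dst = { 0, 0 };
    pc_taint = src.taint;            /* every if-condition reads src */
    for (int i = 0; i < 32; i++)
        if (src.v & (1u << i))
            dst.v |= 1u << i;        /* data flow from dst and a constant only */
    dst.taint |= ctl();
    pc_taint = 0;
    return dst;
}

/* bitcopy_unrolled: the same tests written out, one if-statement per bit. */
#define BIT(i)  if (src.v & (1u << (i))) dst.v |= 1u << (i);
#define BIT8(b) BIT(b) BIT((b)+1) BIT((b)+2) BIT((b)+3) \
                BIT((b)+4) BIT((b)+5) BIT((b)+6) BIT((b)+7)
tval copy_bitcopy_unrolled(tval src) {
    tval dst = { 0, 0 };
    pc_taint = src.taint;
    BIT8(0) BIT8(8) BIT8(16) BIT8(24)
    dst.taint |= ctl();
    pc_taint = 0;
    return dst;
}

/* Taint bit on the copy of a tainted input, or -1 if the copy is not exact. */
int taint_after(tval (*copy)(tval), uint32_t value, int follow_control) {
    tval src = { value, 1 };
    track_control = follow_control;
    tval dst = copy(src);
    return dst.v == value ? dst.taint : -1;
}

int main(void) {
    printf("direct,  data flow only:    %d\n", taint_after(copy_direct, 1234, 0));
    printf("counter, data flow only:    %d\n", taint_after(copy_counter, 1234, 0));
    printf("counter, control tracked:   %d\n", taint_after(copy_counter, 1234, 1));
    printf("bitloop, data flow only:    %d\n", taint_after(copy_bitcopy_loop, 0xDEADBEEFu, 0));
    printf("bitloop, control tracked:   %d\n", taint_after(copy_bitcopy_loop, 0xDEADBEEFu, 1));
    return 0;
}
```

A tracker that propagates taint only along data flow reports the copies as clean; one that also taints everything assigned under a tainted condition keeps the taint, at the cost of over-tainting elsewhere, which is the loss of precision the option text refers to.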
--Transform AntiAliasAnalysis Transform the code by replacing direct function calls with indirect ones, making alias analysis become less precise.
--AntiAliasAnalysisObfuscateIndex BOOLSPEC Use opaque expressions to compute function addresses. Default=true.
--AntiAliasAnalysisBogusEntries BOOLSPEC Add bogus function addresses, and bogus updates to them. Default=true.
--Transform RandomFuns Generate a random function useful as an attack target.
--RandomFunsInputSize INTSPEC Size of input. Default=1.
--RandomFunsStateSize INTSPEC Size of internal state. Default=1.
--RandomFunsOutputSize INTSPEC Size of output. Default=1.
--RandomFunsCodeSize INTSPEC Size of the generated code. Currently only 0 (empty body) and 1 (arbitrary non-zero size) make sense. Default=1.
--RandomFunsType int, long, float, double Type of input/output/state. Default=long.
  • int = C int type
  • long = C long type
  • float = C float type
  • double = C double type
--RandomFunsName string The name of the generated function.
--RandomFunsFailureKind message, abort, segv The manner in which a triggered asset may fail. Comma-separated list. Default=segv.
  • message = Print a message.
  • abort = Call the abort function.
  • segv = Die with a segmentation fault.
--RandomFunsActivationCode int The code the user has to enter (as the first command line argument) to be allowed to run the program. Default=42.
--RandomFunsPassword string The password the user has to enter (read from standard input) to be allowed to run the program. Default="42".
--RandomFunsTimeCheckCount int The number of checks for expired time (gettimeofday() > someTimeInThePast) to be inserted in the program. Default=0.
--RandomFunsActivationCodeCheckCount int The number of checks for correct activation code to be inserted in the program. Default=0.
--RandomFunsPasswordCheckCount int The number of checks for correct password to be inserted in the program. Probably only 0 and 1 make sense here, since the user will be prompted for a password once for every check. Default=0.
--Transform CleanUp Transformation to run last, to clean up the generated code.
--CleanUpKinds names, annotations, constants, randomize, * Specify types of cleanup to perform. Default=names,annotations,constants.
  • names = Replace identifiers with less obvious ones
  • annotations = Remove annotations that Tigress uses internally. Tigress should not be called again on a file that has had annotations removed
  • constants = Fold constant expressions
  • randomize = Randomly reorder functions in the output file
  • * = Same as names,annotations,constants
--Transform Info Print internal information.
--InfoKind cfg, fun, linear, WS, DG, CG, alias, global Information to print. For cfg, fun, and linear use --Functions, as usual, to specify which functions to print.
  • cfg = Control Flow Graph
  • fun = Function in internal format
  • linear = Function in internal linearized block format (used as a starting point for flattening and branch functions)
  • WS = Working Set
  • DG = Dependency Graph
  • CG = Call Graph
  • alias = Print the pointer-graphs
  • global = List of global symbols in the original program.