/

Control Flow Flattening

Protection ID: controlFlowFlattening

Control Flow Flattening is one of the most powerful obfuscation techniques available in ByteHide Shield. It transforms the structure of your code to make it significantly harder to understand while preserving its original functionality.

This protection is available in all editions of ByteHide Shield.

How It Works

Control Flow Flattening transforms code by breaking the normal flow of execution into a flat state machine structure. Instead of a straightforward sequence of statements, the code is restructured into a loop containing a dispatcher that determines which block of code should be executed next.

When applied, the original logical paths in your code become almost impossible to follow by inspection, greatly complicating the task of reverse engineering.

This option can significantly increase the size of your code and may impact performance. Use the threshold parameter to control how much of your code is affected by this transformation.

Parameters

  • Enabled boolean : Determines whether Control Flow Flattening is applied to your code. false by default

  • Threshold number : Sets the probability (from 0 to 1) that a code block will be transformed using Control Flow Flattening. This lets you balance security with performance. 0.75 by default

Setting the threshold to 0 is equivalent to disabling the protection. Setting it to 1 will apply Control Flow Flattening to all eligible code blocks.

Configuration Examples

Basic Configuration (shield.config.json)

{
  "controlFlowFlattening": true
}

Advanced Configuration

{
  "controlFlowFlattening": true,
  "controlFlowFlatteningThreshold": 0.6
}

Build Tool Integration (Webpack)

// webpack.config.js
const ByteHideShieldPlugin = require('@bytehide/webpack-shield');

module.exports = {
  // ... other webpack config
  plugins: [
    new ByteHideShieldPlugin({
      controlFlowFlattening: true,
      controlFlowFlatteningThreshold: 0.5
    })
  ]
}

Code Transformation Example

Original Code

function calculateTotal(items) {
  let total = 0;
  
  for (let i = 0; i < items.length; i++) {
    let item = items[i];
    if (item.type === 'regular') {
      total += item.price;
    } else if (item.type === 'discounted') {
      total += item.price * 0.8;
    } else if (item.type === 'sale') {
      total += item.price * 0.5;
    }
  }
  
  return total;
}

Transformed Code (with Control Flow Flattening)

function calculateTotal(items) {
  var _0x27f8 = {
    'LqcWD': '3|4|2|0|1|5',
    'qLKwV': function(_0x1c17ea, _0x3ee252) {
      return _0x1c17ea < _0x3ee252;
    },
    'EHkjg': function(_0x3ea6d1, _0x16c63c) {
      return _0x3ea6d1 === _0x16c63c;
    },
    'AzUIf': 'regular',
    'Bcdkx': function(_0x1f83b9, _0x5bb94b) {
      return _0x1f83b9 === _0x5bb94b;
    },
    'YgvJq': 'discounted',
    'PkVPt': function(_0x473a60, _0x424d19) {
      return _0x473a60 * _0x424d19;
    },
    'ypncZ': function(_0x48df96, _0x59e59f) {
      return _0x48df96 === _0x59e59f;
    },
    'msPDz': 'sale'
  };
  var _0x4c9b24 = _0x27f8['LqcWD']['split']('|');
  var _0x433974 = 0x0;
  let total = 0;

  for (let i = 0; i < items.length; i++) {
    while (true) {
      switch (_0x4c9b24[_0x433974++]) {
      case '0':
        if (_0x27f8['EHkjg'](item['type'], _0x27f8['AzUIf'])) {
          total += item['price'];
        }
        continue;
      case '1':
        if (_0x27f8['Bcdkx'](item['type'], _0x27f8['YgvJq'])) {
          total += _0x27f8['PkVPt'](item['price'], 0.8);
        }
        continue;
      case '2':
        let item = items[i];
        continue;
      case '3':
        if (_0x27f8['ypncZ'](item['type'], _0x27f8['msPDz'])) {
          total += _0x27f8['PkVPt'](item['price'], 0.5);
        }
        continue;
      case '4':
        // Some dead code might be inserted here
        continue;
      case '5':
        break;
      }
      break;
    }
  }
  
  return total;
}

When to Use

Control Flow Flattening is most beneficial in these scenarios:

  • Critical business logic: Apply to functions containing proprietary algorithms
  • License validation: Functions that verify software licenses
  • Encryption routines: Code that handles encryption/decryption operations
  • Critical validation logic: Functions that validate user input or access rights

For optimal balance between security and performance, it's recommended to:

  1. Use this protection selectively on critical code sections
  2. Adjust the threshold parameter based on your application's performance requirements
  3. Combine with other protections like string encryption for maximum effectiveness

Compatibility Notes

Control Flow Flattening works with all major JavaScript environments but may have these considerations:

  • Mobile applications: May impact performance on low-end devices
  • Web applications: Increases code size and parsing time
  • Node.js: Generally good performance, can be applied more aggressively

For most applications, a threshold of 0.5-0.7 provides an excellent balance between security and performance.

For maximum security, combine Control Flow Flattening with:

Previous
Overview
Next
Dead Code Injection