Guide binprotect — Stealthy x64 PE bin2bin Obfuscator with VM

byte_corvus

Getting tired of the same old lazy obfuscators that just slap an extra section at the end of your binary and scream "analyze me" to every primitive heuristic? I found this project recently that takes a much more surgical approach to binary protection.

binprotect is a bin2bin rewriter for x64 PE files. Unlike your typical protectors that append junk at the end of the file, this tool injects obfuscated code directly into the original sections by tracking every single RVA (Relative Virtual Address). This makes it significantly harder for a reverse engineer to separate the wheat from the chaff just by looking at the section headers.


Core Mechanics & Re-writing Logic

The engine is built around a robust binary rewriter. When you feed it a binary, it doesn't just guess; it tracks relative addresses and updates every reference when bytes are shifted. This prevents the usual instability you see with low-tier bin2bin tools.

  1. Basic Block Splitting: Handles overlapping blocks and ensures instructions aren't duplicated.
  2. Indirect Control Flow: Supports jump tables for MSVC, LLVM/CLANG, and GCC (including multi-level tables).
  3. Noreturn Handling: Correctly identifies functions like _CxxThrowException to avoid disassembling junk padding as code.
  4. Exceptions Support: The tool inserts a frame pointer (RBP) into functions to maintain stack-unwinding even when the obfuscator allocates its own stack space.

Implemented Obfuscation Passes

  1. Virtual Machine: Translates x86-64 into a custom virtual CPU architecture. It randomizes the virtual register mapping on the stack and uses unique hardware registers for stubs. It even supports stack unwinding within the VM context.
  2. Opaque Predicates: Uses Fermat’s Last Theorem to create branches to fake basic blocks. The parameters are pulled from the stack and instruction pointers at runtime, making them dynamic and painful to solve statically.
  3. Control Flow Flattening (CFF): Transforms the function logic into a central dispatcher stub. The code blocks are physically shuffled in memory, nuking any chance of visual flow analysis in IDA/Ghidra.
  4. Mixed Boolean Arithmetic (MBA): Replaces simple operations with complex linear identities. It can do this recursively, turning a simple addition into a mess of AND/OR/XOR gates.
  5. Linear Substitution: Hides immediate values and displacements by calculating them at runtime using random constants.

Technical Implementation Notes

The tool is written in C++ and uses CMake for the build system. For the best results, you should provide a symbol file (PDB/MAP). While the tool can work without them, symbols are required for high-level features like CFF and full exception support.


How to Build & Run

Code:
mkdir build
cd build
cmake .. -DCMAKE_TOOLCHAIN_FILE=PATH_TO_VCPKG/scripts/buildsystems/vcpkg.cmake
cmake --build .

Usage is straightforward via CLI:
Code:
binprotect binary.exe symbols.pdb --vm 1 --cff 1 --mba 2

This isn't just a simple paste; the RVA tracking logic alone is worth studying if you're into binary instrumentation or building your own protectors. It's currently x64 only, but the architecture seems ready for ELF if someone wants to port it.

Any of you guys tried running this against Vanguard or EAC? Curious to see if the section-injection approach holds up against their latest integrity checks.
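
For analysts looking at the Mixed Boolean Arithmetic pass described in the post, the sketch below (an added example, not part of the original post and not binprotect's code) reduces a two-variable linear MBA expression to the canonical form a*x + b*y + c*(x & y) + d over 64-bit words. It assumes the expression has been lifted to a function of two inputs; the function names are hypothetical and the sample expressions are constructed textbook identities, not output of the tool.

```python
import random

MASK = (1 << 64) - 1  # x64 registers wrap modulo 2**64

def canonical_linear_mba(expr, samples=2000, seed=1):
    """Reduce expr(x, y) to (a, b, c, d) with
    expr == a*x + b*y + c*(x & y) + d  (mod 2**64).
    Returns None when expr is not a linear MBA in x and y."""
    f = lambda x, y: expr(x, y) & MASK
    ones = MASK  # the all-ones word, i.e. -1
    # A linear MBA is fully determined by its values at the four
    # corners where each input is all-zeros or all-ones.
    d = f(0, 0)
    a = (d - f(ones, 0)) & MASK
    b = (d - f(0, ones)) & MASK
    c = (d - a - b - f(ones, ones)) & MASK
    # Guard against non-linear input: confirm on random 64-bit words.
    rng = random.Random(seed)
    for _ in range(samples):
        x, y = rng.getrandbits(64), rng.getrandbits(64)
        if f(x, y) != (a * x + b * y + c * (x & y) + d) & MASK:
            return None
    return a, b, c, d

def describe(coeffs):
    """Render coefficients as signed integers for a readable report."""
    if coeffs is None:
        return "not a linear MBA"
    signed = [v - (1 << 64) if v >> 63 else v for v in coeffs]
    names = ["x", "y", "(x & y)", "1"]
    terms = [f"{k}*{n}" for k, n in zip(signed, names) if k]
    return " + ".join(terms) or "0"

# Constructed sample expressions (textbook identities, not tool output).
SAMPLES = {
    "add":        lambda x, y: (x ^ y) + 2 * (x & y),
    "add_nested": lambda x, y: ((x | y) ^ (x & y)) + 2 * ((x | y) & (x & y)),
    "sub":        lambda x, y: (x ^ y) - 2 * (~x & y),
    "xor":        lambda x, y: (x | y) - (x & y),
    "nonlinear":  lambda x, y: x * y,
}

if __name__ == "__main__":
    for name, fn in SAMPLES.items():
        print(f"{name:11s} -> {describe(canonical_linear_mba(fn))}")
```

The random check matters because substituting identities inside bitwise operands can produce expressions that are no longer linear, and the four-corner solve is only valid for the linear case.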
 