A metamorphic binary transformation engine based on r2pipe and radare2
Project description
r2morph
Metamorphic binary transformation engine for analysis, mutation, and validation
Overview
r2morph is a framework for analyzing and transforming binary executables through semantic‑preserving mutations. It leverages radare2 and r2pipe to perform deep binary analysis, apply metamorphic transformations, and validate results across PE/ELF/Mach‑O targets.
Key Features
| Feature | Description |
|---|---|
| Deep Binary Analysis | radare2‑backed analysis and disassembly |
| Metamorphic Mutations | Instruction substitution, NOP insertion, block reordering, opaque predicates, dead code |
| Multi‑Format | PE, ELF, Mach‑O support |
| CLI + Python API | Use via command line or library integration |
| Validation & Regression | Built‑in benchmark, regression, and fuzzing utilities |
| Relocations & Code Caves | Code cave discovery and reference updates |
| Enhanced Analysis (Optional) | Angr symbolic execution, Frida instrumentation, Syntia integration |
| macOS/Windows Code Signing | Format‑specific helpers and signing workflows |
Installation
Prerequisites
- Python 3.10+
- radare2 installed
Install radare2
git clone https://github.com/radareorg/radare2
cd radare2
sys/install.sh
Install r2morph
# Basic installation
pip install r2morph
# Enhanced analysis capabilities
pip install "r2morph[enhanced]"
# All optional features
pip install "r2morph[all]"
Development Install
git clone https://github.com/seifreed/r2morph.git
cd r2morph
pip install -e .
# Dev tooling
pip install -e ".[dev]"
Quick Start
# Basic transform
r2morph input_binary output_binary
# Chain mutations
r2morph input.exe output.exe -m nop -m substitute -v
# Aggressive mutation
r2morph -i input.exe -o output.exe --aggressive
Usage
Command Line Interface
# Analyze and mutate
r2morph input_binary output_binary
# Specify mutations
r2morph input.exe output.exe -m nop -m substitute
# Verbose output
r2morph input.exe output.exe -v
Python Library
from r2morph import MorphEngine
from r2morph.mutations import NopInsertionPass, InstructionSubstitutionPass

with MorphEngine() as engine:
    engine.load_binary("input.exe").analyze()
    engine.add_mutation(NopInsertionPass())
    engine.add_mutation(InstructionSubstitutionPass())
    result = engine.run()
    engine.save("output.exe")
    print(f"Applied {result['total_mutations']} mutations")
Enhanced Obfuscated Binary Analysis (Optional)
from r2morph import Binary
from r2morph.detection import ObfuscationDetector
from r2morph.analysis.symbolic import AngrBridge, PathExplorer
from r2morph.instrumentation import FridaEngine
from r2morph.devirtualization import VMHandlerAnalyzer, MBASolver

with Binary("vmprotected.exe") as binary:
    binary.analyze()

    # Detect obfuscation in the loaded binary
    detector = ObfuscationDetector()
    result = detector.analyze_binary(binary)

    # Symbolic exploration of VM handlers, only when a VM is detected
    if result.vm_detected:
        angr_bridge = AngrBridge(binary)
        explorer = PathExplorer(angr_bridge)
        vm_result = explorer.explore_vm_handlers()

    # Runtime instrumentation with Frida
    frida_engine = FridaEngine()
    runtime_result = frida_engine.instrument_binary("vmprotected.exe")

    # Recover the VM handlers and simplify their MBA expressions
    vm_analyzer = VMHandlerAnalyzer(binary)
    handlers = vm_analyzer.analyze_vm_architecture()
    mba_solver = MBASolver()
    simplified = mba_solver.simplify_handlers(handlers)
See docs/enhanced_analysis.md for more details.
Supported Transformations
Basic Mutations
- Instruction Substitution
- NOP Insertion
- Register Reassignment
- Block Reordering
- Instruction Expansion
Advanced Mutations
- Opaque Predicates
- Dead Code Injection
- Control Flow Flattening
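NOP insertion and instruction substitution, listed above, change a routine's bytes without changing what it computes, so a byte-level hash no longer matches. The added example below (not r2morph code and not using its API) shows how an analyst or a regression check can compare an original and a mutated routine by normalizing the instruction stream before hashing. The listings, equivalence rules and function names are assumptions made for illustration, and the rules ignore flag side effects, so a match indicates similarity rather than proven equivalence.

```python
import hashlib
import re

# Constructed listings (not r2morph output): one routine before and after
# NOP insertion and instruction substitution.
ORIGINAL = """
    xor eax, eax
    mov ecx, [rdi]
    add eax, ecx
    inc eax
    ret
"""
MUTATED = """
    nop
    sub eax, eax
    mov ecx, [rdi]
    xchg rax, rax
    add eax, ecx
    add eax, 1
    ret
"""

def canonical(line):
    """Return a canonical form of one instruction, or None for padding."""
    mnem, _, rest = re.sub(r"\s+", " ", line.strip().lower()).partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    same = len(ops) == 2 and ops[0] == ops[1]
    if not mnem or mnem == "nop":
        return None
    # xchg of a 64-bit register with itself changes nothing. 32-bit forms are
    # kept because they can zero-extend the upper half in 64-bit mode.
    if mnem == "xchg" and same and re.fullmatch(r"r([a-z]{2}|\d+)", ops[0]):
        return None
    if mnem in ("xor", "sub") and same:           # zeroing idioms
        return f"zero {ops[0]}"
    if mnem in ("inc", "dec") and len(ops) == 1:  # inc r ~ add r, 1 (flags aside)
        return f"{'add' if mnem == 'inc' else 'sub'} {ops[0]}, 1"
    return f"{mnem} {', '.join(ops)}".strip()

def normalize(listing):
    """Canonical instruction sequence with padding removed."""
    return [c for c in map(canonical, listing.splitlines()) if c]

def fingerprint(listing):
    """SHA-256 over the normalized sequence; stable across the mutations above."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

Block reordering, opaque predicates and control flow flattening change the control-flow graph itself and are not covered by this line-level normalization.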
Examples
Basic Binary Analysis
from r2morph import Binary

with Binary("/path/to/binary") as binary:
    binary.analyze()
    functions = binary.get_functions()
    print(f"Found {len(functions)} functions")
    arch = binary.get_arch_info()
    print(f"Architecture: {arch['arch']} ({arch['bits']}-bit)")
Requirements
- Python 3.10+
- radare2
- See pyproject.toml for full dependency list
- For local development: requirements-dev.txt
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.
Attribution Required:
- Author: Marc Rivero | @seifreed
- Repository: github.com/seifreed/r2morph
Made with dedication for the reverse engineering community
File details
Details for the file r2morph-1.0.0.tar.gz.
File metadata
- Download URL: r2morph-1.0.0.tar.gz
- Upload date:
- Size: 183.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File details
Details for the file r2morph-1.0.0-py3-none-any.whl.
File metadata
- Download URL: r2morph-1.0.0-py3-none-any.whl
- Upload date:
- Size: 225.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2