Metamorphic binary transformation engine for analysis, mutation, and validation
r2morph is a framework for analyzing and transforming binary executables through semantic‑preserving mutations. It leverages radare2 and r2pipe to perform deep binary analysis, apply metamorphic transformations, and validate results across PE/ELF/Mach‑O targets.
| Feature | Description |
|---|---|
| Deep Binary Analysis | radare2‑backed analysis and disassembly |
| Metamorphic Mutations | Instruction substitution, NOP insertion, block reordering, opaque predicates, dead code |
| Multi‑Format | PE, ELF, Mach‑O support |
| CLI + Python API | Use via command line or library integration |
| Validation & Regression | Built‑in benchmark, regression, and fuzzing utilities |
| Relocations & Code Caves | Code cave discovery and reference updates |
| Enhanced Analysis (Optional) | Angr symbolic execution, Frida instrumentation, Syntia integration |
| macOS/Windows Code Signing | Format‑specific helpers and signing workflows |

- Python 3.10+
- radare2 installed

```bash
git clone https://github.com/radareorg/radare2
cd radare2
sys/install.sh
```

```bash
# Basic installation
pip install r2morph
# Enhanced analysis capabilities
pip install "r2morph[enhanced]"
# All optional features
pip install "r2morph[all]"
```

```bash
git clone https://github.com/seifreed/r2morph.git
cd r2morph
pip install -e .
# Dev tooling
pip install -e ".[dev]"
```

```bash
# Basic transform
r2morph input_binary output_binary
# Chain mutations
r2morph input.exe output.exe -m nop -m substitute -v
# Aggressive mutation
r2morph -i input.exe -o output.exe --aggressive
```

```bash
# Analyze and mutate
r2morph input_binary output_binary
# Specify mutations
r2morph input.exe output.exe -m nop -m substitute
# Verbose output
r2morph input.exe output.exe -v
```

```python
from r2morph import MorphEngine
from r2morph.mutations import NopInsertionPass, InstructionSubstitutionPass

with MorphEngine() as engine:
    engine.load_binary("input.exe").analyze()
    engine.add_mutation(NopInsertionPass())
    engine.add_mutation(InstructionSubstitutionPass())
    result = engine.run()
    engine.save("output.exe")
    print(f"Applied {result['total_mutations']} mutations")
```

```python
from r2morph import Binary
from r2morph.detection import ObfuscationDetector
from r2morph.analysis.symbolic import AngrBridge, PathExplorer
from r2morph.instrumentation import FridaEngine
from r2morph.devirtualization import VMHandlerAnalyzer, MBASolver

with Binary("vmprotected.exe") as binary:
    binary.analyze()
    detector = ObfuscationDetector()
    result = detector.analyze_binary(binary)
    if result.vm_detected:
        angr_bridge = AngrBridge(binary)
        explorer = PathExplorer(angr_bridge)
        vm_result = explorer.explore_vm_handlers()
        frida_engine = FridaEngine()
        runtime_result = frida_engine.instrument_binary("vmprotected.exe")
        vm_analyzer = VMHandlerAnalyzer(binary)
        handlers = vm_analyzer.analyze_vm_architecture()
        mba_solver = MBASolver()
        simplified = mba_solver.simplify_handlers(handlers)
```

See `docs/enhanced_analysis.md` for more details.

Basic Mutations
- Instruction Substitution
- NOP Insertion
- Register Reassignment
- Block Reordering
- Instruction Expansion
Advanced Mutations
- Opaque Predicates
- Dead Code Injection
- Control Flow Flattening

```python
from r2morph import Binary

with Binary("/path/to/binary") as binary:
    binary.analyze()
    functions = binary.get_functions()
    print(f"Found {len(functions)} functions")
    arch = binary.get_arch_info()
    print(f"Architecture: {arch['arch']} ({arch['bits']}-bit)")
```

- Python 3.10+
- radare2
- See `pyproject.toml` for full dependency list
- For local development: `requirements-dev.txt`

Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.
Attribution Required:
- Author: Marc Rivero | @seifreed
- Repository: github.com/seifreed/r2morph
Made with dedication for the reverse engineering community