Industrial-strength code obfuscation with 16+ sophisticated techniques to protect critical software from reverse engineering and analysis.
Replace simple instructions with functionally equivalent complex sequences, making static analysis significantly more challenging.
Mixed Boolean-Arithmetic expressions that transform simple operations into complex mathematical puzzles.
Inject fake conditional branches and dead code paths to confuse disassemblers and control flow analysis.
Transform nested control structures into flat switch-based state machines, obscuring program logic.
Replace direct jumps with indirect branches through opaque predicates, hindering static analysis.
Obfuscate array access patterns using mathematical overflow techniques to hide memory access patterns.
Hide function call patterns and relationships using indirect calling mechanisms and dynamic resolution.
Encrypt and dynamically decrypt string constants at runtime to prevent easy extraction of sensitive data.
Hide dlsym calls and dynamic loading patterns to prevent runtime symbol resolution tracking.
Obfuscate dlopen calls and dynamic library loading to hide dependency analysis.
Transform comparison operations using complex mathematical expressions and opaque predicates.
Add redundant boolean operations and noise to mask critical logical operations.
Obfuscate conditional selection operations using bitwise masking and mathematical transforms.
Wrap branch instructions in layers of indirection to complicate control flow reconstruction.
Obfuscate memory access patterns through register spilling and complex addressing modes.
Ultimate protection through custom virtual machine bytecode translation - our crown jewel technique.
Engineered primarily for Darwin systems with full Linux compatibility.
Darwin (Primary)
Linux (Supported)
Built on LLVM infrastructure for maximum compatibility and performance.
// Run core passes on each function
runInstructionSubstitution(F);
runMBALayering(F);
runBogusControlFlow(F);
runFlattening(F);
runOpaqueIndirectCF(F);
runOverflowIndexing(F);
runCallObfuscation(F);
runStringLiteralObfuscation(F);
runObfuscateDlsymNameCopies(F);
runHideDlopenCalls(F);
runCmpObfuscation(F);
runBooleanNoise(F);
runSelectMasking(F);
runIndirectBranchWrap(F);
runMemLaunderSpill(F);
// Then, virtualize the already-obfuscated result
runVMVirtualize(F);
Function-level granular control allows selective obfuscation of critical code paths while maintaining performance.
Intelligent algorithms minimize runtime overhead while maximizing protection effectiveness.
Seamless integration with existing LLVM-based build systems and toolchains.
See how readability changes before and after protection.
#include <stdio.h>
#include <string.h>

void uses_libs(int v) {
    // Multiple string literals + external calls (kept “as calls” with -fno-builtin)
    printf("value=%d | tag=%s\n", v, "demo_tag");
    const char *s = "ABCDEFGHIJK";
    puts(s + 3);
    char buf[64];
    memmove(buf, "copy-me", 8);
    printf("%zu %d\n", strlen(buf), memcmp(buf, "copy-me", 7) == 0);
}

__int64 __fastcall uses_libs(int a1)
{
  size_t v1; // x19
  int v2; // w0
  char __s[64]; // [xsp+18h] [xbp-58h] BYREF
  printf("value=%d | tag=%s\n", a1, "demo_tag");
  puts("DEFGHIJK");
  strcpy(__s, "copy-me");
  v1 = strlen(__s);
  v2 = memcmp(__s, "copy-me", 7u);
  return printf("%zu %d\n", v1, v2 == 0);
}

void uses_libs()
{
  __int64 (__fastcall *v0)(int, int, int, int, int, int, int, int, __int64); // x8
  v0 = sub_10000186C; // Shown below
  if ( !qword_100028900 )
    v0 = (__int64 (__fastcall *)(int, int, int, int, int, int, int, int, __int64))sub_1000019F4;
  __asm { BRAA X8, X17 }
}

__int64 sub_10000186C()
{
  __int64 v0; // x20
  __int64 (__fastcall *v1)(); // x23
  __int64 v2; // x20
  __int64 v3; // x0
  __int64 v4; // x0
  __int64 (__fastcall *v5)(int, int, int, int, int, int, int, int, __int64, __int64, __int64, __int64, __int64, int, __int16, char, char, char, char, char); // x8
  if ( *(_QWORD *)(v0 + 2296) )
    v1 = *(__int64 (__fastcall **)())(v0 + 2296);
  else
    v1 = sub_100005C18;
  v2 = sub_10000625C(0);
  sub_10000680C();
  v3 = ((__int64 (__fastcall *)(__int64))v1)(v2);
  v4 = sub_100006DBC(v3);
  v5 = (__int64 (__fastcall *)(int, int, int, int, int, int, int, int, __int64, __int64, __int64, __int64, __int64, int, __int16, char, char, char, char, char))sub_1000018E8;
  if ( !qword_100028900 )
    v5 = sub_100001A88;
  return ((__int64 (__fastcall *)(__int64))v5)(v4);
}

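A source-level sketch of two of the transforms listed above, MBA rewriting and control-flow flattening guarded by an opaque predicate, applied by hand to a small function and checked against the original. This is an added example, not the product's pass code or output; `mix_plain`, `mix_flat`, the state names and the LCG-generated test inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Reference: odd bytes are added, even bytes are xored into acc. */
uint32_t mix_plain(const uint8_t *p, size_t n) {
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc = (p[i] & 1) ? acc + p[i] : acc ^ p[i];
    return acc;
}

/* MBA identities, exact under unsigned wraparound:
 *   a + b == (a ^ b) + 2*(a & b)     a ^ b == (a | b) - (a & b) */
static uint32_t mba_add(uint32_t a, uint32_t b) { return (a ^ b) + ((a & b) << 1); }
static uint32_t mba_xor(uint32_t a, uint32_t b) { return (a | b) - (a & b); }

/* Flattened form: each basic block is a case of one dispatcher switch and
 * a state variable selects the next block. State names are constructed. */
uint32_t mix_flat(const uint8_t *p, size_t n) {
    enum { S_TEST, S_BRANCH, S_ODD, S_EVEN, S_BOGUS, S_NEXT } state = S_TEST;
    uint32_t acc = 0;
    size_t i = 0;
    for (;;) {
        switch (state) {
        case S_TEST:   if (i >= n) return acc;
                       state = S_BRANCH; break;
        case S_BRANCH: /* opaque predicate: i*(i+1) is always even */
                       if ((i * (i + 1)) & 1) { state = S_BOGUS; break; }
                       state = (p[i] & 1) ? S_ODD : S_EVEN; break;
        case S_ODD:    acc = mba_add(acc, p[i]); state = S_NEXT; break;
        case S_EVEN:   acc = mba_xor(acc, p[i]); state = S_NEXT; break;
        case S_BOGUS:  acc = ~acc; state = S_NEXT; break; /* never reached */
        case S_NEXT:   i++; state = S_TEST; break;
        }
    }
}

/* Counts inputs (constructed with a small LCG) where the two forms differ. */
unsigned count_mismatches(unsigned rounds) {
    uint8_t buf[64];
    uint32_t seed = 0x1234567u;
    unsigned bad = 0;
    for (unsigned r = 0; r < rounds; r++) {
        size_t n = r % (sizeof buf + 1);
        for (size_t k = 0; k < n; k++)
            buf[k] = (uint8_t)((seed = seed * 1664525u + 1013904223u) >> 24);
        bad += mix_plain(buf, n) != mix_flat(buf, n);
    }
    return bad;
}

int main(void) { return count_mismatches(1000) != 0; } /* exit 0: forms agree */
```

An analyst reading `mix_flat` has to recover the loop and the branch from state transitions, and the `S_BOGUS` edge from proving the predicate constant; the differential check is the kind of test that confirms a transform preserved behaviour.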
This suite of LLVM passes transforms IR to raise the cost of static reverse engineering. It applies multiple techniques (see above) to make analysis slower and less reliable.
It does not make reverse engineering impossible or software "unbreakable", and it does not replace secure design. It makes reversing significantly more frustrating, but it is not a substitute for security measures (authentication, encryption, or server‑side checks).
Add one build step to your clang/LLVM toolchain. We support Xcode, CMake, and custom pipelines. Most projects can produce a protected build the same day by targeting sensitive modules first.
Short answer: it depends. If the passes are run selectively, typical overhead is minimal. Most projects can even have the passes run on every function and still be perfectly stable. In fact, the biggest overhead is actually an increase in file size, not performance.
Yes. Per‑function and per‑module targeting is supported, so you can protect the specific parts of the code that matter without impacting the whole binary, especially if it's complex.
Email support and regular patch releases are included with licensing for one year after purchase. We also offer paid onboarding/consultation for integration or hardening strategy for complex setups.
Yes! We can provide an evaluation by running the passes on a small project of your choice in order to assess if it meets your needs before licensing.