Named after one of my favorite games, "nocturne" is a bin2bin x86-64 PE code virtualizer and binary rewriter.

Features

  • Native Call Bridge
  • 30+ VM Handlers
  • Built-in junk code obfuscation
  • Thread-safe per-invocation VM state

Usage

To use the Nocturne virtualizer, copy and include "nocturne_sdk.hpp" from core/ into your project.

#include "nocturne_sdk.hpp"

VIRTUALIZE int secret(int x) {
    if (x % 2 == 0) {
        return x / 2;
    } else {
        return x * 3 + 1;
    }
}
VIRTUALIZE_MARK(secret);

Afterwards, build your binary and run the CLI executable on it:

cli.exe -i <input.exe> -o <output.exe>

Example:

cli.exe -i example.exe -o example_protected.exe

By default, the CLI uses auto mode.

Or, explicitly:

cli.exe -i <input.exe> -o <output.exe> --mode auto

Example:

cli.exe -i example.exe -o example_protected.exe --mode auto

To scan for markers:

cli.exe -i <input.exe> -o <output.exe> --mode markers

Example:

cli.exe -i example.exe -o example_protected.exe --mode markers

Or, if you want to virtualize specific segments of a binary without the SDK:

cli.exe -i <input.exe> -o <output.exe> --mode rva <start_rva> <end_rva>

Example:

cli.exe -i calc.exe -o calc_vmp.exe --mode rva 0x1600 0x1864
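When using --mode rva, the start and end values are relative virtual addresses, not file offsets, and the range should lie entirely inside an executable section. The following is an added helper (not part of nocturne) that parses the PE section table to convert a file offset taken from a hex editor into an RVA and to confirm that a candidate RVA range sits inside one code section before it is passed to the CLI. The tiny PE image it checks is constructed inline for the purpose; the treatment of the end RVA as exclusive is an assumption of this check, not something the page states.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(pe: bytes):
    """Return (name, virtual_address, virtual_size, raw_ptr, raw_size, characteristics)
    for every entry in the section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize, chars))
    return sections


def code_section_for_range(pe: bytes, start_rva: int, end_rva: int):
    """Name of the executable code section that fully contains [start_rva, end_rva),
    or None if the range spans sections or lands in non-code memory."""
    if end_rva <= start_rva:
        raise ValueError("end RVA must be greater than start RVA")
    for name, va, vsize, _, _, chars in parse_sections(pe):
        if va <= start_rva and end_rva <= va + vsize:
            if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_CNT_CODE:
                return name
            return None  # contained, but the section is not executable code
    return None  # not contained in any single section


def file_offset_to_rva(pe: bytes, offset: int):
    """Map a raw file offset to its RVA using the section table; None if the
    offset is not backed by any section (e.g. it points into the headers)."""
    for _, va, _, rawptr, rawsize, _ in parse_sections(pe):
        if rawptr <= offset < rawptr + rawsize:
            return va + (offset - rawptr)
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal x64 PE: headers plus a .text and a .data section
    (no real code), just enough for the section-table checks above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic

    def section(name, va, vsize, rawptr, rawsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr,
                           0, 0, 0, 0, chars)

    text = section(b".text", 0x1000, 0x1000, 0x400, 0x1000, 0x60000020)  # code|exec|read
    data = section(b".data", 0x2000, 0x800, 0x1400, 0x800, 0xC0000040)   # data|read|write
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    sample = build_sample_pe()
    # The range from the README example lies inside .text of this constructed image.
    print(code_section_for_range(sample, 0x1600, 0x1864))   # .text
    print(code_section_for_range(sample, 0x2000, 0x2100))   # None (.data is not code)
    print(hex(file_offset_to_rva(sample, 0xA00)))           # 0x1600
```

The check only confirms section placement; it cannot tell whether the chosen boundaries fall on instruction boundaries, so the range should still be taken from a disassembler rather than guessed.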

Screenshots

Before Virtualization: [screenshot]

After Virtualization: [screenshot]

Obfuscated dispatcher loop: [screenshot]

Dependencies

LIEF
Zydis
argparse

Disclaimer

First and foremost, this is mostly a proof-of-concept (POC) project, so please don't expect it to be very stable. That said, I will be progressively adding more features and fixes as time goes on.