CX330Blake/ZYRA
ZYRA: Your Runtime Armor. ZYRA is a Zig-written obfuscator/packer for executable binaries.
ZYRA is a Zig-based obfuscator, packer, and loader designed to protect executable files from static analysis and reverse engineering.
If you're wondering how effective ZYRA is, check out this simple "hello world" binary. In the following example, I'm gonna use Binary Ninja as the decompiler. You can get the example binaries in examples.
Before using ZYRA, we can see that it's as simple as f**k to reverse engineer.
But after ZYRA, it's much more complicated! You can see the control flow graph is so complicated to trace (but it's not perfect yet).
ZYRA currently supports Linux only, but the Windows version will be released soon.
You can simply copy and paste the following one-liner to install ZYRA.
```bash
bash <(curl -sSL https://raw.githubusercontent.com/CX330Blake/ZYRA/main/install.sh)
```
WARNING
Never execute any untrusted script on your machine. Read the script first.
On the other hand, you can clone this repo and use the following command to build your own ZYRA binary.
```bash
git clone https://github.com/CX330Blake/ZYRA
cd ZYRA
# You can change the build flag on your own
zig build --release=fast
```
```
___ _ _ ____ ____
/ \_/ |__/ |__|
/__ | | \ | |
Zyra Packer v0.1.1
Copyright (C) 2025 @CX330Blake.
All rights reserved.

Zyra Packer v0.1.1 - Binary packer and obfuscator

Usage: zyra [options] <FILE>

Options:
  -h, --help          Show this help message
  -v, --verbose       Verbose output
  -o, --output FILE   Output file name (default: input.zyra)
  -k, --key HEX       Encryption key in hex (default: 0x42)

Examples:
  zyra /bin/ls                  # Pack ls -> ls.zyra
  zyra -o myapp.exe program     # Pack program -> myapp.exe
  zyra -k FF -v /usr/bin/cat    # Pack with key 0xFF, verbose
```
Section | Description |
---|---|
stub binary | The "outer" binary |
"PAYLOAD_START_MARKER" | Payload begin |
payload_len (u64 LE) | - |
key (u8) | Decrypt key |
encrypted_payload (bytes) | - |
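
For triage of a suspected packed file, the layout in the table can be parsed directly. The script below is an added example, not part of ZYRA: it assumes the marker is the literal ASCII text `PAYLOAD_START_MARKER` and that `encrypted_payload` runs to the end of the file, and the names `find_zyra_trailer` and `build_sample` are hypothetical. The payload is left opaque because the README does not name the cipher.

```python
import struct

MARKER = b"PAYLOAD_START_MARKER"   # assumed: literal ASCII bytes from the table
HEADER = struct.Struct("<QB")      # payload_len (u64 LE), key (u8)


def find_zyra_trailer(data: bytes):
    """Return header fields of the packed trailer, or None if no candidate fits.

    The marker text can also occur inside the stub or, by chance, inside the
    encrypted payload, so every occurrence is tested and only one whose
    payload_len exactly matches the bytes left before EOF is accepted.
    """
    pos = data.find(MARKER)
    while pos != -1:
        hdr = pos + len(MARKER)
        if hdr + HEADER.size <= len(data):
            payload_len, key = HEADER.unpack_from(data, hdr)
            payload_off = hdr + HEADER.size
            # Assumption: encrypted_payload is the last field and ends at EOF.
            if payload_len > 0 and payload_off + payload_len == len(data):
                return {
                    "stub_size": pos,
                    "payload_offset": payload_off,
                    "payload_len": payload_len,
                    "key": key,
                    "default_key": key == 0x42,  # default from the help text
                }
        pos = data.find(MARKER, pos + 1)
    return None


def build_sample(stub: bytes, payload: bytes, key: int) -> bytes:
    """Constructed test input laid out as in the table (payload bytes opaque)."""
    return stub + MARKER + HEADER.pack(len(payload), key) + payload


if __name__ == "__main__":
    # Constructed sample: the stub itself contains the marker text as a decoy.
    stub = b"\x7fELF" + b"\x00" * 60 + MARKER + b"\x00" * 16
    sample = build_sample(stub, bytes(range(200)), 0x42)
    print(find_zyra_trailer(sample))
    print(find_zyra_trailer(b"\x7fELF" + b"\x00" * 128))  # no trailer present
```

A hit with `default_key` set means the file was packed without `-k`; the marker string itself is also a stable static indicator for a scanning rule.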
Add support for anti-debugging.
Add more advanced techniques.
Write unit tests (need help)
This project is maintained by @CX330Blake. PRs are welcome if you also want to contribute to this project.