is the name of the core technology we develop. It is fully open source. With you can lift a binary to a recompilable LLVM module, recompile it for a different architecture, fuzz it, perform instrumenation and run various analyses we provide or write your own.


Supported platforms

Image formats
ELF, preliminary PE/COFF support.
x86, x86-64, ARM, MIPS, s390x, AArch64 (WIP).


Static binary translation can successfully translate large binaries from one architecture to another preserving functionality. As an example, we can translate the Perl interpreter, GCC and Xalan-C++ from x86-64 to x86-64.
Translated programs can be easily instrumented for any purpose. For a simple example check out the Python script (documented version) instrumenting an arbitrary program to dump the identifier of each syscall before its performed.
Translated programs can be fuzzed employing coverage-guided fuzzing (the same technique employed by afl). This is possible thanks to the fact that we employ LLVM and libFuzzer (see the dedicated paper).
In-place patching
In case full program translation is not a viable option, we're also building a solution to unobtrusively replace individual functions in an existing program.
Symbolic execution
We plan to offer to our users the possibility to perform symbolic execution on the LLVM IR obtained by using KLEE.


CFG recovery can recover an highly accurate control-flow graph across multiple architectures, including jump tables due to switch statements, sophisticated and hand-optimized low-level routines and even restrict the set of possible destination for indirect function calls using information about the detect list of arguments and return value.
Function boundaries detection features an accurate algorithm to detect function boundaries which can also identify outlined functions.
Function arguments detection integrates an innovative argument detection technique that is, not only architecture-independent, but also ABI-agnostic, which ensures accurate results when aggressive optimizations are in place.


C++ is written in C++ and follows the good practices of the LLVM codebase. Since our internal format is the LLVM IR, the knowledge to acquire is very limited.
Since LLVM offers a C API, it is possible to interact with directly from C and, therefore, from any language featuring a C-comatible FFI.
We maintain our own Python interface to LLVM: llvmcpy. It's great for quick and dirty operations or prototyping analyses.

Explore features

Why don't you subscribe to our newsletter and get access to nightly builds? Srls - P. IVA: IT02776470359 - Via San Martino 23 - 42121 - Reggio Emilia, Italy -
Twitter - GitHub - Privacy policy