Overview β’ Features β’ Usage β’ Architecture β’ Obfuscation β’ Testing β’ Contributing
OrgaNULL is an advanced binary packer that leverages cellular automaton-based obfuscation combined with modern cryptographic techniques to create heavily protected executables.
OrgaNULL:
- LOADS the target binary and extracts its payload
- ENCRYPTS using ChaCha20 stream cipher with 256-bit keys
- OBFUSCATES with Cellular Automaton (Rule 30) masking
- EMBEDS pure x86-64 assembly unpacking stub
- OUTPUTS a heavily obfuscated, ready-to-execute binary
The core of OrgaNULL is a dual-layer protection system combining cryptographic strength with algorithmic complexity, making analysis exceptionally difficult.
- Python 3.7 or higher
- GCC toolchain for assembly compilation
- Linux system with
memfd_createandfexecvesupport - LIEF library for binary manipulation
- Cryptography library for ChaCha20
Install Python dependencies:
pip install -r requirements.txt
1. PACK A BINARY
python3 organull/organull.py <input_binary> <output_packed_binary>
2. EXECUTE THE PACKED BINARY
./<output_packed_binary>
The unpacking stub automatically decrypts and executes the original binary in memory.
CUSTOM CA EVOLUTION STEPS:
python3 organull/organull.py <input_binary> <output_packed_binary> --ca-steps 200
ENABLE DEBUG STUB:
python3 organull/organull.py <input_binary> <output_packed_binary> --debug-stub
PARAMETERS:
--ca-steps N- Number of cellular automaton evolution steps (default: 100)--debug-stub- Compile unpacking stub with debug messages
EXAMPLE:
python3 organull/organull.py ./my_binary ./my_binary_packed --ca-steps 200 --debug-stub
OrgaNULL can be used as a library:
from organull import pack_binary # Pack a binary with default settings pack_binary("input_binary", "packed_binary") # Pack with custom settings pack_binary("input_binary", "packed_binary", debug_stub=True)
- β Dual-layer obfuscation combining crypto + CA
- π ChaCha20 encryption with 256-bit keys
- 𧬠Cellular Automaton masking using Rule 30
- πΎ In-memory execution via memfd_create/fexecve
- π‘οΈ Anti-debugging protection with ptrace checks
- π― Position Independent Code for ASLR compatibility
- βοΈ Pure assembly unpacking for maximum efficiency
- Multi-format support: ELF and PE binaries
- Dynamic obfuscation: Unique CA masks per block
- Anti-analysis: Assembly-based unpacking complexity
- No disk artifacts: Direct memory execution
- ASLR compatible: Dynamic base address calculation
- Configurable intensity: Adjustable CA evolution steps
OrgaNULL features a clean separation between high-level logic and low-level operations:
| Component | File | Purpose |
|---|---|---|
| Main Packer | organull/organull.py |
CLI interface & orchestration |
| CA Engine | organull/ca_engine.py |
Rule 30 cellular automaton implementation |
| Crypto Engine | organull/crypto_engine.py |
ChaCha20 encryption/decryption |
| Unpacking Stub | organull/complete_unpacking_stub.s |
Pure x86-64 assembly unpacker |
| Stub Compiler | organull/compile_complete_unpacking_stub.py |
Assembly compilation script |
| API Interface | organull/__init__.py |
Package exports and public API |
OrgaNULL employs a sophisticated multi-layer protection system:
Click to expand encryption details
- 256-bit encryption keys for maximum security
- 96-bit nonces for unique encryption per block
- Stream cipher design for efficient encryption
- Zero-padding for proper block alignment
- Modern cryptographic standard with proven security
Click to expand CA details
- Rule 30 implementation - Chaotic, pseudo-random evolution
- Unique masks per block - Block index XORed with key material
- Configurable evolution steps - Adjustable complexity (default: 100)
- 32-byte block processing - Optimal for performance
- Deterministic yet complex - Reproducible but hard to analyze
Click to expand assembly features
- Pure x86-64 assembly - No high-level language overhead
- CA evolution in assembly - Direct algorithm implementation
- ChaCha20 decryption in assembly - Native crypto operations
- Dynamic base address calculation - ASLR compatibility
- Anti-debugging checks - Ptrace-based detection
- In-memory execution - memfd_create + fexecve syscalls
Click to expand advanced techniques
- Ptrace-based anti-debugging - Prevents debugger attachment
- In-memory execution - No disk artifacts for forensics
- Assembly complexity - Difficult to analyze and reverse
- ASLR compatibility - Works with randomized addresses
- Dynamic base calculation - Runtime address resolution
- Relative addressing - Position-independent code
- Dual-layer encryption - Crypto + CA masking
- Configurable complexity - Adjustable CA evolution steps
- Unique per-block masks - No pattern repetition
Run all tests:
# Main integration test python3 tests/run_packer_test.py # Unit tests python3 tests/test_ca_engine.py python3 tests/test_crypto_engine.py # All tests python -m unittest discover tests/
- β CA engine correctness
- β Crypto engine functionality
- β Assembly stub compilation
- β End-to-end packing/unpacking
- β Binary format compatibility
The obfuscation process is sophisticated yet systematic:
The input binary is loaded and analyzed using LIEF. The payload is extracted while preserving necessary metadata.
ChaCha20 stream cipher encrypts the entire payload using a randomly generated 256-bit key and 96-bit nonce.
Each 32-byte block of encrypted data is masked with a unique pattern generated by evolving a Rule 30 cellular automaton.
The assembly unpacking stub is compiled with embedded configuration parameters (key, nonce, CA steps, payload size).
The encrypted and masked payload is embedded into a new binary along with the compiled stub. The entry point is adjusted to execute the stub first.
When executed, the stub:
- Performs anti-debugging checks (ACTIVE - ptrace detection)
- Regenerates CA masks and removes them
- Decrypts the payload with ChaCha20
- Creates an in-memory file descriptor
- Executes the original binary from memory
β οΈ ANTI-DEBUGGING ACTIVE: The unpacking stub now performs ptrace-based debugger detection. If a debugger is detected, the binary exits silently with code 4, preventing runtime analysis.
OrgaNULL is a powerful research tool with important considerations:
- β Strong cryptographic foundation (ChaCha20)
- β Additional CA-based obfuscation layer
- β Assembly unpacking increases analysis difficulty
- β In-memory execution avoids disk artifacts
- β Anti-debugging protections
β οΈ x86-64 Linux systems onlyβ οΈ Not suitable for production security applicationsβ οΈ Assembly complexity may cause compatibility issuesβ οΈ Significant increase in packed binary sizeβ οΈ Requires memfd_create and fexecve support
- π Multi-architecture support (ARM, x86)
- π Additional obfuscation techniques
- π― Enhanced anti-analysis features
- β‘ Optimized stub size and performance
- π§ͺ Extended compatibility testing
Bug Fixes & Improvements:
- β Anti-debugging protection now ACTIVE - Enabled ptrace-based debugger detection in unpacking stub
- β Fixed duplicate code blocks in main packer module
- β
Added missing
cryptographydependency to requirements.txt - β Corrected test suite key material lengths (all tests now pass)
- β Fixed import statements in integration test suite
- β Enhanced test runner with automatic executable permissions
- β Created comprehensive CLAUDE.md for AI-assisted development
Security Enhancements:
- π‘οΈ Packed binaries now resist debugger attachment via ptrace checks
- π‘οΈ Silent exit on debugger detection (exit code 4)
- π‘οΈ No error messages or hints provided to reverse engineers
Testing:
- β All unit tests passing (CA engine: 5/5, Crypto engine: functional)
- β Integration tests verified on x86-64 Linux
- β Assembly stub compilation tested in both debug and release modes
Contributions are welcome!
OrgaNULL / OrgaNULL is available in the public domain. See UNLICENSE.md for details.
boredom, compounds, a restless mind
orgaNULL - f*ck the Hayflick Limit