An open-source PE .text reordering / obfuscation tool (research & learning).

---

What is this?

This project is a Windows PE (Portable Executable) .text reordering/obfuscation tool. It parses the input PE, splits .text into small “labels” (code chunks), shuffles them, and then rebuilds a new PE while fixing all affected references/tables (jumps/calls, RIP-relative addressing, base relocations, TLS callbacks, CRT init tables, exception table, export table, switch/jump-tables, etc.).

Note

This is intended for learning/research. Please ensure your usage complies with local laws and the target software license.

---

Installation

Requirements

• Python 3.9+ (3.10/3.11 recommended)
• Windows / WSL / Linux can run the scripts (inputs are Windows PE files)

Dependencies (recommended: venv)

python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Windows PowerShell:

py -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -r requirements.txt

Tip

Make sure python/pip refer to the same environment (especially on Windows).

---

Usage

python main.py <input.exe> <output.exe> --seed 12345

• --seed: optional; set a fixed seed for reproducible output.

---

Project Structure

.
├─ main.py                    # Entry point: parse/analyze/collect refs/rebuild/write
├─ pe_parser.py               # PE parsing: sections + data directories (import/export/reloc/TLS/exception...)
├─ code_analyzer.py           # Disassemble .text and split into labels (using jmp/ret as split points)
├─ section_label_analyzer.py  # Section-level labels for non-.text sections (usually one label per section)
├─ address_relocator.py       # Reference analysis: jumps, RIP-relative, reloc/TLS/CRT/exception/jump-tables...
├─ pe_rebuilder.py            # Rebuild: shuffle labels, assemble new .text, fix refs, output new PE
├─ pe_structure_fixer.py      # Table fixups: reloc/export/exception/TLS/CRT/data pointers/jump-tables...
├─ diagnose.py                # Diagnostics for rebuilt PE (structure sanity checks)
├─ verify_pointers.py         # Pointer validation (relocs/data pointers/exception table ranges)
├─ compare_sections.py        # Compare key sections between original and rebuilt PE
└─ assets/                    # README UI assets (SVG logo / diagrams)

---

How it works (high-level)

• Parse: PEParser reads PE headers/sections/data directories (imports/exports/relocs/TLS/exception...).
• Split: CodeAnalyzer disassembles .text with Capstone and splits it into labels using jmp/ret as cut points.
• Collect references: AddressRelocator records everything that must be updated after reordering, including:
  • code_jump: relative branches/calls (short/near)
  • rip_relative: RIP-relative memory addressing (e.g. mov reg, [rip+disp32], and FF 15/FF 25)
  • relocation/export/exception/tls_callback/crt_function_pointer
  • jump_table: switch/jump-tables (typical movsxd + add + jmp pattern; fixes int32 relative-offset tables)
  • data_pointer: module-internal address constants stored in data sections (and in .text if embedded data exists)
• Rebuild & fix: PERebuilder shuffles labels, re-assembles .text (inserting NOPs when needed for instruction expansion), and uses PEStructureFixer to write back fixed tables/pointers and emit a new PE.

---

Helper commands

python diagnose.py <output.exe>
python verify_pointers.py <output.exe>
python compare_sections.py <input.exe> <output.exe>

---