WITNESS

Exploiting LLVM for Multi-Language Virtualization

We present Witness, a tool that exploits the full power of the compilation pipeline to virtualize, encrypt, and entangle your code beyond recognition, producing a unique, irreversible* binary on every build.

* Nothing is truly irreversible. Witness aims to make it exceptionally difficult.

Explore the Architecture
Ring-0 Architecture DRM Architecture Standalone Architecture

One annotation. Your function disappears. What remains cannot be read, cannot be reproduced, and will never be the same twice. 

__attribute__((annotate("witness")))
int protected_function(int x) {
    // everything below is virtualized at compile-time
    return x * x + 1;
}

Annotations stack. Each one adds a layer that compounds the cost of analysis. 

__attribute__((annotate("witness"),
               annotate("antisym"),
               annotate("recursive"),
               annotate("badstack"),
               annotate("true_self_destruct")))
int hardened_function(int x) {
    // virtualized, nested in itself, anti-symbolic,
    // stack-spoofed, destroyed after first call
    return x * x + 1;
}

Witness operates on LLVM IR, the intermediate representation every compiled function passes through before becoming machine code. By virtualizing at this level, full x86-64 coverage is achieved automatically: every instruction the compiler can generate is already captured before it exists.

annotate("witness")

Virtualize the function. Code becomes encrypted bytecode executed by an embedded VM.

annotate("antisym")

Inject anti-symbolic execution traps. Poisons constraint solvers and automated analysis.

falls under witness
annotate("recursive")

Virtualize the virtualizer. Nest the VM inside itself for layered protection.

falls under witness
annotate("badstack")

Spoof the call stack at runtime. Debuggers and profilers see fabricated frames.

falls under witness
annotate("soft_self_destruct")

Erase bytecode after execution. An encrypted snapshot allows the function to be called again.

falls under witness
annotate("true_self_destruct")

Permanently destroy bytecode after first call. The function cannot execute again within the same process.

falls under witness
Unique Builds
0
Plaintext at Rest
0
Shared Structure
1
Line to Protect

Witness can mimic the signatures, structures, and behavioral fingerprints of other virtualizers, packers, and obfuscators. Analysts waste time applying the wrong toolchain. Automated classifiers report the wrong product. The real protection remains unidentified.

C++ Exceptions Variadic SIMD Atomics Inline ASM Kernel Mode Licensing Zero CRT
C C++ Objective-C Fortran D Rust Zig

Any language that compiles through LLVM.

REFUSE TO BE READ

Crack Me
Research Download

Enter Flag

Find the 16-character key.