eversinc33/karyo

17 · C++ · Audience · developer · Complexity · 5/5 · Setup · hard

TLDR

A C++ library for security researchers that uses symbolic execution on LLVM bitcode to analyze obfuscated VMP-protected software. It tells you what a register holds after a handler runs, or builds a formula if inputs are unknown.

Mindmap

mindmap
  root((karyo))
    What it does
      Symbolic execution library
      VMP handler analysis
      Register value tracing
    How it works
      LLVM bitcode input
      Concrete and symbolic modes
      Expression tree output
    Use Cases
      Software protection analysis
      Obfuscated code reasoning
      Reverse engineering toolchain
    Setup
      C++ and CMake
      LLVM required
      Optional test targets
Things people build with this

USE CASE 1

Analyze VMP-protected software handlers to determine the exact register value produced after execution, given known inputs.

USE CASE 2

Run symbolic queries on obfuscated code to get a formula showing how outputs depend on inputs when register values are unknown.

USE CASE 3

Integrate Karyo into a C++ reverse engineering pipeline that uses LLVM bitcode as the intermediate representation.

Tech stack

C++, LLVM, CMake

Getting it running

Difficulty · hard · Time to first run · 1 day+

Requires C++, CMake, and a compatible LLVM installation. You must also bring your own LLVM bitcode lifted from the target binary before using the library.

License terms are not mentioned in the repository description.

In plain English

Karyo is a small C++ programming library aimed at security researchers and reverse engineers who analyze obfuscated software. Its main purpose is to help understand how a specific class of software protection, known as VMP handlers, actually behaves at the machine level. The project description notes that all code was generated by AI.

The library works by taking machine code that has been translated into an intermediate format called LLVM bitcode and then running it in a mode that mixes real, known values with placeholder symbolic ones. Rather than executing the code as a normal program would, it traces through the logic and produces either a concrete result or an expression tree showing how the output depends on the inputs. This approach is called symbolic execution.

The primary use case is asking a question like: given a particular code handler from a protected program, what value ends up in a specific processor register when the handler finishes? The library can answer that as a fixed number when inputs are known, or as a formula when they are not.

Integration requires a C++ build environment using CMake and a compatible version of the LLVM compiler infrastructure. The readme includes short code examples showing how to set up register values, run a handler function, and read back results. Tests and examples are optional build targets that can be enabled at compile time.

This is a narrow, specialist tool. It is not aimed at general developers or beginners, and it is not a standalone application. If you are not already working with LLVM-based binary lifting and software protection analysis, this library is unlikely to be relevant to your work.
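To make the concrete-versus-symbolic distinction tangible, here is an added sketch that is not Karyo's code and does not use its API: a toy evaluator that runs a constructed three-step handler and returns either a folded constant or an expression tree for `rax`. The names `Expr`, `Insn`, `run_handler` and `kHandler` are hypothetical, and the handler is a plain instruction list rather than LLVM bitcode.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// A register value: a concrete 64-bit constant or a symbolic expression tree.
struct Expr {
    char op;                         // 'c' constant, 's' symbol, or '+', '^', '*'
    uint64_t value;                  // used when op == 'c'
    std::string name;                // used when op == 's'
    std::shared_ptr<Expr> lhs, rhs;  // used for binary operators
};
using ExprPtr = std::shared_ptr<Expr>;
using Regs = std::map<std::string, ExprPtr>;
ExprPtr constant(uint64_t v) { return std::make_shared<Expr>(Expr{'c', v, "", nullptr, nullptr}); }
ExprPtr symbol(const std::string& n) { return std::make_shared<Expr>(Expr{'s', 0, n, nullptr, nullptr}); }

// Fold to a constant when both operands are concrete; otherwise grow the tree.
ExprPtr binary(char op, const ExprPtr& a, const ExprPtr& b) {
    if (a->op == 'c' && b->op == 'c') {
        uint64_t x = a->value, y = b->value;
        return constant(op == '+' ? x + y : op == '^' ? x ^ y : x * y);
    }
    return std::make_shared<Expr>(Expr{op, 0, "", a, b});
}

std::string render(const ExprPtr& e) {
    if (e->op == 'c') return std::to_string(e->value);
    if (e->op == 's') return e->name;
    return "(" + render(e->lhs) + " " + e->op + " " + render(e->rhs) + ")";
}

// One step of a constructed handler: dst = dst <op> (src register, or imm if src is empty).
struct Insn { char op; std::string dst, src; uint64_t imm; };
// Constructed sample handler: rax ^= rbx; rax += 16; rax *= 3
const std::vector<Insn> kHandler = {{'^', "rax", "rbx", 0}, {'+', "rax", "", 16}, {'*', "rax", "", 3}};

// Run the handler over a copy of the register file and return the final value of `out`.
ExprPtr run_handler(const std::vector<Insn>& handler, Regs regs, const std::string& out) {
    for (const Insn& i : handler)
        regs[i.dst] = binary(i.op, regs.at(i.dst), i.src.empty() ? constant(i.imm) : regs.at(i.src));
    return regs.at(out);
}

int main() {
    std::cout << render(run_handler(kHandler, {{"rax", constant(5)}, {"rbx", constant(3)}}, "rax")) << "\n";
    std::cout << render(run_handler(kHandler, {{"rax", constant(5)}, {"rbx", symbol("rbx")}}, "rax")) << "\n";
}
```

With both registers concrete the result folds to a single number; making `rbx` symbolic leaves a tree that shows exactly how the output depends on it.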

Copy-paste prompts

Prompt 1
I have LLVM bitcode lifted from a VMP handler. Show me how to use the Karyo library to run symbolic execution and read back the value in RAX after the handler finishes.
Prompt 2
Using Karyo's C++ API, write an example that sets two input registers to symbolic (unknown) values, executes a handler, and prints the resulting expression tree.
Prompt 3
How do I build Karyo with CMake and link it into a C++ project that already depends on LLVM 17?
Prompt 4
Write a Karyo example that first runs a handler with concrete register values, then with symbolic values, and compares the two results to verify the handler's logic.
Verify against the repo before relying on details.