Skip to content

Kagura

LLVM-based code obfuscation and anti-tamper toolkit for mobile, desktop, and WebAssembly targets.

Built on the New Pass Manager (LLVM 17+). Loaded as a pass plugin via -fpass-plugin — no LLVM source tree modification required.

Supported platforms: iOS · Android · macOS · Windows (MSVC/Clang-CL) · Linux · WebAssembly

New here?

Start with the Quick Start — five minutes from install to your first obfuscated binary.

Citing Kagura

If you build research or production work on Kagura, please cite the paper — see Citation. The DOI is 10.5281/zenodo.20361447.

Community

Questions, ideas, and use-case sharing live in GitHub Discussions. Bug reports and feature requests go in Issues — templates provided.


Why Kagura?

Shipping compiled native code means shipping a reverse-engineer's starting point. Static analysis tools (IDA Pro, Ghidra, Binary Ninja) and dynamic instrumentation frameworks (Frida, Substrate) can reconstruct logic, extract keys, and bypass security checks within hours on unprotected binaries.

Kagura addresses this at the IR level — before the compiler turns IR into machine code — so every protection is architecture-agnostic and works across all targets from a single build step.

Threat Kagura countermeasure
Static string extraction (strings, IDA imports) kagura-str / kagura-str-aes — strings are XOR/AES-encrypted blobs until first use
Decompiler-readable control flow kagura-fla + kagura-bcf — CFG becomes a switch-dispatched state machine with opaque dead branches
Memory editor / GameGuardian value freeze kagura-mvo / kagura-pe / Protected<T> — values stored XOR-encrypted at every alloca site
Frida / Substrate dynamic instrumentation kagura-anti-debug + loaded-library scan — detects and responds to hooking frameworks at runtime
Binary patching (NOP-ing integrity checks) kagura-bbcheck — per-basic-block opcode checksums abort on binary modification
Import table analysis (IDA external calls) kagura-ci — external calls routed through runtime-resolved thunk table
Jailbreak / root detection bypass Runtime module: Mach-O integrity, ELF tampering, Magisk/Zygisk/LSPosed detection

Documentation map

  • Getting Started

    Install, build, and run your first obfuscated binary in under five minutes.

  • Passes

    Reference for every IR pass — flags, effects, code-size and runtime overhead.

  • Integration

    Xcode, Gradle/NDK, Unity, Unreal, CMake, Bazel, CocoaPods, SPM.

  • Cookbook

    Banking, mobile game, SDK vendor, DRM — recipe-style guides with policy + verification.

  • Security Model

    What Kagura protects, what it doesn't, and assumptions you can't violate.

  • Configuration

    JSON policy DSL, strength profiles, CLI tuning parameters, deterministic pass order.

  • Runtime

    Anti-tamper API and Protected<T> for HP / currency / game-state values.

  • Project

    Testing & evaluation, architecture, contributor workflow.


At a glance

clang -fpass-plugin=KaguraObfuscator.dylib \
      -mllvm -kagura-config=kagura.json \
      -O1 your_file.c -o your_file
{
  "profile": "BALANCED",
  "passes": { "str": true, "fla": true, "bcf": true, "mvo": true },
  "tuning": { "bcf_prob": 40, "seed": 12345 }
}

See Quick Start for a full walkthrough.


Citation

If you use Kagura in your research or build on it, please cite the paper:

@software{kagura,
  author    = {yotti},
  title     = {Kagura: LLVM-based Code Obfuscation and Anti-Tamper Toolkit},
  year      = {2025},
  publisher = {Zenodo},
  doi       = {10.5281/zenodo.20361447},
  url       = {https://doi.org/10.5281/zenodo.20361447}
}

License

MIT — see LICENSE.