VTIL

Overview

VTIL (Virtual-machine Translation Intermediate Language) is an open-source, optimizing compiler toolset purpose-built for binary de-obfuscation and de-virtualization. It provides a flexible intermediate representation (IR) and a rich optimization pipeline that makes it straightforward to lift native machine code, transform it, analyze it symbolically, and emit optimized output.

What problem does it solve?

Commercial software protectors (such as VMProtect, Themida, and Code Virtualizer) defeat traditional disassemblers by translating native x86/x64 code into a proprietary bytecode interpreted by an embedded VM. VTIL provides the building blocks to lift that bytecode back to a clean, machine-independent IR, run optimization passes to simplify it, and recover human-readable semantics.
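To make the lift-then-simplify idea concrete, here is an added toy example; it is not VTIL code and does not use VTIL's API or IR. The stack-VM handler names, the bytecode encoding, and the sample program are all constructed for illustration: the bytecode is symbolically executed into expression trees, which are then simplified to recover what the virtualized code does to `rax`.

```python
# Toy model only: a constructed stack VM, not a real protector and not VTIL's IR or API.
MASK = 0xFFFFFFFFFFFFFFFF  # 64-bit arithmetic

# Constructed bytecode for the hypothetical VM: rax = ((rax + 5) ^ 0) + 3
BYTECODE = [
    ("vpush_reg", "rax"), ("vpush_imm", 5), ("vadd",), ("vpush_imm", 0), ("vxor",),
    ("vpush_imm", 3), ("vadd",), ("vpop_reg", "rax"),
]

def lift(bytecode):
    """Symbolically execute the virtual stack; return {register: expression tree}."""
    stack, regs = [], {}
    for op, *args in bytecode:
        if op == "vpush_reg":
            stack.append(regs.get(args[0], ("reg", args[0])))
        elif op == "vpush_imm":
            stack.append(("imm", args[0]))
        elif op in ("vadd", "vxor"):
            rhs, lhs = stack.pop(), stack.pop()
            stack.append((op[1:], lhs, rhs))
        elif op == "vpop_reg":
            regs[args[0]] = stack.pop()
        else:
            raise ValueError(f"unknown handler: {op}")
    if stack:
        raise ValueError("unbalanced virtual stack")
    return regs

def simplify(e):
    """Fold constants, drop x+0 / x^0, and reassociate (x + c1) + c2 into x + (c1 + c2)."""
    if e[0] in ("reg", "imm"):
        return e
    op, lhs, rhs = e[0], simplify(e[1]), simplify(e[2])
    if lhs[0] == "imm" and rhs[0] == "imm":
        value = lhs[1] + rhs[1] if op == "add" else lhs[1] ^ rhs[1]
        return ("imm", value & MASK)
    if rhs == ("imm", 0):  # identity for both add and xor
        return lhs
    if op == "add" and rhs[0] == "imm" and lhs[0] == "add" and lhs[2][0] == "imm":
        return simplify(("add", lhs[1], ("imm", (lhs[2][1] + rhs[1]) & MASK)))
    return (op, lhs, rhs)

def render(e):
    if e[0] in ("reg", "imm"):
        return e[1] if e[0] == "reg" else hex(e[1])
    return f"({render(e[1])} {'+' if e[0] == 'add' else '^'} {render(e[2])})"

def devirtualize(bytecode):
    """Lift, simplify, and print each register's final value as an expression."""
    return {reg: render(simplify(expr)) for reg, expr in lift(bytecode).items()}
```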

Key design principles

  • Extremely nonrestrictive IL - Mixing operand sizes, implicit zero extension, non-SSA register assignments, and combining physical registers with temporaries are all permitted by design.
  • Preserves native ISA concepts - The native stack, physical registers, and CPU flag semantics are first-class citizens in the IR.
  • Inline native emission - Native instructions can be embedded directly within an IL stream.
  • Architecture agnostic - The same optimizer and analysis passes work regardless of source architecture.

Core components

  • VTIL-Core - IR definition, optimizer passes, symbolic evaluation engine, and code emitters.
  • VTIL-NativeLifters - x86/x64 lifters that translate native instructions to VTIL IR.
  • VTIL-BinaryNinja - Plugin for the Binary Ninja reverse engineering platform.
  • VTIL-Python - Python bindings for scripted analysis.
  • VTIL-Sandbox - Local VTIL inspector with API backend and interactive frontend.
  • VTIL-Utils - Command-line utility for dumping, lifting, and optimizing VTIL files.