MODeflattener
Miasm's Ollvm Deflattener
MODeflattener deobfuscates control flow flattened functions obfuscated by OLLVM using Miasm.
https://mrt4ntr4.github.io/MODeflattener/
| Flattened Flow | Deflattened Flow |
|---|---|
 |
 |
Installation
git clone https://github.com/mrT4ntr4/MODeflattener.git
cd MODeflattener
pip3 install -r requirements.txt
Usage
└──╼ $python3 modeflattener.py -h
usage: modeflattener [-h] [-a] [-l LOG] filename patch_filename address
positional arguments:
filename file to deobfuscate
patch_filename deobfuscated file name
address obfuscated function address
optional arguments:
-h, --help show this help message and exit
-a, --all find functions recursively and deobfuscate if flattened
-l LOG, --log LOG logging level (default=INFO)
Bonus
- Tim Blazytko's flattening heuristic script
While disassembling the specified function we can look out for other functions used by it and can make use of this script to automatically detect whether it is a flattened one and try to deobfuscate it. This has already been integrated into the tool! - nop-hider idapython script
This script hides the nop instructions from IDA graph view as the backbone is converted into a long nop chain after deobfuscation.
References
Dissecting LLVM Obfuscator - RPISEC
Automated Detection of Control-flow Flattening - Tim Blazytko
1 Nov 19, 2021
1 Mar 05, 2022
10 Nov 02, 2022
1 Dec 14, 2022
2 Jul 11, 2022
3 Nov 08, 2022
2 Nov 05, 2022
1 Dec 08, 2021
7 Oct 03, 2022
248 Dec 28, 2022
3 Feb 15, 2022
5.3k Jan 03, 2023
10 Oct 03, 2021
3 Oct 19, 2022
52 Dec 22, 2022
2 Oct 06, 2022
106 Dec 22, 2022
7 Aug 19, 2022
1 Dec 22, 2021
71 Jan 09, 2023