MODeflattener is a specialized tool designed to reverse OLLVM’s control flow flattening obfuscation through static analysis techniques.
Developed using Miasm’s intermediate representation capabilities, it systematically reconstructs the original program logic from obfuscated binaries by analyzing and patching key structural components.
Control Flow Deobfuscation
The tool identifies two critical components in flattened functions:
These form the “backbone” that coordinates execution through a state variable system. MODeflattener traces this variable’s modifications across basic blocks to map the original control flow.
do_propagate_expressions
to resolve phi nodes in SSA form, revealing conditional paths: pythonssa_simplifier = IRCFGSimplifierSSA(lifter) ssa = ssa_simplifier.ircfg_to_ssa(ircfg, head)
This exposes branch conditions like 0x401a9d: {'cond': 'CMOVB', 'false_next': 0x401bb0, 'true_next': 0x401af5}
1.CMOVB
→ JB
)textInput Binary → Identify Dispatcher → Analyze State Var →
Classify Blocks → SSA Simplification → Generate Patches →
Rebuild Control Flow → Output Deobfuscated Binary
The tool successfully restructures flattened control flow into human-readable graphs while preserving executable logic.
Its open-source implementation on GitHub provides practical utilities for reverse engineers tackling OLLVM-obfuscated malware or protected software1.
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…