Hacking Tools

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM’s control flow flattening obfuscation through static analysis techniques.

Developed using Miasm’s intermediate representation capabilities, it systematically reconstructs the original program logic from obfuscated binaries by analyzing and patching key structural components.

Core Functionality

Control Flow Deobfuscation
The tool identifies two critical components in flattened functions:

  • Pre-dispatcher: Located by analyzing block predecessors (the block with maximum incoming edges)1
  • Dispatcher: Determined as the first successor of the pre-dispatcher1

These form the “backbone” that coordinates execution through a state variable system. MODeflattener traces this variable’s modifications across basic blocks to map the original control flow.

Technical Process

  1. State Variable Analysis
    Identifies the register/memory location storing the dispatch state, initialized before the dispatcher and modified at each block’s end1.
  2. Relevant Block Classification
    • Simple blocks: Unconditional state updates
    • Conditional blocks: Use CMOV instructions for state branching1
  3. SSA-Based Simplification
    Applies Miasm’s do_propagate_expressions to resolve phi nodes in SSA form, revealing conditional paths: pythonssa_simplifier = IRCFGSimplifierSSA(lifter) ssa = ssa_simplifier.ircfg_to_ssa(ircfg, head) This exposes branch conditions like 0x401a9d: {'cond': 'CMOVB', 'false_next': 0x401bb0, 'true_next': 0x401af5}1.
  4. Instruction Patching
    • Removes state variable operations via def-use chain analysis
    • Replaces CMOV with conditional jumps (e.g., CMOVBJB)
    • NOPs out the entire dispatcher backbone1

Operational Workflow

textInput Binary → Identify Dispatcher → Analyze State Var → 
Classify Blocks → SSA Simplification → Generate Patches →
Rebuild Control Flow → Output Deobfuscated Binary

Enhanced Features

  • Integration with IDA Pro: Includes a nop-hider script to clean graph views
  • Automated Detection: Incorporates Tim Blazytko’s heuristics for flattened function identification1
  • Call Instruction Fixing: Adjusts relative addresses during patching to maintain functionality

The tool successfully restructures flattened control flow into human-readable graphs while preserving executable logic.

Its open-source implementation on GitHub provides practical utilities for reverse engineers tackling OLLVM-obfuscated malware or protected software1.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

5 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

7 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

9 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

9 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

9 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

1 day ago