MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM’s control flow flattening obfuscation through static analysis techniques.

Developed using Miasm’s intermediate representation capabilities, it systematically reconstructs the original program logic from obfuscated binaries by analyzing and patching key structural components.

Core Functionality

Control Flow Deobfuscation
The tool identifies two critical components in flattened functions:

Pre-dispatcher: Located by analyzing block predecessors (the block with maximum incoming edges)1
Dispatcher: Determined as the first successor of the pre-dispatcher1

These form the “backbone” that coordinates execution through a state variable system. MODeflattener traces this variable’s modifications across basic blocks to map the original control flow.

Technical Process

State Variable Analysis
Identifies the register/memory location storing the dispatch state, initialized before the dispatcher and modified at each block’s end1.
Relevant Block Classification
- Simple blocks: Unconditional state updates
- Conditional blocks: Use CMOV instructions for state branching1
SSA-Based Simplification
Applies Miasm’s do_propagate_expressions to resolve phi nodes in SSA form, revealing conditional paths: pythonssa_simplifier = IRCFGSimplifierSSA(lifter) ssa = ssa_simplifier.ircfg_to_ssa(ircfg, head) This exposes branch conditions like 0x401a9d: {'cond': 'CMOVB', 'false_next': 0x401bb0, 'true_next': 0x401af5}1.
Instruction Patching
- Removes state variable operations via def-use chain analysis
- Replaces CMOV with conditional jumps (e.g., CMOVB → JB)
- NOPs out the entire dispatcher backbone1

Operational Workflow

textInput Binary → Identify Dispatcher → Analyze State Var → 
Classify Blocks → SSA Simplification → Generate Patches → 
Rebuild Control Flow → Output Deobfuscated Binary

Enhanced Features

Integration with IDA Pro: Includes a nop-hider script to clean graph views
Automated Detection: Incorporates Tim Blazytko’s heuristics for flattened function identification1
Call Instruction Fixing: Adjusts relative addresses during patching to maintain functionality

The tool successfully restructures flattened control flow into human-readable graphs while preserving executable logic.

Its open-source implementation on GitHub provides practical utilities for reverse engineers tackling OLLVM-obfuscated malware or protected software1.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.