Hacking Tools

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM’s control flow flattening obfuscation through static analysis techniques.

Developed using Miasm’s intermediate representation capabilities, it systematically reconstructs the original program logic from obfuscated binaries by analyzing and patching key structural components.

Core Functionality

Control Flow Deobfuscation
The tool identifies two critical components in flattened functions:

  • Pre-dispatcher: Located by analyzing block predecessors (the block with maximum incoming edges)1
  • Dispatcher: Determined as the first successor of the pre-dispatcher1

These form the “backbone” that coordinates execution through a state variable system. MODeflattener traces this variable’s modifications across basic blocks to map the original control flow.

Technical Process

  1. State Variable Analysis
    Identifies the register/memory location storing the dispatch state, initialized before the dispatcher and modified at each block’s end1.
  2. Relevant Block Classification
    • Simple blocks: Unconditional state updates
    • Conditional blocks: Use CMOV instructions for state branching1
  3. SSA-Based Simplification
    Applies Miasm’s do_propagate_expressions to resolve phi nodes in SSA form, revealing conditional paths: pythonssa_simplifier = IRCFGSimplifierSSA(lifter) ssa = ssa_simplifier.ircfg_to_ssa(ircfg, head) This exposes branch conditions like 0x401a9d: {'cond': 'CMOVB', 'false_next': 0x401bb0, 'true_next': 0x401af5}1.
  4. Instruction Patching
    • Removes state variable operations via def-use chain analysis
    • Replaces CMOV with conditional jumps (e.g., CMOVBJB)
    • NOPs out the entire dispatcher backbone1

Operational Workflow

textInput Binary → Identify Dispatcher → Analyze State Var → 
Classify Blocks → SSA Simplification → Generate Patches →
Rebuild Control Flow → Output Deobfuscated Binary

Enhanced Features

  • Integration with IDA Pro: Includes a nop-hider script to clean graph views
  • Automated Detection: Incorporates Tim Blazytko’s heuristics for flattened function identification1
  • Call Instruction Fixing: Adjusts relative addresses during patching to maintain functionality

The tool successfully restructures flattened control flow into human-readable graphs while preserving executable logic.

Its open-source implementation on GitHub provides practical utilities for reverse engineers tackling OLLVM-obfuscated malware or protected software1.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

23 hours ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 day ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

2 days ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

2 days ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

2 days ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

4 days ago