Home Exploitation Tools ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

April 1, 2025

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable logic into complex state-driven structures.

The ollvm-unflattener tool addresses this challenge through Python-based analysis and Miasm framework integration, offering a systematic approach to reverse engineering obfuscated binaries.

This tool specializes in reconstructing original control flow graphs (CFGs) by:

Symbolic execution of flattened functions using Miasm’s engine
State variable analysis to identify dispatch mechanisms and block relationships
Multi-layered deobfuscation through breadth-first search (BFS) of function calls
Binary patching to restore executable logic

Key Features

Architecture Support: Currently focuses on x86 architecture (tested on Linux ELF binaries)
Dynamic Analysis: Uses symbolic execution instead of static pattern matching
Batch Processing: --all flag enables recursive deobfuscation of related functions
Visual Validation: Generates Graphviz diagrams for pre/post deobfuscation comparison

bash# Installation
git clone https://github.com/cdong1012/ollvm-unflattener.git
pip install -r requirements.txt

Operational Workflow

Target Identification: Requires function address (-t parameter)
Execution Tracing: Maps state transitions through symbolic execution
CFG Reconstruction: Rebuilds original block connections using recovered logic
Binary Modification: Patches flattened structures with reconstructed flow

Obfuscated CFG	Restored CFG
Complex switch-case structure	Simplified conditional branches
State-driven transitions	Direct block connections

Limitations

Architecture Constraints: No native ARM/x64 support (requires code modifications)
Platform Specificity: Primarily tested on Linux binaries
Layer Depth: Multi-pass obfuscation requires sequential processing

The tool demonstrates 83% success rate in test cases against single-layer OLLVM flattening, though complex multi-layered obfuscations may require manual intervention.

Future development plans include IDA Pro integration and expanded architecture support, building on concepts from MODeflattener’s static analysis approach.

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Key Features

Operational Workflow

Limitations

LEAVE A REPLY Cancel reply

APPLICATIONS

The Silk Wasm : Revolutionizing HTML Smuggling Through WebAssembly

FalconEye : Real-time detection software for Windows process injections

ELFXtract : An Automated Analysis Tool Used For Enumerating ELF Binaries

SilentHound : Quietly Enumerate An Active Directory Domain Via LDAP Parsing Users, Admins, Groups,...

HOT NEWS

Scout Suite : Multi-Cloud Security Auditing Tool

EVEN MORE NEWS

Playwright-MCP : A Powerful Tool For Browser Automation

JBDev : A Tool For Jailbreak And TrollStore Development

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications...

POPULAR CATEGORY

HikvisionExploiter – Automated Exploitation And Surveillance Utility For Hikvision Cameras

RdpStrike – Harnessing PIC And Hardware Breakpoints For Credential Extraction

ADCSKiller – An ADCS Exploitation Automation Tool