Hacking Tools

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable logic into complex state-driven structures.

The ollvm-unflattener tool addresses this challenge through Python-based analysis and Miasm framework integration, offering a systematic approach to reverse engineering obfuscated binaries.

This tool specializes in reconstructing original control flow graphs (CFGs) by:

  1. Symbolic execution of flattened functions using Miasm’s engine
  2. State variable analysis to identify dispatch mechanisms and block relationships
  3. Multi-layered deobfuscation through breadth-first search (BFS) of function calls
  4. Binary patching to restore executable logic

Key Features

  • Architecture Support: Currently focuses on x86 architecture (tested on Linux ELF binaries)
  • Dynamic Analysis: Uses symbolic execution instead of static pattern matching
  • Batch Processing: --all flag enables recursive deobfuscation of related functions
  • Visual Validation: Generates Graphviz diagrams for pre/post deobfuscation comparison
bash# Installation
git clone https://github.com/cdong1012/ollvm-unflattener.git
pip install -r requirements.txt

Operational Workflow

  1. Target Identification: Requires function address (-t parameter)
  2. Execution Tracing: Maps state transitions through symbolic execution
  3. CFG Reconstruction: Rebuilds original block connections using recovered logic
  4. Binary Modification: Patches flattened structures with reconstructed flow
Obfuscated CFGRestored CFG
Complex switch-case structureSimplified conditional branches
State-driven transitionsDirect block connections

Limitations

  • Architecture Constraints: No native ARM/x64 support (requires code modifications)
  • Platform Specificity: Primarily tested on Linux binaries
  • Layer Depth: Multi-pass obfuscation requires sequential processing

The tool demonstrates 83% success rate in test cases against single-layer OLLVM flattening, though complex multi-layered obfuscations may require manual intervention.

Future development plans include IDA Pro integration and expanded architecture support, building on concepts from MODeflattener’s static analysis approach.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsollvm-unflattener
9 months ago

Recent Posts

How AI Puts Data Security at Risk

Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…

5 hours ago

The Evolution of Cloud Technology: Where We Started and Where We’re Headed

Image credit:pexels.com If you think back to the early days of personal computing, you probably…

4 days ago

The Evolution of Online Finance Tools In a Tech-Driven World

In an era defined by technological innovation, the way people handle and understand money has…

4 days ago

A Complete Guide to Lenso.ai and Its Reverse Image Search Capabilities

The online world becomes more visually driven with every passing year. Images spread across websites,…

5 days ago

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

1 month ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

1 month ago