erfze/MODeflattener
MODeflattener

Miasm's Ollvm Deflattener

MODeflattener deobfuscates control flow flattened functions obfuscated by OLLVM using Miasm.
https://mrt4ntr4.github.io/MODeflattener/

[Images: "Flattened Flow" (obfuscated) beside "Deflattened Flow" (deobfuscated)]

Installation

git clone https://github.com/mrT4ntr4/MODeflattener.git
cd MODeflattener
pip3 install -r requirements.txt

Usage

└──╼ $python3 modeflattener.py -h
usage: modeflattener [-h] [-b BASEADDR] [-a] [-l LOG] filename patch_filename address

positional arguments:
  filename           file to deobfuscate
  patch_filename     deobfuscated file name
  address            obfuscated function address

optional arguments:
  -h, --help            show this help message and exit
  -b BASEADDR, --baseaddr BASEADDR
                        file base address
  -a, --all             find and deobfuscate all flattened functions recursively
  -l LOG, --log LOG     logging level (default=INFO)

Supported Architectures

  • x86

Bonus

  • Tim Blazytko's flattening heuristic script

    While disassembling the specified function, the tool can look out for the other functions it calls and use this script to automatically detect whether each of them is flattened and, if so, try to deobfuscate it too. This has already been integrated into the tool!

  • nop-hider idapython script

    This script hides the nop instructions from the IDA graph view, since the dispatcher backbone is converted into a long nop chain after deobfuscation.

  • qiling ida plugin

    Obfuscation is a common software protection technique used to deliberately make source or machine code hard to understand. Thanks to IDA's powerful CFG API, the Qiling IDA plugin can implement multiple de-obfuscation techniques with a mixture of static and dynamic analysis.
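The flattening heuristic referred to under Bonus above, written out as an added example (this is not MODeflattener's or Tim Blazytko's own code): it computes dominators over a CFG given as an adjacency dict and scores how much of the function a loop header dominates, which is what makes an OLLVM dispatcher stand out. The two CFGs and their block names are constructed for illustration.

```python
# Added example, not MODeflattener's code: a Blazytko-style flattening heuristic.
# A flattened function has one dispatcher that dominates nearly every block and
# that every state block jumps back to; an ordinary function has no such block.

def dominators(cfg, entry):
    """Classic iterative dominator computation over an adjacency dict."""
    nodes = list(cfg)
    preds = {n: set() for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = set(nodes)
            for p in preds[n]:
                new &= dom[p]
            new.add(n)
            if new != dom[n]:
                dom[n], changed = new, True
    return dom, preds

def flattening_score(cfg, entry):
    """Max over loop headers b of |blocks dominated by b| / |all blocks|."""
    dom, preds = dominators(cfg, entry)
    score = 0.0
    for b in cfg:
        dominated = {n for n in cfg if b in dom[n]}
        # only consider blocks with a back edge from a block they dominate
        if any(p in dominated for p in preds[b]):
            score = max(score, len(dominated) / len(cfg))
    return score

def is_flattened(cfg, entry, threshold=0.9):
    return flattening_score(cfg, entry) >= threshold

# Constructed CFGs; block names are hypothetical.
# OLLVM-style: dispatcher plus comparison chain, state blocks return to it.
FLATTENED = {
    "prologue": ["dispatcher"], "dispatcher": ["cmp1", "c1"],
    "cmp1": ["cmp2", "c2"], "cmp2": ["cmp3", "c3"], "cmp3": ["c4", "c5"],
    "c1": ["dispatcher"], "c2": ["dispatcher"], "c3": ["dispatcher"],
    "c4": ["dispatcher"], "c5": ["ret"], "ret": [],
}
# Ordinary if/else followed by a small loop.
NORMAL = {
    "entry": ["a", "b"], "a": ["join"], "b": ["join"], "join": ["loop"],
    "loop": ["body", "exit"], "body": ["loop"], "exit": [],
}
```

The dispatcher in FLATTENED dominates 10 of 11 blocks (score about 0.91), while the loop header in NORMAL dominates only 3 of 7, so only the first is flagged at the 0.9 threshold.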

References

Dissecting LLVM Obfuscator - RPISEC
Automated Detection of Control-flow Flattening - Tim Blazytko
