Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
January 4, 2023 10:13
January 4, 2023 09:50
June 3, 2022 16:23
August 24, 2022 14:15
August 29, 2022 15:41
June 9, 2021 14:36
September 29, 2021 16:50
August 16, 2022 13:42
August 23, 2022 16:58

PyPI - Python Version Last release CI status Downloads License

FLOSS logo

FLARE Obfuscated String Solver

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility that we commonly use during basic static analysis.

The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.

FLOSS extracts all the following string types:

  1. static strings: "regular" ASCII and UTF-16LE strings
  2. stack strings: strings constructed on the stack at run-time
  3. tight strings: special form of stack strings, decoded on the stack
  4. decoded strings: strings decoded in a function

Please review the theory behind FLOSS here.

Our blog post talks more about the motivation behind FLOSS and details how the tool works.

FLOSS version 2.0 updates are detailed in this blog post.

Quick Run

To try FLOSS right away, download a standalone executable file from the releases page:

For a detailed description of installing FLOSS, review the documentation here.


Extract obfuscated strings from a malware binary:

$ floss /path/to/malware/binary

Display the help/usage screen to see all available switches.

$ floss -h

For a detailed description of using FLOSS, review the documentation here.

For a detailed description of testing FLOSS, review the documentation here.