
RPISEC/llvm-deobfuscator

llvm-deobfuscator

Performs the inverse operation of the control flow flattening pass performed by LLVM-Obfuscator. It does not yet undo the bogus control flow and expression substitution passes.

Makes use of the Binary Ninja SSA form to determine all usages of the state variable. To use, right-click on the state variable and click "Deobfuscate (OLLVM)". Note that the instruction writing to the state variable is typically in the first basic block of the function, and looks something like:

mov dword [rbp-0xf8], 0x962e7c4e

with minor variations in the large constant and variable offset.
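The idea behind following the state variable, as an added example that is not the plugin's own code and does not use the Binary Ninja API: once every write to the state variable is known, each constant can be mapped to the block the dispatcher would route it to, which gives back the original edges. The block names, the `DISPATCH` and `STATE_DEFS` tables, and every constant except `0x962e7c4e` are constructed for illustration.

```python
# Toy model: constructed blocks and constants (only 0x962e7c4e is from the README).
# DISPATCH is what the dispatcher encodes: state value -> block run for that value.
DISPATCH = {
    0x962E7C4E: "init",
    0x1D3A55F0: "loop_check",
    0x7B0C21A9: "loop_body",
    0x44E1909C: "done",
}

# Writes to the state variable per block; a tuple is a select: (true, false).
STATE_DEFS = {
    "prologue": [0x962E7C4E],
    "init": [0x1D3A55F0],
    "loop_check": [(0x7B0C21A9, 0x44E1909C)],
    "loop_body": [0x1D3A55F0],
    "done": [],  # no write: this block returns
}


def recover_cfg(dispatch, state_defs):
    """Return (edges, unresolved); edges maps block -> [(label, successor)]."""
    edges, unresolved = {}, []
    for block, defs in state_defs.items():
        edges[block] = []
        for d in defs:
            pairs = zip(("true", "false"), d) if isinstance(d, tuple) else [("always", d)]
            for label, const in pairs:
                if const in dispatch:
                    edges[block].append((label, dispatch[const]))
                else:  # constant the dispatcher never tests: needs manual review
                    unresolved.append((block, const))
    return edges, unresolved


def linearize(edges, start):
    """Depth-first order of real blocks from start; the dispatcher is gone."""
    order, stack = [], [start]
    while stack:
        block = stack.pop()
        if block not in order:
            order.append(block)
            stack.extend(t for _, t in reversed(edges.get(block, [])))
    return order

if __name__ == "__main__":
    cfg, unknown = recover_cfg(DISPATCH, STATE_DEFS)
    for src in linearize(cfg, "prologue"):
        print(src, "->", cfg[src] or "return")
```

A constant that lands in `unresolved` is one the dispatcher never compares against, which in a real sample is worth checking by hand before trusting the recovered graph.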

For more information on LLVM-Obfuscator itself, the source is an obvious ground truth :)

Installation

You should be able to git clone the repository into your Binary Ninja plugins directory.

Other Protections