AntiOllvm is an Arm64-based simulated execution framework designed to remove OLLVM's flattening obfuscation. By identifying specific patterns, it can reconstruct the complete set of if-else branches, facilitating reverse engineering and analysis.
- Arm64 Support: Optimized for Arm64 architectures.
- Obfuscation Removal: Specifically targets and removes OLLVM's flattening obfuscation.
- CFG Reconstruction: Rebuilds comprehensive control flow graphs with complete if-else branches.
- IDA Integration: Seamlessly works with IDA for analysis and rebuilding CFGs.
- Extensible: Easily customizable analyzer for various use cases.
Coming Soon...
Follow these steps to extract the Control Flow Graph (CFG) information using the provided IDA Python script.
# Edit ida_get_cfg.py
def main():
# Choose your function address
func_addr = 0x181c6c # Replace with your function address
# Edit your output file path
output_file = "C:/Users/PC5000/PycharmProjects/py_ida/cfg_output_" + hex(func_addr) + ".json"
# Run the script
# 1. Open IDA
# 2. Navigate to File -> Script file -> Choose ida_get_cfg.py
# 3. Check the output file for the CFG information
Execute the AntiOllvm tool with the CFG output.
./AntiOllvm.exe -s cfg_output_xxxx.json
Generate the machine code using the provided Python script. This script relies on the Keystone Engine, so ensure it's installed.
pip install keystone-engine
json_file_path = "fix.json" # Replace with your fix.json path
python gen_machine_code.py
Reconstruct the CFG within IDA using the generated machine code.
# Run the script
# Steps:
1. Open IDA
2. Navigate to File -> Script file -> Choose ida_rebuild_cfg.py
3. Select the output `fix.json` file from `gen_machine_code.py`
4. Enjoy the reconstructed CFG!
Clone the repository and build the project using your preferred IDE.
git clone https://github.com/IIIImmmyyy/AntiOllvm.git
- Open the project in Rider or Visual Studio.
- Build the project.
- If you are a Chinese user, you can learn more from the Kanxue Forum. [原创] 自写简易Arm64模拟执行去除控制流平坦化