xiaojianbang8888/ollvm_deobfuscator — explained in plain English
Analysis updated 2026-05-18
Recover readable control flow from a control flow flattened Android native function.
Resolve indirect branch and indirect call targets in a protected .so file.
Strip out bogus, never-taken branches from an obfuscated function.
Analyze a modified OLLVM variant that uses a wider state variable.
| xiaojianbang8888/ollvm_deobfuscator | coleam00/harness-engineering-demo | color4-alt/citecheck | |
|---|---|---|---|
| Stars | 31 | 31 | 31 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | easy |
| Complexity | 4/5 | 3/5 | 2/5 |
| Audience | researcher | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
Requires a disassembler like IDA Pro to first locate the target function's address range.
This is a command line tool for reversing a specific kind of code protection called OLLVM obfuscation, which is often applied to Android native libraries to make them harder to analyze. It targets ARM64 shared library files with the .so extension and works by simulating the protected function's execution using the Unicorn CPU emulator, then rewriting the confusing control flow back into something readable. The tool recognizes four common obfuscation patterns: control flow flattening, where a hidden state machine decides which block of code runs next, indirect branches that compute their jump target instead of writing it directly, indirect function calls reached through several layers of pointers, and bogus control flow, where fake branches are inserted using conditions that can never actually be true. It can also handle a modified variant of one of these patterns that uses a 64 bit state variable. To use it, you first find the start and end address of the target function inside the .so file, typically with a disassembler like IDA Pro, then run the script with those two addresses and the input file. It automatically detects which obfuscation type is present, though you can force a specific type instead. The tool writes a new, patched .so file with the confusing jumps replaced by direct, readable branches, and you can then reload that file into a disassembler to check that the logic makes sense. The README includes several before and after examples with real address ranges, showing how many fake blocks and patches were removed in each case, and lists links to a series of companion articles that explain the theory behind each obfuscation type in more depth. It also notes the project needs Python 3.8 or newer along with the capstone, unicorn, and keystone-engine libraries. The author states the project is intended only for learning and research purposes.
A command line tool that automatically reverses OLLVM code obfuscation in ARM64 Android shared libraries.
Mainly Python. The stack also includes Python, Unicorn, Capstone.
The author states it is intended only for learning and research use, not for other purposes.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.