fla(控制流平坦化):D810 可直接完美还原
编译
~/yourpath/clang-15 test.c -mllvm -enable-cffobf -o ./flaCFG -isysroot `xcrun --show-sdk-path` -target arm64-apple-darwin -arch arm64
ida 伪代码
/*
 * Decompiler pseudo-code of main() after control-flow flattening.
 *
 * The original if / else-if / else has been turned into a dispatcher: the
 * variable `i` holds the current state, every basic block ends by storing
 * the next state into `i`, and the nested `while ( 1 )` loops re-test `i`
 * against each state constant until one matches.
 *
 * State map, read off the comparisons and assignments below:
 *    407310663   entry: test the cached strcmp(v8, "1") result
 *    414587861   print the '1' branch, then go to the exit state
 *   -1140541029  test strcmp(v8, "2")
 *   -175610688   print the '2' branch, then go to -1203880797
 *    1782813863  matches no test, so control falls out to the 'else' printf
 *   -1203880797  trampoline that only forwards to the exit state
 *    470625047   exit state: leaves the for loop
 *
 * Net behaviour: input "1" prints the '1' message, input "2" prints the '2'
 * message, anything else prints the 'else' message; main then returns 0.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
    int v3; // w8
    int v4; // w8
    int i; // [xsp+28h] [xbp-78h]
    int v7; // [xsp+2Ch] [xbp-74h]
    char v8[100]; // [xsp+34h] [xbp-6Ch] BYREF
    // NOTE(review): "%s" carries no field width, so input longer than 99
    // bytes is written past the end of the 100-byte v8 on the stack. A
    // bounded conversion such as "%99s" in the sample source would keep the
    // read inside the buffer.
    scanf("%s", v8);
    // The first comparison is evaluated once, before the dispatcher starts;
    // its result is consumed later in state 407310663.
    v7 = strcmp(v8, "1");
    // The loop initialiser sets the entry state. The loop's step expression
    // is only reached after the 'else' printf at the bottom of the body.
    for ( i = 407310663; ; i = -1203880797 )
    {
        while ( 1 )
        {
            while ( 1 )
            {
                while ( 1 )
                {
                    while ( 1 )
                    {
                        // Trampoline state: forward straight to the exit state.
                        while ( i == -1203880797 )
                            i = 470625047;
                        if ( i != -1140541029 )
                            break;
                        // State -1140541029: second comparison, selects the
                        // '2' state or the 'else' state.
                        if ( !strcmp(v8, "2") )
                            v4 = -175610688;
                        else
                            v4 = 1782813863;
                        i = v4;
                    }
                    if ( i != -175610688 )
                        break;
                    // State -175610688: body of the '2' branch.
                    printf("This is '2' branch");
                    i = -1203880797;
                }
                if ( i != 407310663 )
                    break;
                // Entry state: v7 != 0 means the input was not "1", so move on
                // to the second comparison; otherwise go to the '1' state.
                if ( v7 )
                    v3 = -1140541029;
                else
                    v3 = 414587861;
                i = v3;
            }
            if ( i != 414587861 )
                break;
            // State 414587861: body of the '1' branch.
            printf("This is '1' branch");
            i = 470625047;
        }
        // Exit state reached: leave the dispatcher.
        if ( i == 470625047 )
            break;
        // Any state that matched none of the tests above (here 1782813863)
        // lands on the 'else' body; the for step then sets the trampoline
        // state.
        printf("This is 'else' branch");
    }
    return 0;
}
D810这款ida插件去混淆
-
使用 D810 去混淆:https://gitlab.com/eshard/d810
-
去混淆后