explaingit

xiaojianbang8888/ollvm_deobfuscator

Analysis updated 2026-05-18

31PythonAudience · researcherComplexity · 4/5LicenseSetup · moderate

TLDR

A command line tool that automatically reverses OLLVM code obfuscation in ARM64 Android shared libraries.

Mindmap

mindmap
  root((repo))
    What it does
      Detects obfuscation type
      Simulates function execution
      Patches confusing jumps
    Tech stack
      Python
      Unicorn emulator
      Capstone
      Keystone
    Use cases
      Reverse control flow flattening
      Reverse indirect branches
      Reverse bogus control flow
    Audience
      Reverse engineers
    Input
      ARM64 shared library
      Function address range

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Recover readable control flow from a control flow flattened Android native function.

USE CASE 2

Resolve indirect branch and indirect call targets in a protected .so file.

USE CASE 3

Strip out bogus, never-taken branches from an obfuscated function.

USE CASE 4

Analyze a modified OLLVM variant that uses a wider state variable.

What is it built with?

PythonUnicornCapstoneKeystone

How does it compare?

xiaojianbang8888/ollvm_deobfuscatorcoleam00/harness-engineering-democolor4-alt/citecheck
Stars313131
LanguagePythonPythonPython
Setup difficultymoderatemoderateeasy
Complexity4/53/52/5
Audienceresearcherdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 1h+

Requires a disassembler like IDA Pro to first locate the target function's address range.

The author states it is intended only for learning and research use, not for other purposes.

In plain English

This is a command line tool for reversing a specific kind of code protection called OLLVM obfuscation, which is often applied to Android native libraries to make them harder to analyze. It targets ARM64 shared library files with the .so extension and works by simulating the protected function's execution using the Unicorn CPU emulator, then rewriting the confusing control flow back into something readable. The tool recognizes four common obfuscation patterns: control flow flattening, where a hidden state machine decides which block of code runs next, indirect branches that compute their jump target instead of writing it directly, indirect function calls reached through several layers of pointers, and bogus control flow, where fake branches are inserted using conditions that can never actually be true. It can also handle a modified variant of one of these patterns that uses a 64 bit state variable. To use it, you first find the start and end address of the target function inside the .so file, typically with a disassembler like IDA Pro, then run the script with those two addresses and the input file. It automatically detects which obfuscation type is present, though you can force a specific type instead. The tool writes a new, patched .so file with the confusing jumps replaced by direct, readable branches, and you can then reload that file into a disassembler to check that the logic makes sense. The README includes several before and after examples with real address ranges, showing how many fake blocks and patches were removed in each case, and lists links to a series of companion articles that explain the theory behind each obfuscation type in more depth. It also notes the project needs Python 3.8 or newer along with the capstone, unicorn, and keystone-engine libraries. The author states the project is intended only for learning and research purposes.

Copy-paste prompts

Prompt 1
Explain how control flow flattening obfuscation works using this repo's approach.
Prompt 2
Walk me through finding the start and end address of a function in IDA Pro before running this tool.
Prompt 3
Show me how to run ollvm_deobfuscator.py on a sample .so file and interpret the output.
Prompt 4
Compare the four obfuscation types this tool supports and how each is detected.

Frequently asked questions

What is ollvm_deobfuscator?

A command line tool that automatically reverses OLLVM code obfuscation in ARM64 Android shared libraries.

What language is ollvm_deobfuscator written in?

Mainly Python. The stack also includes Python, Unicorn, Capstone.

What license does ollvm_deobfuscator use?

The author states it is intended only for learning and research use, not for other purposes.

How hard is ollvm_deobfuscator to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is ollvm_deobfuscator for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.