lich4/awesome-ollvm

List of (truly) awesome Obfuscator-LLVMs and IDA deobfuscation plugins

List of awesome OLLVM

Obfuscator

https://github.com/obfuscator-llvm/obfuscator

The earliest public Obfuscator-LLVM implementation; supports LLVM 3.3~4.0. Features:

  • Instructions Substitution
  • Bogus Control Flow
  • Control Flow Flattening

Hikari

https://github.com/HikariObfuscator/Hikari

Hikari, supports LLVM 6~8. Features (in addition to Obfuscator):

  • Anti Class Dump
  • Function Call Obfuscate
  • Function Wrapper
  • Indirect Branching
  • Split Basic Block
  • String Encryption

https://github.com/61bcdefg/Hikari-LLVM15

Hikari-LLVM15, based on Hikari, supports LLVM 15~19, currently closed-source. Features (in addition to Hikari):

  • Anti Debugging
  • Anti Hook
  • Constant Encryption

goron

https://github.com/amimo/goron

goron, supports LLVM 7~10. Features (in addition to Obfuscator):

  • Indirect Branch
  • Indirect Call
  • Indirect GlobalVariable

https://github.com/KomiMoe/Arkari

Arkari, based on goron, supports LLVM 14~newest.

⚠️ Note: Goron-style (Goron/Arkari) indirect branch/call/global-variable obfuscation can be easily deobfuscated by marking the data segment read-only.

Pluto

https://github.com/bluesadi/Pluto

Pluto, supports LLVM 14. Features (in addition to Obfuscator):

  • MBA Obfuscation
  • Random Control Flow
  • Split Basic Block
  • Trap Angr

https://github.com/za233/Polaris-Obfuscator

Polaris (formerly Pluto), supports LLVM 16. Features (in addition to Obfuscator):

  • Alias Access
  • Indirect Branch
  • Indirect Call
  • String Encryption
  • Merge Function
  • Linear MBA
  • Dirty Bytes Insertion (MIR level)
  • Function Splitting (MIR level)
  • Junk Instruction Insertion (MIR level)
  • Instruction Substitution (MIR level)

O-MVLL

O-MVLL is an LLVM-based obfuscator driven by Python and the LLVM pass manager. Features (in addition to Obfuscator):

  • Anti Hooking
  • Arithmetic Obfuscation (MBA Obfuscation)
  • Basic Block Duplicate
  • Control Flow Breaking
  • Function Outline (Function Wrapper)
  • Indirect Branch
  • Indirect Call
  • Opaque Constants (Constant Encryption)

VMP

List of awesome IDA deobfuscation plugins

AI

  • aiDAPal. Use a locally running LLM that has been fine-tuned for Hex-Rays pseudocode to assist with code analysis.
  • Gepetto. Query language models to speed up reverse-engineering.
  • ida-pro-mcp. AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
  • WPeChatGPT. Analyze binary file, based on commonly used AI big models such as OpenAI and DeepSeek.

Other useful repositories:

  • GhidraMCP. MCP Server for Ghidra.
  • LLM4Decompile. Reverse Engineering: Decompiling Binary Code with Large Language Models.

Ctree

  • herast. Framework to automate working with AST in IDA Pro.
  • HexRaysCodeXplorer. Hex-Rays Decompiler plugin for better code navigation.
  • HexraysToolbox. Find code patterns within the Hexrays ctree.
  • HrDevHelper. HexRays ctree visualization plugin.
  • strikeout. A Hex-Rays decompiler plugin to patch the Ctree.

Decryption

  • AntiXorstr. This plugin is used to recover Xorstr.
  • xorstr-decrypt. Attempts to decrypt JM Xorstr in some x64 binaries.

Lifting

  • HyRES. HyRES is an innovative hybrid reasoning technique that combines static analysis, large language models (LLMs), and heuristic methods to recover data structures from stripped binaries.
  • IDA2LLVM. Lifting microcode (IDA IR) into LLVM IR.
  • IDA2LLVM. Dynamic Binary Lifting IDA code to LLVM IR.

Other useful repositories:

  • Anvill. anvill forges beautiful LLVM bitcode out of raw machine code.
  • Llvm-mctoll. This tool statically (AOT) translates (or raises) binaries to LLVM IR.
  • McSema. Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode.
  • Miasm. Reverse engineering framework in Python.
  • Rellume. Lift machine code to performant LLVM IR.
  • RetDec. RetDec is a retargetable machine-code decompiler based on LLVM.
  • rev.ng. The rev.ng binary analysis framework and decompiler.

MBA

  • D-810. Deobfuscate code at decompilation time by modifying IDA Pro microcode.
  • gooMBA. Simplify Mixed Boolean-Arithmetic (MBA) expressions.

Other useful repositories:

  • GAMBA. Simplification of General Mixed Boolean-Arithmetic Expressions.
  • POCKET. Mixed Boolean Arithmetic Expression Obfuscator.
  • SiMBA. Efficient Deobfuscation of Linear Mixed Boolean-Arithmetic Expressions.
  • sspam. Symbolic Simplification with PAttern Matching.

Microcode

  • genmc. Display Hex-Rays Microcode.
  • Lucid. An Interactive Hex-Rays Microcode Explorer.

OLLVM

  • AntiOllvm. AntiOllvm Fla with Fake Runtime.
  • D-810. Deobfuscate code at decompilation time by modifying IDA Pro microcode.
  • HexRaysDeob. A plugin for breaking an obfuscating compiler.
  • hrtng. IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition and various pseudocode transformations.
  • MODeflattener. MODeflattener deobfuscates control flow flattened functions obfuscated by OLLVM using Miasm.
  • ObfDetect. IDA plugin to pinpoint obfuscated code.
  • obpo-plugin. An OLLVM-CFF Deobfuscation Plugin.
  • ollvm-unflattener. Obfuscator-llvm Control Flow Flattening Deobfuscator.
  • Stadeo. Control-flow-flattening and string deobfuscator.

VMP

  • NoVmpy. Proof of concept, IDA integration of a static devirtualizer for VMProtect x64 3.x, powered by VTIL.
  • VMAttack. Use additional analysis features designed to counter virtualization-based obfuscation.
