Abstract:
The Control Flow Flattening obfuscation method replaces the jumps in program code (both conditional and unconditional) with a jump to a dispatcher block, which determines the real control flow. This complicates reverse engineering of the program, because a researcher cannot easily tell which block of code will be executed after another one. In this paper, we propose an algorithm that recovers the original control flow of a given obfuscated program. The algorithm is based on symbolic execution, which helps us find all possible triples $(a_i, x_i, b_i)$, where $a_i$ is the address from which the dispatcher was reached and $x_i$ is the value of the control register at which the jump to address $b_i$ occurs. The set of triples is then converted into a set of patches to the original program. In comparison with other algorithms, this algorithm imposes no restrictions on the structure of the obfuscated functions, and it affects nothing except the control flow.
Keywords: reverse engineering, symbolic execution, obfuscation, control flow flattening.
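The following is an added example, not code from the paper, that illustrates the two steps the abstract describes on a toy model: collecting the triples $(a_i, x_i, b_i)$ and converting them into patches. The flattened function, its block addresses, the dispatcher address and the dispatch table are all constructed for the example. Real symbolic execution of machine code is replaced by a stand-in that enumerates the control-register values each block can hand to the dispatcher (a constant, or one of two constants selected by a predicate); this is the only part that a real implementation would replace with a symbolic execution engine.

```python
"""Toy deflattening: triples (a_i, x_i, b_i) -> patches.  Added example, not the
paper's implementation.  Addresses, blocks and the dispatch table are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

DISPATCHER = 0x1000  # constructed: address of the dispatcher block


@dataclass(frozen=True)
class StateAssign:
    """Block tail: state = value ; jmp DISPATCHER"""
    value: int


@dataclass(frozen=True)
class CondStateAssign:
    """Block tail: state = cond ? if_true : if_false ; jmp DISPATCHER"""
    cond: str
    if_true: int
    if_false: int


@dataclass(frozen=True)
class Block:
    addr: int
    tail: Optional[Union[StateAssign, CondStateAssign]]  # None: block returns


@dataclass(frozen=True)
class Patch:
    """Rewrite of the 'jmp DISPATCHER' at the end of block `addr`."""
    addr: int
    kind: str                          # "jmp" or "jcc"
    target: int
    cond: Optional[str] = None         # only for "jcc"
    fallthrough: Optional[int] = None  # only for "jcc"


# Constructed flattened function (a while loop): every block jumps to DISPATCHER.
FLATTENED: Dict[int, Block] = {
    0x2000: Block(0x2000, StateAssign(1)),                  # prologue
    0x2010: Block(0x2010, CondStateAssign("x > 0", 2, 3)),  # loop header
    0x2020: Block(0x2020, StateAssign(1)),                  # loop body, back to header
    0x2030: Block(0x2030, None),                            # epilogue: ret
    0x2040: Block(0x2040, StateAssign(9)),                  # decoy: value the dispatcher never handles
}

# Constructed dispatcher: control-register value -> target block address.
DISPATCH_TABLE: Dict[int, int] = {1: 0x2010, 2: 0x2020, 3: 0x2030}

Triple = Tuple[int, int, int]  # (a_i, x_i, b_i)


def symbolic_state_values(block: Block) -> List[Tuple[Optional[str], int]]:
    """Stand-in for symbolic execution of one block: every (path condition,
    control-register value) pair the block can pass to the dispatcher."""
    if block.tail is None:
        return []
    if isinstance(block.tail, StateAssign):
        return [(None, block.tail.value)]
    t = block.tail
    return [(t.cond, t.if_true), (f"not ({t.cond})", t.if_false)]


def collect_triples(blocks: Dict[int, Block],
                    table: Dict[int, int]) -> Tuple[List[Triple], List[Tuple[int, int]]]:
    """Return resolved (a_i, x_i, b_i) triples, plus (a_i, x_i) pairs whose state
    value has no dispatcher entry: these must be inspected, not silently dropped."""
    triples, unresolved = [], []
    for a, block in sorted(blocks.items()):
        for _, x in symbolic_state_values(block):
            if x in table:
                triples.append((a, x, table[x]))
            else:
                unresolved.append((a, x))
    return triples, unresolved


def triples_to_patches(blocks: Dict[int, Block], triples: List[Triple]) -> List[Patch]:
    """Group triples by source block and express each group as one direct jump."""
    by_src: Dict[int, Dict[int, int]] = {}
    for a, x, b in triples:
        by_src.setdefault(a, {})[x] = b
    patches = []
    for a, targets in sorted(by_src.items()):
        tail = blocks[a].tail
        if isinstance(tail, CondStateAssign):
            if tail.if_true not in targets or tail.if_false not in targets:
                raise ValueError(f"block {a:#x}: conditional tail only partly resolved")
            patches.append(Patch(a, "jcc", targets[tail.if_true], tail.cond, targets[tail.if_false]))
        else:
            patches.append(Patch(a, "jmp", targets[tail.value]))
    return patches


def recovered_edges(patches: List[Patch]) -> Set[Tuple[int, int]]:
    """CFG edges implied by the patches, i.e. the deflattened control flow."""
    edges = set()
    for p in patches:
        edges.add((p.addr, p.target))
        if p.kind == "jcc":
            edges.add((p.addr, p.fallthrough))
    return edges


if __name__ == "__main__":
    found, leftover = collect_triples(FLATTENED, DISPATCH_TABLE)
    for p in triples_to_patches(FLATTENED, found):
        print(p)
    print("unresolved state values:", [(hex(a), x) for a, x in leftover])
```

The decoy block 0x2040 shows the check worth keeping in any deflattener: a state value that the dispatcher cannot resolve yields no patch, and reporting it separately avoids mistaking an incomplete recovery for a complete one.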