Hey Miunasu. Interesting case. At first, unflattening usually doesn't work as intended because opaque predicates are used to break the flattening control value calculation by the microcode optimizer. Just solve the opaque predicates and everything will be OK.
As for the proc at 0x10014EE0, try to replace these small proc calls with inlined code using something like "Magic" call replacement or FunctionInliner. Then try to remove the predicates with gooMBA or d810.
In any case, this has no simple solution and requires sufficient time for additional research. Good luck.


Can't unflatten
I tried Alt+F5, but the context menu still doesn't have the unflattening option.
Examples: 0x10014EE0, 0x10045234
OS: Windows 11
IDA: IDA 9.1 Pro
hrt: hrtng-3.7.69
The malware has been uploaded to VT.
hash:0b1e94529ac4422cd8693f7e8ef6d098a6539deee323c0430f50607eca811f43