There's some other cool tricks you can do, where you symbolically execute using angr or another emulator such as https://github.com/cea-sec/miasm to be able to use control flow graph unflattening. You can also use Intel's PIN framework to do some interesting analysis. Some helpful articles here:

- https://calwa.re/reversing/obfuscation/binary-deobfuscation-...

- https://www.nccgroup.com/us/research-blog/a-look-at-some-rea...