Binary Ninja Blog

Plugin Spotlight: CoolSigMaker

EDITOR’S NOTE: This guest post was brought to you by unknowntrojan, shedding light on one of the lesser-known plugins, coolsigmaker.

A common desire in reverse engineering is to match re-used code across multiple binaries. Whether you’re doing malware lineage tracking, identifying a statically compiled library, or any other use case about identifying similar code, there are multiple technologies that attempt to solve parts of this problem. Other tools for related problems include SigKit (Binary Ninja’s static library detection), IDA’s FLIRT/FLAIR and Lumina features, or even more advanced systems like Diaphora or BinDiff.

Related to those, you might already be familiar with the “SigMaker” style of plugins for various platforms[1] [2] [3]. These plugins generate patterns from code that can be used to find said code across different binaries or find the same function reliably between application updates. This is useful for malware classification and static-library identification among other purposes.

binja_coolsigmaker is just that: a fast and reliable “SigMaker” plugin for Binary Ninja.
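As an added illustration of what such a pattern is and how a SigMaker-style plugin chooses one (this is example code written for this page, not coolsigmaker's implementation): bytes the compiler leaves alone between builds become literal bytes, operands that move between builds (call targets, RIP-relative displacements) become wildcards, and the pattern is grown only until it matches exactly once in the target. The x86-64 sample bytes, the wildcard offsets and the "other build" buffer are constructed by hand for the example; a real plugin takes those positions from the disassembler's operand and relocation data.

```python
"""
SigMaker-style byte signatures, as an added illustration.

This is NOT coolsigmaker's code. It hand-marks which operand bytes are
build-specific (call rel32, RIP-relative disp32); a real plugin derives
those positions from the disassembler's operand and relocation information.
"""
import re
from typing import List, Optional, Sequence, Tuple

Signature = List[Optional[int]]  # byte value, or None for a wildcard


def make_signature(code: bytes, wildcards: Sequence[Tuple[int, int]]) -> Signature:
    """Turn raw bytes into a signature, blanking each (offset, length) span."""
    sig: Signature = list(code)
    for off, length in wildcards:
        for i in range(off, off + length):
            sig[i] = None
    return sig


def to_ida_style(sig: Signature) -> str:
    """Render as the familiar 'E8 ? ? ? ? 48 8B' text form."""
    return " ".join("?" if b is None else f"{b:02X}" for b in sig)


def to_code_style(sig: Signature) -> Tuple[str, str]:
    """Render as pattern + mask ('\\x48\\x89...', 'xx?..') used by C-style scanners."""
    pattern = "".join("\\x00" if b is None else f"\\x{b:02X}" for b in sig)
    mask = "".join("?" if b is None else "x" for b in sig)
    return pattern, mask


def find_all(sig: Signature, haystack: bytes) -> List[int]:
    """Offsets of every (possibly overlapping) occurrence of sig in haystack."""
    body = b"".join(b"." if b is None else re.escape(bytes([b])) for b in sig)
    # Lookahead so overlapping hits are reported; DOTALL so '.' also matches 0x0A.
    return [m.start() for m in re.finditer(b"(?=" + body + b")", haystack, re.DOTALL)]


def shortest_unique_prefix(code: bytes, wildcards: Sequence[Tuple[int, int]],
                           haystack: bytes) -> Optional[Signature]:
    """Grow the signature one byte at a time until it hits exactly once.

    Returns None if even the full function is ambiguous or absent.
    Prefixes ending in a wildcard are skipped: a trailing '?' adds no selectivity.
    """
    full = make_signature(code, wildcards)
    for n in range(1, len(full) + 1):
        prefix = full[:n]
        if prefix[-1] is None:
            continue
        if len(find_all(prefix, haystack)) == 1:
            return prefix
    return None


# --- constructed sample data (not taken from any real binary) ---------------
# x86-64: mov rbp,rsp / sub rsp,0x20 / call rel32 / mov rax,[rip+disp32] /
# add rsp,0x20 / ret. The rel32 and disp32 fields differ between builds.
FUNC_BYTES = bytes.fromhex(
    "4889e5" "4883ec20" "e8" "11223344" "488b05" "55667788" "4883c420" "c3"
)
WILDCARDS = [(8, 4), (15, 4)]  # call rel32 at 8..11, disp32 at 15..18

# A "different build": same code with a different call target and
# displacement, plus a decoy function that shares only the prologue.
_NOPS = b"\x90" * 16
_OTHER_BUILD = bytes.fromhex(
    "4889e5" "4883ec20" "e8" "aabbccdd" "488b05" "eeff0011" "4883c420" "c3"
)
_DECOY = bytes.fromhex("4889e5" "4883ec20" "c3")
HAYSTACK = _NOPS + _DECOY + _NOPS + _OTHER_BUILD + _NOPS  # other build at 40


def demo() -> dict:
    """Build the full signature, scan the other build, and pick a minimal one."""
    full = make_signature(FUNC_BYTES, WILDCARDS)
    minimal = shortest_unique_prefix(FUNC_BYTES, WILDCARDS, HAYSTACK)
    return {
        "full_sig": to_ida_style(full),
        "full_hits": find_all(full, HAYSTACK),
        "prologue_hits": find_all(full[:7], HAYSTACK),  # ambiguous on purpose
        "minimal_sig": to_ida_style(minimal) if minimal else None,
        "minimal_len": len(minimal) if minimal else 0,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows why the prologue alone is a bad signature (it hits both the decoy and the real function) and that eight bytes, ending at the `call` opcode, are enough to be unique in this buffer. Uniqueness is only ever relative to the binary you scanned: a pattern that is unique in one sample can be ambiguous in a larger one, so re-check hit counts after each update rather than trusting an old signature.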

Read more...

Binary Ninja Ultimate

[Image: Binja character getting a powerful upgrade for his prosthetic arm]

Today, we are releasing the newest edition of our flagship product: Binary Ninja Ultimate.

The Ultimate edition includes all of the same features you know and love from Binary Ninja Commercial, but also includes the architectures we’ve been selling separately over our past few releases. This lets us simplify our release pipeline and our pricing at the same time without raising prices for any existing customers. For the next few months, we’ll be selling this edition at a reduced, introductory price as we continue to build out additional features.

Under the hood, Binary Ninja Ultimate is a re-brand of our existing Binary Ninja Enterprise client builds, but with named (instead of floating) licenses. This means all current Enterprise customers will get Ultimate features at no extra cost, and all future Ultimate customers will have the ability to add an Enterprise server at any time.

Some additional clarifications up-front for our existing customers:

  • If you’re a Non-Commercial customer, nothing is changing.
  • If you’re a Commercial customer happy with our existing architecture support, nothing is changing.
  • If you’re an Enterprise customer, you will receive many new architectures for free with your existing licenses!
  • If you had previously purchased a license to nanoMIPS or TriCore (speaking of which, make sure to catch up on our other blog post today with much more detail about our TriCore support), you will receive a free upgrade to Binary Ninja Ultimate.

Read more...

TriCore Architecture

TriCore firmware is important for security researchers since it is found in a wide range of car components. While we originally announced the availability of a separate paid TriCore plugin in our 4.1 release, we have since updated it and are excited to now ship TriCore to all Binary Ninja Ultimate customers! This makes it cheaper, bundles it with our other architectures, and makes getting access easier than ever. If you haven’t heard of Ultimate yet, check out our other announcement from today!

Read more...

Advanced UEFI Analysis with Binary Ninja

The Unified Extensible Firmware Interface (UEFI) is a specification that defines the architecture of the firmware used to boot computers. UEFI firmware contains the first code that runs on most modern PCs and mobile devices, executing at the highest privilege level before the operating system loads. This makes UEFI a fascinating area for reverse engineering.

Let’s delve into some firmware samples and demonstrate how Binary Ninja and our official EFI Resolver plugin can automate the analysis of UEFI binaries. The features highlighted in this blog post represent a culmination of efforts that began prior to the release of Binary Ninja 3.5. This ongoing work includes recent contributions by Zichuan, one of our summer interns!

Read more...

4.1 Release 2

Much like our 4.0 re-release, we are releasing an updated 4.1 with a few additional changes. As always, you can switch to the dev channel to receive these fixes and more, while build 4.1.5902 released today is for those who prefer to stay on stable releases.

Read more...

Sidekick 2.0

It’s been just under 4 months since we officially launched Sidekick 1.0. During that time, we have been busy making improvements and creating new ways to make reversing even easier. All of that hard work has culminated in the release of Sidekick 2.0, which we are pleased to introduce to you today.

We don’t increment major version numbers lightly, and Sidekick has earned this bump with a major new feature that will change the way you reverse engineer in addition to other improvements and fixes.

Not long ago, we gave a sneak preview of the Analysis Workbench (formerly called the Analysis Console) and wrote a blog introducing its concepts in advance of this release. With the Sidekick 2.0 release today, it’s here and ready to save you time and effort.

Read more...

Sidekick in Action: Analyzing Firmware

Sidekick 2.0 introduces a powerful set of features that significantly enhance firmware analysis capabilities. In this post, we’ll demonstrate how Sidekick, in conjunction with the Firmware Ninja plugin (currently in development) for Binary Ninja, can streamline the process of analyzing Memory Mapped I/O (MMIO) in firmware samples.

Read more...

Sidekick in Action: Deobfuscating Strings in Amadey Malware

Sidekick 2.0 includes a set of powerful features that can help you accomplish a variety of tasks. Today, we will be applying several of them to the task of de-obfuscating strings in a malware sample called Amadey.

Amadey, as explained in its Malpedia entry, is a botnet that periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called “tasks”) for all or specifically targeted computers compromised by the malware. This particular sample employs an obfuscation technique that stores the strings referenced by the binary in encrypted form and decrypts them at runtime. This makes it more difficult for analysts to reverse engineer and understand what the malware is doing, and it also hinders static, signature-based detection by anti-virus software, since the plaintext strings never appear in the file on disk.

Big thanks to Josh Reynolds from InvokeRE for giving us the Amadey sample and working with our team to improve Sidekick’s malware analysis while we were working on this post.

Read more...

The Fallback Type Library

New in version 4.1, Binary Ninja now has a fallback type library for libc-like libraries. We showed it briefly in the Binary Ninja 4.1 Feature Stream and also showed one screenshot in our 4.1 announcement blog post.

This post will go into more detail as to what it is, how it works, and how it makes your reverse engineering experience better.

Read more...

4.1 Elysium

[Image: Binja character wearing sci-fi exoskeleton in the style of the movie Elysium]

What a release! Even we were surprised when we started tallying up all the major improvements since 4.0. Even though this is a minor version increment, the list of improvements is huge. It’s hard to pick favorites as we’ve seen major improvements in decompilation quality, multiple new architectures, type library improvements across most of the supported platforms and so many other important new features.

Read more...
