Cable Forum

Cable Forum (https://www.cableforum.uk/board/index.php)
-   Security & Virus Discussion (https://www.cableforum.uk/board/forumdisplay.php?f=38)
-   -   Binary Ninja (https://www.cableforum.uk/board/showthread.php?t=33705479)

Ignitionnet 05-10-2017 21:33

Binary Ninja
 
Anyone used this software?

https://binary.ninja/

The demo was a pleasure to use and this could save me a bunch of time, just trying to collect experiences from people before I lay down the cash.

Qtx 09-10-2017 00:33

Re: Binary Ninja
 
Guess it depends on what you want to reverse or decompile. Binary Ninja is picking up traction due to it's nice interface and mostly price.

Radare2 and IDA with plugins covers more file formats and architectures. If you only need to reverse exe's and the basic stuff, then Binary Ninja should be fine.

With IDA being the industry standard you will likely get much better community support with it. Something else to consider.

A slightly biased comparison chart but you are only really interesting in the first few tables anyway: http://rada.re/r/cmp.html

Chinese hackers crowd fund buying expensive tools and a recent spat where 40 people put in to the pot for IDA 7 for mac/windows and most it's plugins ended up with a few of the group trying to sell the software to recoup some money. The others got upset over this and released it to all for free. So if you search for 'IDA 7 Leak', you would come across this leak. Just another avenue if you considered comparing :)

Ignitionnet 24-10-2017 10:07

Re: Binary Ninja
 
This is now sorted.

Anyone know how to understand these opcodes?

Qtx 07-11-2017 13:08

Re: Binary Ninja
 
Code:

section .data
text: db "Here be demons...I mean, here is where the fun starts Ignition", 0x0A
len: equ $-text

section .text
    global _start

_start:
    push 0

    loop:
        mov eax, 4
        mov ebx, 1
        mov ecx, text
        mov edx, len
        int 0x80

        inc dword [esp]
        cmp dword [esp], 500
        jl loop

    pop edx
    mov eax, 1
    mov ebx, 0
    int 0x80


Paul 07-11-2017 14:45

Re: Binary Ninja
 
Quote:

Originally Posted by Ignitionnet (Post 35921653)
Anyone know how to understand these opcodes?

I used to program in 6502 op code (many years ago now).

Its not that hard to do (or follow) once you have a lookup of what all the codes actually do.
(which is mostly just moving data from memory to registers and back again).

Qtx 07-11-2017 16:48

Re: Binary Ninja
 
Quote:

Originally Posted by Paul M (Post 35923617)
(which is mostly just moving data from memory to registers and back again).

mov (%ebx), %eax = Load 4 bytes from the memory address in EBX into EAX.

The ebx and eax type codes are registers and memory addresses.

If you are de-compiling malware you want to watch for the code jumping to memory locations (jmp) and if the commands are changing registers or data at the locations, via mov or push type codes. You can tell the type of register by the e** code. Very simplified and probably worded wrong :P

heero_yuy 07-11-2017 19:44

Re: Binary Ninja
 
Wow, takes me back to breaking dongle protected code. Just locate all the program points that called INT21: Exit to DOS services. Backtrack a bit and find the test for leave or stay. Patched to stay and try each one. Job done. ;)


All times are GMT +1. The time now is 10:49.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.