05-10-2017, 20:33
|
#1
|
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 47
Posts: 13,995
|
Binary Ninja
Anyone used this software?
https://binary.ninja/
The demo was a pleasure to use and this could save me a bunch of time, just trying to collect experiences from people before I lay down the cash.
|
|
|
08-10-2017, 23:33
|
#2
|
CF's Worst Nightmare
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
|
Re: Binary Ninja
Guess it depends on what you want to reverse or decompile. Binary Ninja is picking up traction due to its nice interface and mostly price.
Radare2 and IDA with plugins cover more file formats and architectures. If you only need to reverse exe's and the basic stuff, then Binary Ninja should be fine.
With IDA being the industry standard you will likely get much better community support with it. Something else to consider.
A slightly biased comparison chart but you are only really interested in the first few tables anyway: http://rada.re/r/cmp.html
Chinese hackers crowdfund buying expensive tools, and a recent spat where 40 people put into the pot for IDA 7 for mac/windows and most of its plugins ended up with a few of the group trying to sell the software to recoup some money. The others got upset over this and released it to all for free. So if you search for 'IDA 7 Leak', you would come across this leak. Just another avenue if you considered comparing.
|
|
|
24-10-2017, 09:07
|
#3
|
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 47
Posts: 13,995
|
Re: Binary Ninja
This is now sorted.
Anyone know how to understand these opcodes?
|
|
|
07-11-2017, 12:08
|
#4
|
CF's Worst Nightmare
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
|
Re: Binary Ninja
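Code:
; 32-bit Linux, NASM syntax: write the string to stdout 500 times, then exit(0)
section .data
text: db "Here be demons...I mean, here is where the fun starts Ignition", 0x0A
len: equ $-text              ; string length in bytes, including the newline

section .text
global _start
_start:
    push 0                   ; loop counter kept on the stack at [esp]
print_loop:                  ; renamed: "loop" is an x86 instruction mnemonic
    mov eax, 4               ; syscall number 4 = write
    mov ebx, 1               ; file descriptor 1 = stdout
    mov ecx, text            ; pointer to the buffer
    mov edx, len             ; number of bytes to write
    int 0x80                 ; call the kernel
    inc dword [esp]          ; counter += 1
    cmp dword [esp], 500
    jl print_loop            ; repeat while counter < 500
    pop edx                  ; discard the counter
    mov eax, 1               ; syscall number 1 = exit
    mov ebx, 0               ; exit status 0
    int 0x80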
|
|
|
07-11-2017, 13:45
|
#5
|
Dr Pepper Addict
Cable Forum Team
Join Date: Oct 2003
Location: Nottingham
Age: 62
Services: Aquiss FTTP (900M), Sky Q TV, Sky Mobile, Flextel SIP
Posts: 29,602
|
Re: Binary Ninja
Quote:
Originally Posted by Ignitionnet
Anyone know how to understand these opcodes?
|
I used to program in 6502 op code (many years ago now).
It's not that hard to do (or follow) once you have a lookup of what all the codes actually do.
(which is mostly just moving data from memory to registers and back again).
__________________
Baby, I was born this way.
|
|
|
07-11-2017, 15:48
|
#6
|
CF's Worst Nightmare
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
|
Re: Binary Ninja
Quote:
Originally Posted by Paul M
(which is mostly just moving data from memory to registers and back again).
|
mov (%ebx), %eax = Load 4 bytes from the memory address in EBX into EAX.
The ebx and eax type codes are registers and memory addresses.
If you are de-compiling malware you want to watch for the code jumping to memory locations (jmp) and if the commands are changing registers or data at the locations, via mov or push type codes. You can tell the type of register by the e** code. Very simplified and probably worded wrong :P
|
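Added example, not part of any post in this thread: the "lookup of what all the codes do" from post #5, applied to the machine code of the routine in post #4. The bytes are hand-assembled for illustration, `TEXT_ADDR` is an assumed address for the `text` label, and the decoder knows only the opcodes that routine uses.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Constructed sample: hand-assembled bytes for the routine in post #4.
# TEXT_ADDR is an assumed address for the 'text' label, not from the thread.
TEXT_ADDR = 0x0804A000
TEXT_LEN = len("Here be demons...I mean, here is where the fun starts Ignition") + 1
CODE = b"".join([
    b"\x6a\x00",                               # push 0
    b"\xb8\x04\x00\x00\x00",                   # mov eax, 4
    b"\xbb\x01\x00\x00\x00",                   # mov ebx, 1
    b"\xb9" + struct.pack("<I", TEXT_ADDR),    # mov ecx, text
    b"\xba" + struct.pack("<I", TEXT_LEN),     # mov edx, len
    b"\xcd\x80",                               # int 0x80
    b"\xff\x04\x24",                           # inc dword [esp]
    b"\x81\x3c\x24\xf4\x01\x00\x00",           # cmp dword [esp], 500
    b"\x7c\xde",                               # jl -34 (back to offset 2)
    b"\x5a",                                   # pop edx
    b"\xb8\x01\x00\x00\x00",                   # mov eax, 1
    b"\xbb\x00\x00\x00\x00",                   # mov ebx, 0
    b"\xcd\x80",                               # int 0x80
])

def decode(code, base=0):
    """Return [(address, text)]; unknown or truncated bytes are emitted as 'db'."""
    out, i = [], 0
    while i < len(code):
        op, rest = code[i], code[i + 1:]
        n, text = 1, f"db {op:#04x}"             # default when no rule matches
        try:
            if op == 0x6A:                       # push imm8 (signed)
                n, text = 2, f"push {struct.unpack_from('b', rest)[0]}"
            elif 0xB8 <= op <= 0xBF:             # mov r32, imm32; register in low 3 bits
                n, text = 5, f"mov {REG32[op - 0xB8]}, {struct.unpack_from('<I', rest)[0]:#x}"
            elif 0x58 <= op <= 0x5F:             # pop r32
                n, text = 1, f"pop {REG32[op - 0x58]}"
            elif op == 0xCD:                     # int imm8
                n, text = 2, f"int {rest[0]:#x}"
            elif op == 0x7C:                     # jl rel8, relative to the next instruction
                n, text = 2, f"jl {base + i + 2 + struct.unpack_from('b', rest)[0]:#x}"
            elif op == 0xFF and rest[:2] == b"\x04\x24":   # FF /0, ModRM+SIB = [esp]
                n, text = 3, "inc dword [esp]"
            elif op == 0x81 and rest[:2] == b"\x3c\x24":   # 81 /7 imm32, [esp]
                n, text = 7, f"cmp dword [esp], {struct.unpack_from('<I', rest, 2)[0]}"
        except (struct.error, IndexError):
            pass                                 # operand cut short: keep the db fallback
        out.append((base + i, text))
        i += n
    return out
```

Calling `decode(CODE)` returns the thirteen instructions with their offsets; the `jl` target is printed as an absolute address, so the backward branch to offset 2 is visible directly.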
|
|
07-11-2017, 18:44
|
#7
|
Perfect Soldier
Join Date: Mar 2009
Location: Worthing West Sussex
Age: 68
Services: VM 500M SH3 thingy
in modem mode
XL TV V6 Sony Bravia smart TV and M phone
Posts: 11,198
|
Re: Binary Ninja
Wow, takes me back to breaking dongle protected code. Just locate all the program points that called INT21: Exit to DOS services. Backtrack a bit and find the test for leave or stay. Patched to stay and try each one. Job done.
__________________
History is much like an endless waltz: The three beats of war, peace and revolution continue on forever.
However history will change with my coronation - Mariemaia Khushrenada
|
|
|