Binary Ninja Blog

In this blog post, I will explain how I reverse engineered a Cobalt Strike dropper and obtained its payload. The payload is a custom executable file format based on DLL. The dropper decrypts, loads, and executes the payload. Initially, I thought this must not be a PE executable at all, but I gradually realized it was. Much of the effort was spent on fixing the file so it could be loaded by Binary Ninja for further analysis.

Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse.

Not everything in a function is equally important. Sometimes, especially with large functions, you want a way to hide all that extra conditional cruft so you can focus on just the execution path that matters to you. Enter Tantō: a brand-new official plugin for Binary Ninja that splits functions into smaller chunks (or “slices”) to help you understand functions faster.

Are you ready for the next stable Binary Ninja release? 3.1 is live today and contains many major improvements:

• Better Performance
• Non-Commercial Multithreading
• Clang Type Parser
• New Windows Types
• Native Debugger
• Logging System
• Enterprise API

If you were expecting 3.1 to be the “Windows” update, we were too as that was the original plan! However, given the scope of major new features, we split the original release plan into two halves. While many Windows improvements are indeed coming in 3.1, others are now planned for 3.2, the new “Windows” release.

The last time we did a State of the Ninja post was slightly over 2 years ago. Coronavirus was hitting record highs, the world was in lockdown, the episode number was 13… They were trying times to be sure. It was also right before our 2.0 release that included HLIL. Pretty crazy how far we’ve come in such a short span of time, right?

Today, we’re about 3 months past our release of Binary Ninja 3.0. That version came with a huge amount of new features for everyone to play with like:

• A fresh, new UI
• Decompilation to ‘Pseudo C’
• New stack and variable views
• The preliminary release of Workflows

…and a whole bunch of other cool stuff like various API improvements, native builds for the M1 chip, and offline updates for our Enterprise customers.

But, that was 3 months ago. Today, I want to talk about what we’ve been working on since. We’re releasing 3.1 in the next month or so, but some of these features are already done and shipped in our development builds for you to try today.

We are well aware that analyzing large binaries in Binary Ninja right now can use a significant amount of memory. So, as we develop what will become our next release, 3.1, we are focusing on improving performance across the board. As a preliminary step, all Binary Ninja development builds starting from 3.0.3306-dev now include some of these memory usage and performance optimizations.

If you would like to check out these changes and help us test them, you can change your update channel in Preferences -> Update Channel… within Binary Ninja. Just set it to the “Binary Ninja development build” channel, select a version greater than or equal to 3.0.3306-dev, and click “Done”. Once Binary Ninja has downloaded the new version, click the green arrow in the bottom-left corner and Binary Ninja will restart and apply the new update.

We’re excited to announce Binary Ninja 3.0 is live today! Most of our stable releases have been quarterly, but this 3.0 release took over six months, and this list of improvements really justifies it.

So what has this wait brought you? Here’s our top eight favorite (with many more below).

• Fresh UI
• Pseudo C
• API Improvements
• Stack and Variable Views
• Workflows
• Enterprise: Offline Updates
• Function Parameter Detection
• M1 Native

In fact, this release is so chock full of good stuff that five of the top nine all-time most up-voted features are shipping in this release! (Related: go up-vote your favorites for upcoming releases.)

In the first installment of this series, we got a Z80 architecture up and running with disassembly and control graphs. In this second installment, we’ll add lifting and discuss Binary Ninja’s intermediate languages.

We are so happy to announce the release of our long awaited Binary Ninja Enterprise product. Throughout my 17-year reverse engineering and vulnerability research career I’ve wanted a way to collaborate with my teammates and coworkers. We tried many open source solutions which would eventually get out of sync or corrupt our database. We even wrote our own solution thinking, “We’re not going to make the same mistakes all those other schmucks made!” Only after months of wasted effort did we realize how difficult the problem was and that the platform we were trying to implement collaboration with was very deeply incapable of supporting such a feature.

When we started developing Binary Ninja in 2015 we knew at a fundamental level that we needed the product to be able to support collaboration. This goal influenced many of the design decisions throughout our development. Finally, two years ago (almost to the day), we committed the first lines of code on the product that we’re releasing today. We’re so proud of the product our engineers created, especially Glenn and Josh who saw our vision through.

As we kick off this year’s Reverse Engineering Survey (don’t forget to submit before October 7 to be eligible for the prizes), we wanted to spend some time digging into last year’s results and showing some of what we learned. And surprisingly, that includes the question of exactly how humble are reverse engineers! In total, our 2020 survey had 582 responses, of which 52% were Binary Ninja users. That’s not surprising since people likely to hear about the survey are necessarily more likely to already be Binary Ninja users.

Given that, this is definitely a biased sample of the total set of reverse engineers so make sure to take that in mind when considering the results.