Sam Russell · www.lodsb.com · Oct 30, 2023
Binary Ninja Workflows: Fixing branch obfuscation
If you've been reversing x86/x64 for a while then you will have definitely come across functions that end like this: We know two things here: the RET/RETN opcode in x86/x64 pops the stack and jumps to that address; the PUSH before the return here i...
Tag: reverse engineering
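The teaser above describes the classic `push imm32; ret` branch obfuscation: the pushed immediate becomes the "return address", so the pair is really an unconditional jump. The following is an added example (not code from the post or from Binary Ninja) that scans a byte buffer for that pattern, recovers the real target, and patches the pair in place to an equivalent `jmp rel32; nop` of the same length. The sample bytes, base address and the 64-bit sign-extension handling are assumptions made here for illustration.

```python
import struct

# Opcode bytes for the pattern the post describes and for the replacement.
PUSH_IMM32 = 0x68   # push imm32 (sign-extended to 64 bits in long mode)
RET = 0xC3          # ret
JMP_REL32 = 0xE9    # jmp rel32
NOP = 0x90


def find_push_ret(code: bytes, base: int = 0, bits: int = 64):
    """Return [(address, target), ...] for every `push imm32; ret` pair in `code`.

    `base` is the virtual address of code[0]. The immediate is decoded as a
    signed 32-bit value and then masked to the address width, because in
    64-bit mode `push imm32` sign-extends before `ret` pops it as the return
    address. This is a linear byte scan, so it can misfire on data or on a
    0x68 byte that sits inside a longer instruction; an instruction-aware
    pass over a disassembler's IL avoids that.
    """
    mask = (1 << bits) - 1
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RET:
            (imm,) = struct.unpack_from("<i", code, i + 1)
            hits.append((base + i, imm & mask))
            i += 6
        else:
            i += 1
    return hits


def patch_push_ret(code: bytes, base: int = 0, bits: int = 64) -> bytes:
    """Rewrite each 6-byte `push imm32; ret` as the 6-byte `jmp rel32; nop`.

    Same length, so nothing else in the buffer moves. The displacement is
    relative to the end of the 5-byte jmp; targets outside rel32 range are
    left untouched so the caller can handle them another way.
    """
    buf = bytearray(code)
    for addr, target in find_push_ret(code, base, bits):
        idx = addr - base
        rel = target - (addr + 5)
        if not -0x80000000 <= rel <= 0x7FFFFFFF:
            continue
        buf[idx] = JMP_REL32
        struct.pack_into("<i", buf, idx + 1, rel)
        buf[idx + 5] = NOP
    return bytes(buf)


# Constructed sample: two nops, then `push 0x1234; ret`, mapped at 0x1000.
SAMPLE_BASE = 0x1000
SAMPLE_CODE = bytes([0x90, 0x90, 0x68, 0x34, 0x12, 0x00, 0x00, 0xC3])

if __name__ == "__main__":
    for addr, target in find_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{addr:#x}: push/ret -> jmp {target:#x}")
    print(patch_push_ret(SAMPLE_CODE, SAMPLE_BASE).hex())
```

Patching to a same-size `jmp` is what lets a disassembler's analysis continue past the fake `ret` and rebuild the function's real control flow; the `bits` parameter matters because a pushed `0xFFFFFFFF` lands at the top of the 64-bit address space in long mode, not at `0xFFFFFFFF`.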
Sam Russell · www.lodsb.com · Aug 18, 2023
Control Flow Flattening: How to build your own
I was really really excited when Open Obfuscator was launched. I've enjoyed the challenges that application obfuscation has given us over the years, and it was fun to find a well documented and open source obfuscator that we could play with and try ...
Tag: reverse engineering
Sam Russell · www.lodsb.com · Aug 3, 2023
Removing Control Flow Flattening with Binary Ninja
If you've been reversing for a while then eventually you'll come up against a control flow graph that looks like this: This is a simple toy app hosted at https://github.com/samrussell/cff_playground if you feel like following along at home. The plug...
Tag: reverse engineering
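The two posts above cover both directions of control flow flattening: building it and removing it. As an added example that is not code from either post, from Open Obfuscator or from the cff_playground repository, the toy below represents a function as basic blocks with ordinary terminators, flattens it into a dispatcher keyed by a state variable, runs both forms to show they compute the same thing, and then recovers the original edges by reading each block's writes to the state variable back out. The IR, the state-id assignment and the sample loop are all assumptions made here; in a real binary the "select" case usually compiles to two separate assignments or a cmov, and finding them is the hard part the Binary Ninja plugin handles.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Env = Dict[str, int]
Stmt = Callable[[Env], None]   # one side-effecting statement
Cond = Callable[[Env], bool]   # a branch condition


@dataclass
class Block:
    stmts: List[Stmt]
    term: Tuple   # ("jmp", target) | ("br", cond, target_true, target_false) | ("ret",)


CFG = Dict[str, Block]


def run_cfg(cfg: CFG, entry: str, env: Env) -> Env:
    """Execute an ordinary CFG by following block terminators."""
    cur = entry
    while True:
        blk = cfg[cur]
        for s in blk.stmts:
            s(env)
        t = blk.term
        if t[0] == "ret":
            return env
        cur = t[1] if t[0] == "jmp" else (t[2] if t[1](env) else t[3])


EXIT = -1


@dataclass
class Flat:
    """Flattened form: every block hangs off one dispatcher keyed by `state`.

    Successor rules: ("const", s) for an unconditional edge,
    ("select", cond, s_true, s_false) for a conditional edge, ("exit",) for ret.
    """
    entry: int
    blocks: Dict[int, Tuple[List[Stmt], Tuple]]


def flatten(cfg: CFG, entry: str) -> Flat:
    """Control flow flattening: replace every edge with a write to `state`."""
    ids = {name: 0x1000 + 0x10 * i for i, name in enumerate(cfg)}  # constructed ids
    blocks = {}
    for name, blk in cfg.items():
        t = blk.term
        if t[0] == "jmp":
            rule = ("const", ids[t[1]])
        elif t[0] == "br":
            rule = ("select", t[1], ids[t[2]], ids[t[3]])
        else:
            rule = ("exit",)
        blocks[ids[name]] = (blk.stmts, rule)
    return Flat(ids[entry], blocks)


def run_flat(f: Flat, env: Env) -> Env:
    """The dispatcher loop an obfuscator emits: switch (state) forever."""
    state = f.entry
    while state != EXIT:
        stmts, rule = f.blocks[state]
        for s in stmts:
            s(env)
        if rule[0] == "const":
            state = rule[1]
        elif rule[0] == "select":
            state = rule[2] if rule[1](env) else rule[3]
        else:
            state = EXIT
    return env


def recover_edges(f: Flat) -> Dict[int, List[int]]:
    """Deflattening step: turn each block's writes to `state` back into CFG edges."""
    edges = {}
    for state, (_, rule) in f.blocks.items():
        if rule[0] == "const":
            edges[state] = [rule[1]]
        elif rule[0] == "select":
            edges[state] = [rule[2], rule[3]]
        else:
            edges[state] = []
    return edges


# Constructed sample: acc = 0 + 1 + ... + (n - 1), written as four basic blocks.
SUM_CFG: CFG = {
    "entry": Block([lambda e: e.update(i=0, acc=0)], ("jmp", "loop")),
    "loop": Block([], ("br", lambda e: e["i"] < e["n"], "body", "done")),
    "body": Block([lambda e: e.update(acc=e["acc"] + e["i"], i=e["i"] + 1)], ("jmp", "loop")),
    "done": Block([], ("ret",)),
}


def sum_plain(n: int) -> int:
    return run_cfg(SUM_CFG, "entry", {"n": n})["acc"]


def sum_flattened(n: int) -> int:
    return run_flat(flatten(SUM_CFG, "entry"), {"n": n})["acc"]


if __name__ == "__main__":
    print(sum_plain(5), sum_flattened(5))
    print({hex(k): [hex(x) for x in v] for k, v in recover_edges(flatten(SUM_CFG, "entry")).items()})
```

Once the edges are back, every block's successor is known again and the dispatcher block can be dropped; the remaining work in a real binary is identifying which variable is `state` and which constants are written to it, which is why the plugin leans on the lifted IL rather than on raw disassembly.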
Sam Russell · www.lodsb.com · Nov 18, 2022
Extracting VMProtect handlers with Binary Ninja
I've started looking into the Adylkuzz malware, as mentioned by Tim Blazytko in his article on Automated Detection of Obfuscated Code. Initial analysis shows a TLS entry handler that dumps us straight into a VMProtect VMEnter() function, that looks l...
Tag: General Programming
Sam Russell · www.lodsb.com · Nov 11, 2022
Bulk populating encrypted import tables in Binary Ninja
Hashing function names slows down reversers. It's common for packed and otherwise obfuscated binaries to effectively use their own shellcode to populate the imports that they plan to use. This does two things: It hides imports from the reverser that...
Tag: binary ninja
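The teaser above is about import resolution by name hash: the binary carries 32-bit constants instead of strings and walks export tables at runtime comparing hashes. The bulk answer is to precompute the hash of every export name the sample could want and look the constants up. The following is an added example, not code from the post or the Binary Ninja API: the ROR-13 routine is a constructed stand-in (the real routine must be lifted from the sample's own resolver), and the export list and the "hashes found in the binary" are constructed inputs.

```python
from typing import Callable, Dict, Iterable, List, Optional

# Constructed example hash, not the routine from any specific sample:
# rotate-right-13 accumulate over the ASCII bytes of the export name.
def ror13_hash(name: str) -> int:
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Iterable[str],
                     hashfn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Precompute hash -> name over every export the sample might resolve.

    A collision between two different names would make a lookup ambiguous,
    so it is treated as an error rather than silently overwritten.
    """
    table: Dict[int, str] = {}
    for name in exports:
        h = hashfn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_hashed_imports(hashes: Iterable[int],
                           table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map the constants pulled from the resolver's call sites back to names.

    Unknown hashes map to None and are kept so they can be triaged: either the
    export lives in a DLL not yet in the table, or the sample uses a different
    hash routine (or a different case-folding of the name) than assumed.
    """
    return {h: table.get(h) for h in hashes}


def unresolved(resolved: Dict[int, Optional[str]]) -> List[int]:
    return [h for h, name in resolved.items() if name is None]


# Constructed export list standing in for a dump of kernel32's export table.
EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
           "CreateFileW", "WriteFile", "ExitProcess"]

# Constructed "constants found in the binary": two real hashes plus one junk value.
SAMPLE_HASHES = [ror13_hash("VirtualAlloc"), ror13_hash("CreateFileW"), 0xDEADBEEF]

if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    resolved = resolve_hashed_imports(SAMPLE_HASHES, table)
    for h, name in resolved.items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

In practice the table is built from the export directories of every DLL the sample is known to load, and the resolved names are then written back as symbol names or comments at each call site; the part that differs per sample is only `hashfn`.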
Sam Russell · www.lodsb.com · Oct 27, 2022
Lifting VM based obfuscators in Binary Ninja
Carrying on from the previous article, we can take the first of the Tigress challenges and finesse it so the VM parser shows up nicely as a big switch/case statement and we can unpick what all the VM handlers do. The next step is to translate the VM ...
Tag: software protection
Sam Russell · www.lodsb.com · Jul 15, 2022
Reversing complex jumptables in Binary Ninja
I've recently started reversing some of the Tigress obfuscator challenges, and I decided to use this to test out some of the functionality in Binary Ninja. One of the keys to reversing a virtualization obfuscator is identifying the control loop where...
Tag: General Programming