Skip to content

Instantly share code, notes, and snippets.

@0xdevalias

0xdevalias/reverse-engineering-macos.md

Last active April 24, 2026 09:30
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save 0xdevalias/256a8018473839695e8684e37da92c25 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save 0xdevalias/256a8018473839695e8684e37da92c25 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. 0xdevalias revised this gist Apr 10, 2026. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -432,6 +432,11 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    #### WARP
    - https://docs.binary.ninja/guide/warp.html
    - > WARP
    - > Binary Ninja ships a first party plugin for WARP, a format for transferring analysis information including function names, parameter names, and types. The plugin is responsible for matching unique functions in a binary and automatically applying information to the analysis. It also provides the user the ability to select from a set of possible functions when identifying the unique function fails.
    - https://docs.binary.ninja/guide/warp.html#creating-warp-files
    - > Creating WARP Files
    - https://binary.ninja/2025/08/22/warp.html
    - > Get Back To WARP
    - > Since Binary Ninja 4.2, users have been able to enable WARP, and now with Binary Ninja 5.1 we are finally enabling it by default! WARP has received many features users have been asking for, and a healthy amount of polish on top of that as well. In this blog we’ll describe what WARP is, how it works, and how you can use it to improve your reverse engineering experience.
  2. 0xdevalias revised this gist Apr 10, 2026. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -432,6 +432,9 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    #### WARP
    - https://binary.ninja/2025/08/22/warp.html
    - > Get Back To WARP
    - > Since Binary Ninja 4.2, users have been able to enable WARP, and now with Binary Ninja 5.1 we are finally enabling it by default! WARP has received many features users have been asking for, and a healthy amount of polish on top of that as well. In this blog we’ll describe what WARP is, how it works, and how you can use it to improve your reverse engineering experience.
    > - https://binary.ninja/2024/11/20/4.2-frogstar.html#warp-advanced-function-matching-algorithm-alpha
    > - > WARP: Advanced Function Matching Algorithm Alpha
    > > This release features a new way to transfer function information between binaries. Unlike our existing SigKit tool, WARP is meant for whole function matching. This means fewer false positives and more opportunities to match on smaller functions, thanks to WARP’s function constraints.
  3. 0xdevalias revised this gist Apr 10, 2026. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -389,6 +389,8 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Binary Ninja Basics
    - https://www.youtube.com/playlist?list=PLCVV6Y9LmwOhma0VEJDO07uYxFqtEmkrT
    - > Training
    - https://www.youtube.com/watch?v=QmsUmvHOjck
    - > Beginner C++ Reverse Engineering - Binary Ninja Live Stream
    - https://github.com/Vector35/binaryninja-api/wiki/Ninjas-In-Training
    - > Ninjas In Training
    > List of resources for folks beginning their journey into reverse engineering. If appropriate, resources are labelled as B for Beginner, I for Intermediate, and A for Advanced. Feel free to join the slack and hop in the `#ninjas-in-training` channel for specific questions.
  4. 0xdevalias revised this gist Apr 10, 2026. 1 changed file with 37 additions and 0 deletions.
    37 changes: 37 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -136,10 +136,28 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    #### Binary Ninja Blog

    - https://binary.ninja/blog/
    - https://www.youtube.com/watch?v=iD8UidhFbhg
    - > Binary Ninja: 5.3 Feature Stream!
    - https://binary.ninja/2025/12/05/5.2-release-2.html
    - > 5.2 Release 2
    - https://binary.ninja/2025/11/13/binary-ninja-5.2-io.html
    - > Binary Ninja 5.2 (Io)
    - https://www.youtube.com/watch?v=I-IuXV44mps
    - > Binary Ninja: 5.2 Feature Stream!
    - https://binary.ninja/2025/08/14/5.1-release-2.html
    - > 5.1 Release 2
    - https://binary.ninja/2025/07/24/5.1-helion.html
    - > 5.1 Helion
    - https://www.youtube.com/watch?v=UG5PHLJPe_0
    - > Binary Ninja: 5.1 Feature Stream
    - https://binary.ninja/2025/05/23/5.0-release-2.html
    - > 5.0 Release 2
    - https://binary.ninja/2025/04/23/5.0-gallifrey.html
    - > 5.0 Gallifrey
    - https://binary.ninja/2025/04/23/5.0-gallifrey.html#sidekick-31
    - > Sidekick 3.1
    - https://www.youtube.com/watch?v=cVZnGjUT-q4
    - > Binary Ninja: 5.0 Feature Stream
    - https://binary.ninja/2025/02/26/sidekick-3.0.html
    - > Sidekick 3.0
    - https://binary.ninja/2025/02/26/sidekick-in-action-finding-vulnerabilities-in-dnsmasq.html
    @@ -148,28 +166,47 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Sidekick in Action: Analyzing LockBit 3.0
    - https://binary.ninja/2024/11/20/4.2-frogstar.html
    - > 4.2 Frogstar
    - https://www.youtube.com/watch?v=9ONb2LaOt8A
    - > Binary Ninja: 4.2 Feature Stream
    - https://binary.ninja/2024/08/16/4.1-release-2.html
    - > 4.1 Release 2
    - https://binary.ninja/2024/08/12/sidekick-2.0.html
    - > Sidekick 2.0
    - https://binary.ninja/2024/07/17/4.1-elysium.html
    - > 4.1 Elysium
    - https://www.youtube.com/watch?v=IdNFMIQ9roQ
    - > Binary Ninja: 4.1 Feature Stream!
    - https://binary.ninja/2024/05/27/4.0-update.html
    - > 4.0 Update
    - https://binary.ninja/2024/04/18/sidekick-release.html
    - > Sidekick 1.0 Release
    - https://binary.ninja/2024/02/28/4.0-dorsai.html
    - > 4.0: Dorsai
    - https://www.youtube.com/watch?v=4nskle8sMKQ
    - > Binary Ninja: 4.0 Feature stream!
    - https://binary.ninja/2023/09/15/3.5-expanded-universe.html
    - > 3.5: Expanded Universe
    - https://www.youtube.com/watch?v=E2MCx8oQZW8
    - > Binary Ninja Live Stream: August 4 (3.5 Feature Announcement!)
    - https://binary.ninja/2023/05/03/3.4-finally-freed.html
    - > 3.4: Finally Freed
    - https://www.youtube.com/watch?v=lxXj5ih6M3o
    - > Binary Ninja Live Stream: March 31
    - > 3.4 Feature overview stream!
    - https://binary.ninja/2023/01/18/3.3-the-bytes-must-flow.html
    - > 3.3: The Bytes Must Flow
    - https://www.youtube.com/watch?v=0PFjwoFNQCk
    - > Binary Ninja Live Stream: December 16
    - > 3.3 Release Feature Overview!
    - https://binary.ninja/2022/10/28/3.2-released.html
    - > 3.2 Release
    - https://www.youtube.com/watch?v=hZHtQqF7-eg
    - > Binary Ninja Live Stream: October 28
    - > 3.2 Stable release!
    - https://binary.ninja/2022/05/31/3.1-the-performance-release.html
    - > 3.1 The Performance Release
    - https://www.youtube.com/watch?v=a8ATFKBwoQk
    - > Binary Ninja Live Stream: June 3 (3.1 launch!)
    - https://binary.ninja/2022/01/27/3.0-the-next-chapter.html
    - > 3.0 The Next Chapter
    - https://binary.ninja/2023/02/17/hacking-the-binary-ninja-ui-for-fun-and-profit.html
  5. 0xdevalias revised this gist Oct 1, 2025. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -1251,6 +1251,7 @@ be located next to this file.
    - https://gist.github.com/0xdevalias
    - [Reverse Engineering Golang (0xdevalias' gist)](https://gist.github.com/0xdevalias/4e430914124c3fd2c51cb7ac2801acba#reverse-engineering-golang)
    - [Reverse Engineering Java (0xdevalias' gist)](https://gist.github.com/0xdevalias/bda8eb7844a0d1a14f2d9748fcc86a90#reverse-engineering-java)
    - [GitHub Copilot CLI API (0xdevalias' gist)](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#github-copilot-cli-api)
    - [Decompilation Outputs](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#decompilation-outputs)
    - https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts.
  6. 0xdevalias revised this gist Apr 25, 2025. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -136,6 +136,10 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    #### Binary Ninja Blog

    - https://binary.ninja/blog/
    - https://binary.ninja/2025/04/23/5.0-gallifrey.html
    - > 5.0 Gallifrey
    - https://binary.ninja/2025/04/23/5.0-gallifrey.html#sidekick-31
    - > Sidekick 3.1
    - https://binary.ninja/2025/02/26/sidekick-3.0.html
    - > Sidekick 3.0
    - https://binary.ninja/2025/02/26/sidekick-in-action-finding-vulnerabilities-in-dnsmasq.html
  7. 0xdevalias revised this gist Apr 24, 2025. 1 changed file with 19 additions and 0 deletions.
    19 changes: 19 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -75,6 +75,25 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > For a more detailed explanation of what Tantō does, please check out this blog post.
    - https://binary.ninja/2022/06/20/introducing-tanto.html
    - > Introducing Tantō: Slicing Functions for Faster Finds
    - https://binary.ninja/2022/06/20/introducing-tanto.html#potential-uses-and-some-speculation
    - > What I’ve found most interesting, and have been speculating about, is using variable slices like these (though not directly through the UI) in the function fingerprinting space. I’ve long suspected that a dataflow-based approach to fingerprinting might prove to be robust against compiler optimizations and versions, as well as source code changes that don’t completely redefine the implementation of a function. Treating each variable slice as a record of what happens to data within a function, a similarity score for two slices could be generated from the count of matching operations, matching constant interactions (`2 + var_a`), and matching variable interactions (`var_f + var_a`). Considering all slices, a confidence metric could be derived for whether two functions match. Significant research would be required to answer these questions concretely… and, if you could solve subgraph isomorphism at the same time, that’d be great!
    - https://bsky.app/profile/elykdeer.bsky.social
    - https://bsky.app/profile/1ns0mn1h4ck.bsky.social/post/3liypgatkt22x
    - > We’re thrilled to announce Kyle Martin’s session at Insomni’hack 2025: "'A Slice of' Modern Program Analysis".
    - > 🔍 Discover the lineup and book your spot: insomnihack.ch/talks/a-slic...
    - https://insomnihack.ch/talks/a-slice-of-modern-program-analysis/
    - > Talk: "A Slice of" Modern Program Analysis
    > March 14, 13:30 (CAMPUS)
    - > This talk introduces Tanto 2.0: an open-source, binary analysis, slicing framework and plugin for Binary Ninja designed to help discover and verify bugs and vulnerabilities faster than ever before. As government-funded programs and private-sector research continue to encounter increasingly complex problems that require more data and context to solve, slicing aims to cut those problems back down to size.
    - https://bsky.app/profile/binary.ninja/post/3lma74a4aem2n
    - > Kyle's talk at Insomni'Hack is live! youtu.be/I0PoE0IdtmE?...
    > Check it out if you're interested in a slice of modern program analysis and try the latest version of Tanto as well, in the plugin manager or at github.com/Vector35/tanto
    - https://www.youtube.com/watch?v=I0PoE0IdtmE
    - > YouTube: "A Slice Of" Modern Program Analysis - Kyle Martin (50:02)
    - https://github.com/Vector35/tanto#insomnihack-2025-slides
    - > **Insomni'Hack 2025 Slides**
    >
    > [Here are the slides](https://github.com/Vector35/tanto/blob/master/A%20Slice%20of%20Modern%20Program%20Analysis%20-%20Insomni%27hack%202025.pdf) for the talk [@ElykDeer](https://github.com/ElykDeer) gave at Insomni'Hack 2025: ["A Slice of" Modern Program Analysis](https://www.youtube.com/watch?v=I0PoE0IdtmE)
    - https://github.com/fosdickio/binary_ninja_mcp
    - > Binary Ninja MCP
    - > A Binary Ninja plugin containing an MCP server that enables seamless integration with your favorite LLM/MCP client.
  8. 0xdevalias revised this gist Apr 20, 2025. 1 changed file with 151 additions and 46 deletions.
    197 changes: 151 additions & 46 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -7,6 +7,11 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    <!-- TOC start (generated with https://bitdowntoc.derlin.ch/) -->
    - [Reverse Engineering Tools](#reverse-engineering-tools)
    - [Binary Ninja](#binary-ninja)
    - [Binary Ninja Plugins/Themes](#binary-ninja-pluginsthemes)
    - [Binary Ninja Blog](#binary-ninja-blog)
    - [Binary Ninja Docs](#binary-ninja-docs)
    - [Binary Ninja Training](#binary-ninja-training)
    - [Binary Ninja GitHub Issues](#binary-ninja-github-issues)
    - [WARP](#warp)
    - [Ghidra](#ghidra)
    - [Hex-Rays IDA](#hex-rays-ida)
    @@ -42,6 +47,75 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://sidekick.binary.ninja/
    - > Sidekick Makes Reverse Engineering Easy
    > Don't open that binary alone! Take Sidekick, your AI-powered assistant, with you. Sidekick can help answer your questions about the binary, recover structures, name things, describe and comment code, find points of interest, and much more.
    #### Binary Ninja Plugins/Themes

    - https://extensions.binary.ninja/
    - > Binary Ninja Extensions
    - This is the new official site/list.
    - https://zerotistic.github.io/binja-plugins/
    - > Interactive Binja Plugin List
    - This is an older/unofficial site/list.
    - https://github.com/Zerotistic/binja-plugins
    - > Interactive Binja Plugin List
    >
    > _Note: this is heavily inspired by [ida-plugins](https://github.com/vmallet/ida-plugins) from vmallet_
    >
    > This is a comprehensive list of plugins for Binary Ninja that is more interactive, that is, it can be sorted and filtered to help with finding plugins of interest. It also has extra metadata like the language the plugin is written in and an attempt at putting plugins into categories.
    - https://github.com/Vector35/official-plugins
    - > Official Binary Ninja Plugins
    - https://github.com/Vector35/community-plugins
    - > Binary Ninja Community Plugins
    - https://github.com/Vector35/community-themes
    - > Binary Ninja Community Themes
    - Some notable plugins I've stumbled across:
    - https://github.com/Vector35/tanto
    - > Tantō is a plugin for Binary Ninja that slices programs so you can understand them faster.
    - > Tantō slices functions into more consumable chunks
    - > For a more detailed explanation of what Tantō does, please check out this blog post.
    - https://binary.ninja/2022/06/20/introducing-tanto.html
    - > Introducing Tantō: Slicing Functions for Faster Finds
    - https://github.com/fosdickio/binary_ninja_mcp
    - > Binary Ninja MCP
    - > A Binary Ninja plugin containing an MCP server that enables seamless integration with your favorite LLM/MCP client.
    - https://github.com/fosdickio/binary_ninja_mcp#supported-integrations
    - > Supported Integrations
    > The following table details which integrations with Binary Ninja are currently supported.
    - https://github.com/MCPPhalanx/binaryninja-mcp
    - > Another™ MCP Server for Binary Ninja
    > The MCP (Model Context Protocol) Server for Binary Ninja
    - https://github.com/MCPPhalanx/binaryninja-mcp#-but-why-another
    - > ... but why Another?
    > See: Key Differences from the Existing Plugin
    - https://github.com/Vector35/community-plugins/issues/305
    - > **Key Differences from the Existing Plugin**
    >
    > - **Headless Mode Support** – Run headlessly with a simple command: `uvx binaryninja-mcp server file_to_reverse.elf`
    > - **Multi-Binary Loading** – Open and manage multiple binaries simultaneously in both **UI and headless** modes. MCP clients can retrieve a list of opened files.
    > - **Alternative Architectural Design**:
    > - Uses **SSE transport** instead of a handcrafted HTTP server for improved responsiveness.
    > - Implements a built-in **SSE-to-stdio relay**, ensuring compatibility with stdio-transport-only clients like Claude Desktop.
    > - **Configurable via Binary Ninja Settings** – Manage server parameters effortlessly, including listening configurations.
    > - **Packaged as a PyPI Module** – The plugin version is strictly bound to the package version, ensuring consistency across updates.
    > - **Extensive Testing Coverage** – CI pipelines, unit tests, and smoke tests validate reliability.
    > - **Minimal Setup Required** – Configure MCP clients with one single command: `uvx binaryninja-mcp client`
    - https://github.com/mrphrazer/reverser_ai
    - > ReverserAI
    - > Provides automated reverse engineering assistance through the use of local large language models (LLMs) on consumer hardware.
    - > ReverserAI is a research project designed to automate and enhance reverse engineering tasks through the use of locally-hosted large language models (LLMs). Operating entirely offline, this initial release features the automatic suggestion of high-level, semantically meaningful function names derived from decompiler output. ReverserAI is provided as a Binary Ninja plugin; however, its architecture is designed to be extended to other reverse engineering platforms such as IDA and Ghidra.
    - https://github.com/WhatTheFuzz/binaryninja-openai
    - > BinaryNinja-OpenAI
    - > Integrates OpenAI with BinaryNinja via a plugin.
    - https://github.com/ahaggard2013/binaryninja-ollama
    - > Binary Ninja Ollama
    - > Binary Ninja Ollama integrates with your own locally hosted ollama server to rename functions and variables with AI
    - https://github.com/jtang613/BinAssist
    - > BinAssist
    - > A plugin that provides LLM helpers to explain code and assist in RE.
    - > This is a LLM plugin aimed at enabling the use of local LLM's (ollama, text-generation-webui, lm-studio, etc) for assisting with binary exploration and reverse engineering. It supports any OpenAI v1-compatible API. Recommended models are LLaMA-based models such as llama3.1:8b, but others should work as well.
    #### Binary Ninja Blog

    - https://binary.ninja/blog/
    - https://binary.ninja/2025/02/26/sidekick-3.0.html
    - > Sidekick 3.0
    @@ -77,6 +151,9 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > 3.0 The Next Chapter
    - https://binary.ninja/2023/02/17/hacking-the-binary-ninja-ui-for-fun-and-profit.html
    - > Hijacking the Binary Ninja UI for Fun and Profit
    #### Binary Ninja Docs

    - https://docs.binary.ninja/guide/
    - > User Guide
    - https://docs.binary.ninja/guide/migration/
    @@ -206,20 +283,20 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Binary Ninja Workflows is an analysis orchestration framework which simplifies the definition and execution of a computational binary analysis pipeline. The extensible pipeline accelerates program analysis and reverse engineering of binary blobs at various levels of abstraction. Workflows supports hybridized execution models, where the ordering of activities in the pipeline can be well-known and procedural, or dynamic and reactive. Currently, the core Binary Ninja analysis is made available as a procedural model and is the aggregate of both module and function-level analyses.
    - https://github.com/Vector35/binaryninja-api/tree/dev/examples/workflows
    - I saw a note somewhere that suggested this feature would allow implementing deoptimisers / similar (eg. fast modulo / division, etc) that could simplify the view of the decompiled output
    - https://docs.binary.ninja/dev/plugins.html
    - > Writing Plugins
    - https://docs.binary.ninja/dev/plugins.html#ui-plugins
    - > UI Plugins
    - https://binary.ninja/2023/02/17/hacking-the-binary-ninja-ui-for-fun-and-profit.html
    - > Hijacking the Binary Ninja UI for Fun and Profit
    - https://binary.ninja/2024/02/15/command-palette.html
    - > Taking Action With the Command Palette
    - https://github.com/Vector35/binaryninja-api/issues/5628
    - > Add support for popups (not message boxes) in the API
    - > Making a new window or making the tooltips arbitrarily configurable is actually already possible but using the QT API.
    - https://github.com/Vector35/binaryninja-api/issues/5628#issuecomment-2180961499
    - > Here's an example of tooltip code you can use
    - > Some extra context for the code above: It doesn't use an "actual" Qt Tooltip because tooltips can't be an 'active' window (see [documentation](https://doc.qt.io/qt-6/qtooltip.html)). This means they can't respond to things like key-press events, even if you try to catch the event yourself. As a result, the code above fakes one with `Qt.FramelessWindowHint` and `Qt.WindowStaysOnTopHint`.
    - https://docs.binary.ninja/dev/plugins.html
    - > Writing Plugins
    - https://docs.binary.ninja/dev/plugins.html#ui-plugins
    - > UI Plugins
    - https://binary.ninja/2023/02/17/hacking-the-binary-ninja-ui-for-fun-and-profit.html
    - > Hijacking the Binary Ninja UI for Fun and Profit
    - https://binary.ninja/2024/02/15/command-palette.html
    - > Taking Action With the Command Palette
    - https://github.com/Vector35/binaryninja-api/issues/5628
    - > Add support for popups (not message boxes) in the API
    - > Making a new window or making the tooltips arbitrarily configurable is actually already possible but using the QT API.
    - https://github.com/Vector35/binaryninja-api/issues/5628#issuecomment-2180961499
    - > Here's an example of tooltip code you can use
    - > Some extra context for the code above: It doesn't use an "actual" Qt Tooltip because tooltips can't be an 'active' window (see [documentation](https://doc.qt.io/qt-6/qtooltip.html)). This means they can't respond to things like key-press events, even if you try to catch the event yourself. As a result, the code above fakes one with `Qt.FramelessWindowHint` and `Qt.WindowStaysOnTopHint`.
    - https://docs.binary.ninja/dev/api.html
    - > Using the Binary Ninja API
    - https://api.binary.ninja/
    @@ -231,43 +308,65 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Public API, examples, documentation and issues for Binary Ninja
    - https://docs.binary.ninja/dev/cookbook.html
    - > Cookbook
    - https://github.com/Vector35/binaryninja-api/wiki/Ninjas-In-Training
    - > Ninjas In Training
    > List of resources for folks beginning their journey into reverse engineering. If appropriate, resources are labelled as B for Beginner, I for Intermediate, and A for Advanced. Feel free to join the slack and hop in the `#ninjas-in-training` channel for specific questions.
    - Some interesting/relevant issues I have run into:
    - https://github.com/Vector35/binaryninja-api/issues/5262
    - > [docs] Improve 'Finding System Headers' examples for C++
    - https://github.com/Vector35/binaryninja-api/issues/5257
    - > Support parsing C++ templates (at least concrete specializations)
    - https://github.com/Vector35/binaryninja-api/issues/3305
    - > Templatized types (in some form) in BN's type system
    - https://github.com/Vector35/binaryninja-api/issues/4551
    - > Demangled type names reference missing types
    - https://github.com/Vector35/binaryninja-api/issues/2735
    - > macOS Type Libraries
    - https://github.com/Vector35/binaryninja-api/issues/2736
    - > iOS Type Libraries
    - https://github.com/Vector35/binaryninja-api/issues/3017
    - > Show vtable function calls as normal function call
    - https://github.com/Vector35/binaryninja-api/issues/3017#issuecomment-1694528273
    - > With the addition of `__data_var_refs` (see: [C++ Types user docs](https://docs.binary.ninja/guide/cpp.html#defining-a-virtual-function-table)) this is effectively solved. The next step is to automate the parsing and symbolizing of both MSVC ([#3930](https://github.com/Vector35/binaryninja-api/issues/3930)) and Itanium RTTI ([#3857](https://github.com/Vector35/binaryninja-api/issues/3857)).
    - https://github.com/Vector35/binaryninja-api/issues/3930
    - > MSVC RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/3857
    - > GCC/Clang RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/4959
    - > Incorrect `typeinfo_name_for` definitions in mach-o binaries
    - https://github.com/Vector35/official-plugins
    - > Official Binary Ninja Plugins
    - https://github.com/Vector35/community-plugins
    - > Binary Ninja Community Plugins
    - https://github.com/Vector35/community-themes
    - > Binary Ninja Community Themes
    - https://docs.sidekick.binary.ninja/latest/
    - > Binary Ninja Sidekick User Documentation
    - > Sidekick is an AI-powered extension to the Binary Ninja desktop application, providing new capabilities to help users analyze and understand binary programs.
    - https://docs.sidekick.binary.ninja/latest/guide/analysis/bnql/
    - > Binary Ninja Query Language
    >
    > The Binary Ninja Query Language (BNQL) is designed to retrieve Binary Ninja API objects that represent the functions, variables, sections, strings, symbols, and various other entities of a binary. Queries make use of relationships between these entities to efficiently find the right objects. Queries may also access object indexes, which contain lists of objects pertaining to user-defined topics.
    >
    > Queries do not replace the need to analyze decompiled code or data. A typical analysis involves:
    >
    > - Writing queries to find relevant code, data, or metadata
    > - Examining the decompiled code and data returned by the query
    > - Based on the findings, deciding what to query next
    #### Binary Ninja Training
    - https://www.youtube.com/@Vector35
    - https://www.youtube.com/playlist?list=PLCVV6Y9LmwOgqqT5obf0OmN9fp5495bLr
    - > Binary Ninja Basics
    - https://www.youtube.com/playlist?list=PLCVV6Y9LmwOhma0VEJDO07uYxFqtEmkrT
    - > Training
    - https://github.com/Vector35/binaryninja-api/wiki/Ninjas-In-Training
    - > Ninjas In Training
    > List of resources for folks beginning their journey into reverse engineering. If appropriate, resources are labelled as B for Beginner, I for Intermediate, and A for Advanced. Feel free to join the slack and hop in the `#ninjas-in-training` channel for specific questions.
    - https://zerotistic.blog/
    - > Zerotistic's blog
    - > Automation nerd, vulnerability researcher and probably unhinged
    - https://zerotistic.blog/posts/binary-ninja-zero-to-hero-1/
    - > Binary Ninja: Zero to Hero 1
    - https://zerotistic.blog/posts/binary-ninja-zero-to-hero-2/
    - > Binary Ninja: Zero to Hero 2
    - https://zerotistic.blog/posts/binary-ninja-rump/
    - > Binary Ninja: how to reverse with style
    #### Binary Ninja GitHub Issues
    - Some interesting/relevant issues I have run into:
    - https://github.com/Vector35/binaryninja-api/issues/5262
    - > [docs] Improve 'Finding System Headers' examples for C++
    - https://github.com/Vector35/binaryninja-api/issues/5257
    - > Support parsing C++ templates (at least concrete specializations)
    - https://github.com/Vector35/binaryninja-api/issues/3305
    - > Templatized types (in some form) in BN's type system
    - https://github.com/Vector35/binaryninja-api/issues/4551
    - > Demangled type names reference missing types
    - https://github.com/Vector35/binaryninja-api/issues/2735
    - > macOS Type Libraries
    - https://github.com/Vector35/binaryninja-api/issues/2736
    - > iOS Type Libraries
    - https://github.com/Vector35/binaryninja-api/issues/3017
    - > Show vtable function calls as normal function call
    - https://github.com/Vector35/binaryninja-api/issues/3017#issuecomment-1694528273
    - > With the addition of `__data_var_refs` (see: [C++ Types user docs](https://docs.binary.ninja/guide/cpp.html#defining-a-virtual-function-table)) this is effectively solved. The next step is to automate the parsing and symbolizing of both MSVC ([#3930](https://github.com/Vector35/binaryninja-api/issues/3930)) and Itanium RTTI ([#3857](https://github.com/Vector35/binaryninja-api/issues/3857)).
    - https://github.com/Vector35/binaryninja-api/issues/3930
    - > MSVC RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/3857
    - > GCC/Clang RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/4959
    - > Incorrect `typeinfo_name_for` definitions in mach-o binaries
    #### WARP
    @@ -348,6 +447,12 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://www.hex-rays.com/wp-content/static/tutorials/mac_debugger_primer2/mac_debugger_primer2.pdf
    - > Debugging Mac OSX Applications with IDA Pro
    - https://hex-rays.com/products/ida/news/8_3/
    - https://vmallet.github.io/ida-plugins/
    - > The Interactive IDA Plugin List
    > A comprehensive list of plugins for IDA Pro.
    - https://github.com/vmallet/ida-plugins
    - > Interactive IDA Plugin List
    > This is a comprehensive list of plugins for IDA Pro that is more interactive, that is, it can be sorted and filtered to help with finding plugins of interest. It also has extra metadata like the language the plugin is written in, when the plugin was last updated, and an attempt at putting plugins into categories.
    ### radare2
  9. 0xdevalias revised this gist Apr 19, 2025. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -43,6 +43,12 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Sidekick Makes Reverse Engineering Easy
    > Don't open that binary alone! Take Sidekick, your AI-powered assistant, with you. Sidekick can help answer your questions about the binary, recover structures, name things, describe and comment code, find points of interest, and much more.
    - https://binary.ninja/blog/
    - https://binary.ninja/2025/02/26/sidekick-3.0.html
    - > Sidekick 3.0
    - https://binary.ninja/2025/02/26/sidekick-in-action-finding-vulnerabilities-in-dnsmasq.html
    - > Sidekick in Action: Finding Vulnerabilities in dnsmasq
    - https://binary.ninja/2025/02/26/sidekick-in-action-analyzing-lockbit.html
    - > Sidekick in Action: Analyzing LockBit 3.0
    - https://binary.ninja/2024/11/20/4.2-frogstar.html
    - > 4.2 Frogstar
    - https://binary.ninja/2024/08/16/4.1-release-2.html
  10. 0xdevalias revised this gist Apr 19, 2025. 1 changed file with 11 additions and 0 deletions.
    11 changes: 11 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -13,6 +13,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - [radare2](#radare2)
    - [Rizin / Cutter](#rizin--cutter)
    - [Frida / etc](#frida--etc)
    - [rr - Record and Replay Framework (time travel debugger)](#rr---record-and-replay-framework-time-travel-debugger)
    - [Reversing C++ Binaries](#reversing-c-binaries)
    - [Unsorted](#unsorted)
    - [C++ vtables](#c-vtables)
    @@ -527,6 +528,16 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    > Specific Software
    > Other
    ### rr - Record and Replay Framework (time travel debugger)
    - https://rr-project.org/
    - > rr aspires to be your primary C/C++ debugging tool for Linux, replacing — well, enhancing — gdb. You record a failure once, then debug the recording, deterministically, as many times as you want. The same execution is replayed every time.
    >
    > rr also provides efficient reverse execution under gdb. Set breakpoints and data watchpoints and quickly reverse-execute to where they were hit.
    - https://github.com/rr-debugger/rr
    - > Record and Replay Framework
    - > rr is a lightweight tool for recording, replaying and debugging execution of applications (trees of processes and threads). Debugging extends gdb with very efficient reverse-execution, which in combination with standard gdb/x86 features like hardware data watchpoints, makes debugging much more fun.
    ## Reversing C++ Binaries
    ### Unsorted
  11. 0xdevalias revised this gist Mar 4, 2025. 1 changed file with 4 additions and 2 deletions.
    6 changes: 4 additions & 2 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -4,7 +4,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.

    ## Table of Contents

    <!-- TOC start (generated with https://derlin.github.io/bitdowntoc/) -->
    <!-- TOC start (generated with https://bitdowntoc.derlin.ch/) -->
    - [Reverse Engineering Tools](#reverse-engineering-tools)
    - [Binary Ninja](#binary-ninja)
    - [WARP](#warp)
    @@ -1104,16 +1104,18 @@ be located next to this file.
    ### My Other Related Deepdive Gist's and Projects
    - https://gist.github.com/0xdevalias
    - [Reverse Engineering Golang (0xdevalias' gist)](https://gist.github.com/0xdevalias/4e430914124c3fd2c51cb7ac2801acba#reverse-engineering-golang)
    - [GitHub Copilot CLI API (0xdevalias' gist)](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#github-copilot-cli-api)
    - [Decompilation Outputs](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#decompilation-outputs)
    - https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts.
    - [Reverse engineering ChatGPT's frontend web app + deep dive explorations of the code (0xdevalias' gist)](https://gist.github.com/0xdevalias/4ac297ee3f794c17d0997b4673a2f160#reverse-engineering-chatgpts-frontend-web-app--deep-dive-explorations-of-the-code)
    - [Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias' gist)](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code)
    - [Reverse Engineering Webpack Apps (0xdevalias' gist)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps)
    - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias' gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component)
    - [React Server Components, Next.js v13+, and Webpack: Notes on Streaming Wire Format (`__next_f`, etc) (0xdevalias' gist))](https://gist.github.com/0xdevalias/ac465fb2f7e6fded183c2a4273d21e61#react-server-components-nextjs-v13-and-webpack-notes-on-streaming-wire-format-__next_f-etc)
    - [Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias' gist)](https://gist.github.com/0xdevalias/31c6574891db3e36f15069b859065267#fingerprinting-minified-javascript-libraries--ast-fingerprinting--source-code-similarity--etc)
    - [JavaScript Web App Reverse Engineering - Module Identification (0xdevalias' gist)](https://gist.github.com/0xdevalias/28c18edfc17606f09cf413f97e404a60#javascript-web-app-reverse-engineering---module-identification)
    - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias' gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component)
    - [Bypassing Cloudflare, Akamai, etc (0xdevalias' gist)](https://gist.github.com/0xdevalias/b34feb567bd50b37161293694066dd53#bypassing-cloudflare-akamai-etc)
    - [Debugging Electron Apps (and related memory issues) (0xdevalias gist)](https://gist.github.com/0xdevalias/428e56a146e3c09ec129ee58584583ba#debugging-electron-apps-and-related-memory-issues)
    - [devalias' Beeper CSS Hacks (0xdevalias' gist)](https://gist.github.com/0xdevalias/3d2f5a861335cc1277b21a29d1285cfe#beeper-custom-theme-styles)
  12. 0xdevalias revised this gist Jan 6, 2025. 1 changed file with 17 additions and 4 deletions.
    21 changes: 17 additions & 4 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -543,10 +543,12 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Virtual Function Tables
    > Virtual functions are implemented by compilers using a virtual function table structure that is pointed to by instances of the class. The layout of these structures is compiler dependent, so when reverse engineering a C++ binary these structures must be created to match the in-memory layout used by the binary.
    - https://clang.llvm.org/doxygen/VTableBuilder_8cpp_source.html
    - https://www.seandeaton.com/gotta-re-em-all-reversing-c-virtual-function-tables-with-binary-ninja/
    - > Gotta RE 'em All: Reversing C++ Virtual Function Tables with Binary Ninja
    - https://learn.microsoft.com/en-us/cpp/cpp/constructors-cpp?view=msvc-170
    - > Constructors (C++)
    - https://www.seandeaton.com/tag/reverse-engineering/
    - https://www.seandeaton.com/gotta-re-em-all-reversing-c-virtual-function-tables-with-binary-ninja/
    - > Gotta RE 'em All: Reversing C++ Virtual Function Tables with Binary Ninja
    - TODO: add summary of relevant bits here
    - https://learn.microsoft.com/en-us/cpp/cpp/constructors-cpp?view=msvc-170
    - > Constructors (C++)
    - https://shaharmike.com/cpp/
    - https://shaharmike.com/cpp/vtable-part1/
    - > C++ vtables - Part 1 - Basics
    @@ -590,6 +592,17 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://shaharmike.com/cpp/vtable-part4/
    - > C++ vtables - Part 4 - Compiler-Generated Code
    - TODO: add summary of relevant bits here
    - https://alschwalm.com/blog/static/
    - https://alschwalm.com/blog/static/2016/12/17/reversing-c-virtual-functions/
    - > Reversing C++ Virtual Functions: Part 1
    - > There are a few posts in various parts of the internet discussing reverse engineering C++, and these often address virtual functions to a large or small extent. However, I wanted to take some time to write about dealing with virtual functions in large, ‘enterprisy’ code-bases. These can often include thousands of classes and massive type hierarchies, so I think it is worth describing some techniques for reversing them. But before that I’m going to go through some more simple cases. If you are already familiar with virtual function reversing, then you my want to proceed directly to part 2.
    - TODO: add summary of relevant bits here
    - https://alschwalm.com/blog/static/2017/01/24/reversing-c-virtual-functions-part-2-2/
    - > Reversing C++ Virtual Functions: Part 2
    - > In the previous part I described one approach to 'devirtualize' function calls in a small C++ program. Naturally there were several limitations to that approach, namely that it is very manual. If the target binary contains thousands of vtables, it is not practical to manually locate the tables and create these structures and relationships.
    >
    > So, in this part I will go through a more precise description of the layout of vtables and how we can find them programmatically. I will also show how we can sometimes recover relationships between these vtables (and therefore, between the types they are associated with).
    - TODO: add summary of relevant bits here
    - https://web.mit.edu/tibbetts/Public/inside-c/www/
    - > The Secret Life of C++: What Your Compiler Doesn't Want You To Know
    - > C++ is filled with strange and wonderful features, with a few more added in C++11. We will explore in detail how these features are implemented under the covers, in terms of the assembly code generated. Features to be explored include construction and destruction, copying, references, virtual methods, method dispatch, object layout, exceptions, templates, anonymous functions, captures, and more.
  13. 0xdevalias revised this gist Jan 6, 2025. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -14,7 +14,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - [Rizin / Cutter](#rizin--cutter)
    - [Frida / etc](#frida--etc)
    - [Reversing C++ Binaries](#reversing-c-binaries)
    - [Unsorted](#unsorted)
    - [Unsorted](#unsorted)
    - [C++ vtables](#c-vtables)
    - [`std::string`](#stdstring)
    - [`std::vector`](#stdvector)
  14. 0xdevalias revised this gist Jan 6, 2025. 1 changed file with 17 additions and 1 deletion.
    18 changes: 17 additions & 1 deletion reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -529,7 +529,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    ## Reversing C++ Binaries
    ## Unsorted
    ### Unsorted
    - http://www.max-sperling.bplaced.net/?cat=80
    - > Category: Data structures
    @@ -543,6 +543,10 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Virtual Function Tables
    > Virtual functions are implemented by compilers using a virtual function table structure that is pointed to by instances of the class. The layout of these structures is compiler dependent, so when reverse engineering a C++ binary these structures must be created to match the in-memory layout used by the binary.
    - https://clang.llvm.org/doxygen/VTableBuilder_8cpp_source.html
    - https://www.seandeaton.com/gotta-re-em-all-reversing-c-virtual-function-tables-with-binary-ninja/
    - > Gotta RE 'em All: Reversing C++ Virtual Function Tables with Binary Ninja
    - https://learn.microsoft.com/en-us/cpp/cpp/constructors-cpp?view=msvc-170
    - > Constructors (C++)
    - https://shaharmike.com/cpp/
    - https://shaharmike.com/cpp/vtable-part1/
    - > C++ vtables - Part 1 - Basics
    @@ -952,6 +956,18 @@ be located next to this file.
    ## Unsorted
    - https://github.com/dhinakg/aeota
    - > aeota
    > AEA OTA/IPSW decryption
    - Usage example: https://www.seandeaton.com/comparing-binary-ninja-performance-on-the-m1-m2-ultra-and-m3-pro/#:~:text=%23%20Decrypt%20using%20the%20dhinakg/aeota%20project
    - https://newosxbook.com/tools/XPoCe.html
    - > XPoCe - XPC Snooping utilties for MacOS and iOS
    - > XPC* is the enhanced IPC framework used in *OS. Ever since its introduction in 10.7/iOS 5, its use has exploded, as AAPL is rewriting most of its daemons to use it in place of the venerable raw Mach messages. Mach still provides the medium, but message payloads are now dictionary objects - reducing (but not eliminating) type confusion mistakes, and greatly simplifying parsing. In addition, XPC is closely tied to GCD (offering much better performance) and entitlements (greater security).
    - https://newosxbook.com/tools/XPoCe2.html
    - > XPoCe - XPC Snooping utilties for MacOS and iOS (version 2.0)
    - > The original version of XPoCe, my XPC message tracer, relied on library injection. Now that I've just about perfected my debugger framework, coreruption, it made sense to launch a common test case for it - and have it trace XPC messages, by attaching to any PID on the system (yes, even iTunes, XCode, and launchd :-)
    - > I started working on a simple dyld injected library called XPCSnoop back when I embarked on my quest to expose launchd(1) and provided it as a bonus download along with my version of launchctl(8) (Update on that: Quest is going well, launchd, your day in the sun is coming :-)). But as with other quick and dirty projects, it started taking a life of its own, and became super useful. So I've added more features, and am releasing it as its own little tool.
    - > A MUCH better alternative can be found in XPoCe v2
    - https://github.com/mroi/apple-internals
    - > Apple Internals
    > This repository provides tools and information to help understand and analyze the internals of Apple’s operating system platforms.
  15. 0xdevalias revised this gist Jan 3, 2025. 1 changed file with 12 additions and 12 deletions.
    24 changes: 12 additions & 12 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -6,26 +6,26 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.

    <!-- TOC start (generated with https://derlin.github.io/bitdowntoc/) -->
    - [Reverse Engineering Tools](#reverse-engineering-tools)
    - [Binary Ninja](#binary-ninja)
    - [Binary Ninja](#binary-ninja)
    - [WARP](#warp)
    - [Ghidra](#ghidra)
    - [Hex-Rays IDA](#hex-rays-ida)
    - [radare2](#radare2)
    - [Rizin / Cutter](#rizin--cutter)
    - [Frida / etc](#frida--etc)
    - [Ghidra](#ghidra)
    - [Hex-Rays IDA](#hex-rays-ida)
    - [radare2](#radare2)
    - [Rizin / Cutter](#rizin--cutter)
    - [Frida / etc](#frida--etc)
    - [Reversing C++ Binaries](#reversing-c-binaries)
    - [Unsorted](#unsorted)
    - [C++ vtables](#c-vtables)
    - [`std::string`](#stdstring)
    - [`std::vector`](#stdvector)
    - [C++ vtables](#c-vtables)
    - [`std::string`](#stdstring)
    - [`std::vector`](#stdvector)
    - [Universal (Fat) Binaries](#universal-fat-binaries)
    - [Reverse Engineering Audio VST Plugins](#reverse-engineering-audio-vst-plugins)
    - [Compiler Optimisations](#compiler-optimisations)
    - [Fast Division / Modulus](#fast-division--modulus)
    - [Fast Division / Modulus](#fast-division--modulus)
    - [Unsorted](#unsorted-1)
    - [See Also](#see-also)
    - [My StackOverflow/etc answers](#my-stackoverflowetc-answers)
    - [My Other Related Deepdive Gist's and Projects](#my-other-related-deepdive-gists-and-projects)
    - [My StackOverflow/etc answers](#my-stackoverflowetc-answers)
    - [My Other Related Deepdive Gist's and Projects](#my-other-related-deepdive-gists-and-projects)
    <!-- TOC end -->

    ## Reverse Engineering Tools
  16. 0xdevalias revised this gist Jan 3, 2025. 1 changed file with 59 additions and 0 deletions.
    59 changes: 59 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -7,6 +7,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    <!-- TOC start (generated with https://derlin.github.io/bitdowntoc/) -->
    - [Reverse Engineering Tools](#reverse-engineering-tools)
    - [Binary Ninja](#binary-ninja)
    - [WARP](#warp)
    - [Ghidra](#ghidra)
    - [Hex-Rays IDA](#hex-rays-ida)
    - [radare2](#radare2)
    @@ -261,6 +262,64 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://www.youtube.com/playlist?list=PLCVV6Y9LmwOhma0VEJDO07uYxFqtEmkrT
    - > Training
    #### WARP
    > - https://binary.ninja/2024/11/20/4.2-frogstar.html#warp-advanced-function-matching-algorithm-alpha
    > - > WARP: Advanced Function Matching Algorithm Alpha
    > > This release features a new way to transfer function information between binaries. Unlike our existing SigKit tool, WARP is meant for whole function matching. This means fewer false positives and more opportunities to match on smaller functions, thanks to WARP’s function constraints.
    > - > For more information about WARP, visit the documentation [here](https://docs.binary.ninja/dev/annotation.html?h=warp#warp-signature-libraries)!
    > - https://www.seandeaton.com/binary-ninja-warp-signatures/
    > - > Trying Out Binary Ninja's new WARP Signatures with IPSW Diff'ing
    > > Binary diff'ing is pretty complex, but being able to apply markup from one binary to another is quite powerful. Binary Ninja's new WARP extends previous efforts, using SigKit, to quickly identify library functions.
    > - https://docs.binary.ninja/dev/annotation.html
    > - > Applying Annotations
    > - > - [Symbols](https://docs.binary.ninja/dev/annotation.html?h=sigkit#symbols) covers how to work with Symbols in a binary
    > > - [Types](https://docs.binary.ninja/dev/annotation.html?h=sigkit#types) documents creating and interacting with types through the API
    > > - [Tags](https://docs.binary.ninja/dev/annotation.html?h=sigkit#tags) describes how to create tags and bookmarks
    > > - [Type Libraries](https://docs.binary.ninja/dev/typelibraries.html) explains how to work with Type Libraries, including multiple sources of information from which Binary Ninja can automatically source for type information from and how you can add to them
    > > - [Signature Libraries](https://docs.binary.ninja/dev/annotation.html?h=sigkit#signature-libraries) explains how to work with the signature library which match statically compiled functions which are then matched with type libraries
    > - https://docs.binary.ninja/dev/annotation.html?h=sigkit#signature-libraries
    > - > Signature Libraries
    > > There are now two different signature library systems: SigKit, and WARP. SigKit will be deprecated in the near future as WARP represents a superset of its features.
    > - https://docs.binary.ninja/dev/annotation.html?h=sigkit#sigkit-signature-libraries
    > - > SigKit Signature Libraries
    > - https://github.com/Vector35/sigkit
    > - > Signature Kit Plugin
    > - > Function signature matching and signature generation plugin for Binary Ninja
    > - > This plugin provides Python tools for generating, manipulating, viewing, loading, and saving signature libraries (`.sig`) for the Signature System.
    > - https://docs.binary.ninja/dev/annotation.html?h=sigkit#warp-signature-libraries
    > - > WARP Signature Libraries
    > > WARP integration is included with Binary Ninja but turned off by default, for more information about WARP itself visit the open source repository here!
    > >
    > > The benefit to using WARP over SigKit is that WARP signatures are more comprehensive and as such will have fewer false positives. Alongside fewer false positives WARP will match more functions with less information due to the matching algorithm taking into account function locality (i.e. functions next to each other). After matching has completed WARP functions will be tagged and the types for those functions will be transferred, this means less work for those looking to transfer analysis information from one version of a binary to another version.
    > - https://github.com/Vector35/warp
    > - > WARP
    > > WARP provides a common format for transferring and applying function information across binary analysis tools.
    > - https://github.com/Vector35/warp#function-identification
    > - > Function Identification
    > > Function identification is the main way to interact with WARP, allowing tooling to utilize WARP's dataset to identify common functions within any binary efficiently and accurately.
    > - https://github.com/Vector35/warp#comparison-of-function-recognition-tools
    > - > Comparison of Function Recognition Tools
    > > WARP vs FLIRT
    > > The main difference between WARP and FLIRT is the approach to identification.
    > - > Function Identification
    > >
    > > - WARP the function identification is described [here](https://github.com/Vector35/warp#function-identification).
    > > - FLIRT uses incomplete function byte sequence with a mask where there is a single function entry (see: [IDA FLIRT Documentation](https://docs.hex-rays.com/user-guide/signatures/flirt/ida-f.l.i.r.t.-technology-in-depth) for a full description).
    > >
    > > What this means in practice is WARP will have less false positives based solely off the initial function identification. When the returned set of functions is greater than one, we can use the list of [Function Constraints](https://github.com/Vector35/warp#function-constraints) to select the best possible match. However, that comes at the cost of requiring a computed GUID to be created whenever the lookup is requested and that the function GUID is *always* the same.
    > - https://docs.binary.ninja/dev/typelibraries.html
    > - > Type Libraries
    > > Type Libraries are collections of type information (structs, enums, function types, etc.) stored in a file with the extension `.bntl`.
    > - https://binary.ninja/2024/10/01/plugin-spotlight-coolsigmaker.html
    > - > A common desire in reverse engineering is to match re-used code across multiple binaries. Whether you're doing malware lineage tracking, identifying a statically compiled library, or any other use case about identifying similar code, there are multiple technologies that attempt to solve parts of this problem. Other tools for related problems include [SigKit](https://github.com/Vector35/sigkit) (Binary Ninja's [static library detection](https://docs.binary.ninja/dev/annotation.html?h=sigkit#signature-library)), IDA's [FLIRT/FLAIR](https://docs.hex-rays.com/user-guide/signatures/flirt) and [Lumina](https://docs.hex-rays.com/user-guide/lumina) features, or even more advanced systems like [Diaphora](http://diaphora.re/) or [BinDiff](https://www.zynamics.com/bindiff.html).
    > >
    > > Related to those, you might already be familiar with the "SigMaker" style of plugins for various platforms[[1]](https://github.com/ajkhoury/SigMaker-x64) [[2]](https://github.com/apekros/binja_sigmaker) [[3]](https://github.com/Alex3434/Binja-SigMaker). These plugins generate patterns from code that can be used to find said code across different binaries or find the same function reliably between application updates. This is useful for malware classification and static-library identification among other purposes.
    > >
    > > [binja_coolsigmaker](https://github.com/unknowntrojan/binja_coolsigmaker) is just that: a fast and reliable "SigMaker" plugin for Binary Ninja.
    >
    > _Originally posted by @0xdevalias in https://github.com/pionxzh/wakaru/issues/74#issuecomment-2568536103_
    ### Ghidra
    - https://ghidra-sre.org/
  17. 0xdevalias revised this gist Jan 2, 2025. 1 changed file with 12 additions and 0 deletions.
    12 changes: 12 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -41,6 +41,18 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Sidekick Makes Reverse Engineering Easy
    > Don't open that binary alone! Take Sidekick, your AI-powered assistant, with you. Sidekick can help answer your questions about the binary, recover structures, name things, describe and comment code, find points of interest, and much more.
    - https://binary.ninja/blog/
    - https://binary.ninja/2024/11/20/4.2-frogstar.html
    - > 4.2 Frogstar
    - https://binary.ninja/2024/08/16/4.1-release-2.html
    - > 4.1 Release 2
    - https://binary.ninja/2024/08/12/sidekick-2.0.html
    - > Sidekick 2.0
    - https://binary.ninja/2024/07/17/4.1-elysium.html
    - > 4.1 Elysium
    - https://binary.ninja/2024/05/27/4.0-update.html
    - > 4.0 Update
    - https://binary.ninja/2024/04/18/sidekick-release.html
    - > Sidekick 1.0 Release
    - https://binary.ninja/2024/02/28/4.0-dorsai.html
    - > 4.0: Dorsai
    - https://binary.ninja/2023/09/15/3.5-expanded-universe.html
  18. 0xdevalias revised this gist Aug 18, 2024. 1 changed file with 19 additions and 0 deletions.
    19 changes: 19 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -10,6 +10,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - [Ghidra](#ghidra)
    - [Hex-Rays IDA](#hex-rays-ida)
    - [radare2](#radare2)
    - [Rizin / Cutter](#rizin--cutter)
    - [Frida / etc](#frida--etc)
    - [Reversing C++ Binaries](#reversing-c-binaries)
    - [Unsorted](#unsorted)
    @@ -393,6 +394,24 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    > And it is possible to use almost any languages to do so. Those templates include the .vscode and build files too. so you can quickly start doing real work!
    - https://github.com/radareorg/radare2-testbins
    ### Rizin / Cutter
    - https://rizin.re/
    - > rizin
    > Free and Open Source Reverse Engineering Framework
    - https://github.com/rizinorg/rizin
    - > UNIX-like reverse engineering framework and command-line toolset.
    - > Rizin is a fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
    >
    > Rizin is portable and it can be used to analyze binaries, disassemble code, debug programs, as a forensic tool, as a scriptable command-line hexadecimal editor able to open disk files, and much more!
    - https://book.rizin.re/
    - > The Rizin Handbook: A Guide to Reverse Engineering with the Rizin Framework
    - https://cutter.re/
    - > Cutter
    > Free and Open Source RE Platform powered by Rizin
    - https://github.com/rizinorg/cutter
    - > Cutter is a free and open-source reverse engineering platform powered by rizin. It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.
    ### Frida / etc
    - https://frida.re/
  19. 0xdevalias revised this gist Jun 21, 2024. 1 changed file with 30 additions and 5 deletions.
    35 changes: 30 additions & 5 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -54,6 +54,8 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > 3.1 The Performance Release
    - https://binary.ninja/2022/01/27/3.0-the-next-chapter.html
    - > 3.0 The Next Chapter
    - https://binary.ninja/2023/02/17/hacking-the-binary-ninja-ui-for-fun-and-profit.html
    - > Hijacking the Binary Ninja UI for Fun and Profit
    - https://docs.binary.ninja/guide/
    - > User Guide
    - https://docs.binary.ninja/guide/migration/
    @@ -183,11 +185,34 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > Binary Ninja Workflows is an analysis orchestration framework which simplifies the definition and execution of a computational binary analysis pipeline. The extensible pipeline accelerates program analysis and reverse engineering of binary blobs at various levels of abstraction. Workflows supports hybridized execution models, where the ordering of activities in the pipeline can be well-known and procedural, or dynamic and reactive. Currently, the core Binary Ninja analysis is made available as a procedural model and is the aggregate of both module and function-level analyses.
    - https://github.com/Vector35/binaryninja-api/tree/dev/examples/workflows
    - I saw a note somewhere that suggested this feature would allow implementing deoptimisers / similar (eg. fast modulo / division, etc) that could simplify the view of the decompiled output
    - https://github.com/Vector35/binaryninja-api
    - > Public API, examples, documentation and issues for Binary Ninja
    - https://github.com/Vector35/binaryninja-api/wiki/Ninjas-In-Training
    - > Ninjas In Training
    > List of resources for folks beginning their journey into reverse engineering. If appropriate, resources are labelled as B for Beginner, I for Intermediate, and A for Advanced. Feel free to join the slack and hop in the `#ninjas-in-training` channel for specific questions.
    - https://docs.binary.ninja/dev/plugins.html
    - > Writing Plugins
    - https://docs.binary.ninja/dev/plugins.html#ui-plugins
    - > UI Plugins
    - https://binary.ninja/2023/02/17/hacking-the-binary-ninja-ui-for-fun-and-profit.html
    - > Hijacking the Binary Ninja UI for Fun and Profit
    - https://binary.ninja/2024/02/15/command-palette.html
    - > Taking Action With the Command Palette
    - https://github.com/Vector35/binaryninja-api/issues/5628
    - > Add support for popups (not message boxes) in the API
    - > Making a new window or making the tooltips arbitrarily configurable is actually already possible but using the QT API.
    - https://github.com/Vector35/binaryninja-api/issues/5628#issuecomment-2180961499
    - > Here's an example of tooltip code you can use
    - > Some extra context for the code above: It doesn't use an "actual" Qt Tooltip because tooltips can't be an 'active' window (see [documentation](https://doc.qt.io/qt-6/qtooltip.html)). This means they can't respond to things like key-press events, even if you try to catch the event yourself. As a result, the code above fakes one with `Qt.FramelessWindowHint` and `Qt.WindowStaysOnTopHint`.
    - https://docs.binary.ninja/dev/api.html
    - > Using the Binary Ninja API
    - https://api.binary.ninja/
    - > Binary Ninja Python API Reference
    - https://api.binary.ninja/cpp/
    - > Binary Ninja C++ API
    - `UIAction.registerAction`: https://api.binary.ninja/cpp/group__action.html#af92fcf662c19e708e006bfc91756183a
    - https://github.com/Vector35/binaryninja-api
    - > Public API, examples, documentation and issues for Binary Ninja
    - https://docs.binary.ninja/dev/cookbook.html
    - > Cookbook
    - https://github.com/Vector35/binaryninja-api/wiki/Ninjas-In-Training
    - > Ninjas In Training
    > List of resources for folks beginning their journey into reverse engineering. If appropriate, resources are labelled as B for Beginner, I for Intermediate, and A for Advanced. Feel free to join the slack and hop in the `#ninjas-in-training` channel for specific questions.
    - Some interesting/relevant issues I have run into:
    - https://github.com/Vector35/binaryninja-api/issues/5262
    - > [docs] Improve 'Finding System Headers' examples for C++
  20. 0xdevalias revised this gist Jun 19, 2024. 1 changed file with 8 additions and 0 deletions.
    8 changes: 8 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -56,6 +56,14 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > 3.0 The Next Chapter
    - https://docs.binary.ninja/guide/
    - > User Guide
    - https://docs.binary.ninja/guide/migration/
    - > Migrating from Other Tools
    - https://docs.binary.ninja/getting-started.html
    - > Getting Started
    - https://docs.binary.ninja/guide/migration/migrationguideida.html
    - > Migrating from IDA
    - https://docs.binary.ninja/guide/migration/migrationguideghidra.html
    - > Migrating from Ghidra
    - https://docs.binary.ninja/guide/types/
    - > There's so many things to learn about working with Types in Binary Ninja that we've organized it into several sections!
    - > Basic Type Editing: Brief overview of the basics
  21. 0xdevalias revised this gist Jun 5, 2024. 1 changed file with 15 additions and 1 deletion.
    16 changes: 15 additions & 1 deletion reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -12,13 +12,15 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - [radare2](#radare2)
    - [Frida / etc](#frida--etc)
    - [Reversing C++ Binaries](#reversing-c-binaries)
    - [Unsorted](#unsorted)
    - [C++ vtables](#c-vtables)
    - [`std::string`](#stdstring)
    - [`std::vector`](#stdvector)
    - [Universal (Fat) Binaries](#universal-fat-binaries)
    - [Reverse Engineering Audio VST Plugins](#reverse-engineering-audio-vst-plugins)
    - [Compiler Optimisations](#compiler-optimisations)
    - [Fast Division / Modulus](#fast-division--modulus)
    - [Unsorted](#unsorted)
    - [Unsorted](#unsorted-1)
    - [See Also](#see-also)
    - [My StackOverflow/etc answers](#my-stackoverflowetc-answers)
    - [My Other Related Deepdive Gist's and Projects](#my-other-related-deepdive-gists-and-projects)
    @@ -404,6 +406,13 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    ## Reversing C++ Binaries
    ## Unsorted
    - http://www.max-sperling.bplaced.net/?cat=80
    - > Category: Data structures
    - http://www.max-sperling.bplaced.net/?cat=28
    - > Category: Debugging & Memory
    ### C++ vtables
    - See also:
    @@ -544,6 +553,11 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    >
    > There's also going to be overhead from your memory allocator for doing lots of small allocations; I don't know what GCC uses for C++, but assuming it's similar to the `dlmalloc` allocator it uses for C, that could be at least two words per allocation, plus some space to align the size to a multiple of at least 8 bytes.
    ### `std::vector`
    - http://www.max-sperling.bplaced.net/?p=4983
    - > Layout of `std::vector` (`libstdc++`)
    ## Universal (Fat) Binaries
    - https://developer.apple.com/documentation/apple-silicon/building-a-universal-macos-binary
  22. 0xdevalias revised this gist Jun 5, 2024. 1 changed file with 48 additions and 0 deletions.
    48 changes: 48 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -13,6 +13,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - [Frida / etc](#frida--etc)
    - [Reversing C++ Binaries](#reversing-c-binaries)
    - [C++ vtables](#c-vtables)
    - [`std::string`](#stdstring)
    - [Universal (Fat) Binaries](#universal-fat-binaries)
    - [Reverse Engineering Audio VST Plugins](#reverse-engineering-audio-vst-plugins)
    - [Compiler Optimisations](#compiler-optimisations)
    @@ -496,6 +497,53 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://refspecs.linuxbase.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/cxxclasses.html
    - > Chapter 12. C++ Class Representations
    ### `std::string`
    - https://shaharmike.com/cpp/std-string/
    - > Exploring `std::string`
    - > Every C++ developer knows that `std::string` represents a sequence of characters in memory. It manages its own memory, and is very intuitive to use. Today we’ll explore `std::string` as defined by the C++ Standard, and also by looking at 4 major implementations.
    - > One particular optimization found its way to pretty much all implementations: small objects optimization (aka small buffer optimization). Simply put, Small Object Optimization means that the `std::string` object has a small buffer for small strings, which saves dynamic allocations.
    - > Recent GCC versions use a union of buffer (16 bytes) and capacity (8 bytes) to store small strings. Since `reserve()` is mandatory (more on this later), the internal pointer to the beginning of the string either points to this union or to the dynamically allocated string.
    - > `clang` is by-far the smartest and coolest. While `std::string` has the size of 24 bytes, it allows strings up to 22 bytes(!!) with no allocation. To achieve this libc++ uses a neat trick: the size of the string is not saved as-is but rather in a special way: if the string is short (< 23 bytes) then it stores `size() * 2`. This way the least significant bit is always 0. The long form always bitwise-ors the LSB with 1, which in theory might have meant unnecessarily larger allocations, but this implementation always rounds allocations to be of form `16*n - 1` (where `n` is an integer). By the way, the allocated string is actually of form `16*n`, the last character being `'\0'`
    - https://tastycode.dev/memory-layout-of-std-string/
    - > Memory Layout of `std::string`
    - > Discover how `std::string` is represented in the most popular C++ Standard Libraries, such as MSVC STL, GCC libstdc++, and LLVM libc++.
    - > In this post of Tasty C++ series we’ll look inside of `std::string`, so that you can more effectively work with C++ strings and take advantage and avoid pitfalls of the C++ Standard Library you are using.
    - > In C++ Standard Library, std::string is one of the three contiguous containers (together with `std::array` and `std::vector`). This means that a sequence of characters is stored in a contiguous area of the memory and an individual character can be efficiently accessed by its index at `O(1)` time. The C++ Standard imposes more requirements on the complexity of string operations, which we will briefly focus on later in this post.
    - > If we are talking about the C++ Standard, it’s important to remember that it doesn’t impose exact implementation of `std::string`, nor does it specify the exact size of `std::string`. In practice, as we’ll see, the most popular implementations of the C++ Standard Library allocate 24 or 32 bytes for the same std::string object (excluding the data buffer). On top of that, the memory layout of string objects is also different, which is a result of a tradeoff between optimal memory and CPU utilization, as we’ll also see below.
    - > For people just starting to work with strings in C++, `std::string` is usually associated with three data fields:
    > - Buffer – the buffer where string characters are stored, allocated on the heap.
    > - Size – the current number of characters in the string.
    > - Capacity – the max number of character the buffer can fit, a size of the buffer.
    >
    > Talking C++ language, this picture could be expressed as the following class:
    >
    > ```
    > class TastyString {
    > char * m_buffer; // string characters
    > size_t m_size; // number of characters
    > size_t m_capacity; // m_buffer size
    > }
    > ```
    >
    > This representation takes 24 bytes and is very close to the production code.
    - https://stackoverflow.com/questions/5058676/stdstring-implementation-in-gcc-and-its-memory-overhead-for-short-strings
    - > `std::string` implementation in GCC and its memory overhead for short strings
    - > At least with GCC 4.4.5, which is what I have handy on this machine, `std::string` is a `typdef` for `std::basic_string<char>`, and `basic_string` is defined in `/usr/include/c++/4.4.5/bits/basic_string.h`. There's a lot of indirection in that file, but what it comes down to is that nonempty `std::string`s store a pointer to one of these:
    >
    > ```
    > struct _Rep_base
    > {
    > size_type _M_length;
    > size_type _M_capacity;
    > _Atomic_word _M_refcount;
    > };
    > ```
    >
    > Followed in-memory by the actual string data. So `std::string` is going to have at least three words of overhead for each string, plus any overhead for having a higher capacity than `length` (probably not, depending on how you construct your strings -- you can check by asking the `capacity()` method).
    >
    > There's also going to be overhead from your memory allocator for doing lots of small allocations; I don't know what GCC uses for C++, but assuming it's similar to the `dlmalloc` allocator it uses for C, that could be at least two words per allocation, plus some space to align the size to a multiple of at least 8 bytes.
    ## Universal (Fat) Binaries
    - https://developer.apple.com/documentation/apple-silicon/building-a-universal-macos-binary
  23. 0xdevalias revised this gist Jun 3, 2024. 1 changed file with 23 additions and 0 deletions.
    23 changes: 23 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -15,6 +15,8 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - [C++ vtables](#c-vtables)
    - [Universal (Fat) Binaries](#universal-fat-binaries)
    - [Reverse Engineering Audio VST Plugins](#reverse-engineering-audio-vst-plugins)
    - [Compiler Optimisations](#compiler-optimisations)
    - [Fast Division / Modulus](#fast-division--modulus)
    - [Unsorted](#unsorted)
    - [See Also](#see-also)
    - [My StackOverflow/etc answers](#my-stackoverflowetc-answers)
    @@ -742,6 +744,27 @@ be located next to this file.
    - > JUCE is an open-source cross-platform C++ application framework for desktop and mobile applications, including VST, VST3, AU, AUv3, LV2 and AAX audio plug-ins.
    - https://github.com/juce-framework/JUCE/tree/6.0.4/modules
    ## Compiler Optimisations
    ### Fast Division / Modulus
    - https://binary.ninja/2023/09/15/3.5-expanded-universe.html#moddiv-deoptimization
    - > Mod/Div Deoptimization
    - > One of the many things compilers do that can make reverse engineering harder is use a variety of algorithmic optimizations, in particular for modulus and division calculations. Instead of implementing them with the native CPU instructions, they will use shifts and multiplications with magic constants that when operating on a fixed integer size has the same effect as a native division instruction.
    >
    > There are several ways to try to recover the original division which is far more intuitive and easer to reason about.
    - https://lemire.me/blog/2020/02/26/fast-divisionless-computation-of-binomial-coefficients/
    - > Fast divisionless computation of binomial coefficients
    - > We would prefer to avoid divisions entirely. If we assume that k is small, then we can just use the fact that we can always replace a division by a known value with a shift and a multiplication. All that is needed is that we precompute the shift and the multiplier. If there are few possible values of k, we can precompute it with little effort.
    - > I provide a full portable implementation complete with some tests. Though I use C, it should work as-is in many other programming languages. It should only take tens of CPU cycles to run. It is going to be much faster than implementations relying on divisions.
    - > Another trick that you can put to good use is that the binomial coefficient is symmetric: you can replace k by n–k and get the same value. Thus if you can handle small values of k, you can also handle values of k that are close to n. That is, the above function will also work for n is smaller than 100 and k larger than 90, if you just replace k by n–k.
    - > Is that the fastest approach? Not at all. Because n is smaller than 100 and k smaller than 10, we can precompute (memoize) all possible values. You only need an array of 1000 values. It should fit in 8kB without any attempt at compression. And I am sure you can make it fit in 4kB with a little bit of compression effort. Still, there are instances where relying on a precomputed table of several kilobytes and keeping them in cache is inconvenient. In such cases, the divisionless function would be a good choice.
    - > Alternatively, if you are happy with approximations, you will find floating-point implementations.
    - https://github.com/lemire/Code-used-on-Daniel-Lemire-s-blog/blob/master/2020/02/26/binom.c
    - https://github.com/dmikushin/binom/blob/master/include/binom.h
    - https://github.com/bmkessler/fastdiv
    - https://github.com/jmtilli/fastdiv/blob/master/fastdiv.c
    ## Unsorted
    - https://github.com/mroi/apple-internals
  24. 0xdevalias revised this gist May 11, 2024. 1 changed file with 5 additions and 0 deletions.
    5 changes: 5 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -157,6 +157,11 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    > The debugger plugin is shipped with Binary Ninja. It is open-source under an Apache License 2.0. Bug reports and pull requests are welcome!
    - https://github.com/Vector35/debugger
    - > Binary Ninja debugger
    - https://docs.binary.ninja/dev/bnil-overview.html
    - > Binary Ninja Intermediate Language: Overview
    - https://docs.binary.ninja/dev/bnil-overview.html#reading-il
    - > Reading IL
    > All of the various ILs (with the exception of the SSA forms) are intended to be easily human-readable and look much like pseudo-code. There is some shorthand notation that is used throughout the ILs, though, explained below
    - https://docs.binary.ninja/dev/uidf.html
    - > User Informed Data Flow
    > Binary Ninja now implements User-Informed DataFlow (UIDF) to improve the static reverse engineering experience of our users. This feature allows users to set the value of a variable and have the internal dataflow engine propagate it through the control-flow graph of the function. Besides constant values, Binary Ninja supports various PossibleValueSet states as containers to help inform complex variable values.
  25. 0xdevalias revised this gist May 11, 2024. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -193,6 +193,12 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > GCC/Clang RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/4959
    - > Incorrect `typeinfo_name_for` definitions in mach-o binaries
    - https://github.com/Vector35/official-plugins
    - > Official Binary Ninja Plugins
    - https://github.com/Vector35/community-plugins
    - > Binary Ninja Community Plugins
    - https://github.com/Vector35/community-themes
    - > Binary Ninja Community Themes
    - https://www.youtube.com/@Vector35
    - https://www.youtube.com/playlist?list=PLCVV6Y9LmwOgqqT5obf0OmN9fp5495bLr
    - > Binary Ninja Basics
  26. 0xdevalias revised this gist May 3, 2024. 1 changed file with 9 additions and 7 deletions.
    16 changes: 9 additions & 7 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -859,11 +859,13 @@ be located next to this file.
    - [Reverse Engineering Golang (0xdevalias' gist)](https://gist.github.com/0xdevalias/4e430914124c3fd2c51cb7ac2801acba#reverse-engineering-golang)
    - [GitHub Copilot CLI API (0xdevalias' gist)](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#github-copilot-cli-api)
    - [Decompilation Outputs](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#decompilation-outputs)
    - [Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias gist)](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code)
    - [Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias gist)](https://gist.github.com/0xdevalias/31c6574891db3e36f15069b859065267#fingerprinting-minified-javascript-libraries--ast-fingerprinting--source-code-similarity--etc)
    - [Reverse Engineering Webpack Apps (0xdevalias gist)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps)
    - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component)
    - https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts.
    - [Reverse engineering ChatGPT's frontend web app + deep dive explorations of the code (0xdevalias' gist)](https://gist.github.com/0xdevalias/4ac297ee3f794c17d0997b4673a2f160#reverse-engineering-chatgpts-frontend-web-app--deep-dive-explorations-of-the-code)
    - [Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias' gist)](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code)
    - [Reverse Engineering Webpack Apps (0xdevalias' gist)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps)
    - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias' gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component)
    - [React Server Components, Next.js v13+, and Webpack: Notes on Streaming Wire Format (`__next_f`, etc) (0xdevalias' gist))](https://gist.github.com/0xdevalias/ac465fb2f7e6fded183c2a4273d21e61#react-server-components-nextjs-v13-and-webpack-notes-on-streaming-wire-format-__next_f-etc)
    - [Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias' gist)](https://gist.github.com/0xdevalias/31c6574891db3e36f15069b859065267#fingerprinting-minified-javascript-libraries--ast-fingerprinting--source-code-similarity--etc)
    - [Bypassing Cloudflare, Akamai, etc (0xdevalias' gist)](https://gist.github.com/0xdevalias/b34feb567bd50b37161293694066dd53#bypassing-cloudflare-akamai-etc)
    - [Debugging Electron Apps (and related memory issues) (0xdevalias gist)](https://gist.github.com/0xdevalias/428e56a146e3c09ec129ee58584583ba#debugging-electron-apps-and-related-memory-issues)
    - [Reverse engineering ChatGPT's frontend web app + deep dive explorations of the code (0xdevalias gist)](https://gist.github.com/0xdevalias/4ac297ee3f794c17d0997b4673a2f160#reverse-engineering-chatgpts-frontend-web-app--deep-dive-explorations-of-the-code)
    - https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts.
    - [devalias' Beeper CSS Hacks (0xdevalias gist)](https://gist.github.com/0xdevalias/3d2f5a861335cc1277b21a29d1285cfe#beeper-custom-theme-styles)
    - [devalias' Beeper CSS Hacks (0xdevalias' gist)](https://gist.github.com/0xdevalias/3d2f5a861335cc1277b21a29d1285cfe#beeper-custom-theme-styles)
  27. 0xdevalias revised this gist Apr 30, 2024. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -860,6 +860,7 @@ be located next to this file.
    - [GitHub Copilot CLI API (0xdevalias' gist)](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#github-copilot-cli-api)
    - [Decompilation Outputs](https://gist.github.com/0xdevalias/420657a20dfa17536205e5cb4dfef609#decompilation-outputs)
    - [Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias gist)](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code)
    - [Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias gist)](https://gist.github.com/0xdevalias/31c6574891db3e36f15069b859065267#fingerprinting-minified-javascript-libraries--ast-fingerprinting--source-code-similarity--etc)
    - [Reverse Engineering Webpack Apps (0xdevalias gist)](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps)
    - [Reverse Engineered Webpack Tailwind-Styled-Component (0xdevalias gist)](https://gist.github.com/0xdevalias/916e4ababd3cb5e3470b07a024cf3125#reverse-engineered-webpack-tailwind-styled-component)
    - [Debugging Electron Apps (and related memory issues) (0xdevalias gist)](https://gist.github.com/0xdevalias/428e56a146e3c09ec129ee58584583ba#debugging-electron-apps-and-related-memory-issues)
  28. 0xdevalias revised this gist Apr 11, 2024. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -143,6 +143,8 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/
    - > Devirtualizing C++ with Binary Ninja
    - https://github.com/trailofbits/binjascripts/tree/master/vtable-navigator
    - https://gist.github.com/joshwatson/661d763f35f545bb6ee0f37731a79ec7#file-vtable-navigator-py
    - > Binary Ninja IL Example: Navigating to a Virtual Function Based on an Indirect Call
    - https://docs.binary.ninja/guide/objectivec.html
    - > Objective-C (Beta)
    > Recent version of Binary Ninja ship with an additional plugin for assisting with Objective-C analysis. It provides both a workflow and a plugin command for enhancing Objective-C binary analysis.
  29. 0xdevalias revised this gist Apr 11, 2024. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -140,6 +140,9 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    > Virtual functions are implemented by compilers using a virtual function table structure that is pointed to by instances of the class. The layout of these structures is compiler dependent, so when reverse engineering a C++ binary these structures must be created to match the in-memory layout used by the binary.
    >
    > One of the most common tasks when reversing a C++ binary is discovering which functions a virtual function call can resolve to. Binary Ninja provides a "propagate data variable references" option in the Create Structure dialog to help with this. When this is enabled, pointers found in the data section that are part of any instance of the structure will be considered as cross references of the structure field itself. This allows you to click on the name of a virtual function and see which functions it can potentially call in the cross references view.
    - https://blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/
    - > Devirtualizing C++ with Binary Ninja
    - https://github.com/trailofbits/binjascripts/tree/master/vtable-navigator
    - https://docs.binary.ninja/guide/objectivec.html
    - > Objective-C (Beta)
    > Recent version of Binary Ninja ship with an additional plugin for assisting with Objective-C analysis. It provides both a workflow and a plugin command for enhancing Objective-C binary analysis.
  30. 0xdevalias revised this gist Apr 11, 2024. 1 changed file with 11 additions and 0 deletions.
    11 changes: 11 additions & 0 deletions reverse-engineering-macos.md
    View file
    Original file line number Diff line number Diff line change
    @@ -178,6 +178,16 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - > macOS Type Libraries
    - https://github.com/Vector35/binaryninja-api/issues/2736
    - > iOS Type Libraries
    - https://github.com/Vector35/binaryninja-api/issues/3017
    - > Show vtable function calls as normal function call
    - https://github.com/Vector35/binaryninja-api/issues/3017#issuecomment-1694528273
    - > With the addition of `__data_var_refs` (see: [C++ Types user docs](https://docs.binary.ninja/guide/cpp.html#defining-a-virtual-function-table)) this is effectively solved. The next step is to automate the parsing and symbolizing of both MSVC ([#3930](https://github.com/Vector35/binaryninja-api/issues/3930)) and Itanium RTTI ([#3857](https://github.com/Vector35/binaryninja-api/issues/3857)).
    - https://github.com/Vector35/binaryninja-api/issues/3930
    - > MSVC RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/3857
    - > GCC/Clang RTTI analysis
    - https://github.com/Vector35/binaryninja-api/issues/4959
    - > Incorrect `typeinfo_name_for` definitions in mach-o binaries
    - https://www.youtube.com/@Vector35
    - https://www.youtube.com/playlist?list=PLCVV6Y9LmwOgqqT5obf0OmN9fp5495bLr
    - > Binary Ninja Basics
    @@ -381,6 +391,7 @@ Some notes, tools, and techniques for reverse engineering macOS binaries.
    - https://docs.binary.ninja/guide/cpp.html#virtual-function-tables
    - > Virtual Function Tables
    > Virtual functions are implemented by compilers using a virtual function table structure that is pointed to by instances of the class. The layout of these structures is compiler dependent, so when reverse engineering a C++ binary these structures must be created to match the in-memory layout used by the binary.
    - https://clang.llvm.org/doxygen/VTableBuilder_8cpp_source.html
    - https://shaharmike.com/cpp/
    - https://shaharmike.com/cpp/vtable-part1/
    - > C++ vtables - Part 1 - Basics