; in: THE 'END
; (THE 'END)
;
; caught ERROR:
; Error while parsing arguments to special operator THE:
; too few elements in
; ('END)
; to satisfy lambda list
; (VALUE-TYPE FORM):
; exactly 2 expected, but got 1
Hi everyone, I'm the creator of Malimite. I actually released this as part of a conference talk at Objective By the Sea, which you can see here:
https://youtu.be/vWdKjVCZtTI
It gives a good overview of the development process as well as my motivations for creating it. The tool will also be on homebrew shortly :)
Hi, is there any hope of getting Malimite to decompile libs from the Dyld cache?
Figuring out how an API works is one of the most important RE use cases, at least on Mac OS, where private APIs are still somewhat usable.
Starting this year I started learning a bunch of security topics, and Ghidra is something I started learning. I decompiled some games and am getting comfortable with how to work a project, teach Ghidra structures, etc.
Am I right in looking at Malimite here and reading "Built on top of Ghidra decompilation to offer direct support for Swift, Objective-C, and Apple resources." that this is not a Ghidra extension but rather it is using a piece of Ghidra (the decompilation) like a backend? Malimite here is presented as its own piece of software.
Asking as a Ghidra noob who doesn't know all the ways Ghidra can be used: Would it make sense for something like this to be a Ghidra extension instead? I.e. give Ghidra some tooling/plugin to understand iOS apps or their languages better, instead of a new app that just uses parts of Ghidra. Also the Malimite screenshot in the page looks similar to Ghidra CodeBrowser tool.
Asking because it feels like it could be: from the little I've used Ghidra so far, looks like it is designed to be extendable, scriptable, usable by a team collaborating, etc. And Ghidra seems more holistic than just focusing on decompiling code.
It might be better to think of Malimite as "JADX but for iOS/Mac".
(JADX is a very popular Android decompiler)
Ghidra is quite limiting, and the workflow makes iOS reverse engineering quite cumbersome.
Malimite is intended to have a swappable back-end, so theoretically compilers other than Ghidra can be used in the future.
What parts of Ghidra do you find most limiting? I thought it was supposed to be "almost as good" as IDA in terms of features, if not UX polish.
Ghidra is very feature-rich for code decompilation, however it doesn't handle dropping in an entire application bundle; only single executables.
Apple application files are special, bundling up resources and (potentially multiple) executables into the same package.
Many of these resource files are important for analysis, but have custom encodings by Apple. Malimite "digests" this information into a logical way.
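As an added illustration of the bundle problem described in this reply (example code written for this thread, not Malimite's own): a small Python script that walks a constructed Demo.app and labels each file by its on-disk magic bytes rather than its filename, which is the first step a bundle-aware tool has to take before handing individual executables to a decompiler. The bundle layout and contents are constructed stand-ins, not a real application.

```python
import os
import plistlib
import tempfile

# On-disk magic numbers from <mach-o/loader.h> and <mach-o/fat.h>. Mach-O headers
# are written in the CPU's byte order (little-endian on arm64 and x86_64), so
# MH_MAGIC_64 0xFEEDFACF appears as CF FA ED FE; fat headers are always big-endian.
MAGICS = {
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit",
    b"\xce\xfa\xed\xfe": "mach-o 32-bit",
    b"\xca\xfe\xba\xbe": "fat/universal",  # caveat: Java .class files share this magic
}


def classify(path):
    """Label a file by its leading bytes rather than its name or extension."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head[:4] in MAGICS:
        return MAGICS[head[:4]]
    if head.startswith(b"bplist00"):
        return "binary plist"
    return "other"


def inventory(bundle_dir):
    """Walk a bundle and map each file (path relative to the bundle) to its label."""
    found = {}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            full = os.path.join(root, name)
            found[os.path.relpath(full, bundle_dir)] = classify(full)
    return found


def make_sample_bundle():
    """Constructed Demo.app (not a real app): header-only stand-ins for the executables."""
    base = tempfile.mkdtemp()
    contents = os.path.join(base, "Demo.app", "Contents")
    os.makedirs(os.path.join(contents, "MacOS"))
    os.makedirs(os.path.join(contents, "Frameworks", "Helper.framework"))
    os.makedirs(os.path.join(contents, "Resources"))
    with open(os.path.join(contents, "MacOS", "Demo"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # main executable
    with open(os.path.join(contents, "Frameworks", "Helper.framework", "Helper"), "wb") as f:
        f.write(b"\xca\xfe\xba\xbe" + b"\0" * 28)  # bundled universal library
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Demo"}, f, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(contents, "Resources", "notes.txt"), "w") as f:
        f.write("plain resource file")
    return os.path.join(base, "Demo.app")


if __name__ == "__main__":
    for rel, kind in sorted(inventory(make_sample_bundle()).items()):
        print(f"{kind:16} {rel}")
```

A real bundle can hold many more executables (XPC services, app extensions, plug-ins), which is exactly why a single-binary loader misses most of the picture.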
Thanks for the two replies; they make a lot of sense to me. It's hard for someone who is just starting out to find information on the "workflow" side of things, what kind of tools people use and so on in my early journey into reverse engineering, so right now I assume I'm somewhat blind to deficiencies in some tools I've tried so far.
Before Ghidra, I had been looking around the /r/reverseengineering subreddit and random Google searches to find what kind of tools people work with and how reverse engineering work goes in general, and I'm happy there are a lot of blog posts that describe reverse engineering some project or other.
Found a few things like "binwalk" to inspect a random binary for structure (apparently it was rewritten in Rust recently, and I'm not totally sure it's actually better (yet) than the slower older Python version, also called "binwalk"). Also learned things like setting up mitmproxy (and how to script it in Python); I was able to get my entire home network through a Synology NAS with an iptables+mitmproxy setup I'm abusing as a firewall and as an inspection tool. On Linux specifically I learned some basics of seccomp() and the existence of qemu emulation, and thought I might try some kind of "behavioral inspection" of untrusted binaries at some point with these or similar tools.
And on top of that, I learned about cryptography at a deeper level. I think my entire interest this year started from me and my friend getting fed up with VSCode Live Share bugs and quirks (I do code teaching), doing research on alternatives, finding an alternative VSCode extension that seemed sketchy and then wanting to learn how to "security audit" the thing. Ended up deobfuscating the JavaScript, reading its crypto, learning a lot about historical attacks on crypto and what the typical kind of mistake is: AES-GCM misuse (IIRC it affected other AEAD schemes too, Invisible Salamanders), SHA length extension attacks, canonicalization attacks, re-using nonces in a scheme where that's really bad to do (AES-GCM again was my context, but I think it applied to stream ciphers in general that take a nonce), the PS3 mess-up with their private keys, the Signal double ratchet thing, legal basics of how much risk you take on in reverse engineering against uncooperative companies (EFF had guides on the legal side of it), and so on. Important to my security audit thing, but also if I ever have to "roll some crypto" and not make it totally amateur crap that breaks immediately when an actually competent cryptographer sees it and laughs at it.
Soooo many tools and things to learn. The above is just what I happened to remember off the top of my head. I don't intend to become some superhacker, but I want to be able to do some basic "sketchiness" check on applications I don't trust.
I looked at pictures off the Internet of the JADX tool, and yeah, it clearly has a bit of a different focus than Ghidra itself, and now Malimite makes a whole lot more sense as its own tool. While I thought Ghidra is mind-blowing (maybe a noob's first impression and it isn't actually that amazing :) it definitely is also ugly and a bit heavy), there seems to be a rich set of tools to use.
My targets in reverse engineering are not currently any mobile apps or macOS apps, my interests right now are elsewhere, but your Malimite tool here entered my notes to check out for iOS/macOS app decompilation if that comes up. I was already aware of the macOS .app structure; I've messed with them but not in any sophisticated reverse engineering sense. There's a video game called Don't Starve, for example, that contains a .zip file with lots of .lua code inside that is just readable as-is, not much effort or special tooling required.
Also, technically you are the first human I've asked a question on reverse engineering (learned of the existence of JADX and a richer ecosystem of tools) and got an answer, so I got happy for a sort-of "did first human interaction on a reverse engineering topic" achievement, even if it was just baby steps.
LaurieWired's YouTube channel is pretty good. It features many quality deep dives on super nerdy topics. https://www.youtube.com/@lauriewired
wow, is that a voice filter? or is she really doing a baby voice?
That's just my natural speaking voice. I'm a small person, and everyone sounds different.
I'd be happy to focus on the tool, or the content of the channel, rather than how I sound.
Oh, come on, her voice is totally fine. She's a really good presenter and produces interesting, fairly advanced content in an accessible, entertaining way. I think criticizing her for something she can't change like this is extremely impolite.
That’s a rude thing to say to a stranger; her voice is perfectly fine.
Do you also comment like that on every man’s channel that you watch?
(This is LLM-powered and based on Ghidra, fwiw)
It’s more like LLM-optional.
Malimite is first and foremost intended to be a tool to help Reverse Engineer iOS/Mac binaries, much like JADX for Android.
As it turns out, LLMs are quite good at “converting” C-Pseudocode into an approximation of the original Swift or Objective-C code. Therefore, you can optionally use the LLM extension to help analysis.
Of course, it’s not 100% accurate, but significantly easier to read, and I find it to save hours of manual research.
The prompts used are in this file: https://github.com/LaurieWired/Malimite/blob/main/src/main/j...
Who would have guessed just a few years ago that the final programming language would be English.
In the 1980s/early 1990s when HyperCard was king, that would have made sense. And in the late 1990s/early 2000s when Applescript was a thing people cared about, too. But yes, for the last twenty years or so, English-like programming languages weren't the thing.
The last trump has not sounded just yet. The day of judgement is still not quite at hand. It is - for now - still all to play for.
(in (the 'end) (will (speak we) lisp))
Kind of amused she uses raw format strings to generate JSON
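To show what that comment is getting at, an added Python example (not Malimite's code; the request shape with "role" and "content" is an assumed stand-in for whatever the real prompt file sends): the same LLM request built with a format string and with a JSON serializer, fed constructed decompiler output. The format-string version passes on simple input and breaks as soon as the pseudocode contains a quote or newline, and a quote also lets untrusted content close the string and add fields of its own.

```python
import json


def build_request_unsafe(pseudocode):
    """JSON assembled with a format string: the pattern the comment refers to."""
    return '{"role": "user", "content": "%s"}' % pseudocode


def build_request_safe(pseudocode):
    """Same payload through the serializer, which escapes quotes, backslashes, newlines."""
    return json.dumps({"role": "user", "content": pseudocode})


def content_survives(builder, pseudocode):
    """True if the request parses as JSON and carries the pseudocode back unchanged."""
    try:
        return json.loads(builder(pseudocode))["content"] == pseudocode
    except (json.JSONDecodeError, KeyError, TypeError):
        return False


# Constructed decompiler output. Quotes and a raw newline are routine in
# pseudocode, and both are illegal inside an unescaped JSON string. A quote in
# content the tool did not write is also where an injected extra field would start.
SIMPLE = "return x + 1;"
TRICKY = 'printf("%d\\n", x);\n'

if __name__ == "__main__":
    for name, builder in (("format string", build_request_unsafe), ("json.dumps", build_request_safe)):
        for label, sample in (("simple", SIMPLE), ("tricky", TRICKY)):
            print(f"{name:14} {label}: {'ok' if content_survives(builder, sample) else 'BROKEN'}")
```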
Yea, and I want my decompiler to be deterministic, so LLM stuff is a no-no.
This is all well and good, but at least for iOS my understanding is you cannot decompile unless you have a jailbroken iPhone or security research device. Makes things a bit difficult.
Jailbreak not required. I use TrollStore/TrollDecrypt but I'm sure there are other methods.
For reference, it's possible because of an AMFI/CoreTrust bug in older iOS:
https://github.com/opa334/TrollStore/blob/main/README.md
> It works because of an AMFI/CoreTrust bug where iOS does not correctly verify code signatures of binaries in which there are multiple signers.
> Supported versions: 14.0 beta 2 - 16.6.1, 16.7 RC (20H18), 17.0
This seemed to happen because they didn't have time to release 17 with the bug fixed, which is why 16.7 Final is not supported; per https://x.com/MasterMike88/status/1743974453459956209
But how can one get an IPA file to start with?
This is nice. What is the approach like to extracting ipa files that are already installed on the devices? Is it doable without jailbreak?
This is pretty cool; wonder how long till Apple files a complaint to GH.
On what grounds could they complain?
Isn't decompiling illegal in the US?
It's usually against EULA, but that has nothing to do with the law, no?
But is it illegal to provide tools for decompilation? As in shooting people is illegal, but selling guns is not.
Shooting people is not illegal in the US -- I'm not sure this is the best analogy or there will be huge limitations when discussing decompilation efforts.
Plenty of people are shot or killed lawfully with firearms.
I doubt that will happen for a tool with an arbitrary use case of assisting in research; however, some projects related to reverse-engineering have been censored under the DMCA takedown regime.