[adeon]

Starting this year I started learning bunch of security topics and Ghidra is something I started learning. I decompiled some games and getting comfortable how to work a project, teach Ghidra structures etc.

Am I right in looking at Malimite here and reading "Built on top of Ghidra decompilation to offer direct support for Swift, Objective-C, and Apple resources." that this is not a Ghidra extension but rather it is using a piece of Ghidra (the decompilation) like a backend? Malimite here is presented as its own piece of software.

Asking as a Ghidra noob who doesn't know all the ways Ghidra can be used: Would it make sense for something like this to be a Ghidra extension instead? I.e. give Ghidra some tooling/plugin to understand iOS apps or their languages better, instead of a new app that just uses parts of Ghidra. Also the Malimite screenshot in the page looks similar to Ghidra CodeBrowser tool.

Asking because it feels like it could be: from the little I've used Ghidra so far, looks like it is designed to be extendable, scriptable, usable by a team collaborating, etc. And Ghidra seems more holistic than just focusing on decompiling code.

[lauriewired]

It might be better to think of Malimite as "JADX but for iOS/Mac".

(JADX is a very popular Android decompiler)

Ghidra is quite limiting, and the workflow makes iOS reverse engineering quite cumbersome.

Malimite is intended to have a swappable back-end, so theoretically compilers other than Ghidra can be used in the future.

[ghostpepper]

What parts of ghidra do you find most limiting? I thought it was supposed to be "almost as good" as IDA in terms of features, if not UX polish.

[lauriewired]

Ghidra is very feature-rich for code decompilation, however it doesn't handle dropping in an entire application bundle; only single executables.

Apple application files are special, bundling up resources and (potentially multiple) executables into the same package.

Many of these resource files are important for analysis, but have custom encodings by Apple. Malimite "digests" this information into a logical way.

[adeon]

Thanks for for the two replies, the replies make a lot of sense to me. It's hard for someone who is just starting out to find information on the "workflow" side of things, what kind tools people use and in my early journey to reverse engineering, so right now I assume to be somewhat blind to deficiencies in some tools I've tried so far.

Before Ghidra, I had been looking around /r/reverseengineering reddit and random Google searches to find what kind of tools people work with and how a reverse engineering work goes in general, and I'm happy there's a lot of blog posts that describe a project reverse engineering some project this and that.

Found a few things like "binwalk" to inspect a random binary for structure (apparently it was rewritten in Rust recently and not totally sure it's actually better (yet) than their slower Python-written older version also called "binwalk"). Also learned things like setting up mitmproxy (and how to Python script it) I was able to get to my entire home network through a Synology NAS with an iptables+mitmproxy setup I'm abusing as a firewall and as an inspection tool. On Linux specifically I learned some basics of seccomp() and existence of qemu-emulation, thought I might try some kind of "behavioral inspection" of untrusted binaries at some point with these tools or similar to them.

And on top of that, learned about cryptography at a more deep level, I think my entire interest this year started from me and my friend getting fed up with VSCode live share bugs and quirks (I do code teaching), doing research on alternatives, finding an alternative VSCode extension that seemed sketchy and then wanting to learn how do I "security audit" the thing. Ended up deobfuscating the JavaScript, reading its crypto, learning a lot about historical attacks on crypto and what is the typical kind of mistake that happens, AES-GCM misuse (IIRC it affected other AEAD schemes too, Invisible Salamanders), SHA length extension attacks, canonicalization attacks, re-using nonces in a scheme where that's really bad to do (AES-GCM again was my context but I think it applied to stream ciphers in general that take a nonce), the PS3 mess up with their private keys, Signal double ratchet thing, legal basics how much risk you do in reverse engineering against uncooperative companies (EFF had guides on legal side of it), and so on. Important to my security audit thing but also if I have ever have to "roll some crypto" and not completely make it totally amateur crap that breaks immediately when an actually competent cryptographer sees it and laughs at it.

Soooo many tools and things to learn. The above is just what I happened to remember on top of my head. I don't intend to become some superhacker but I want to be able to do some basic "sketchiness" check on applications I don't trust.

I looked at pictures off the Internet on the JADX tool, and yeah it clearly has a bit of a focus than Ghidra itself, and now Malimite makes a whole lot more sense as its own tool. While I thought Ghidra is mind-blowing (maybe a noob's first impressions and it isn't actually that amazing :) it definitely is also ugly and a bit heavy) there seems to be a rich set of tools to use.

My targets on reverse engineering are not currently any mobile apps or macOS apps, I have my interests right now elsewhere, but your Malimite tool here entered my notes to check out for iOS/macOS app decompilation if that comes up. I was already aware of the macOS .app structure, I've messed with them but not in any sophisticated reverse engineering sense. There's a video game called Don't Starve for example that contains a .zip file with lots of .lua code inside that is just readable as-is, not much effort or special tooling required.

Also technically you are the first human I've asked a question on reverse engineering (learned of existence of JADX and a more rich ecosystem of tools) and got an answer so I got happy for a sort-of "did first human interaction on an reverse engineering topic" achievement, even if it was just baby steps.