Jan 20, 2025
Recently I ran into a headache of Out-Of-Memory errors when using Binary Ninja. Specifically, this was in relation to disassembling a Mach-O aarch64 binary from an iOS app grabbed from decrypt.day.
Usually I have more than enough memory on my analysis host (64GB), but this time I didn’t. And that sucked.
By breaking the work out into the separate steps below, you can achieve somewhere in the range of an additional ~10GB of headroom, which may make all the difference.
If you are working in Debian/Ubuntu over RDP, mutter will yell at you near constantly that “This app is not responding do you wanna kill it or wait” and keep popping up the dialog over and over, stealing away window control. I disabled the check-alive entirely with
gsettings set org.gnome.mutter check-alive-timeout 0
to make it shut up forever. My box is hung when I say it’s hung.
From the base Binja UI, open the Python console and enter the following:
# Set Analysis to simple control flow
Settings().set_string("triage.analysisMode", "controlFlow")
# Disable Linear sweep
Settings().set_string("triage.linearSweep", "none")
Select File -> Open for Triage (Ctrl + Alt + O) and open the relevant file.
Let it do its thing, load the symbols etc… this will take far less memory.
Again in the Python console:
# Do not bloat the bndb database (sqlite)
Settings().set_bool("analysis.database.purgeSnapshots", True)
# Create a default SaveSettings object for the save call
settings = SaveSettings()
# Save the analysis database, with purge settings included
bv.create_database(f"{bv.file.filename}.bndb", None, settings)
This will ensure that for any future saves / OOM hangs your precious memory is not wasted on caching unused snapshots in the bndb.
Open a system monitoring tool that can view memory allocations then close the Binja app. The window will disappear instantly, but as you will see it will take upwards of 3-4min for Binja to fully clean up after itself and free all the memory it had allocated.
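To script the wait described above instead of watching a monitor by hand, here is an added example (not part of the original post) that polls /proc until Binja has exited and its memory is released. It assumes a Linux host and that the process is named binaryninja; the function names are illustrative.

```python
import os
import time

PROC_NAME = "binaryninja"  # assumption: name of the Binja executable on Linux


def parse_status(text):
    """Return (process name, resident KiB) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.strip()
    # Zombies and kernel threads have no VmRSS line; count them as 0.
    rss_kib = int(fields.get("VmRSS", "0 kB").split()[0])
    return fields.get("Name", ""), rss_kib


def binja_rss_kib(proc_root="/proc", name=PROC_NAME):
    """Total resident KiB of matching processes, or None if none exist."""
    total, found = 0, False
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                pname, rss_kib = parse_status(fh.read())
        except OSError:  # process exited between listdir() and open()
            continue
        if pname == name:
            total, found = total + rss_kib, True
    return total if found else None


def wait_for_exit(poll=5.0, timeout=600.0, probe=binja_rss_kib, sleep=time.sleep):
    """Poll until the process is gone; return the RSS samples seen (KiB)."""
    samples, waited = [], 0.0
    while (rss_kib := probe()) is not None:
        if waited >= timeout:
            raise TimeoutError(f"{PROC_NAME} still holds {rss_kib} KiB")
        samples.append(rss_kib)
        print(f"{PROC_NAME} still resident: {rss_kib / 1048576:.1f} GiB")
        sleep(poll)
        waited += poll
    return samples


if __name__ == "__main__":
    wait_for_exit()
    print("memory released, safe to reopen the .bndb")
```

Run it in a terminal right after closing the Binja window; it returns once the process has fully gone away.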
Re-open Binja, select to open the previously saved .bndb, and wait for the quick analysis to kick in.
Symbols etc… will have been loaded and disassembly will be enabled, but MLIL/HLIL will not yet be analyzed. You can now selectively browse the binary and click to enable “Full analysis” on select functions where needed.
Sharing is caring!