
Vector 35
2.3K posts

Vector 35
@vector35
Makers of the Binary Ninja - Reverse Engineering Platform. https://t.co/opkys50srq Also posting at https://t.co/2HEfgOtSSR
Melbourne, FL Katılım Ocak 2015
2K Takip Edilen10.2K Takipçiler
Sabitlenmiş Tweet

Binary Ninja 5.3 (Jotunheim) is released: binary.ninja/2026/04/13/bin…
Major highlights: NDS32 support, AArch64 ILP32 ABI, new Universal MachO UI, command palette upgrade, new type library helpers, ghidra export, updated IDB import, HW and conditional breakpoints, and much more!
English

Great writeup!
YungBinary@YungBinary
New blog is out! Digging into an obfuscating compiler used in building EKZ Stealer, a CLI-based infostealer delivered after a Fortinet vulnerability was exploited. We deobfuscate it in #BinaryNinja Workflows by replacing IL expressions - solving opaque predicates, indirect jumps/calls, and control‑flow flattening, all without patching a single byte 😎 esentire.com/blog/fortinet-…
English

We are live! Tune in now for a walkthrough of @Zenyard_ai + Binary Ninja on a real target! We’re covering whole-binary analysis, file-wide renaming, multi-file analysis, and asking grounded agent questions with full-binary context. youtube.com/live/JG15oxrWg…

YouTube
English
Vector 35 retweetledi

Zenyard is coming to Binary Ninja. 🥷
Binary Ninja has become home to some of the most innovative researchers in the space and it was just a matter of time before we launched here.
Kyle Martin from @vector35 , Yuval Luria and Ziv Brandstein from Zenyard on June 24th for a live stream.
We'll show the full workflow on a real target: whole-binary analysis, renaming across the entire file, multi-file analysis and asking the agent questions grounded in full-binary understanding.
👉 youtube.com/live/JG15oxrWg…

YouTube

English

@L0Psec Good catch! We actually forgot to file an issue to track the feature, so added in: github.com/Vector35/binar…
English

Join us live on June 24th at 1pm ET as @Zenyard_ai launches with Binary Ninja! Zenyard’s AI reverse engineering assistant helps to analyze binaries faster and with greater accuracy. We'll be taking a deep dive into what makes Zenyard's integration stand out, have it rebuild Swift code for us, and have it reason about code-flows among multiple binaries. youtube.com/live/JG15oxrWg…

YouTube
English

Wake up binjas, new Binary Ninja 5.3.9757 stable just dropped. No functionality this time (head over to dev for that!) but lots of stability fixes for the appropriately named stable branch:
binary.ninja/2026/06/09/5.3…
English
Vector 35 retweetledi

@0x_nik0 @quarkslab I also created an architecture for binary ninja that actually properly shows functions and operations that in my opinion made it easier to see how the VM works. @vector35 has a really nice tool!
English

Xusheng is streaming live today at 2PM EST with @InvokeReversing! Tune in here: twitch.tv/InvokeReversing
Invoke RE@InvokeReversing
Join us at 2PM EST today for a live stream with Xusheng Li from @vector35 to go over new Time Travel Debugging functionality in Binary Ninja! twitch.tv/InvokeReversing
English

In Sidekick 26.0, Indexes give you a persistent work queue for reverse engineering! Create one from a BNQL query, then keep adding as you find more. Sidekick can also write to indexes during analysis. Later, use the index to filter down, pin what matters, and jump straight to each location. docs.sidekick.binary.ninja/guide/indexes.…

English

The Notebook in Sidekick 26.0 is where you turn chat work into something that sticks. It is a persistent workspace where you track analysis goals and record outcomes. Sidekick reads it as context in Chat, so it can build on what you already established across turns and sessions. docs.sidekick.binary.ninja/guide/notebook…

English

Semantic indexing in Sidekick 26.0 lets you search by what code does instead of what it is named. It builds a local vector index for your binary. Then concept() in BNQL or the Python API can surface matches for things like TLS handshake even when everything is still default named. The index stays local, no binary content goes to the cloud. docs.sidekick.binary.ninja/guide/semantic…

English

In Sidekick 26.0, Chat is where most binary analysis starts. Ask a question and Sidekick uses its tools to query the binary, then the thread builds as you dig deeper. The sidebar keeps it transparent. You get a thread list with live status, changes, findings, and any approvals waiting. Open a thread to see the full conversation plus grouped tool calls so you can audit what ran. docs.sidekick.binary.ninja/guide/chat.html

English

Sidekick 26.0 is out now! Major updates across the board plus a full refresh of the Sidekick website. New specialist agents, a validation agent that cross checks findings against evidence, project scoped workspaces with cross binary search, and built in skills tuned for Binary Ninja. Read about the latest release here: sidekick.binary.ninja/blog/sidekick-…
English

@bbetterengineer Well, _we_ certainly have a preference, but we're biased. :-)
0️⃣1️⃣🥷
English
Vector 35 retweetledi

Dear folks,
How are you doing?
I wanted to share with everyone the news that based on my most recent "When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com - Part Five" blog post - ddanchev.blogspot.com/2026/03/when-d… where I actually found several CWE flaws including a hardcoded decryption key in the actual encrypted file for a Conti Ransomware sample which I obtained from 2020 as I further continued pursuing my belief that this is the case with other related Conti Ransomware binaries today I came across to a second Conti Ransomware sample which is doing exactly the same namely storing the decryption key in the actual encrypted file where I'll soon summarize my findings and publish them.
Also for the record in my previous "When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com" - ddanchev.blogspot.com/2026/05/when-d… blog post series I also came across to a relatively interesting wrapper function called "Asshole".
“AssHole” wrapper purpose and mechanics
Literal marker: "AssHole" at 0x405558.
Alphabet used by transform: "0123456789abcdef" at 0x405544.
And.
Both send_data_to_c2 and recv_command_from_c2 incorporate "AssHole" directly into the transform pipeline:
On send: the outgoing buffer is combined with "AssHole" and passed through encode_obfuscated_hex_string (0x4024a0).
On receive: the received blob is combined with "AssHole" and passed through decode_obfuscated_hex_string (0x402620).
I'll continue pursuing my belief that this hardcoded decryption key mentality might be the case with other related Conti Ransomware samples and I'll soon publish my findings.
The more malware samples the merrier.
Special thanks to @vector35's BinaryNinja reverse engineering product and service of which I'm a proud user.
Thanks,
Dancho
English





