Malimite – iOS and macOS Decompiler (opens in new tab)

(github.com)

241 pointstW4r1y ago36 comments

36 comments

Hi everyone, I'm the creator of Malimite. I actually released this as part of a conference talk at Objective By the Sea, which you can see here:

https://youtu.be/vWdKjVCZtTI

It gives a good overview of the development process as well as my motivations for creating it. The tool will also be on homebrew shortly :)

miki1232111y ago

Hi, is there any hope of getting Malimite to decompile libs from the Dyld cache?

Figuring out how an API works is one of the most important RE use cases, at least on Mac OS, where private APIs are still somewhat usable.

jamal-kumar1y ago

this is super cool thanks

running out of phone data in the middle of something important, the worst hahahaha

adeon1y ago

Starting this year I started learning bunch of security topics and Ghidra is something I started learning. I decompiled some games and getting comfortable how to work a project, teach Ghidra structures etc.

Am I right in looking at Malimite here and reading "Built on top of Ghidra decompilation to offer direct support for Swift, Objective-C, and Apple resources." that this is not a Ghidra extension but rather it is using a piece of Ghidra (the decompilation) like a backend? Malimite here is presented as its own piece of software.

Asking as a Ghidra noob who doesn't know all the ways Ghidra can be used: Would it make sense for something like this to be a Ghidra extension instead? I.e. give Ghidra some tooling/plugin to understand iOS apps or their languages better, instead of a new app that just uses parts of Ghidra. Also the Malimite screenshot in the page looks similar to Ghidra CodeBrowser tool.

Asking because it feels like it could be: from the little I've used Ghidra so far, looks like it is designed to be extendable, scriptable, usable by a team collaborating, etc. And Ghidra seems more holistic than just focusing on decompiling code.

lauriewired1y ago

It might be better to think of Malimite as "JADX but for iOS/Mac".

(JADX is a very popular Android decompiler)

Ghidra is quite limiting, and the workflow makes iOS reverse engineering quite cumbersome.

Malimite is intended to have a swappable back-end, so theoretically compilers other than Ghidra can be used in the future.

ghostpepper1y ago

What parts of ghidra do you find most limiting? I thought it was supposed to be "almost as good" as IDA in terms of features, if not UX polish.

1 more reply

evanjrowley1y ago

LaurieWired's YouTube channel is pretty good. It features many quality deep dives on super nerdy topics. https://www.youtube.com/@lauriewired

kkarakk1y ago

wow, is that a voice filter? or is she really doing a baby voice?

brabel1y ago

Oh come'on, her voice is totally fine. She's a really good presenter and produces interesting, fairly advanced content in an accessible, entertaining way. I think criticizing her for something she can't change like this is extremely impolite.

lauriewired1y ago

That's just my natural speaking voice. I'm a small person, and everyone sounds different.

I'd be happy to focus on the tool, or the content of the channel, rather than how I sound.

ghoulishly1y ago

That’s a rude thing to say to a stranger; her voice is perfectly fine.

wiseowise1y ago

Do you also comment like that on every man’s channel that you watch?

saagarjha1y ago

(This is LLM-powered and based on Ghidra, fwiw)

lauriewired1y ago

It’s more like LLM-optional.

Malimite is first and foremost intended to be a tool to help Reverse Engineer iOS/Mac binaries, much like JADX for Android.

As it turns out, LLMs are quite good at “converting” C-Pseudocode into an approximation of the original Swift or Objective-C code. Therefore, you can optionally use the LLM extension to help analysis.

Of course, it’s not 100% accurate, but significantly easier to read, and I find it to save hours of manual research.

rgovostes1y ago

The prompts used are in this file: https://github.com/LaurieWired/Malimite/blob/main/src/main/j...

LeoPanthera1y ago

Who would have guessed just a few years ago that the final programming language would be English.

2 more replies

saagarjha1y ago

Kind of amused she uses raw format strings to generate JSON

zombot1y ago

Yea, and I want my decompiler to be deterministic, so LLM stuff is a no-no.

commandersaki1y ago

This is all well and good, but at least for iOS my understanding is you cannot decompile unless you have a jailbroken iPhone or security research device. Makes things a bit difficult.

surlyville1y ago

Jailbreak not required. I use TrollStore/TrollDecrypt but I'm sure there are other methods.

judge20201y ago

For reference, it's possible because of a AMFI/CoreTrust bug in older iOS:

https://github.com/opa334/TrollStore/blob/main/README.md

> It works because of an AMFI/CoreTrust bug where iOS does not correctly verify code signatures of binaries in which there are multiple signers.

> Supported versions: 14.0 beta 2 - 16.6.1, 16.7 RC (20H18), 17.0

This seemed to happen because they didn't have time to release 17 with the bug fixed, which is why 16.7 Final is not supported; per https://x.com/MasterMike88/status/1743974453459956209

stuckkeys1y ago

This is nice. What is the approach like to extracting ipa files that are already installed on the devices? Is it doable without jail break?

gondo1y ago

but how can one get IPA file to start with?

anxixddjs1y ago

this is pretty cool wonder how long till apple files a complaint to gh

msephton1y ago

On what grounds could they complain?

msk-lywenn1y ago

Isn't decompiling illegal in the US?

2 more replies

j / k navigate · click thread line to collapse

36 comments

lauriewired1y ago

Hi everyone, I'm the creator of Malimite. I actually released this as part of a conference talk at Objective By the Sea, which you can see here:

https://youtu.be/vWdKjVCZtTI

It gives a good overview of the development process as well as my motivations for creating it. The tool will also be on homebrew shortly :)

miki1232111y ago

Hi, is there any hope of getting Malimite to decompile libs from the Dyld cache?

Figuring out how an API works is one of the most important RE use cases, at least on Mac OS, where private APIs are still somewhat usable.

jamal-kumar1y ago

this is super cool thanks

running out of phone data in the middle of something important, the worst hahahaha

adeon1y ago

lauriewired1y ago

It might be better to think of Malimite as "JADX but for iOS/Mac".

(JADX is a very popular Android decompiler)

Ghidra is quite limiting, and the workflow makes iOS reverse engineering quite cumbersome.

Malimite is intended to have a swappable back-end, so theoretically compilers other than Ghidra can be used in the future.

ghostpepper1y ago

What parts of ghidra do you find most limiting? I thought it was supposed to be "almost as good" as IDA in terms of features, if not UX polish.

1 more reply

evanjrowley1y ago

LaurieWired's YouTube channel is pretty good. It features many quality deep dives on super nerdy topics. https://www.youtube.com/@lauriewired

kkarakk1y ago

wow, is that a voice filter? or is she really doing a baby voice?

brabel1y ago

lauriewired1y ago

That's just my natural speaking voice. I'm a small person, and everyone sounds different.

I'd be happy to focus on the tool, or the content of the channel, rather than how I sound.

ghoulishly1y ago

That’s a rude thing to say to a stranger; her voice is perfectly fine.

wiseowise1y ago

Do you also comment like that on every man’s channel that you watch?

saagarjha1y ago

(This is LLM-powered and based on Ghidra, fwiw)

lauriewired1y ago

It’s more like LLM-optional.

Malimite is first and foremost intended to be a tool to help Reverse Engineer iOS/Mac binaries, much like JADX for Android.

Of course, it’s not 100% accurate, but significantly easier to read, and I find it to save hours of manual research.

rgovostes1y ago

The prompts used are in this file: https://github.com/LaurieWired/Malimite/blob/main/src/main/j...

LeoPanthera1y ago

Who would have guessed just a few years ago that the final programming language would be English.

2 more replies

saagarjha1y ago

Kind of amused she uses raw format strings to generate JSON

zombot1y ago

Yea, and I want my decompiler to be deterministic, so LLM stuff is a no-no.

commandersaki1y ago

This is all well and good, but at least for iOS my understanding is you cannot decompile unless you have a jailbroken iPhone or security research device. Makes things a bit difficult.

surlyville1y ago

Jailbreak not required. I use TrollStore/TrollDecrypt but I'm sure there are other methods.

judge20201y ago

For reference, it's possible because of a AMFI/CoreTrust bug in older iOS:

https://github.com/opa334/TrollStore/blob/main/README.md

> It works because of an AMFI/CoreTrust bug where iOS does not correctly verify code signatures of binaries in which there are multiple signers.

> Supported versions: 14.0 beta 2 - 16.6.1, 16.7 RC (20H18), 17.0

This seemed to happen because they didn't have time to release 17 with the bug fixed, which is why 16.7 Final is not supported; per https://x.com/MasterMike88/status/1743974453459956209

stuckkeys1y ago

This is nice. What is the approach like to extracting ipa files that are already installed on the devices? Is it doable without jail break?

gondo1y ago

but how can one get IPA file to start with?

anxixddjs1y ago

this is pretty cool wonder how long till apple files a complaint to gh

msephton1y ago

On what grounds could they complain?

msk-lywenn1y ago

Isn't decompiling illegal in the US?

2 more replies

j / k navigate · click thread line to collapse