I just pushed out #BinaryRefinery v0.8.24 which fixes all the issues I encountered during my recent live stream =D.

The main problems were caused by running an old version of pip in WSL, which caused an old version of LIEF to be installed, hence failing to parse executable formats. The 'solution' is to add a stricter version requirement for LIEF and improve the documentation to include a pip update.

Finally, I have finally fixed the annoying issue that I ran into on the stream with passing arguments to path extractor units that match a file on disk. Starting with v0.8.24, these arguments will no longer read file contents by default.

I will be doing a live stream [stream] later today, kindly hosted by the amazing Dr. Josh Stroschein! I will be using #BinaryRefinery to replicate an analysis that Josh previously presented [source], of a download chain going from exploit document all the way to the AgentTesla payload itself.

[stream]: https://www.youtube.com/live/HuLONk0Rt98
[source]: https://www.youtube.com/playlist?list=PLHJns8WZXCdvfqIp9m0kkjsbg9G8YWdSH

Unraveling a Multi-Stage Downloader with Binary Refinery - Guest Jesko Hüttenhain

If you use #BinaryRefinery for unpacking MSI or CAB files, I urge you to update to at least 0.8.18: I recently fixed a very subtle error in my LZX implementation which will make it so that your output is almost correct, with just a few incorrect bytes.

LZX is used for extracting certain CABs, which in turn is used for certain MSIs. The bug is in the x86 filter used by LZX where I treated an integer as unsigned when it needs to be interpreted as signed. I am indebted to a colleague of mine who shall remain anonymous for now for pointing out the erroneous output, this would have been fairly hard to catch otherwise.
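To illustrate the signedness point above, here is an added example (my own code, not Binary Refinery's implementation) of the LZX x86 E8 call de-translation as specified for LZX and implemented in libmspack: the 32-bit operand after each 0xE8 is a signed absolute target, and reading it as unsigned makes negative targets fail the range check, so a few bytes in the output come out wrong while everything else is intact. The frame, offsets and file size are constructed test values.

```python
import struct


def e8_untranslate(frame: bytes, frame_pos: int, filesize: int, signed: bool = True) -> bytes:
    """Undo the LZX x86 E8 call translation for one decoded frame.

    frame_pos is the offset of this frame in the decompressed output and
    filesize is the E8 translation size from the LZX header. Each 0xE8 byte
    (except in the last 10 bytes of the frame) is followed by a 32-bit
    little-endian absolute target that must be read as SIGNED. With
    signed=False the operand is read as unsigned instead, which reproduces
    the bug: negative targets never pass the range check and stay untouched.
    """
    out = bytearray(frame)
    i, end = 0, len(out) - 10
    while i < end:
        if out[i] != 0xE8:
            i += 1
            continue
        curpos = frame_pos + i  # position of the E8 byte within the whole file
        abs_off = struct.unpack_from('<i' if signed else '<I', out, i + 1)[0]
        if -curpos <= abs_off < filesize:
            rel_off = abs_off - curpos if abs_off >= 0 else abs_off + filesize
            struct.pack_into('<I', out, i + 1, rel_off & 0xFFFFFFFF)
        i += 5
    return bytes(out)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equally long byte strings differ."""
    return [k for k, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample frame (not real CAB data) located at offset 0x100 of a
# 0x1000-byte translated image: a call with positive stored target 0x124, one
# with negative stored target -0x10, and one in the final 10 bytes (skipped).
FRAME_POS, FILESIZE = 0x100, 0x1000
SAMPLE = (b'\x90' * 4 + b'\xE8' + struct.pack('<i', 0x124)
          + b'\x90' * 8 + b'\xE8' + struct.pack('<i', -0x10)
          + b'\x90' * 8 + b'\xE8' + struct.pack('<i', 0x200) + b'\x90' * 3)


def demo() -> tuple:
    """Return (correctly de-translated frame, frame produced by the unsigned bug)."""
    correct = e8_untranslate(SAMPLE, FRAME_POS, FILESIZE)
    buggy = e8_untranslate(SAMPLE, FRAME_POS, FILESIZE, signed=False)
    return correct, buggy


if __name__ == '__main__':
    correct, buggy = demo()
    print('bytes that differ:', diff_offsets(correct, buggy))  # [19, 20, 21]
```

Only the upper three bytes of the second operand differ, because adding the file size back does not change the low byte, which is exactly the "almost correct" output the bug produced.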

FYSA; #BinaryRefinery has switched from pefile to LIEF:
https://github.com/binref/refinery/pull/84
It shouldn't change anything, but if it does, please let me know.
Use LIEF Over Other Executable Parsers by huettenhain · Pull Request #84 · binref/refinery

This PR tracks the switch away from a combination of pefile, pyelftools, and macholib towards LIEF. The main arguments for switching are: It seems like macholib is unmaintained. Similarly, the oth...

On a more serious note: I recently added many lines of code to #BinaryRefinery for a fairly niche purpose: Unpacking (malicious) InnoSetup archives that hide their password within the setup #PascalScript. Check it out if that is something you have to deal with. My approach to this was to write an emulator for this arcane language, and I wrote a little blog post about my process!
https://blag.nullteilerfrei.de/2025/03/30/complete-first-correct-later-writing-a-pascal-script-emulator/
Complete First; Correct Later: Writing a Pascal Script Emulator – nullteilerfrei

I have a banger #BinaryRefinery release for y'all. Version 0.8.2 adds support for InnoSetup extraction: Thanks to @malcat for porting part of innoextract to Python, it served as the main template for my code. Many thanks also to @squiblydoo who pointed this out to me.

I recently added a new #BinaryRefinery tutorial:

https://github.com/binref/refinery/blob/master/tutorials/notebooks/tbr-files.v0x09.exploit.document.ipynb

This one follows the same steps as a very cool #MalCat blog article (thanks to @malcat)

I just released v0.8 of #BinaryRefinery!
https://github.com/binref/refinery/
There are some breaking changes, but you'll notice them only if you are a power user.
The vstack unit now supports using Speakeasy - at the cost of running Unicorn v1. Related post:
https://infosec.exchange/@rattle/113647238266177936
https://www.youtube.com/live/-B072w0qjNk
If you know and love #BinaryRefinery, check out this live stream recording where I get to showcase a few neat examples!
Explore Command-Line Driven Binary Transformations with Binary Refinery and its Jesko Huttenhain

As promised, here are my #BinaryRefinery solutions of #FlareOn10. Didn't quite refine them all, but there might be a nugget or two if you like static analysis:

https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x08.flare.on.10.ipynb
