Copilot AI commented Sep 4, 2025

This PR implements support for handling obfuscated x86 ELF files that have incorrect endianness bits in their headers, a common anti-analysis technique.

Problem

A classic obfuscation technique involves changing the endianness bit (EI_DATA) in an x86 ELF header to big-endian, even though x86 architecture is inherently little-endian. This throws off Binary Ninja's ELF parsing, but the binary runs fine since the endianness bit is typically not checked by x86 Linux loaders.

Solution

This PR adds two complementary features:

1. Automatic x86 Endianness Override

A new setting files.elf.overrideX86Endianness (default: true) automatically forces little-endian interpretation for x86/x86_64 ELF files regardless of the header's EI_DATA field.

Example scenario:

Obfuscated x86 ELF:
- Header: EI_DATA = 2 (big-endian)  ← Incorrect/obfuscated
- Machine: EM_386 (3) or EM_X86_64 (62)
- Result: Automatically treated as little-endian ✓

2. Manual Endianness Override

A new loader setting loader.elf.endianness with options "default", "little", "big" allows users to manually override endianness for any ELF file via the "Open with Options" dialog.

User workflow:

  1. Right-click ELF file → "Open with Options"
  2. Set "ELF Endianness Override" to desired value
  3. Binary Ninja uses the specified endianness regardless of header

Implementation Details

  • Pattern: Follows the existing ARM BE8 detection pattern for consistency
  • Scope: Affects both data parsing and code endianness in ParseHeaders()
  • Precedence: Manual override takes precedence over automatic detection
  • Logging: Appropriate log messages when overrides are applied
  • Compatibility: Fully backward compatible (settings are optional)

Testing

Comprehensive test coverage validates:

  • Normal x86 ELF files work unchanged
  • Obfuscated x86/x86_64 files are automatically corrected
  • Non-x86 architectures are unaffected by auto-override
  • Manual overrides work for any architecture
  • Disabled auto-override preserves original behavior

Fixes #7339.
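An added illustration, not code from this PR or from Binary Ninja: a standalone Python sketch of the precedence described above (manual override first, then the x86 auto-override, then the header's EI_DATA). The names `effective_endianness` and `sample_header` and the constructed headers are assumptions; note that `e_machine` is read little-endian for the x86 check, because decoding it with the big-endian order the header claims would yield 0x0300 rather than EM_386.

```python
import struct

# e_machine values for the two x86 targets named in the PR description.
EM_386, EM_X86_64 = 3, 62
X86_MACHINES = {EM_386: "EM_386", EM_X86_64: "EM_X86_64"}
ELFDATA2LSB, ELFDATA2MSB = 1, 2  # EI_DATA values: little-endian, big-endian


def effective_endianness(header, override_x86=True, manual="default"):
    """Return (byteorder, reason); byteorder is 'little' or 'big'.

    override_x86 and manual are modelled on the two settings in the PR text
    (hypothetical parameters, not Binary Ninja's API).
    """
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    ei_data = header[5]
    declared = {ELFDATA2LSB: "little", ELFDATA2MSB: "big"}.get(ei_data)

    # Manual override takes precedence over automatic detection.
    if manual in ("little", "big"):
        return manual, "manual override"

    # e_machine sits at offset 18 in both ELF32 and ELF64. Read it as
    # little-endian: a real x86 file stores it that way whatever EI_DATA says.
    machine_le = struct.unpack_from("<H", header, 18)[0]
    if override_x86 and machine_le in X86_MACHINES and declared != "little":
        name = X86_MACHINES[machine_le]
        return "little", f"{name} with EI_DATA={ei_data}: forced little-endian"

    if declared is None:
        raise ValueError(f"invalid EI_DATA value {ei_data}")
    return declared, "header EI_DATA"


def sample_header(ei_class, ei_data, machine, order):
    """Constructed 20-byte header prefix: e_ident, e_type (ET_EXEC), e_machine."""
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    fmt = "<HH" if order == "little" else ">HH"
    return e_ident + struct.pack(fmt, 2, machine)


if __name__ == "__main__":
    cases = {
        "obfuscated x86": sample_header(1, ELFDATA2MSB, EM_386, "little"),
        "normal x86_64": sample_header(2, ELFDATA2LSB, EM_X86_64, "little"),
        "big-endian MIPS": sample_header(1, ELFDATA2MSB, 8, "big"),  # EM_MIPS
    }
    for label, hdr in cases.items():
        print(label, "->", effective_endianness(hdr))
```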


Copilot AI commented Sep 4, 2025

@xusheng6 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Copilot AI changed the title from "[WIP] Support automatically and manually override the endianness of an ELF file" to "Support automatic and manual endianness override for x86 ELF files" Sep 4, 2025
Copilot AI requested a review from xusheng6 September 4, 2025 02:58
Copilot finished work on behalf of xusheng6 September 4, 2025 02:58