Brussels / 31 January & 1 February 2026


Your function signature here please.


Software reverse engineering is a very useful tool in digital forensics. Not only can it tell us a lot about the inner workings of the software of interest, it can also lead us to quirks and even vulnerabilities that are not visible in the source (e.g. compiler quirks). With enough effort it even turns proprietary implementations into open source. What's not to like?

Of course, with a technique this powerful, there will always be downsides. Reverse engineering large binaries can be a monumental task. Where a few kB of storage seems tiny, a few kB of code can be huge if you have to reverse it all. A secondary problem is that all this work is quite hard to reuse in the future. Binary code can differ, even with the same source, purely based on compiler options. SRE tools change, making your scripts obsolete. Decompilers change, making your signatures obsolete, and so on.

We present an open-source machine learning model, server and Ghidra plugin for creating function signatures from aarch64 assembly. These function signatures can be stored and compared to a database of known functions to easily reuse all the blood, sweat and tears you put into reversing that library that has since been updated twice.

All code is of course open source and available at https://github.com/NetherlandsForensicInstitute/asmtransformers

Speakers

Jeffrey Rongen
