Aether is a native macOS disassembler built with Swift and SwiftUI. It breaks down binaries into their purest essence — just like the ancient Greek element that permeated the cosmos.
"Beyond the binary, into the essence."
Download Aether v2.0.0 — macOS 14.0 (Sonoma) or later
If the application appears corrupted or macOS displays a message stating the app is damaged, open Terminal and run the following command:
```bash
xattr -cr /path/to/Application.app
```
Replace /path/to/Application.app with the actual path to the application. This command recursively clears all extended attributes on the bundle, including the com.apple.quarantine flag that macOS sets on downloaded files and that may prevent the app from launching.
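Before clearing the flag, the quarantine record and the bundle's signature can be inspected. The script below is an added example and not part of the Aether project: the function names and the sample attribute value are constructed, and `inspect_app` assumes the macOS tools `xattr`, `codesign` and `spctl`.

```shell
#!/bin/sh
# Added example (not from the Aether project): look at what quarantine recorded
# and whether the bundle's signature validates before running `xattr -cr`.

# Parse a com.apple.quarantine value. Commonly observed layout:
#   <hex flags>;<hex Unix timestamp>;<downloading agent>;<event UUID>
# Prints "flags=<hex> epoch=<decimal> agent=<name>"; returns 1 if malformed.
parse_quarantine() {
    case $1 in *\;*\;*) ;; *) return 1 ;; esac
    q_flags=${1%%;*}; q_rest=${1#*;}
    q_ts=${q_rest%%;*}; q_rest=${q_rest#*;}
    q_agent=${q_rest%%;*}
    case $q_flags in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    case $q_ts in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    printf 'flags=%s epoch=%d agent=%s\n' "$q_flags" "$((0x$q_ts))" "$q_agent"
}

# Report quarantine origin, code-signature validity and the Gatekeeper verdict
# for an app bundle. macOS only: uses xattr, codesign and spctl.
inspect_app() {
    app=$1; status=0
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        parse_quarantine "$q" || echo "unrecognised quarantine value: $q"
    else
        echo "no quarantine attribute on $app"
    fi
    codesign --verify --deep --strict --verbose=2 "$app" || status=1
    spctl --assess --type execute --verbose "$app" || status=1
    return "$status"
}

# Constructed sample value, for illustration only.
SAMPLE='0083;65a1b2c3;Safari;00000000-0000-0000-0000-000000000000'

# Usage: sh inspect.sh /path/to/Application.app
if [ "$#" -gt 0 ]; then
    inspect_app "$1"
else
    parse_quarantine "$SAMPLE"
fi
```

A non-zero exit from `inspect_app` means the signature check or the Gatekeeper assessment did not pass for that bundle.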
- Threat Scoring: Automated threat level assessment (Clean/Low/Medium/High/Critical) with 0-100 scoring
- Malware Dashboard: Unified view combining all analysis results in a single panel
- Comprehensive Reports: Detailed findings with severity levels and actionable insights
- Shannon Entropy: Calculate entropy for the entire binary and individual sections
- Section Assessment: Automatically flag sections as packed, encrypted, or normal
- Entropy Heatmap: Block-level entropy visualization to identify suspicious regions
- URL Detection: Extract embedded URLs from binary strings
- IP Addresses: Find hardcoded IPv4 addresses
- Domains & Emails: Identify network indicators
- File Paths & Registry Keys: Detect filesystem and registry artifacts
- Crypto Wallets: Find cryptocurrency wallet addresses
- Mutex Names: Extract synchronization object names
- Section Analysis: Detect suspicious section names (UPX, VMProtect, Themida, etc.)
- Entropy Anomalies: Flag sections with abnormally high entropy
- Severity Classification: Anomalies rated as Low/Medium/High/Critical
- Signature Matching: Detect UPX, VMProtect, Themida, ASPack, and more
- Section Name Analysis: Match against known packer section patterns
- Import Fingerprinting: Identify packers by their import patterns
- Confidence Scoring: Each detection includes a confidence level
- Import/Export Browser: Browse PE imports and exports with full detail
- Imphash Calculation: Compute import hash for malware classification
- Improved Parsing: More robust PE format handling
- Visual Browser: Navigate PE imports and exports in a dedicated view
- DLL Grouping: Imports organized by source DLL
- Export Details: View exported symbols with ordinals and addresses
Three new AI features that you can use on-demand when analyzing binaries:
- Interactive Conversation: Chat with AI about your binary in real-time
- Context-Aware: AI knows the loaded binary, selected function, and decompiled code
- Follow-up Questions: Ask clarifying questions and get detailed explanations
- Quick Suggestions: Pre-built prompts to get started quickly
- Natural Language Explanation: Understand what any function does in plain English
- Complexity Rating: See if a function is simple, medium, or high complexity
- Pattern Recognition: Automatically identifies patterns like crypto, networking, file I/O
- Detailed Analysis: Multi-paragraph explanation of function behavior and purpose
- Smart Suggestions: AI analyzes code and suggests meaningful variable names
- Selective Application: Choose which renames to accept with checkboxes
- Preview Changes: See how the code will look before applying
- Batch Operations: Select All / Deselect All for quick decisions
- Reasoning Provided: Each suggestion includes why that name was chosen
- Go to Settings (gear icon) → AI tab
- Enter your AI API key
- Click the AI menu in the toolbar:
  - Chat with AI... — Open interactive chat panel
  - Explain Function — Get explanation of selected function
  - Rename Variables — Get AI suggestions for variable names
- AI features only appear when API key is configured
- Dynamic Instrumentation: Generate ready-to-use Frida scripts for iOS and macOS
- 6 Hook Types: Trace, Bypass, Intercept, Memory Dump, String Patch, Anti-Debug
- Platform Support: iOS and macOS with platform-specific optimizations
- AI-Enhanced Scripts: Optional AI-powered script generation
- Export Options: Copy to clipboard or save as .js file
- Multi-Architecture Support: ARM64 and x86_64
- Multiple Binary Formats: Mach-O, ELF, PE/COFF, JAR/Java Class
- Modern UI: Native SwiftUI interface with dark mode
- Disassembly View: Syntax-highlighted assembly with address navigation
- Hex View: Synchronized hex dump viewer
- Control Flow Graph (CFG): Visual representation of code flow
- Decompiler: Pseudo-C code generation
- Function Analysis: Automatic function detection and naming
- String Analysis: Extract and navigate to strings
- Cross-References: Track code and data references
- Symbol Support: Full symbol table parsing
- Project System: Save and restore analysis sessions
| Feature | Shortcut | Description |
|---|---|---|
| Analyze All | ⇧⌘A | Run full binary analysis |
| Find Functions | ⇧⌘F | Detect and list all functions |
| Show CFG | ⌘G | Display control flow graph |
| Decompile | ⇧⌘D | Generate decompiled code |
| Generate Pseudo-Code | ⇧⌘P | Generate structured pseudo-code |
| Call Graph | ⌘K | Show interactive call graph |
| Frida Script | - | Generate Frida hooking scripts |
| Malware Analysis | - | Full malware threat assessment |
| Crypto Detection | - | Detect cryptographic algorithms |
| Deobfuscation Analysis | - | Analyze obfuscation techniques |
| Type Recovery | - | Recover data types |
| Idiom Recognition | - | Recognize code patterns |
| Show Jump Table | ⇧⌘J | View all branches and jumps |
| Feature | Description |
|---|---|
| Chat with AI | Interactive chat about the binary |
| Explain Function | Natural language explanation of selected function |
| Rename Variables | AI-suggested meaningful variable names |
| Security Analysis | Identify vulnerabilities and bypass techniques |
| Analyze Binary | Full binary security assessment |
| Format | Description |
|---|---|
| IDA Python | Script for IDA Pro |
| Ghidra XML | Project file for Ghidra |
| Radare2 | r2 command script |
| Binary Ninja | Python script for BN |
| JSON | Structured data export |
| CSV | Spreadsheet-compatible |
| HTML | Web report with styling |
| Markdown | Documentation format |
| C Header | Function declarations |
- Download Aether.dmg
- Open the DMG and drag Aether to Applications
- Launch Aether from Applications
```bash
git clone https://github.com/Pinperepette/Aether.git
cd Aether
swift build -c release
```

The built application will be available at .build/release/Aether.
- Open a binary: Drag and drop a file onto the window, or use File → Open Binary (⌘O)
- Navigate: Click on functions in the sidebar to jump to their code
- Analyze: Use Analysis → Analyze All (⇧⌘A) for full analysis
- View CFG: Select a function and press ⌘G to see the control flow graph
- Decompile: Press ⇧⌘D to generate pseudo-C code
- Pseudo-Code: Press ⇧⌘P to generate structured pseudo-code
- Call Graph: Press ⌘K to view function call relationships
- Malware Analysis: Use Analysis → Malware Analysis for threat assessment
- Export: Use the Export menu to save analysis in various formats
| Action | Shortcut |
|---|---|
| Open Binary | ⌘O |
| Close | ⌘W |
| Go to Address | ⇧⌘G |
| Search | ⌘F |
| Analyze All | ⇧⌘A |
| Find Functions | ⇧⌘F |
| Show CFG | ⌘G |
| Decompile | ⇧⌘D |
| Pseudo-Code | ⇧⌘P |
| Call Graph | ⌘K |
| Jump Table | ⇧⌘J |
| Format | Extensions | Architectures |
|---|---|---|
| Mach-O | (various) | ARM64, x86_64 |
| ELF | .so, .elf, (none) | ARM64, x86_64 |
| PE/COFF | .exe, .dll | x86, x86_64 |
| Java | .jar, .class | JVM Bytecode |
```
Aether/
├── App/                  # Application entry point and state management
├── Core/
│   ├── Binary/           # Binary format loaders (Mach-O, ELF, PE, JAR)
│   ├── Disassembler/     # Disassembly engine
│   ├── Analysis/         # Function, string, xref, crypto, malware, entropy analysis
│   ├── Decompiler/       # Pseudo-code generation
│   └── Emulation/        # Lightweight CPU emulator
├── UI/                   # SwiftUI views and components
│   ├── GraphView/        # CFG and Call Graph visualization
│   └── AnalysisViews/    # Analysis result views (including Malware Dashboard)
├── Models/               # Data models
└── Services/             # Export manager, Frida generator, AI client, Plugin system
```
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
Aether — Peel back the layers. See the code beneath.





