Binary Ninja Deep Thoughts

1.3 Released

Thankfully the wait from 1.2 to 1.3 was much shorter than last time. Our goal is to aim for quarterly releases as often as possible, and yet we still managed to pack a large number of fixes and features into just a few months.

As always, another good reference for what has changed is our list of closed issues.

Highlights

If you just want the highlights, here’s a short list of some of the most noticeable new features:

The rest of the updates are in the following sections:

Semi-Smart Structures

One of our favorite new features of 1.3 is our more intelligent structure creation. With the 2.0 release and its decompiler looming, we want to really focus on improving the structure creation workflow, and we've started that process in 1.3. You can check things out by trying the following new workflows:

  • Highlight the return value from a common allocation routine like malloc or VirtualAlloc in an IL view and press S. This will automatically create a structure of the appropriate size.
  • Select a read or write operation at an offset from a structure and press S to automatically create a structure member.
  • Select multiple bytes in linear view and press 1, 2, 4, 8, d, a, o, -, or s to quickly create or modify types and structures. This even works inside of existing structures with undefined sections.

Function Fingerprinting

While 1.2 brought a new type library (with even more libraries expected shortly), those are only applicable to situations where you have dynamically linked applications with external functions whose prototypes you’d like to apply. What about statically compiled binaries? The ability to create function fingerprints and apply them to a statically compiled binary is a critically important feature that is now shipping.

Figure 1: Function Fingerprinting Before/After

Not only can you create your own libraries, but we're also rolling out an extensive set of libraries you'll be able to download on-demand in future updates. Access this new feature under Tools/Run Analysis Module/Signature Matcher. Keep an eye on the blog for an upcoming entry dedicated to this feature.

Analysis

  • Feature: Can rebase loaded Binary Views (available via File/Rebase or the Command-Palette if rebasing is possible for that file)
  • Feature: Rebase support for existing BNDBs (using open with options)
  • Feature: maxLookupTableSize setting configures maximum jump table size
  • Feature: Concatenation of simple ranges for dataflow analysis (accessible via .possible_values in ILs)
  • Feature: Added byte range inference on byte size loads for dataflow
  • Feature: Add support for constant propagated dispatch table analysis
  • Feature: Ability to modify/define jump tables by simply changing the type at the table location (use y on the base of the table to change the size and the jump table will automatically adjust)

  • Improved: Jump table solving and convergence
  • Improved: Call types can now be overridden per call-site (helpful for variadic functions; access via right-click Override Call Type...)
  • Improved: Reduced memory overhead, especially for large functions
  • Improved: Better __noreturn detection
  • Improved: Handling of demangled structures
  • Improved: Coerce DataSymbol to FunctionSymbol when it’s actually a function

  • Fixed: Stale basic block case label annotations

File Formats

  • Fixed: Duplicate external symbols in ELF files
  • Fixed: Relocation handling for files loaded with a custom image base
  • Fixed: Relocation handling for Mach-O symbol tables with a custom image base

Architectures

  • Improved: Lifting of conditional set instructions on x86
  • Improved: Lifting for ARM64 conditional INC/INV/NEG/SET and LDA* instructions
  • Improved: Concrete flags for x86 neg and xor
  • Improved: Allow read only section semantics to be recognized in overlapping sections
  • Fixed: Tailcall translation for thumb2 architecture
  • Fixed: Lifting of x86 instructions with lock prefix

UI

  • Feature: Can now hide the title bar for dockable windows (setting: ui.docks.titleBars)
  • Feature: Tag tooltips show when multiple tags exist at the same address
  • Feature: Added News section to the new tab window
  • Feature: FeatureMap can auto rotate to horizontal layouts
  • Feature: Linear View can now scroll horizontally
  • Feature: Ability to set the license from the UI (under Preferences)
  • Feature: Recent file list can now be selected/copied, and the context-menu supports Open File Location…
  • Feature: Feature Map overlay auto-hides when pixel space is limited
  • Improved: Python console tab-completion handles periods in Python parameters
  • Improved: Larger variable data flow preview on hover
  • Improved: Updated to Qt 5.14.0 and new PySide2 (enabling Python 3.8 support for UI plugins)
  • Fixed: Delayed Open with Options dialog for very large files
  • Fixed: ‘Go’ dialog (g hotkey) in disassembly view when no current function or entry point
  • Fixed: Spurious failures for getActiveDockHandler API
  • Fixed: Floating dock widgets close button

Updates

  • Feature: Upon renewal, Binary Ninja now automatically updates the expiration in existing license files
  • Fixed: Download cancellation or network troubles handled more gracefully

Documentation

  • Feature: New MLIL documentation under User Documentation / Developer

Other

  • Feature: Full notarization on macOS Catalina
  • Fixed: Bug caused by Python 2.7’s old OpenSSL usage crashing when used with Windows Segment Heap
  • Fixed: Some PDB downloads were previously failing
  • Fixed: Symbol recognition in the expression parser
  • Fixed: BN_DISABLE_USER_PLUGINS environment variable