Binary Ninja Blog

2.3 Release

As we settle into our quarterly release cycle, this stable update includes changes from the past four months of Binary Ninja development. With over 600 commits and 157 issues resolved across an increasing number of repositories (most of which are open source), we continue to simultaneously launch new features, improve existing features, and resolve bugs.

The main new features for this release include new view-synchronization, type and variable cross-references, and a plethora of HLIL improvements. Read on for more!

Major Changes

View Synchronization

One of our oldest (and most voted!) feature requests was for view-synchronization. That is, the ability to view multiple ILs, or an IL plus assembly, at the same time, maintaining selection and location across those views. We’re happy to report this exists in 2.3 with a new feature called “reflection view”. To enable the reflection view, you can either use the command-palette (CMD/CTL + p, Reflection), or the View / Native Docks / Show Reflection menu.

Reflection View

This DockWidget supports a number of settings for customization:

Reflection View Settings

and has a number of UI features to enable/disable syncing and selection synchronization:

Reflection View Controls

In addition to this brand new UI element, switching between views is now also much more reliable! When switching between IL views (using either menus, or I to cycle between them) instances where the location would drift have been minimized.

Type and Variable Cross-References

Another incredibly important feature that has often been requested is support for both variable and type cross-references. This feature takes many different forms, and we have an entire blog post coming on all the new ways you can explore references in a binary. In the meantime, here’s a screenshot demonstrating a variety of variable references for a range of instructions shown in the cross-references widget to whet your appetite:

Range of instructions selected showing cross references to all variables in that range

HLIL Improvements

Since the release of our HLIL Decompiler, we continue to focus on improvements to the overall usability and analysis quality. Because Binary Ninja’s decompiler produces High Level IL (HLIL) as opposed to C, some users prefer to have a more C-like scoping style. You can now control some HLIL appearances in settings:

HLIL Scoping Options

The different options are shown below:

HLIL Scoping Display

Dead Store Elimination

Binary Ninja tries to be conservative with eliminating unused variables on the stack. When the analysis finds a variable that cannot be eliminated but does not appear to be used, the assignment will appear grayed out in the decompiler output. The first two lines of the function below show this:

Dead Stores

In this case, these variables are actually unused and can be eliminated. You can tell Binary Ninja to do this by right clicking on the variable and choosing “Allow” from the “Dead Store Elimination” submenu.

Dead Store Elimination Menu

Performing this action on both variables in the example results in the following output:

Dead Store Elimination Results

Core Architectures Open Source

Thanks for all your contributions and positive encouragement since we open-sourced our core architectures. Keep an eye on our blog for an upcoming post with more details about how we have totally rewritten our AArch64 support from a machine translation of the official spec, and how robust and accurate the resulting analysis is. To whet your appetite, here’s a quick visualization of the instruction space coverage before and after the rewrite!

Old Instruction Space Coverage showing many gaps

New Instruction Space Coverage showing complete coverage

Python 2.x Support Ended

Over a year after it was officially retired, and finalized as of this stable release, Python 2.x is no longer supported, and a number of 2.x-breaking changes are now in the API. Among those changes, expect to see type annotations showing up to improve usability.

UI Updates

  • Feature: “Save All” menu added
  • Feature: Default file contents lock to prevent accidental modification (2107)
  • Improved: IL view changes no longer added to navigation history (2113)
  • Improved: Default window size and placement
  • Improved: Up/Down arrow keys more consistent in expanding multi-line script editor, and new shift+enter hotkey always executes current script
  • Improved: Removing a function automatically updates analysis (2247)
  • Improved: Transform dialog now non-modal (2108)
  • Improved: Font in Cross Reference widget (1675)
  • Fix: Applying a struct type now works the first time instead of making you do it twice sometimes (2234)
  • Fix: Filtering in the strings view now matches the displayed strings (2022)
  • Fix: Creating a function in linear view stays in linear view (2282)
  • Fix: Handling of multiple shortcuts with the same hotkey with different active contexts (2283)
  • Fix: Tab-completion pop-up no longer sticks when switching windows
  • Fix: Several improvements to handling of selections in linear view
  • Fix: “Create function with platform” will now always create the function with the intended platform

Binary Views

  • Improved: Multiple improvements to the PDB Plugin loader (2264, 2097, 2095)
  • Improved: Better handling of malicious 64-bit ELF files masquerading as 32-bit
  • Improved: .init/.fini functions added with matching entry-point architecture (2114)
  • Fix: Strings in RW sections are now shown as annotations when referenced (2094)

Analysis

  • Feature: Calling Conventions can opt-out of heuristics to prevent frequently mis-identified ones that are not globally common (such as linux-syscall calling convention which is kernel-only) (2230)
  • Improved: Handling of relocation pointers when symbols are present
  • Improved: Detection of control-flow guard protected functions
  • Improved: Many, many improvements to dataflow, including newly supported operations such as add-with-carry and subtract-with-borrow, as well as better handling of logical operators applied to unsigned ranges with a constant, to name just a few
  • Fix: MLIL now correct for address of stack struct member (2123)
  • Fix: Missing constant references when loading from BNDB fixed

Architectures

  • Improved: x86 SIMD instructions now all lifted as intrinsics
  • Fix: POPA/POPAD behavior regarding the stack pointer

Installer

  • Improved: The zip bundle now better supports the subset of Linux unzip utilities that do not preserve file permissions, which previously caused issues running modules that use fork, such as QWebEngine

API

  • Feature: Multiple IL mappings now available from new APIs (used in reflection multi-match) (2023)
  • Feature: ABI versioning prevents outdated native modules from crashing at load-time
  • Feature: Rust API currently in development and should see increased utility on dev releases after this stable
  • Feature: New BinaryView finalization/initial analysis completion callback (505)
  • Feature: DockHandler::notifyOffset can be used to notify when an IL view navigation has changed, and viewLocation added to DockWidget
  • Feature: New UIContext callbacks added to allow actions to be taken on files: OnContextOpen, OnContextClose, OnBeforeOpenDatabase, OnAfterOpenDatabase, OnBeforeOpenFile, OnAfterOpenFile, OnBeforeSaveFile, OnAfterSaveFile, OnBeforeCloseFile, OnAfterCloseFile, OnViewChange, OnAddressChange
  • Feature: New FlowGraph API to highlight related instructions
  • Feature: Project settings APIs to allow creation of settings related to multiple files without being global or purely per-BNDB
  • Improved: Context-menu organization (2246)
  • Improved: Many new APIs for better associations from IL instructions to other ILs (2023)
  • Improved: Log handling in headless now defaults to less logs

Miscellaneous

For others not included here, see our list of closed issues.