Binary Ninja Blog

2.4 Release

It’s that time again – we’ve just released another stable version, 2.4. This is the last in our line of 2.x updates; our next stable update will be 3.0. While 3.0 contains a brand new UI overhaul, even this 2.4 release is chock-full of fantastic features, bug fixes and improvements alike. The most notable new features include:

Major Changes

Enhanced Decompiler Array Support

While our decompiler (HLIL) has had some level of support for array types from the beginning, the 2.4 release dramatically improves the capabilities. Not only does the type parser now include better support for multidimensional arrays, pointers to arrays, and arrays of structs, but the decompilation will show the results beautifully. Check out the before and after for a sample binary below:

Before and After Array Support

Search Improvements

Many major changes to how searching works in Binary Ninja have landed in 2.4:

  • IL-Based Search
  • Range Searching (including specific addresses or a single function)
  • Persistent Search Results
  • Secondary Filtering (of persistent results)
  • Improved Constant searching (matches signed/unsigned values)

New Find Dialog

The new find dialog has a number of features to make searching binaries more powerful. You can search the current IL view or constants in the current IL view, restrict the search to specific ranges, and, most importantly, use the new persistent search feature (“Find all”) to save a list of search results. This saved search result list allows not only for easier navigation but also additional filtering that supports regular expressions!

Persistent Search Results

Type View Improvements

The two biggest changes to the Type view are the ability to collapse types and the ability to filter types:

Type View Improvements

Note that the filter drop-down can also be used to only show User Types or Auto Types which is convenient for files that contain large amounts of debug information when you’re adding your own types.

Plugin Dependency Installation

Python plugins installed via the Plugin Manager will now automatically attempt to install any Python dependencies specified in a requirements.txt. Note that this feature relies on having pip installed. If the requirements installation fails, you can always install the requirements manually.

Plugin Dependency Installation
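Because dependencies are now installed automatically, it is worth reading a plugin's requirements.txt before installing it. The following is an added example, not code from Binary Ninja or from the original post: a simplified checker (not pip's own parser) that flags unpinned entries, direct URL or VCS references, and pip options such as alternate indexes. The file contents and the function name `audit_requirements` are constructed for illustration.

```python
import re

# Constructed sample: a requirements.txt as a plugin might ship it.
SAMPLE_REQUIREMENTS = """\
# plugin dependencies (constructed sample)
requests==2.25.1
pyelftools>=0.27
capstone
git+https://example.invalid/someone/helper.git#egg=helper
--extra-index-url https://example.invalid/simple
colorama==0.4.4 ; sys_platform == "win32"
"""

# Simplified name pattern (with optional extras); not pip's full grammar.
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?")


def audit_requirements(text):
    """Return (line_number, entry, finding) for entries that deserve review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            # e.g. --index-url, --extra-index-url, -r, -e
            findings.append((lineno, line, "pip option: changes what or where pip fetches"))
            continue
        spec = line.split(";", 1)[0].strip()      # drop environment markers
        if "://" in spec or spec.startswith((".", "/")):
            findings.append((lineno, line, "direct URL, VCS or local path reference"))
            continue
        match = _NAME.match(spec)
        if not match:
            findings.append((lineno, line, "could not parse; review by hand"))
            continue
        version = spec[match.end():].split("--", 1)[0].strip()
        if not version.startswith("==") or "*" in version or "," in version:
            findings.append((lineno, line, "version not pinned to one release"))
    return findings


if __name__ == "__main__":
    for lineno, entry, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {entry!r}: {finding}")
```

A clean result only means every entry names one exact release from the default index; it says nothing about what that release contains.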

Automatic Structures

If you’re working with many structures, our existing smart structure workflow made creating structures and members a breeze. Just hit s at the creation of a variable from an allocation and an appropriately sized structure is created and applied. Next, you can press s any time you see an access at an offset and a field will be created. With 2.4, this process is even easier. Simply create an empty structure (via types view or a single s as described above) and apply it as appropriate. Next, right-click on the structure and select Create Members at Accessed Offsets:

Auto Structure

Once that’s done, all accesses with the appropriate size will be found and individual members will be created:

Auto Structure After Creating Members

Note that this analysis is cross-function. Any reference to that structure throughout the binary will inform the creation of the members so any place you apply that structure will help complete the list even more accurately.
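To make the cross-function idea concrete, here is an added example that is not Binary Ninja's implementation and not code from the original post: a simplified model that merges offset/size accesses observed in several functions into one member layout. The access list, the `field_`/`_pad_` names, the choice of the widest access when widths disagree, and the padding entries are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (function, offset, access size in bytes) for one structure.
ACCESSES = [
    ("parse_header", 0x00, 4),
    ("parse_header", 0x08, 8),
    ("validate",     0x00, 4),
    ("validate",     0x04, 2),
    ("free_ctx",     0x08, 8),
    ("free_ctx",     0x10, 4),
    ("debug_dump",   0x10, 1),   # different width at the same offset
]


def infer_members(accesses, struct_size):
    """Merge accesses from every function into one member layout.

    Returns (members, conflicts). members is a list of (offset, size, name),
    with padding entries for byte ranges that no access touched. conflicts
    lists offsets a human should look at: mixed widths or overlapping members.
    """
    sizes = defaultdict(set)
    for _func, offset, size in accesses:
        if offset + size <= struct_size:        # ignore accesses past the end
            sizes[offset].add(size)

    members, conflicts, cursor = [], [], 0
    for offset in sorted(sizes):
        size = max(sizes[offset])               # assumption: widest access wins
        if len(sizes[offset]) > 1:
            conflicts.append((offset, sorted(sizes[offset])))
        if offset < cursor:                     # overlaps the previous member
            conflicts.append((offset, [size]))
            continue
        if offset > cursor:                     # untouched bytes become padding
            members.append((cursor, offset - cursor, f"_pad_{cursor:x}"))
        members.append((offset, size, f"field_{offset:x}"))
        cursor = offset + size
    if cursor < struct_size:
        members.append((cursor, struct_size - cursor, f"_pad_{cursor:x}"))
    return members, conflicts


if __name__ == "__main__":
    layout, review = infer_members(ACCESSES, 0x18)
    for offset, size, name in layout:
        print(f"+0x{offset:02x}  {size:2d} bytes  {name}")
    print("needs review:", review)
```

Each function on its own sees only part of the layout; the full member list appears only once the accesses from all of them are combined.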

Function Properties Dialog

While everything is available via the API, it’s always helpful to have convenient dialogs to change even advanced attributes of objects and analysis when working in the UI. With 2.4, there’s now a UI for editing several features of functions:

Function Edit Dialog

The function properties dialog offers a number of new UI capabilities. Check out the user documentation for more information.

Security Advisories

Before we get to the remainder of our 2.4 features, we wanted to thank ZDI for several notices they sent us:

  • ZDI-CAN-13670 / ZDI-CAN-13669: These two notices cover the same OOB read triggered from two different paths.
  • ZDI-CAN-13668: This is a UAF that we consider very unlikely to be exploitable (if not impossible) given the state of processing in BNDB loading at this point in execution.

We received these notices from ZDI on April 27th and had fixes on our development branch available later the same day. We’re coordinating with ZDI on the disclosure now as these fixes have landed on the stable branch and therefore all users should be protected whether they are on the latest stable or latest dev branch.

Note that because these vulnerabilities exist in the parsing of existing BNDB databases and not raw file formats, we held off releasing an immediate stable release with those fixes, as we deemed the risk to our users running only the stable build to be relatively small. That said, we always encourage any users analyzing potentially malicious files to do so only in a protected environment such as a sandbox or detonation VM. Likewise, our dev branch will always have the most up-to-date fixes whether they be for bugs or security issues.

One note about the ZDI notices (though this may have changed from earlier drafts) – though they do mention malicious websites causing exploitation, we do not consider the risk of browsing to a malicious website to be high with these vulnerabilities. Though Binary Ninja does install a URL handler that allows files to be opened directly into BN, it always prompts the user before opening any files via the URL handler. This prevents automated drive-by exploitation of any file formats that BN supports and requires specific user action to approve opening any files or URLs.

Thanks again to ZDI for their work in helping us make Binary Ninja even more secure and for their quick communication throughout the process.

Architectures

Thanks to our open sourced architectures, you can check out any of the improvements to each architecture during the last release in their respective repositories:

Note that other architectures are included with Binary Ninja that had no changes during this release and are not listed above.

UI Updates

  • Feature: Themes can now specify colors in hex strings (2477)
  • Feature: New theme, “Reflection” (thanks Jon!) (2466)
  • Feature: Go to File Offset (available via command-palette) (2157)
  • Feature: UI Font now configurable via settings (ui.font.app) (2424)
  • Feature: Additional graph padding can be added via the ui.view.graph.padding setting for extra space around Flow Graphs (196)
  • Feature: f hotkey sets/toggles float types (2069)
  • Feature: Save/Load window layouts (using the command-palette) (1592)
  • Feature: Hovering variables now show storage and type information (2148)
  • Feature: Double clicking types (including __offset(N) references) navigates to appropriate type in type view (2412)
  • Feature: Navigation history now saved in the BNDB (2410)
  • Improved: The symbol auto-completion UI has an improved experience (2448)
  • Improved: Up arrow in the scripting console behaves more naturally between history and current entry (2467)
  • Improved: More consistent font use throughout the UI and updates when fonts are changed (2424)
  • Improved: Tags are now displayed before bookmarks (2351)
  • Improved: Transform dialog is now non-modal (2108)
  • Fix: Show/Hide tag types correctly handles locations with multiple tags (1992)
  • Fix: Addresses that were sometimes shown as signed values are now always shown as unsigned
  • Fix: Switching between graph and linear properly maintains selection (2343)
  • Fix: Navigation history maintains preferred IL view and history is correctly maintained (2349)
  • Fix: Missing analysis updates caused some types to not refresh when changed
  • Fix: Multiple references to the same variable in the same instruction no longer create duplicate cross-references

Binary Views

  • Feature: Support for Mach-O local relocations (1610)
  • Improved: Open With Options allows overriding platforms for built-in Binary Views (ELF, Mach-O, PE, etc.) (2291)
  • Fix: ARM ELF imports with mapping symbols now load correctly (2300)
  • Fix: More robust PE parsing for size 0 importTableEntries (2142)

Analysis

  • Feature: Allows support for calling conventions (Apple ARM64) which force all variadic arguments onto the stack (2121)
  • Improved: Duplicate symbols with the same name are possible as well as multiple symbols at the same address (611)
  • Improved: HLIL translation of conditional NORETURN calls (2320)
  • Improved: analysis.experimental.alternateTypePropagation now enabled by default which improves type propagation (1456)
  • Improved: Performance of applying PDBs with many types (834)
  • Fix: Data references to members were not correctly created (2313)
  • Fix: Function type information is properly propagated when typedefs are involved (2404)

API

  • Feature: user_directory() added to API (2358)
  • Feature: Function.parameter_vars now have setters in Python (1873)
  • Improved: Many additional MLIL and LLIL instructions are now documented (2441)
  • Improved: Metadata APIs now taint a BNDB so the save prompt will come up when changed (1174)
  • Improved: Documentation for request_debug_report() now lists possible report types (2447)
  • Improved: create_user_function() now returns the function created instead of None (1318)
  • Improved: Attempting to modify a console variable will trigger a log_error instead of log_warn (2206)
  • Fix: register_for_*il_instruction APIs now work in linear view in addition to graph view (2386)

Types

  • Feature: Type view now shows function calling conventions (903)
  • Feature: Accesses in code to invalid offsets now shown for structs in type view (2279)
  • Feature: Type parser now supports many features related to arrays such as multidimensional arrays, arrays of structs, pointers to arrays (756)
  • Improved: Creating a new type with the same name as an existing type now warns (2465)
  • Improved: Width of enums shown in the type view (2326)
  • Fix: Structure of width 0 no longer triggers a crash (2356)
  • Fix: Resolved a crash in variadic arg functions (2469)

Plugins/Plugin Manager

  • Feature: Native virtualenv support (settings python.virtualenv)
  • Feature: Plugin Manager search box hints show filters along with the search tool-tip (2417)
  • Improved: Official and Community plugins visibility different (1763)
  • Improved: Date of last update shown in plugin header (2314)
  • Improved: Better logging for failed plugin installation

Misc

  • Improved: BNDB save and load times improved
  • Improved: When opening a file with an existing BNDB, user is now prompted to open the database instead (101)
  • Improved: QT DownloadProvider removed in favor of default Rust provider and optional Python provider (2138)
  • Fix: -p on the command-line now correctly disables all plugins (previously Plugin Manager installed architectures were not disabled) (2452)

And of course you can view all the other issues, fixes, and features at: https://github.com/Vector35/binaryninja-api/milestone/12?closed=1.