architecture module¶

`binaryninja.architecture.Architecture`()	`class Architecture` is the parent class for all CPU architectures. Subclasses of Architecture implement assembly,
`binaryninja.architecture.ArchitectureHook`(...)
`binaryninja.architecture.CoreArchitecture`(handle)
`binaryninja.architecture.ReferenceSource`(...)
`binaryninja.architecture.range`(*args)	A Python2 and Python3 Compatible Range Generator
`binaryninja.architecture.with_metaclass`(...)	Create a base class with a metaclass.

class binaryninja.architecture.Architecture[source]¶

Bases: object

class Architecture is the parent class for all CPU architectures. Subclasses of Architecture implement assembly, disassembly, IL lifting, and patching.

class Architecture has a metaclass with the additional methods register, and supports iteration:

>>> #List the architectures
>>> list(Architecture)
[<arch: aarch64>, <arch: armv7>, <arch: armv7eb>, <arch: mipsel32>, <arch: mips32>, <arch: powerpc>,
<arch: x86>, <arch: x86_64>]
>>> #Register a new Architecture
>>> class MyArch(Architecture):
...  name = "MyArch"
...
>>> MyArch.register()
>>> list(Architecture)
[<arch: aarch64>, <arch: armv7>, <arch: armv7eb>, <arch: mipsel32>, <arch: mips32>, <arch: powerpc>,
<arch: x86>, <arch: x86_64>, <arch: MyArch>]
>>>

For the purposes of this documentation the variable arch will be used in the following context

>>> from binaryninja import *
>>> arch = Architecture['x86']

address_size = 8¶

always_branch(data, addr)[source]¶

always_branch reads the instruction(s) in data at virtual address addr and returns a string of bytes of the same length which always branches.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) which always branches to the same location as the provided instruction
Return type:	str
Example:	>>> bytes = arch.always_branch(arch.assemble("je 10")[0], 0) >>> arch.get_instruction_text(bytes, 0) (['nop '], 1L) >>> arch.get_instruction_text(bytes[1:], 0) (['jmp ', '0x9'], 5L) >>>

assemble(code, addr=0)[source]¶

assemble converts the string of assembly instructions code loaded at virtual address addr to the byte representation of those instructions.

Note

Architecture subclasses should implement this method.

Architecture plugins can override this method to provide assembler functionality. This can be done by simply shelling out to an assembler like yasm or llvm-mc, since this method isn’t performance sensitive.

Note

It is important that the assembler used accepts a syntax identical to the one emitted by the disassembler. This will prevent confusing the user.

Parameters:	code (str) – string representation of the instructions to be assembled addr (int) – virtual address that the instructions will be loaded at
Returns:	the bytes for the assembled instructions or error string
Return type:	(a tuple of instructions and empty string) or (or None and error string)
Example:	>>> arch.assemble("je 10") ('\x0f\x84\x04\x00\x00\x00', '') >>>

calling_conventions¶: Dict of CallingConvention objects (read-only)

convert_to_nop(data, addr)[source]¶

convert_to_nop reads the instruction(s) in data at virtual address addr and returns a string of nop instructions of the same length as data.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) worth of no-operation instructions
Return type:	str
Example:	>>> arch.convert_to_nop("\x00\x00", 0) '\x90\x90' >>>

default_int_size = 4¶

endianness = <Endianness.LittleEndian: 0>¶

flag_conditions_for_semantic_flag_group = {}¶

flag_roles = {}¶

flag_write_types = []¶

flags = []¶

flags_required_for_flag_condition = {}¶

flags_required_for_semantic_flag_group = {}¶

flags_written_by_flag_write_type = {}¶

full_width_regs¶: List of full width register strings (read-only)

get_associated_arch_by_address(addr)[source]¶

get_default_flag_condition_low_level_il(cond, sem_class, il)[source]¶

Parameters:	cond (LowLevelILFlagCondition) – il (LowLevelILFunction) – sem_class (str) –
Return type:	LowLevelILExpr

get_default_flag_write_low_level_il(op, size, role, operands, il)[source]¶

Parameters:	op (LowLevelILOperation) – size (int) – role (FlagRole) – or int) operands (list(str) – a list of either items that are either string register names or constant integer values il (LowLevelILFunction) –
Return type:	LowLevelILExpr index

get_flag_by_name(flag)[source]¶

get_flag_by_name get flag name for flag index.

Parameters:	flag (int) – flag index
Returns:	flag name for flag index
Return type:	str

get_flag_condition_low_level_il(cond, sem_class, il)[source]¶

Parameters:	cond (LowLevelILFlagCondition) – Flag condition to be computed sem_class (str) – Semantic class to be used (None for default semantics) il (LowLevelILFunction) – LowLevelILFunction object to append LowLevelILExpr objects to
Return type:	LowLevelILExpr

get_flag_index(flag)[source]¶

get_flag_name(flag)[source]¶

get_flag_name gets a flag name from a flag number.

Parameters:	reg (int) – register number
Returns:	the corresponding register string
Return type:	str

get_flag_role(flag, sem_class=None)[source]¶

get_flag_role gets the role of a given flag.

Parameters:	flag (int) – flag sem_class (int) – optional semantic flag class
Returns:	flag role
Return type:	FlagRole

get_flag_write_low_level_il(op, size, write_type, flag, operands, il)[source]¶

Parameters:	op (LowLevelILOperation) – size (int) – write_type (str) – or int) operands (list(str) – a list of either items that are either string register names or constant integer values il (LowLevelILFunction) –
Return type:	LowLevelILExpr

get_flag_write_type_by_name(write_type)[source]¶

get_flag_write_type_by_name gets the flag write type name for the flage write type.

Parameters:	write_type (int) – flag write type
Returns:	flag write type
Return type:	str

get_flag_write_type_name(write_type)[source]¶

get_flag_write_type_name gets the flag write type name for the given flag.

Parameters:	write_type (int) – flag
Returns:	flag write type name
Return type:	str

get_flags_required_for_flag_condition(cond, sem_class=None)[source]¶

get_instruction_info(data, addr)[source]¶

get_instruction_info returns an InstructionInfo object for the instruction at the given virtual address addr with data data.

Note

Architecture subclasses should implement this method.

Note

The instruction info object should always set the InstructionInfo.length to the instruction length, and the branches of the proper types shoulde be added if the instruction is a branch.

If the instruction is a branch instruction architecture plugins should add a branch of the proper type:

BranchType Description

UnconditionalBranch Branch will always be taken

FalseBranch False branch condition

TrueBranch True branch condition

CallDestination Branch is a call instruction (Branch with Link)

FunctionReturn Branch returns from a function

SystemCall System call instruction

IndirectBranch Branch destination is a memory address or register

UnresolvedBranch Branch destination is an unknown address

Parameters:	data (str) – max_instruction_length bytes from the binary at virtual address `addr` addr (int) – virtual address of bytes in `data`
Returns:	the InstructionInfo for the current instruction
Return type:	InstructionInfo

get_instruction_low_level_il(data, addr, il)[source]¶

get_instruction_low_level_il appends LowLevelILExpr objects to il for the instruction at the given virtual address addr with data data.

This is used to analyze arbitrary data at an address, if you are working with an existing binary, you likely want to be using Function.get_low_level_il_at.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – max_instruction_length bytes from the binary at virtual address `addr` addr (int) – virtual address of bytes in `data` il (LowLevelILFunction) – The function the current instruction belongs to
Returns:	the length of the current instruction
Return type:	int

get_instruction_low_level_il_instruction(bv, addr)[source]¶

get_instruction_text(data, addr)[source]¶

get_instruction_text returns a list of InstructionTextToken objects for the instruction at the given virtual address addr with data data.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – max_instruction_length bytes from the binary at virtual address `addr` addr (int) – virtual address of bytes in `data`
Returns:	an InstructionTextToken list for the current instruction
Return type:	list(InstructionTextToken)

get_intrinsic_index(intrinsic)[source]¶

get_intrinsic_name(intrinsic)[source]¶

get_intrinsic_name gets an intrinsic name from an intrinsic number.

Parameters:	intrinsic (int) – intrinsic number
Returns:	the corresponding intrinsic string
Return type:	str

get_low_level_il_from_bytes(data, addr)[source]¶

get_low_level_il_from_bytes converts the instruction in bytes to il at the given virtual address

Parameters:	data (str) – the bytes of the instruction addr (int) – virtual address of bytes in `data`
Returns:	the instruction
Return type:	LowLevelILInstruction
Example:	>>> arch.get_low_level_il_from_bytes('ëþ', 0x40DEAD) <il: jump(0x40dead)> >>>

get_modified_regs_on_write(reg)[source]¶

get_modified_regs_on_write returns a list of register names that are modified when reg is written.

Parameters:	reg (str) – string register name
Returns:	list of register names
Return type:	list(str)

get_reg_index(reg)[source]¶

get_reg_name(reg)[source]¶

get_reg_name gets a register name from a register number.

Parameters:	reg (int) – register number
Returns:	the corresponding register string
Return type:	str

get_reg_stack_for_reg(reg)[source]¶

get_reg_stack_index(reg_stack)[source]¶

get_reg_stack_name(reg_stack)[source]¶

get_reg_stack_name gets a register stack name from a register stack number.

Parameters:	reg_stack (int) – register stack number
Returns:	the corresponding register string
Return type:	str

get_semantic_flag_class_by_name(sem_class)[source]¶

get_semantic_flag_class_by_name gets the semantic flag class index by name.

Parameters:	sem_class (int) – semantic flag class
Returns:	semantic flag class index
Return type:	str

get_semantic_flag_class_index(sem_class)[source]¶

get_semantic_flag_class_name(class_index)[source]¶

get_semantic_flag_class_name gets the name of a semantic flag class from the index.

Parameters:	_index (int) – class_index
Returns:	the name of the semantic flag class
Return type:	str

get_semantic_flag_group_by_name(sem_group)[source]¶

get_semantic_flag_group_by_name gets the semantic flag group index by name.

Parameters:	sem_group (int) – semantic flag group
Returns:	semantic flag group index
Return type:	str

get_semantic_flag_group_index(sem_group)[source]¶

get_semantic_flag_group_low_level_il(sem_group, il)[source]¶

Parameters:	sem_group (str) – il (LowLevelILFunction) –
Return type:	LowLevelILExpr

get_semantic_flag_group_name(group_index)[source]¶

get_semantic_flag_group_name gets the name of a semantic flag group from the index.

Parameters:	group_index (int) – group_index
Returns:	the name of the semantic flag group
Return type:	str

get_view_type_constant(type_name, const_name, default_value=0)[source]¶

get_view_type_constant retrieves the view type constant for the given type_name and const_name.

Parameters:	type_name (str) – the BinaryView type name of the constant to be retrieved const_name (str) – the constant name to retrieved value (int) – optional default value if the type_name is not present. default value is zero.
Returns:	The BinaryView type constant or the default_value if not found
Return type:	int
Example:	>>> ELF_RELOC_COPY = 5 >>> arch.set_view_type_constant("ELF", "R_COPY", ELF_RELOC_COPY) >>> arch.get_view_type_constant("ELF", "R_COPY") 5L >>> arch.get_view_type_constant("ELF", "NOT_HERE", 100) 100L

global_regs = []¶

instr_alignment = 1¶

intrinsics = {}¶

invert_branch(data, addr)[source]¶

invert_branch reads the instruction(s) in data at virtual address addr and returns a string of bytes of the same length which inverts the branch of provided instruction.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) which always branches to the same location as the provided instruction
Return type:	str
Example:	>>> arch.get_instruction_text(arch.invert_branch(arch.assemble("je 10")[0], 0), 0) (['jne ', '0xa'], 6L) >>> arch.get_instruction_text(arch.invert_branch(arch.assemble("jo 10")[0], 0), 0) (['jno ', '0xa'], 6L) >>> arch.get_instruction_text(arch.invert_branch(arch.assemble("jge 10")[0], 0), 0) (['jl ', '0xa'], 6L) >>>

is_always_branch_patch_available(data, addr)[source]¶

is_always_branch_patch_available determines if the instruction data at addr can be made to always branch.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_always_branch_patch_available(arch.assemble("je 10")[0], 0) True >>> arch.is_always_branch_patch_available(arch.assemble("nop")[0], 0) False >>>

is_invert_branch_patch_available(data, addr)[source]¶

is_always_branch_patch_available determines if the instruction data at addr can be inverted.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_invert_branch_patch_available(arch.assemble("je 10")[0], 0) True >>> arch.is_invert_branch_patch_available(arch.assemble("nop")[0], 0) False >>>

is_never_branch_patch_available(data, addr)[source]¶

is_never_branch_patch_available determines if the instruction data at addr can be made to never branch.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_never_branch_patch_available(arch.assemble("je 10")[0], 0) True >>> arch.is_never_branch_patch_available(arch.assemble("nop")[0], 0) False >>>

is_skip_and_return_value_patch_available(data, addr)[source]¶

is_skip_and_return_value_patch_available determines if the instruction data at addr is a call-like instruction that can be made into an instruction returns a value.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_skip_and_return_value_patch_available(arch.assemble("call 0")[0], 0) True >>> arch.is_skip_and_return_value_patch_available(arch.assemble("jmp eax")[0], 0) False >>>

is_skip_and_return_zero_patch_available(data, addr)[source]¶

is_skip_and_return_zero_patch_available determines if the instruction data at addr is a call-like instruction that can be made into an instruction returns zero.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_skip_and_return_zero_patch_available(arch.assemble("call 0")[0], 0) True >>> arch.is_skip_and_return_zero_patch_available(arch.assemble("call eax")[0], 0) True >>> arch.is_skip_and_return_zero_patch_available(arch.assemble("jmp eax")[0], 0) False >>>

is_view_type_constant_defined(type_name, const_name)[source]¶

Parameters:	type_name (str) – the BinaryView type name of the constant to query const_name (str) – the constant name to query
Return type:	None
Example:	>>> arch.set_view_type_constant("ELF", "R_COPY", ELF_RELOC_COPY) >>> arch.is_view_type_constant_defined("ELF", "R_COPY") True >>> arch.is_view_type_constant_defined("ELF", "NOT_THERE") False >>>

link_reg = None¶

list = [<arch: aarch64>, <arch: armv7>, <arch: thumb2>, <arch: armv7eb>, <arch: thumb2eb>, <arch: mipsel32>, <arch: mips32>, <arch: ppc>, <arch: ppc_le>, <arch: x86>, <arch: x86_64>]¶

max_instr_length = 16¶

name = None¶

next_address = 0¶

opcode_display_length = 8¶

perform_always_branch(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override always_branch.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	The bytes of the replacement unconditional branch instruction
Return type:	str

perform_assemble(code, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override assemble.

Parameters:	code (str) – string representation of the instructions to be assembled addr (int) – virtual address that the instructions will be loaded at
Returns:	the bytes for the assembled instructions or error string
Return type:	(a tuple of instructions and empty string) or (or None and error string)

perform_convert_to_nop(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override convert_to_nop.

Parameters:	data (str) – bytes at virtual address `addr` addr (int) – the virtual address of the instruction to be patched
Returns:	nop sequence of same length as `data` or None
Return type:	str or None

perform_get_associated_arch_by_address(addr)[source]¶: Deprecated method provided for compatibility. Architecture plugins should override get_associated_arch_by_address.

perform_get_flag_condition_low_level_il(cond, sem_class, il)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override get_flag_condition_low_level_il.

Parameters:	cond (LowLevelILFlagCondition) – Flag condition to be computed sem_class (str) – Semantic class to be used (None for default semantics) il (LowLevelILFunction) – LowLevelILFunction object to append LowLevelILExpr objects to
Return type:	LowLevelILExpr

perform_get_flag_role(flag, sem_class)[source]¶: Deprecated method provided for compatibility. Architecture plugins should override get_flag_role.

perform_get_flag_write_low_level_il(op, size, write_type, flag, operands, il)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override get_flag_write_low_level_il.

Parameters:	op (LowLevelILOperation) – size (int) – write_type (int) – flag (int) – list(int_or_str) – il (LowLevelILFunction) –
Return type:	LowLevelILExpr

perform_get_flags_required_for_flag_condition(cond, sem_class)[source]¶: Deprecated method provided for compatibility. Architecture plugins should override get_flags_required_for_flag_condition.

perform_get_instruction_info(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override get_instruction_info.

Parameters:	data (str) – bytes to decode addr (int) – virtual address of the byte to be decoded
Returns:	a `InstructionInfo` object containing the length and branche types for the given instruction
Return type:	InstructionInfo

perform_get_instruction_low_level_il(data, addr, il)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override get_instruction_low_level_il.

Parameters:	data (str) – bytes to be interpreted as low-level IL instructions addr (int) – virtual address of start of `data` il (LowLevelILFunction) – LowLevelILFunction object to append LowLevelILExpr objects to
Return type:	length of bytes read on success, None on failure

perform_get_instruction_text(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override get_instruction_text.

Parameters:	data (str) – bytes to decode addr (int) – virtual address of the byte to be decoded
Returns:	a tuple of list(InstructionTextToken) and length of instruction decoded
Return type:	tuple(list(InstructionTextToken), int)

perform_get_semantic_flag_group_low_level_il(sem_group, il)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override get_semantic_flag_group_low_level_il.

Parameters:	sem_group (str) – Semantic group to be computed il (LowLevelILFunction) – LowLevelILFunction object to append LowLevelILExpr objects to
Return type:	LowLevelILExpr

perform_invert_branch(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override invert_branch.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	The bytes of the replacement unconditional branch instruction
Return type:	str

perform_is_always_branch_patch_available(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override is_always_branch_patch_available.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool

perform_is_invert_branch_patch_available(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override is_invert_branch_patch_available.

Parameters:	addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool

perform_is_never_branch_patch_available(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override is_never_branch_patch_available.

Note

Architecture subclasses should implement this method.

Warning

This method should never be called directly.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool

perform_is_skip_and_return_value_patch_available(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override is_skip_and_return_value_patch_available.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool

perform_is_skip_and_return_zero_patch_available(data, addr)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override is_skip_and_return_zero_patch_available.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool

perform_skip_and_return_value(data, addr, value)[source]¶

Deprecated method provided for compatibility. Architecture plugins should override skip_and_return_value.

Parameters:	data (str) – bytes to be checked addr (int) – the virtual address of the instruction to be patched value (int) – value to be returned
Returns:	The bytes of the replacement unconditional branch instruction
Return type:	str

reg_stacks = {}¶

register_calling_convention(cc)[source]¶

register_calling_convention registers a new calling convention for the Architecture.

Parameters:	cc (CallingConvention) – CallingConvention object to be registered
Return type:	None

regs = {}¶

semantic_class_for_flag_write_type = {}¶

semantic_flag_classes = []¶

semantic_flag_groups = []¶

set_view_type_constant(type_name, const_name, value)[source]¶

set_view_type_constant creates a new binaryview type constant.

Parameters:	type_name (str) – the BinaryView type name of the constant to be registered const_name (str) – the constant name to register value (int) – the value of the constant
Return type:	None
Example:	>>> ELF_RELOC_COPY = 5 >>> arch.set_view_type_constant("ELF", "R_COPY", ELF_RELOC_COPY) >>>

skip_and_return_value(data, addr, value)[source]¶

skip_and_return_value reads the instruction(s) in data at virtual address addr and returns a string of bytes of the same length which doesn’t call and instead return a value.

Note

Architecture subclasses should implement this method.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) which always branches to the same location as the provided instruction
Return type:	str
Example:	>>> arch.get_instruction_text(arch.skip_and_return_value(arch.assemble("call 10")[0], 0, 0), 0) (['mov ', 'eax', ', ', '0x0'], 5L) >>>

stack_pointer = None¶

standalone_platform¶: Architecture standalone platform (read-only)

class binaryninja.architecture.ArchitectureHook(base_arch)[source]¶

Bases: binaryninja.architecture.CoreArchitecture

register()[source]¶

class binaryninja.architecture.CoreArchitecture(handle)[source]¶

Bases: binaryninja.architecture.Architecture

always_branch(data, addr)[source]¶

always_branch reads the instruction(s) in data at virtual address addr and returns a string of bytes of the same length which always branches.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) which always branches to the same location as the provided instruction
Return type:	str
Example:	>>> bytes = arch.always_branch(arch.assemble("je 10")[0], 0) >>> arch.get_instruction_text(bytes, 0) (['nop '], 1L) >>> arch.get_instruction_text(bytes[1:], 0) (['jmp ', '0x9'], 5L) >>>

assemble(code, addr=0)[source]¶

assemble converts the string of assembly instructions code loaded at virtual address addr to the byte representation of those instructions.

Parameters:	code (str) – string representation of the instructions to be assembled addr (int) – virtual address that the instructions will be loaded at
Returns:	the bytes for the assembled instructions
Return type:	Python3 - a ‘bytes’ object; Python2 - a ‘str’
Example:	>>> arch.assemble("je 10") ('\x0f\x84\x04\x00\x00\x00', '') >>>

convert_to_nop(data, addr)[source]¶

convert_to_nop reads the instruction(s) in data at virtual address addr and returns a string of nop instructions of the same length as data.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) worth of no-operation instructions
Return type:	str
Example:	>>> arch.convert_to_nop("\x00\x00", 0) '\x90\x90' >>>

get_associated_arch_by_address(addr)[source]¶

get_flag_condition_low_level_il(cond, sem_class, il)[source]¶

Parameters:	cond (LowLevelILFlagCondition) – Flag condition to be computed sem_class (str) – Semantic class to be used (None for default semantics) il (LowLevelILFunction) – LowLevelILFunction object to append LowLevelILExpr objects to
Return type:	LowLevelILExpr

get_flag_role(flag, sem_class=None)[source]¶

get_flag_role gets the role of a given flag.

Parameters:	flag (int) – flag sem_class (int) – optional semantic flag class
Returns:	flag role
Return type:	FlagRole

get_flag_write_low_level_il(op, size, write_type, flag, operands, il)[source]¶

Parameters:	op (LowLevelILOperation) – size (int) – write_type (str) – or int) operands (list(str) – a list of either items that are either string register names or constant integer values il (LowLevelILFunction) –
Return type:	LowLevelILExpr

get_flags_required_for_flag_condition(cond, sem_class=None)[source]¶

get_instruction_info(data, addr)[source]¶

get_instruction_info returns an InstructionInfo object for the instruction at the given virtual address addr with data data.

Note

The instruction info object should always set the InstructionInfo.length to the instruction length, and the branches of the proper types shoulde be added if the instruction is a branch.

Parameters:	data (str) – max_instruction_length bytes from the binary at virtual address `addr` addr (int) – virtual address of bytes in `data`
Returns:	the InstructionInfo for the current instruction
Return type:	InstructionInfo

get_instruction_low_level_il(data, addr, il)[source]¶

get_instruction_low_level_il appends LowLevelILExpr objects to il for the instruction at the given virtual address addr with data data.

This is used to analyze arbitrary data at an address, if you are working with an existing binary, you likely want to be using Function.get_low_level_il_at.

Parameters:	data (str) – max_instruction_length bytes from the binary at virtual address `addr` addr (int) – virtual address of bytes in `data` il (LowLevelILFunction) – The function the current instruction belongs to
Returns:	the length of the current instruction
Return type:	int

get_instruction_text(data, addr)[source]¶

get_instruction_text returns a list of InstructionTextToken objects for the instruction at the given virtual address addr with data data.

Parameters:	data (str) – max_instruction_length bytes from the binary at virtual address `addr` addr (int) – virtual address of bytes in `data`
Returns:	an InstructionTextToken list for the current instruction
Return type:	list(InstructionTextToken)

get_semantic_flag_group_low_level_il(sem_group, il)[source]¶

Parameters:	sem_group (str) – il (LowLevelILFunction) –
Return type:	LowLevelILExpr

invert_branch(data, addr)[source]¶

invert_branch reads the instruction(s) in data at virtual address addr and returns a string of bytes of the same length which inverts the branch of provided instruction.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) which always branches to the same location as the provided instruction
Return type:	str
Example:	>>> arch.get_instruction_text(arch.invert_branch(arch.assemble("je 10")[0], 0), 0) (['jne ', '0xa'], 6L) >>> arch.get_instruction_text(arch.invert_branch(arch.assemble("jo 10")[0], 0), 0) (['jno ', '0xa'], 6L) >>> arch.get_instruction_text(arch.invert_branch(arch.assemble("jge 10")[0], 0), 0) (['jl ', '0xa'], 6L) >>>

is_always_branch_patch_available(data, addr)[source]¶

is_always_branch_patch_available determines if the instruction data at addr can be made to always branch.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_always_branch_patch_available(arch.assemble("je 10")[0], 0) True >>> arch.is_always_branch_patch_available(arch.assemble("nop")[0], 0) False >>>

is_invert_branch_patch_available(data, addr)[source]¶

is_always_branch_patch_available determines if the instruction data at addr can be inverted.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_invert_branch_patch_available(arch.assemble("je 10")[0], 0) True >>> arch.is_invert_branch_patch_available(arch.assemble("nop")[0], 0) False >>>

is_never_branch_patch_available(data, addr)[source]¶

is_never_branch_patch_available determines if the instruction data at addr can be made to never branch.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_never_branch_patch_available(arch.assemble("je 10")[0], 0) True >>> arch.is_never_branch_patch_available(arch.assemble("nop")[0], 0) False >>>

is_skip_and_return_value_patch_available(data, addr)[source]¶

is_skip_and_return_value_patch_available determines if the instruction data at addr is a call-like instruction that can be made into an instruction returns a value.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_skip_and_return_value_patch_available(arch.assemble("call 0")[0], 0) True >>> arch.is_skip_and_return_value_patch_available(arch.assemble("jmp eax")[0], 0) False >>>

is_skip_and_return_zero_patch_available(data, addr)[source]¶

is_skip_and_return_zero_patch_available determines if the instruction data at addr is a call-like instruction that can be made into an instruction returns zero.

Parameters:	data (str) – bytes for the instruction to be checked addr (int) – the virtual address of the instruction to be patched
Returns:	True if the instruction can be patched, False otherwise
Return type:	bool
Example:	>>> arch.is_skip_and_return_zero_patch_available(arch.assemble("call 0")[0], 0) True >>> arch.is_skip_and_return_zero_patch_available(arch.assemble("call eax")[0], 0) True >>> arch.is_skip_and_return_zero_patch_available(arch.assemble("jmp eax")[0], 0) False >>>

skip_and_return_value(data, addr, value)[source]¶

skip_and_return_value reads the instruction(s) in data at virtual address addr and returns a string of bytes of the same length which doesn’t call and instead return a value.

Parameters:	data (str) – bytes for the instruction to be converted addr (int) – the virtual address of the instruction to be patched
Returns:	string containing len(data) which always branches to the same location as the provided instruction
Return type:	str
Example:	>>> arch.get_instruction_text(arch.skip_and_return_value(arch.assemble("call 10")[0], 0, 0), 0) (['mov ', 'eax', ', ', '0x0'], 5L) >>>

class binaryninja.architecture.ReferenceSource(func, arch, addr)[source]¶: Bases: object