Getting Started

Welcome to Binary Ninja. This introduction document is meant to quickly guide you over some of the most common uses of Binary Ninja.

Directories

Binary Ninja uses two main locations. The first is the install path of the binary itself and the second is the user folders for user-installed content.

Binary Path

Binaries are installed in the following locations by default:

  • OS X: /Applications/Binary Ninja.app
  • Windows: C:\Program Files\Vector35\BinaryNinja
  • Linux: Wherever you extract it! (No standard location)

Warning

Do not put any user content in the install-path of Binary Ninja. The auto-update process of Binary Ninja may replace any files included in these folders.

User Folder

The base locations of user folders are:

  • OS X: ~/Library/Application Support/Binary Ninja
  • Linux: ~/.binaryninja
  • Windows: %APPDATA%\Binary Ninja

Contents of the user folder includes:

  • lastrun: A text file containing the directory of the last BinaryNinja binary path -- very useful for plugins to resolve the install locations in non-default settings or on linux.
  • license.dat: License file
  • plugins/: Folder containing all manually installed user plugins
  • repositories/: Folder containing files and plugins managed by the Plugin Manager API
  • settings.json: Advanced settings (see settings)
  • keybindings.json: Custom keybindings (see keybindings)

license popup >

License

When you first run Binary Ninja, it will prompt you for your license key. You should have received your license key via email after your purchase. If not, please contact support.

Once the license key is installed, you can change it, back it up, or otherwise inspect it simply by looking inside the base of the user folder for license.dat.

Linux Setup

Because linux install locations can vary widely, we do not assume a Binary Ninja has been installed in any particular folder on linux. Rather, you can simply run binaryninja/scripts/linux-setup.sh after extracting the zip and various file associations, icons, and other settings will be set up. Run it with -h to see the customization options.

Loading Files

You can load files in many ways:

  1. Drag-and-drop a file onto the Binary Ninja window
  2. Use the File/Open menu or Open button on the start screen
  3. Clicking an item in the recent files list
  4. Running Binary Ninja with an optional command-line parameter
  5. Opening a file from a URL via the ⌘-l or ⌃-l hotkey
  6. Opening a file using the binaryninja: url handler. For security reasons, the url handler requires you to confirm a warning before opening a file via the url handler. The url handler can open remote URLs like: binaryninja:https://captf2.captf.com/2015/plaidctf/pwnable/datastore_7e64104f876f0aa3f8330a409d9b9924.elf, or even local files like binarynina://bin/ls in cases where you wish to script up Binary Ninja from a local webapp.

recent files

Analysis

auto analysis ><

As soon as you open a file, Binary Ninja begins its auto-analysis.

Even while Binary Ninja is analyzing a binary, the UI should be responsive. Not only that, but because the analysis prioritizes user-requested analysis, you can start navigating a binary immediately and any functions you select will be added to the top of the analysis queue. The current progress through a binary is shown in the status bar, but note that the total number of items left to analyze will go up as well as the binary is processed and more items are discovered that require analysis.

Errors or warnings during the load of the binary are also shown in the status bar, along with an icon (in the case of the image above, a large number of warnings were shown). The most common warnings are from incomplete lifting and can be safely ignored. If the warnings include a message like Data flow for function at 0x41414141 did not terminate, then please report the binary to the bug database.

Interacting

Navigating code in Binary Ninja is usually a case of just double-clicking where you want to go. Addresses, references, functions, jmp edges, etc, can all be double-clicked to navigate. Additionally, The g hotkey can navigate to a specific address in the current view.

graph view

Switching views happens multiple ways. In some instances, it's automatic (clicking a data reference from graph view will navigate to linear view as data is not shown in the graph view), and there are multiple ways to manually change views as well. While navigating, you can use the view hotkeys (see below) to switch to a specific view at the same location as the current selection. Alternatively, the view menu in the bottom-right can be used to change views without navigating to any given location.

Hotkeys

  • h : Switch to hex view
  • p : Create a function
  • [ESC] : Navigate backward
  • [CMD] [ (OS X) : Navigate backward
  • [CMD] ] (OS X) : Navigate forward
  • [CTRL] [ (Windows/Linux) : Navigate backward
  • [CTRL] ] (Windows/Linux) : Navigate forward
  • [SPACE] : Toggle between linear view and graph view
  • g : Go To Address dialog
  • n : Name a symbol
  • u : Undefine an existing symbol (only for removing new user-defined names)
  • e : Edits an instruction (by modifying the original binary -- currently only enabled for x86, and x64)
  • x : Focuses the cross-reference pane
  • ; : Adds a comment
  • i : Cycles between disassembly, low-level il, and medium-level il in graph view
  • t : Switch to type view
  • y : Change type
  • a : Change the data type to an ASCII string
  • [1248] : Change type directly to a data variable of the indicated widths
  • d : Switches between data variables of various widths
  • r : Change the data type to single ASCII character
  • o : Create a pointer data type
  • [CMD-SHIFT] + (OS X) : Graph view zoom in
  • [CMD-SHIFT] - (OS X) : Graph view zoom out
  • [CTRL-SHIFT] + (Windows/Linux) : Graph view zoom in
  • [CTRL-SHIFT] - (Windows/Linux) : Graph view zoom out

Graph View

graph view

The default view in Binary Ninja when opening a binary is a graph view that groups the basic blocks of disassembly into visually distinct blocks with edges showing control flow between them.

graph view context >

Features of the graph view include:

  • Ability to double click edges to quickly jump between locations
  • Zoom (CTRL-mouse wheel)
  • Vertical Scrolling (Side scroll bar as well as mouse wheel)
  • Horizontal Scrolling (Bottom scroll bar as well as SHIFT-mouse wheel)
  • Individual highlighting of arguments, addresses, immediate values
  • Edge colors indicate whether the path is the true or false case of a conditional jump (a color-blind option in the preferences is useful for those with red-green color blindness)
  • Context menu that can trigger some function-wide actions as well as some specific to the highlighted instruction (such as inverting branch logic or replacing a specific function with a NOP)

View Options

options ><

Each of the views (Hex, Graph, Linear) have a variety of options configurable in the bottom-right of the UI.

Current options include:

  • Hex
    • Background highlight
      • None
      • Column
      • Byte value
    • Color highlight
      • None
      • ASCII and printable
      • Modification
    • Contrast
      • Normal
      • Medium
      • Highlight
  • Graph
    • Show address
    • Show opcode bytes
    • Assembly
    • Lifted IL
      • Show IL flag usage (if showing Lifted IL)
    • Low Level IL
      • Show basic block register state (if showing Low Level IL)
  • Linear
    • Show address
    • Show opcode bytes

Hex View

hex >

The hexadecimal view is useful for view raw binary files that may or may not even be executable binaries. The hex view is particularly good for transforming data in various ways via the Copy as, Transform, and Paste from menus. Note that Transform menu options will transform the data in-place, and that these options will only work when the Hex View is in the Raw mode as opposed to any of the binary views (such as "ELF", "Mach-O", or "PE").

Note that any changes made in the Hex view will take effect immediately in any other views open into the same file (new views can be created via the Split to new tab, or Split to new window options under View.). This can, however, cause large amounts of re-analysis so be warned before making large edits or transformations in a large binary file.

Xrefs View

xrefs >

The xrefs view in the lower-left shows all cross-references to a given location or reference. Note that the cross-references pane will change depending on whether an entire line is selected (all cross-references to that address are shown), or whether a specific token within the line is selected.

One fun trick that the xrefs view has up its sleeve: when in Hex View, a large range of memory addresses can be selected and the xrefs pane will show all xrefs to any location within that range of data.

Linear View

linear

Linear view is a hybrid view between a graph-based disassembly window and the raw hex view. It lists the entire binary's memory in a linear fashion and is especially useful when trying to find sections of a binary that were not properly identified as code or even just examining data.

Linear view is most commonly used for identifying and adding type information for unknown data. To this end,

Function List

function list >

The function list in Binary Ninja shows the list of functions currently identified. As large binaries are analyzed, the list may grow during analysis. The function list starts with known functions such as the entry point, exports, or using other features of the binary file format and explores from there to identify other functions.

The function list also highlights imports, and functions identified with symbols in different colors to make them easier to identify.

Tip

To search in the function list, just click to make sure it's focused and start typing!

Script (Python) Console

console >

The integrated script console is useful for small scripts that aren't worth writing as full plugins.

To trigger the console, either use <CTRL>-<BACKTICK>, or use the View/Script console menu.

Once loaded, the script console can be docked in different locations or popped out into a stand-alone window. Note that at this time window locations are not saved on restart.

Multi-line input is possible just by doing what you'd normally do in python. If you leave a trailing : at the end of a line, the box will automatically turn into a multi-line edit box, complete with a command-history. To submit that multi-line input, use <CTRL>-<ENTER>

By default the interactive python prompt has a number of convenient helper functions and variables built in:

  • here / current_address: address of the current selection
  • bv / current_view / : the current BinaryView
  • current_function: the current Function
  • current_basic_block: the current BasicBlock
  • current_llil: the current LowLevelILFunction
  • current_mlil: the current MediumLevelILFunction
  • current_selection: a tuple of the start and end addresses of the current selection
  • write_at_cursor(data): function that writes data to the start of the current selection
  • get_selected_data(): function that returns the data in the current selection

Note

The current script console only supports Python at the moment, but it's fully extensible for other programming languages for advanced users who wish to implement their own bindings.

Using Plugins

Plugins can be installed by one of two methods. First, they can be manually installed by adding the plugin (either a .py file or a folder implementing a python module with a __init__.py file) to the appropriate path:

  • OS X: ~/Library/Application Support/Binary Ninja/plugins/
  • Linux: ~/.binaryninja/plugins/
  • Windows: %APPDATA%\Binary Ninja\plugins

Alternatively, plugins can be installed with the new pluginmanager API.

For more detailed information, see the plugin guide.

PDB Plugin

Binary Ninja supports loading PDB files through the built in PDB plugin. When selected from the plugin menu it attempts to find where the corresponding PDB file is located using the following search order:

  1. Look for in the same directory as the opened file/bndb (e.g. If you ahve c:\foo.exe or c:\foo.bndb open the pdb plugin looks for c:\foo.pdb)
  2. Look in the local symbol store. This is the directory specified by the settings: local-store-relative or local-store-absolute. The format of this directory is foo.pdb\<guid>\foo.pdb.
  3. Attempt to connect and download the PDB from the list of symbol servers specified in setting symbol-server-list.
  4. Prompt the user for the pdb.

Preferences/Updates

preferences >

Binary Ninja automatically updates itself by default. This functionality can be disabled in the preferences by turning off the Update to latest version automatically option. Updates are silently downloaded in the background and when complete an option to restart is displayed in the status bar. Whenever Binary Ninja restarts next, it will replace itself with the new version as it launches.

On windows, this is achieved through a separate launcher that loads first and replaces the installation before launching the new version. On OS X and Linux, the original installation is overwritten after the update occurs as these operating systems allow files to be replaced while running. The update on restart is thus immediate.

Settings

Settings are stored in the user directory in the file settings.json. Each top level object in this file is represents a different plugin. As of build 860 the following settings are available:

Plugin Setting Type Default Description
analysis autorunLinearSweep boolean True Automatically run linear sweep when opening a binary for analysis
analysis enableUTF8 boolean True Whether or not to consider UTF-8 code points when searching for strings
analysis enableUTF16 boolean True Whether or not to consider UTF-16 code points when searching for strings
analysis enableUTF32 boolean True Whether or not to consider UTF-32 code points when searching for strings
analysis enabledUnicodeBlocks list(string) [] Defines which Unicode blocks to consider when searching for strings
analysis max-function-size integer 65536 Any functions over this size will not be automatically analyzed and require manual override
arch x86.disassemblyFlavor string "BN_INTEL" "BN_INTEL", "INTEL", or "AT&T"
arch x86.disassemblyLowercase bool True Lowercase opcodes, operands, and registers (False for uppercase)
arch x86.disassemblySeperator string ", " What to put between operands in disassembly tokens
core linux_ca_bundle string "" Certificate authority (.pem or .crt) file to be used for secure downloads
core linux_ca_dir string "" Certificate authority directory (for distributions without a CA bundle)
download-client https-proxy string "" urllib proxyhandler (probably not what you want--by default urllib follows system proxy settings)
pdb auto-download-pdb boolean True Automatically download pdb files from specified symbol servers
pdb local-store-absolute string "" Absolute path specifying where the pdb symbol store exists on this machine, overrides relative path
pdb local-store-relative string "symbols" Path relative to the binaryninja user directory, sepcifying the pdb symbol store
pdb symbol-server-list list(string) ["http://msdl.microsoft.com/download/symbols"] List of servers to query for pdb symbols.
python interpreter string "{/path/,C:\\Path\\}python27.{dylib,dll,so.1}" Python interpreter to load if one is not already present when plugins are loaded
ui activeContent boolean True Allow Binary Ninja to connect to the web to check for updates
ui colorblind boolean True Choose colors that are visible to those with red/green colorblind
ui debug boolean False Enable developer debugging features (Additional views: Lifted IL, and SSA forms)
ui recent-file-limit integer 10 Specify limit for number of recent files
ui scriptingProvider string "Python" Specify the registered ScriptingProvider that controls the 'Console' in the UI

Below is an example settings.json setting various options:

{
    "ui" :
    {
        "activeContent" : false,
        "colorblind" : false,
        "debug" : true,
        "recent-file-limit" : 10
    }
    "pdb" :
    {
        "local-store-absolute" : "C:\\Symbols",
        "local-store-relative" : "",
        "symbol-server-list" : ["http://mysymbolserver.company.lan"]
    },
    "python":
    {
        "interpreter": "C:\\Users\\Binja\\AppData\\Local\\Programs\\Python\\Python37\\python37.dll"
    }
}

Custom Keybindings

Custom keybindings can be stored in the user directory in the file keybindings.json. Actions can be referenced for keybindings using the name that appears in the menu. If the desired action is in a submenu, use the full path to the item separated by \\ (for example, "New\\Binary Data"). Below is an example keybindings file:

{
    "Reanalyze" : "Ctrl+Shift+R",
    "Log" : "Ctrl+L"
}

Note

On Mac OS X, Ctrl refers to the Command key, while Meta refers to the Control key. This is a remapping performed by Qt to make cross-platform keybindings easier to define.

Unicode Support

Currently, Unicode support for Big Endian strings is very limited. Also, UTF-16 only supports Basic Latin code points.

Getting Support

Vector 35 offers a number of ways to get Binary Ninja support.