Don’t panic! Binary Ninja version 4.2 Frogstar is here. It is, after all, the answer to everything. Much like a trusty towel, you’ll find that the improvements in 4.2 are applicable to many situations. This major release (despite the number increment being minor since we couldn’t skip version 4.2) includes an industry-first multiple-language decompilation, DYLD Shared Cache analysis, MSVC RTTI support, a new signature system fittingly called WARP, and so many more features.

• Language Representations
• MSVC RTTI
• WARP Signature Matching
• DLYD Shared Cache Alpha
• Workflows Feature Update
• Ultimate Edition
• New Architecture
• Smaller But Notable
  • Code Folding
  • Forward Type Propagation
  • Smart Undefine
  • Plugin Status
• Open Source Contributions
• Other Updates

Language Representations

One of Vector 35’s long-standing goals has been to break people away from the assumption that “C” is the ultimate output of a decompiler. That is one reason why HLIL is our default view, even though we offer Pseudo-C output. Now, in Binary Ninja 4.2, we are taking this one step further. We are adding a brand new, unique capability to Binary Ninja: the ability to decompile to other target languages.

This new Language Representation system is designed to allow custom renderings of HLIL that are language-specific. Using this system, we are adding Pseudo-Rust, which displays decompiled code in a style similar to the popular language Rust. The best part of this feature is that it is fully pluggable and user-customizable, with both a comprehensive API available and fully-featured example plugins for you to explore. In addition to both the Pseudo-C and Pseudo-Rust representations being released as open source C++ plugins, we are also releasing a Pseudo-Python example, written in Python, to demonstrate how to use this new system in Python plugins.

Not only does this add to the groundwork for new language-specific decompilation, but it also is a dramatic improvement in the quality of our Pseudo-C output. Instead of a one-off implementation, it’s now much more robust so users who prefer Pseudo-C as their default should see a noticeable increase in quality.

Most C++ binaries contain a significant amount of information about their types, as it is necessary when using the object-oriented features of the language. Now, in C++ binaries compiled using MSVC, Binary Ninja will automatically extract this type information and apply it for you. It will discover Virtual Function Tables, creating structures for them in your analysis, and making data variables with those structures where they are found. For classes with multiple inheritance, multiple Virtual Function Tables are supported and will be created accordingly. This update specifically adds support for extracting RTTI from x86 and x64 PE files compiled with MSVC. In future updates, we plan to expand this functionality to include Itanium RTTI support.

WARP: Advanced Function Matching Algorithm Alpha

This release features a new way to transfer function information between binaries. Unlike our existing SigKit tool, WARP is meant for whole function matching. This means fewer false positives and more opportunities to match on smaller functions, thanks to WARP’s function constraints. WARP integration is currently in alpha, and is disabled by default. If you would like to try it, you can enable analysis.warp in your settings. For more information about WARP, visit the documentation here!

For those iOS researchers who have been waiting for our new dyld shared cache (DSC) support, thanks for your patience! We’re extremely happy to announce that Binary Ninja 4.2 contains an alpha preview of our DSC support. The current release contains full support for iOS 11-17 shared cache bundles and partial support for iOS 18 and all macOS caches. Like many of our custom views, the implementation is open source and feedback is welcome.

Our DSC loader lets you select images from the shared cache to load into the analysis space and will automatically link loaded images. You can search either by image in the Images tab or you can search by a symbol to cause the image that contains it to be loaded.

Workflows Feature Update

We’re excited to announce major updates to the Workflows Feature in version 4.2. These enhancements bring powerful new capabilities to streamline and customize your binary analysis process. Here’s what’s new:

• Module-Level Workflows: Module-level workflows enable seamless integration with our core analysis techniques, such as recursive descent, linear sweep, and other module-wide analysis processes. This feature provides the ability to interpose the core-provided analyses at the BinaryView level, giving you fine control over how global and per-function analysis is orchestrated.
• Per-Function Analysis Settings: Settings—and even workflow selection—can now be tailored on a per-function basis, giving you fine-grained control over analysis. The updated workflow system allows for quick integration of your custom analyses into the UI, making them accessible directly from the Function Analysis context menu. From here, you can selectively enable or disable specific activities, ensuring that the most relevant analyses are applied exactly where needed. This streamlined approach makes it simple to provide tailored analyses and selectively apply them to specific functions without needing to adjust global settings.

• Default Workflow Integration: With 4.2, workflows are no longer an optional feature—they’re enabled by default. Every analysis now leverages a default workflow, which can serve as a customizable starting point to meet your specific needs.
• Composable Workflows: Workflows can now be composed allowing for multiple workflows to apply to a single file. As we expand out additional workflows for specific formats, languages, use-cases, etc, and as users write their own workflows, this capability is important in letting multiple workflows apply to a single file.

The new changes to workflows will be getting their own dedicated blog with a lot more examples and information, so make sure to check out the documentation in the meantime. These changes to workflows enable future improvements, such as combining with the language representation to allow far more granular control of decompilation for specific languages in the future.

Ultimate Edition

Just two months ago, we announced our new Binary Ninja Ultimate edition. While we previously had been making some very niche architectures available as separate paid add-ons, we decided to bundle all of those features into one new higher-end version called Ultimate. With an introductory price of $2999, unlimited access to a growing list of architectures, no subscription pricing, and other new features coming regularly, the uptake from the community has been quite strong!

As of 4.2, Binary Ninja Ultimate adds support for C-Sky, TriCore, and nanoMIPS architectures, VxWorks images, and has several other new features on the way. There’s never been a better time to upgrade – current customers even get a discount on upgrades; contact us to get a custom quote.

New Architecture

While Ultimate includes new niche architectures at a higher price point, we are continuing to add new architectures for all of our other customers as well! In Binary Ninja 4.2 we added support for MSP430, partnering with Joe Rozner to integrate his plugin as a first-class architecture plugin. It is open source and, as a Rust plugin, it fits right in with our trend of new plugins being written against our Rust API!

Smaller, But Notable!

A number of new features are small enough that they don’t deserve a whole major section, but we know they’re going to make a huge difference for many of our users. We don’t want to let them get buried in the detailed notes below, so here are a couple special mentions:

Code Folding

One of our oldest and most upvoted issues, “collapsible regions in linear view” was completed in this release. You can now fold code at different indentation levels of HLIL and other high level language representations. Still to come, support for folding data structures in linear view. Note that the folding indicators only show up when you hover over their column.

Forward Type Propagation

A new feature that allows for manual forward type propagation was added and mapped to the Q hotkey. Also available from the command-palette as “Forward Propagate Type”, this further streamlines marking up type annotations while reverse engineering.

We plan to automate this in the future, but in the meantime this work-around can save a lot of time!

Smart Undefine

“Undefine”, or the u hotkey in the UI, previously was only able to undefine a symbol. This would, for example, remove the name of a function or variable but not remove the object itself. This was not the most intuitive behavior, and so we’ve replaced the previous functionality with a new “smart” Undefine that does what most users would expect! Now, when using u, the symbol, variable, or function selected will be removed, in addition to the symbol itself, even if there are technically two distinct objects from an API perspective.

Plugin Status

New to the New Tab page is the plugin status widget. It shows the status of all installed plugins, whether they failed to load, and whether they have available updates. You can also use it to jump straight to the plugin manager.

Open-Source Contributions

Special thanks (in no particular order) to the following open source contributors whose unpaid work is either directly merged into this release or whose PRs prompted changes that landed! riskydissonance, mkrasnitski, Whurbin, alexmullins, Zerotistic, bdash, and SmoothHacker. We appreciate your contributions!

Summary

A recent twitter comment mentioned “crazy how fast binja is progressing” and we agree! Even though this is technically a minor version change, the list of major improvements is even larger than our previous 3.0 stable release. We’ve upped the bar with what changes we can ship and we hope it’s obvious to our current customers.

If you’re not yet a current customer, now’s a great time to evaluate the free version, or purchase a license! Don’t forget our student discount program if you’re a full-time student.

We’re also looking forward to seeing everyone attending RE//verse next February!

Other Updates

And those are just the major features, here’s a more complete list of features, improvements, deprecations and fixes for 4.2:

UI Updates

• Feature: Code collapsing for HLIL, Pseudo C and other High Level Language representations
• Feature: Scripting input area is now resizable
• Feature: Add ability to Copy search results
• Feature: Action to Go to Entry Point
• Feature: Can now set UIDF on Function Parameters
• Feature: Python console fuzzy completion (ui.scripting.fuzzySearch, disabled by default)
• Feature: Actions for creating a “New Mapped Data” file
• Feature: New setting adding support for transientScrollbars
• Improvement: Progress reporting when loading first stage of DWARF info
• Improvement: Better placement of comments around global data variables
• Improvement: Cross-reference pane now shows structure fields when relevant
• Improvement: Double clicking database history entries reverts to that state
• Improvement: Better default size of “find” dialog
• Improvement: Performance improvement in LogView UI
• Improvement: Open-With-Options allows selecting a specific View (useful for views that don’t have useful is_valid_for callbacks without making them available for all files, such as many firmware loaders)
• Improvement: Free edition now includes High Contrast theme for accessibility purposes
• Improvement: Several dialogs are now project aware, allowing loading files from a project bundle
• Improvement: Xrefs (and other sidebar panes) can function in windowed mode, focus the main window, and can be closed with ESC. This makes them function more similarly to certain other tools for users who prefer modal dialogs (additional improvements pending).
• Improvement: Change Type dialog now case-sensitive
• Improvement: “Paste from JSON” context menu added to settings
• Improvement: More accurate status bar states during analysis
• Improvement: “Current Function” limitation in find dialog now correctly searches discontiguous functions
• Improvement: “Show IL Opcodes” display setting also adds instruction size hints
• Fix: Crash in triage view if binary view has no default platform
• Fix: Crash in triage view when platform has no default calling convention
• Fix: Crash and UI lag for the address/find dialogs.
• Fix: Font in triage imports list
• Fix: Font setting change now requires restart
• Fix: Remote Dialog buttons being drawn incorrectly.
• Fix: Hang caused by large number of logging
• Fix: Respect resource settings for network.pdbAutoDownload
• Fix: Hang when ELF binary with excessive sections is loaded.
• Fix: Hang when binary with excessive segments is loaded.
• Fix: linux-setup.sh not making a valid desktop icon on Ubuntu 24.04
• Fix: Issue with plugin manager installing old dependencies on update rather than new dependencies
• Fix: Crash in triage view when no default calling convention exists
• Fix: “Clear Log” action works now
• Fix: Plugin Manager no longer shows update option for plugins without available updates
• Fix: String token selection

Analysis

• Feature: Add the ability for users to set the Global Pointer Value
• Feature: Recognize the that TerminateProcess(GetCurrentProcess()) is a no-return call
• Feature: Import analysis from IDA databases
• Feature: Added Apple Arc calling convention AppleArm64ObjcFastARCCallingConvention
• Feature: Better simplification of disjoint AND operations 0xffff0000 & (b & 0xffff) => b & 0
• Feature: Better simplification of ZeroExtend with binary operands zx.q(var_4 & 1) & 1 => zx.q(var_4) & 1
• Improvement: Short-strings still inlined based on appropriate type information (previously they still had to meet the minimum string length)
• Improvement: Multiple additional HLIL-based simplifications such as C-style if (boolean)
• Improvement: DWARF now recurses through DW_AT_abstract_origin when resolving types
• Improvement: DWARF supports zstd compressed data
• Improvement: Can now multi-select registers in the Function Properties dialog and toggle with SPACE
• Improvement: Debug Info (PDB, DWARF, etc) now correctly loaded if adjacent in a project file
• Improvement: Analysis performance for some large functions improved (due to frequent flag calculations)
• Improvement: Minimum worker thread-count is now 2
• Fix: Panic on DWARF import when an exception frame extends to the end of memory
• Fix: Issue were undefined DataVariables would reappear with re-analysis
• Fix: Analysis issue which could cause OOM when analyzing basic blocks
• Fix: Analysis of strings when memory map is modified
• Fix: analysis.limits.maxGlobalPointerValueUpdates set to 0 no longer causes a hang

Binary View

• Fix: ELF parsing bug where that allowed reading past end of dynamic table
• Fix: Respect ELF view endianness when calculating AArch64 relocations
• Fix: COFF Section name parsing when string table is invalid
• Fix: COFF relocation undefined behavior
• Fix: PE with invalid string table start failing to load

Architecture/Platforms

• Feature: Added NTDLL type libraries (may include other type library updates from upstream as well)
• Improvement: Support un-typed and unlinked TerminateProcess detection
• Improvement: Add mpidr_el1 aarch64 sysreg
• Improvement: MIPS Add IL, intrinsics for TLB-related instructions
• Improvement: Thumb2 lift VPOP, VPUSH, VLDR, VSTR, VMOV, RRX, VABS, VMRS, VCVT, VSTMIA, VLDMIA, VSUB, VDIV, VMUL, VFMA, VMRS, VNEG
• Improvement: Use split registers for VMOV
• Improvement: Upgraded capstone to 5.0.3 (only impacts powerpc architecture, resolved xori lifting error)
• Fix: Invalid lifting, Properly lift push r16 instructions in x86
• Fix: Invalid lifting of ARM64 carry flag
• Fix: MIPS Sign-extend results of 32-bit operations on HI, LO
• Fix: Thumb2 lifting of REV
• Fix: Thumb2 getting incorrect S and D registers in Lifted IL
• Fix: Thumb2 non R register groups referencing PC for 15th register index
• Fix: Thumb2 unconstrained VADD, VDIV, and VABS
• Fix: Thumb2 VPOP not setting registers
• Fix: Crash with 0 width enum in DWARF
• Fix: Implicit addends in MIPS
• Fix: Issue with SBB instruction on Aarch64

API

• New API: BinaryView::GetMemoryRegionFlags/BinaryView::SetMemoryRegionFlags (add ability to modify segments via the MemoryMap API)
• New API: FileContext::newMappedFile allows creation of a new mapped File
• New API: Platform::GetRelatedPlatforms
• New API: BinaryNinja::SetThreadName
• New API: MediumLevelILFunction::IsSSAVarLiveAt
• New API: BinaryView::GetDataOffsetForAddress
• New API: BinaryView::GetFunctionAnalysisUpdateDisabled/ BinaryView::SetFunctionAnalysisUpdateDisabled
• New API: Splitter::setMinimumWidgetSize/ Splitter::minimumWidgetSize
• New API: class RemoteFolder
• New API: getStringForGraphType/ getGraphTypeForString
• New API: class FlowGraphLayout
• New API: FlowGraphWidget::tagAddressAccepted
• New API: TagTypeSelectDialog::selected
• New API: LinearView::goToEntryPoint/ FlowGraphWidget::goToEntryPoint
• New API: StackView::getBaseOffset
• New API: UIContextNotification::OnContextMenuCreated
• New API: Workflow::GetEligibilitySettings
• New API: RepoPlugin::IsViewOnly
• New API: Settings::QueryProperty
• New API: FlowGraphWidget/LinearView::forwardPropagateType/ FlowGraphWidget/LinearView::inferFunctionType / FlowGraphWidget/LinearView::propagateVariableTypeAndName
• New API: OptionsDialog::removeTabAndSettingsView/ OptionsDialog::viewTypeSelectionChanged
• New API: BinaryView::IsForceLoadableCallback
• New API: LinearView::undefine
• New API: Load(Ref<ProjectFile>)
• New API: TypeBuilder::GetNameType()/ TypeBuilder::HasTemplateArguments/ TypeBuilder::SetNameType/ TypeBuilder::SetHasTemplateArguments/ TypeBuilder::VarArgsType/ TypeBuilder::ValueType/ Type::GetNameTypeString/ Type::GetCallingConventionName/ Type::SetCallingConventionName
• New API: Logger::Indent/ Logger::Dedent/ Logger::ResetIndent
• New API: namespace BinaryNinja::Unicode
• New API: class Demangler for custom name demangler support
• New API: class GenericRangeMap/ class GenericRange
• New API: FlowGraphWidget::getEdgeForMouseEvent/ FlowGraphWidget::canCopyAddress
• New API: class LanguageRepresentationFunction/ class LanguageRepresentationFunctionType / class HighLevelILTokenEmitter
• New API: BinaryView::AddAutoSegments
• New API: BinaryView::BeginBulkAddSegments, BinaryView::EndBulkAddSegments, and BinaryView::CancelBulkAddSegments
• New API: Allow modification of the global pointer value BinaryView::GetGlobalPointerValue(), BinaryView::UserGlobalPointerValueSet(), BinaryView::ClearUserGlobalPointerValue()
• Changed API: TypeLibrary::WriteToFile Now returns a bool if it failed
• Changed API: Request::Request/ Request::Post
• Changed API: BinaryView::UndefineDataVariable
• Changed API: Python set_user_var_value now works on function parameters
• APIs Removed: many deprecated functions
• APIs Removed: Segment::SetLength, Segment::SetDataOffset, Segment::SetDataLength, Segment::SetFlags
• APIs Removed: undefineName/ undefineFunc / undefineVariable
• Feature: Added CarryFlagWithInvertedSubtractRole which makes the carry flag value be inverted with subtraction vs addition, this is used in Arm64 and 6502
• Feature: Python’s TypedDataAccessor can now slice into array objects
• Improved: The functionality provided by MemoryMap and Segments APIs have been unified
• Fix: Open with options in rust plugins
• Fix: Issue with BasicBlockList re-iteration
• New Example: BackgroundTaskThread

Debugger

• Feature: Add a new “Debugger Info” sidebar widget to show information of the current instruction
• Improvement: Significant performance improvements during launch and debugging
• Improvement: Show a message box when a TTD recording has finished
• Improvement: Moved the debugger context menu to the top level
• Improvement: Symbolicate the stack trace using the function names from analysis
• Improvement: execute_backend_command now also returns the output from the command execution for the DbgEng adapter
• Improvement: Major documentation update and Python API update
• Fix: Support using the DbgEng-backed adapter on non-PE files
• Fix: Race condition when the user pauses a running target in a headless script
• Fix: Various fixes to stack trace symbolication: 1, 2
• Fix: Escape the register annotation properly
• Fix: Allow LLDB adapter to be selected and used for remote debugging when the file cannot be executed on Linux/macOS
• Fix: Crash after clicking “Install WinDbg/DbgEng” on Windows
• Fix: “Run Script” was previously incompatible with the Debugger causing a crash
• New API: restart_and_wait restarts the target and wait for the operation to complete

Enterprise

As a reminder, all Enterprise stable client builds for 4.2 are now labeled “Ultimate” as we have merged those editions together. This means all Enterprise customers are receiving our new Ultimate-only features for no additional cost. The Enterprise server will continue to be a separate product.

• Feature: Customers using GitLab for their SSO can now limit auth to specific groups, rather than the entire organization
• Feature: Project import now has an option to follow symlinks
• Fix: The license dialog now has the Enter key bound to “Start” instead of “Log Out”
• Fix: Being offline now no longer incorrectly shows “remote id has changed” instead of “cannot connect”
• Fix: Remote project folder description changes can no longer get lost during other metadata updates
• Fix: Potential deadlock in expiry thread
• Fix: Every call to _init_plugins() no longer checks out a license
• Fix: The RemoteProject.create_folder API no longer throws an error even though folder is created successfully
• Fix: We now check out a headless license correctly in the Rust API

Many More

• Updated to Qt 6.7.2
• CPP documentation now included offline as well
• Many separate documentation fixes
• Demanglers have been open sourced, and a new API allows adding new ones. Note that due to performance limitations, we recommend against adding custom demanglers as there is currently a fairly heavy performance hit due to FFI entering the hot-path for initial binary analysis. The current plugins now build as both a plugin and as a core feature as a result.
• New architecture MSP430 was open sourced
• Now support the ability to build plugins without an existing install

…plus all of the usual “additional” changes included in the full list of closed issues.