{"componentChunkName":"component---src-templates-post-template-js","path":"/binja-python-api-en","result":{"data":{"markdownRemark":{"id":"8267348e-e548-5761-a193-1fd74821151f","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/binja-python-api\">original page</a>.</p>\n</blockquote>\n<p>In my previous article on <a href=\"/unicorn-binary-deobfuscation-en\">self-restoring binary deobfuscation with Unicorn and Capstone</a>, I wondered whether the same operations could be performed with static analysis alone — without emulating execution with Unicorn and Capstone.</p>\n<p>For this kind of implementation I had previously used <a href=\"/ghidra-ghidrascript-tutorial-en\">Ghidra Script</a>, but since I wasn’t making much use of the paid (Personal) version of Binary Ninja I own, I decided to use this as a learning opportunity and try implementing it with the Binary Ninja Python API.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#getting-started-with-the-binary-ninja-python-api\">Getting Started with the Binary Ninja Python API</a></p>\n<ul>\n<li><a href=\"#installation\">Installation</a></li>\n<li><a href=\"#using-the-python-api-from-the-binary-ninja-gui\">Using the Python API from the Binary Ninja GUI</a></li>\n</ul>\n</li>\n<li>\n<p><a 
href=\"#various-operations-with-the-binary-ninja-api\">Various Operations with the Binary Ninja API</a></p>\n<ul>\n<li><a href=\"#sample-1\">Sample 1</a></li>\n<li><a href=\"#loading-binaryview-and-listing-functions\">Loading BinaryView and Listing Functions</a></li>\n<li><a href=\"#accessing-disassembly-results\">Accessing Disassembly Results</a></li>\n<li><a href=\"#replacing-all-instances-of-a-specific-instruction-with-nop\">Replacing All Instances of a Specific Instruction with NOP</a></li>\n<li><a href=\"#replacing-specific-instructions\">Replacing Specific Instructions</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#deobfuscating-a-self-restoring-binary-with-binary-ninja\">Deobfuscating a Self-Restoring Binary with Binary Ninja</a></p>\n<ul>\n<li><a href=\"#how-to-retrieve-disassembly-results\">How to Retrieve Disassembly Results</a></li>\n<li><a href=\"#considering-the-timing-of-reanalyze-and-update_analysis_and_wait\">Considering the Timing of reanalyze and update<em>analysis</em>and_wait</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"getting-started-with-the-binary-ninja-python-api\" style=\"position:relative;\"><a href=\"#getting-started-with-the-binary-ninja-python-api\" aria-label=\"getting started with the binary ninja python api permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting Started with the Binary Ninja Python API</h2>\n<h3 id=\"installation\" style=\"position:relative;\"><a href=\"#installation\" aria-label=\"installation permalink\" 
class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Installation</h3>\n<p>When installing Binary Ninja for the first time, run <code class=\"language-text\">binaryninja/scripts/linux-setup.sh</code> in the installation directory.</p>\n<p>This creates a desktop shortcut for Binary Ninja and registers its PATH.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 636px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/332efb6fe922ae1ad54bb928d44719cd/9be90/image-20250331224802348.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 17.916666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4klEQVQY0z2OW26DMBBFWQWCgk0hMbVNsMc2hNCA0pdUqfvfz+0kH/k4unc00szJ/G3G9LuBPhfMfzvGbYK2IwYfoLQFpRkuRNB8Bk3cY4S/ZwigQNBGoyzLJ5njg+M1wu0TZ0JPFjoF7hsfvzIbhvUdxzEwhM6c0PuEoxnQdS2KokCe50+yu1n4WUFfnN8X6IntFjbYdn7C5h832PMC5SITcGD7nhKUPUFKCWMNlFIwxjxsMxc9fCK8WY1pZdvgeGExUsBLLVE3LQQjuwNk2/H8+uiiaVBVFYQUqOsaQohH/wdAM3gPgECz+wAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/332efb6fe922ae1ad54bb928d44719cd/8ac56/image-20250331224802348.webp 
240w,\n/static/332efb6fe922ae1ad54bb928d44719cd/d3be9/image-20250331224802348.webp 480w,\n/static/332efb6fe922ae1ad54bb928d44719cd/6d494/image-20250331224802348.webp 636w\"\n              sizes=\"(max-width: 636px) 100vw, 636px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/332efb6fe922ae1ad54bb928d44719cd/8ff5a/image-20250331224802348.png 240w,\n/static/332efb6fe922ae1ad54bb928d44719cd/e85cb/image-20250331224802348.png 480w,\n/static/332efb6fe922ae1ad54bb928d44719cd/9be90/image-20250331224802348.png 636w\"\n            sizes=\"(max-width: 636px) 100vw, 636px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/332efb6fe922ae1ad54bb928d44719cd/9be90/image-20250331224802348.png\"\n            alt=\"image-20250331224802348\"\n            title=\"image-20250331224802348\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"using-the-python-api-from-the-binary-ninja-gui\" style=\"position:relative;\"><a href=\"#using-the-python-api-from-the-binary-ninja-gui\" aria-label=\"using the python api from the binary ninja gui permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using the Python API from the Binary Ninja GUI</h3>\n<p>The Binary Ninja Python API requires no complex setup and can be used 
immediately.</p>\n<p>However, the Personal license I use does not currently support “headless processing,” so whenever I use the Python API I must do so through the Binary Ninja GUI.</p>\n<blockquote>\n<p>The “headless processing” in the Commercial and Ultimate editions refers to the ability to run plugins without the GUI (for example “import binaryninja” from within a console or stand-alone python plugin), but both versions support the same full API. The Non-Commercial edition supports accessing the API only through plugins load</p>\n</blockquote>\n<p>Reference: <a href=\"https://binary.ninja/purchase/#detailed\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Binary Ninja - Purchase</a></p>\n<p>You can run scripts in Binary Ninja’s Python interpreter within the GUI to see results.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 609px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e3997d803ab09711a897eb437ca4ddc5/d0d8c/image-20250331230111609.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.916666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2ElEQVQY03WOzW7CMBCEfYeEkJAgwL+xgQieANQGuPQQlZa+/8NMd20kOMBhNN/s2rsrrrc/DNcffA0Dvn9v+DhfcPjsX+iEQ3/CsU/+UvRObLoOfr0Ge7fbw7QtlLXQzkFbF9m4VJOGZSIrk/KjbuN7IZWEdfTJGmijo5TWkErFmtLJm/kc06pC3TQoyjJyOZthSlyRM2eTCUSg69rg6coQPWbv00C6knm5WsG2Do6u32y3WFBm9iFA0kJ2zlVdQ+RFgVGWYZTnGJOY2Xnb+F57Zu6/6/GsfxmTit301V//AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e3997d803ab09711a897eb437ca4ddc5/8ac56/image-20250331230111609.webp 
240w,\n/static/e3997d803ab09711a897eb437ca4ddc5/d3be9/image-20250331230111609.webp 480w,\n/static/e3997d803ab09711a897eb437ca4ddc5/117a4/image-20250331230111609.webp 609w\"\n              sizes=\"(max-width: 609px) 100vw, 609px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e3997d803ab09711a897eb437ca4ddc5/8ff5a/image-20250331230111609.png 240w,\n/static/e3997d803ab09711a897eb437ca4ddc5/e85cb/image-20250331230111609.png 480w,\n/static/e3997d803ab09711a897eb437ca4ddc5/d0d8c/image-20250331230111609.png 609w\"\n            sizes=\"(max-width: 609px) 100vw, 609px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e3997d803ab09711a897eb437ca4ddc5/d0d8c/image-20250331230111609.png\"\n            alt=\"image-20250331230111609\"\n            title=\"image-20250331230111609\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>You are not limited to just the interpreter — you can also write a Python script file and run it from the GUI to automate analysis.</p>\n<h2 id=\"various-operations-with-the-binary-ninja-api\" style=\"position:relative;\"><a href=\"#various-operations-with-the-binary-ninja-api\" aria-label=\"various operations with the binary ninja api permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Various 
Operations with the Binary Ninja API</h2>\n<h3 id=\"sample-1\" style=\"position:relative;\"><a href=\"#sample-1\" aria-label=\"sample 1 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Sample 1</h3>\n<p>I created the following sample script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n\n    <span class=\"token comment\"># Load current view</span>\n    bv <span class=\"token operator\">=</span> current_view\n\n    <span class=\"token comment\"># Get functions</span>\n    <span class=\"token keyword\">for</span> func <span class=\"token keyword\">in</span> bv<span class=\"token punctuation\">.</span>functions<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> func<span class=\"token punctuation\">.</span>name <span class=\"token operator\">==</span> <span class=\"token string\">\"main\"</span><span class=\"token punctuation\">:</span>\n            main_func_startaddr <span class=\"token operator\">=</span> func<span class=\"token punctuation\">.</span>start\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"FUNC_NAME: </span><span class=\"token 
interpolation\"><span class=\"token punctuation\">{</span>func<span class=\"token punctuation\">.</span>name<span class=\"token punctuation\">}</span></span><span class=\"token string\">,\\t OFFSET: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>func<span class=\"token punctuation\">.</span>start<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n\n\n    <span class=\"token comment\"># Get disassemble code</span>\n    func_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x43e0</span>\n    instruction <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_disassembly<span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"ADDRESS: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">,\\t CODE: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n\n\n    <span class=\"token comment\"># Get disassemble function code(until return)</span>\n    start_addr <span class=\"token operator\">=</span> main_func_startaddr\n    end_addr <span class=\"token operator\">=</span> start_addr <span class=\"token operator\">+</span> <span class=\"token 
number\">0x4000</span>\n    current_addr <span class=\"token operator\">=</span> start_addr\n    instruction <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n\n    <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>current_addr <span class=\"token operator\">&lt;</span> end_addr<span class=\"token punctuation\">)</span> <span class=\"token keyword\">and</span> <span class=\"token punctuation\">(</span>instruction <span class=\"token operator\">!=</span> <span class=\"token string\">\"retn\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        instruction <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_disassembly<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n        instruction_length <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_instruction_length<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n        current_addr <span class=\"token operator\">+=</span> bv<span class=\"token punctuation\">.</span>get_instruction_length<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> instruction_length <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>current_addr<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">: </span><span class=\"token interpolation\"><span 
class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>   \n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">break</span>\n\n\n    <span class=\"token comment\"># Convert to NOP</span>\n\n    <span class=\"token comment\">## Stat undo actions</span>\n    undo_actions_state <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>begin_undo_actions<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    target_address <span class=\"token operator\">=</span> <span class=\"token number\">0x43e0</span>\n    <span class=\"token keyword\">if</span> bv<span class=\"token punctuation\">.</span>convert_to_nop<span class=\"token punctuation\">(</span>target_address<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Converted 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>target_address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\"> to NOP.\"</span></span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Failed converted 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>target_address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span 
class=\"token punctuation\">}</span></span><span class=\"token string\"> to NOP.\"</span></span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\">## Commit actions</span>\n    bv<span class=\"token punctuation\">.</span>commit_undo_actions<span class=\"token punctuation\">(</span>undo_actions_state<span class=\"token punctuation\">)</span>\n\n\n    <span class=\"token comment\"># Save file</span>\n    bv<span class=\"token punctuation\">.</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">.</span>save<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n\n    <span class=\"token keyword\">return</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">\"__main__\"</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">import</span> os\n    <span class=\"token keyword\">import</span> sys\n    sys<span class=\"token punctuation\">.</span>stdout <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>dirname<span class=\"token punctuation\">(</span>os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>realpath<span class=\"token punctuation\">(</span>__file__<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">/stdout.log\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span>\n    main<span class=\"token punctuation\">(</span><span 
class=\"token punctuation\">)</span>\n    sys<span class=\"token punctuation\">.</span>stdout <span class=\"token operator\">=</span> sys<span class=\"token punctuation\">.</span>__stdout__</code></pre></div>\n<p>Running the above script lets you access information such as functions and disassembly results as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 442px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/38427d94f9a8a8c7d9463b33f90f3a8e/e03bf/image-20250330225703803.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAAAsTAAALEwEAmpwYAAACW0lEQVQ4y32U6ZKiQBCEfQ4HUQ7pi4bmEhEnHEfn/R8pt6rU1Zk9fnTQHQRfZWdlsVDaIElTGGOw3+8RQsA8z1BKoa5rdF2Hvu+x2WwQx7Gcp2mCtRapqaC6I1JdIl5FWK/XWFhXIs1yOOdwOp0Eerlc5Mz73W6HcRyRUtEsy2R/OMxwvsK2GqCHD2S2fgKNdQJkhfPxKGrO5zOcZcUjKTGIokgKMKhrW2SkaNvMKJoD1qScQY+1sKWX6qWz+LpeMB8OOBI4Uxa+6VHVAdHbG7z3uF6vArRVgzCdocMoNvBiGD9FYaYcCusxvn+iGSZo8jWMRzTTBwrjsFwukec5mqbBdrtFRXBPArI0+QaLRaEhc0sy3TRQ/Qmpa1GS6vkwwZcOqijoXGK1WgmYP2QLIjoL7K7wAV6wdwnBEhNghhNyMroOjXQzilaiiJujqet8bf5oI77dvXvx8HZlfQdaBlLHyo7iEtCSV6yqIIUcJV/VmOajNK+uKC62RObIgnqEKgMBWSUp1Fq/AOnK9HwA+Wr8vg01lKtg270oSViVrOS57tdecLXc9wRsYHdnyRR7NgyDVM0LjbrbUWdbScLDq9uKv0VGPAw0DQX5xh7a8Yy8bMUrziNX5S670KEIeySUhp+AP4BKaepwIGBNwE8Jq6UQi0IC5srAd3soAqaF+aHwL0CZSYrKK9DTWHGXY2qKoljV7UBj1t9G7HdM1i/757rnsBOVbvpCTl3jnwLPbHTv8jBQTpMEmzQT1f9VyFORUkM2ykP376RkB7aBFfLPgKtK7kTB6jkV/wD/AsStuP3i2ljXAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/38427d94f9a8a8c7d9463b33f90f3a8e/8ac56/image-20250330225703803.webp 
240w,\n/static/38427d94f9a8a8c7d9463b33f90f3a8e/3fa5c/image-20250330225703803.webp 442w\"\n              sizes=\"(max-width: 442px) 100vw, 442px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/38427d94f9a8a8c7d9463b33f90f3a8e/8ff5a/image-20250330225703803.png 240w,\n/static/38427d94f9a8a8c7d9463b33f90f3a8e/e03bf/image-20250330225703803.png 442w\"\n            sizes=\"(max-width: 442px) 100vw, 442px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/38427d94f9a8a8c7d9463b33f90f3a8e/e03bf/image-20250330225703803.png\"\n            alt=\"image-20250330225703803\"\n            title=\"image-20250330225703803\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"loading-binaryview-and-listing-functions\" style=\"position:relative;\"><a href=\"#loading-binaryview-and-listing-functions\" aria-label=\"loading binaryview and listing functions permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Loading BinaryView and Listing Functions</h3>\n<p>In Binary Ninja, the <code class=\"language-text\">BinaryView</code> class serves as the interface for querying binary data.</p>\n<p>Therefore, operations such as reading, writing, or modifying data after analyzing a file are generally performed through this 
BinaryView.</p>\n<p>The items that can be retrieved and manipulated through BinaryView are documented here:</p>\n<p>Reference: <a href=\"https://api.binary.ninja/binaryninja.binaryview-module.html#binaryninja.binaryview.BinaryView\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">binaryview module — Binary Ninja API Documentation v4.2</a></p>\n<p>When using the Python API from the GUI, you can access the currently viewed BinaryView using the magic variable <code class=\"language-text\">current_view</code>.</p>\n<p>Reference: <a href=\"https://docs.binary.ninja/guide/index.html#script-python-console\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">User Guide - Binary Ninja User Documentation</a></p>\n<p>The following code iterates over <code class=\"language-text\">functions</code> from the retrieved BinaryView to enumerate all functions in the binary.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Load current view</span>\nbv <span class=\"token operator\">=</span> current_view\n\n<span class=\"token comment\"># Get functions</span>\n<span class=\"token keyword\">for</span> func <span class=\"token keyword\">in</span> bv<span class=\"token punctuation\">.</span>functions<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> func<span class=\"token punctuation\">.</span>name <span class=\"token operator\">==</span> <span class=\"token string\">\"main\"</span><span class=\"token punctuation\">:</span>\n        main_func_startaddr <span class=\"token operator\">=</span> func<span class=\"token punctuation\">.</span>start\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"FUNC_NAME: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>func<span class=\"token 
punctuation\">.</span>name<span class=\"token punctuation\">}</span></span><span class=\"token string\">,\\t OFFSET: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>func<span class=\"token punctuation\">.</span>start<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"accessing-disassembly-results\" style=\"position:relative;\"><a href=\"#accessing-disassembly-results\" aria-label=\"accessing disassembly results permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Accessing Disassembly Results</h3>\n<p>The following code retrieves the disassembly result for a specific address.</p>\n<p>In this example, only one instruction starting from <code class=\"language-text\">0x43e0</code> is retrieved.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Get disassemble code</span>\nfunc_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x43e0</span>\ninstruction <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_disassembly<span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span 
class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"ADDRESS: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">,\\t CODE: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>To retrieve the disassembly of an entire function starting at <code class=\"language-text\">0x43e0</code>, you can use a script like the following:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Get disassemble function code(until return)</span>\nstart_addr <span class=\"token operator\">=</span> main_func_startaddr\nend_addr <span class=\"token operator\">=</span> start_addr <span class=\"token operator\">+</span> <span class=\"token number\">0x4000</span>\ncurrent_addr <span class=\"token operator\">=</span> start_addr\ninstruction <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n\n<span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>current_addr <span class=\"token operator\">&lt;</span> end_addr<span class=\"token punctuation\">)</span> <span class=\"token keyword\">and</span> <span class=\"token punctuation\">(</span>instruction <span class=\"token operator\">!=</span> <span class=\"token string\">\"retn\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    instruction <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_disassembly<span 
class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n    instruction_length <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_instruction_length<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n    current_addr <span class=\"token operator\">+=</span> bv<span class=\"token punctuation\">.</span>get_instruction_length<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> instruction_length <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>current_addr<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>instruction<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>   \n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">break</span></code></pre></div>\n<h3 id=\"replacing-all-instances-of-a-specific-instruction-with-nop\" style=\"position:relative;\"><a href=\"#replacing-all-instances-of-a-specific-instruction-with-nop\" aria-label=\"replacing all instances of a specific instruction with nop permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 
0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Replacing All Instances of a Specific Instruction with NOP</h3>\n<p>The following code performs Convert To NOP (also available from the GUI) via the Python API.</p>\n<p>When modifying data through the API, first call <code class=\"language-text\">begin_undo_actions</code> to declare the start of an undoable operation on the target BinaryView.</p>\n<p>Next, use <code class=\"language-text\">bv.convert_to_nop(addr)</code> to replace the instruction at the specified address with NOPs (it returns <code class=\"language-text\">True</code> on success), then commit the operation with <code class=\"language-text\">bv.commit_undo_actions(undo_actions_state)</code>.</p>\n<p><code class=\"language-text\">bv.file.save()</code> saves the modified BinaryView as a file.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Convert to NOP</span>\n\n<span class=\"token comment\">## Start undo actions</span>\nundo_actions_state <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>begin_undo_actions<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\ntarget_address <span class=\"token operator\">=</span> <span class=\"token number\">0x43e0</span>\n<span class=\"token keyword\">if</span> bv<span class=\"token punctuation\">.</span>convert_to_nop<span class=\"token punctuation\">(</span>target_address<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Converted 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>target_address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\"> to NOP.\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Failed to convert 0x</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>target_address<span class=\"token punctuation\">:</span><span class=\"token format-spec\">x</span><span class=\"token punctuation\">}</span></span><span class=\"token string\"> to NOP.\"</span></span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\">## Commit actions</span>\nbv<span class=\"token punctuation\">.</span>commit_undo_actions<span class=\"token punctuation\">(</span>undo_actions_state<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Save file</span>\nbv<span class=\"token punctuation\">.</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">.</span>save<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"replacing-specific-instructions\" style=\"position:relative;\"><a href=\"#replacing-specific-instructions\" aria-label=\"replacing specific instructions permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Replacing Specific Instructions</h3>\n<p>Converting to NOP is straightforward, but replacing instructions with arbitrary byte values is also relatively easy.</p>\n<p>For example, the following code reads <code class=\"language-text\">size</code> bytes at <code class=\"language-text\">target_addr</code>, XORs them with <code class=\"language-text\">key_value</code>, and writes the result back with <code class=\"language-text\">bv.write</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Replace the bytes at a specific execution address with an XOR'd version</span>\n<span class=\"token comment\"># target_addr, size and key_value are set beforehand</span>\ndata <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span>target_addr<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span>\nbv<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>\n    target_addr<span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">.</span>from_bytes<span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">,</span> byteorder<span class=\"token operator\">=</span><span class=\"token string\">\"little\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> key_value<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>to_bytes<span class=\"token punctuation\">(</span>size<span class=\"token punctuation\">,</span> byteorder<span class=\"token operator\">=</span><span class=\"token string\">\"little\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"deobfuscating-a-self-restoring-binary-with-binary-ninja\" style=\"position:relative;\"><a 
href=\"#deobfuscating-a-self-restoring-binary-with-binary-ninja\" aria-label=\"deobfuscating a self restoring binary with binary ninja permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Deobfuscating a Self-Restoring Binary with Binary Ninja</h2>\n<p>Using the Binary Ninja Python API, I attempted to deobfuscate the self-restoring binary covered in <a href=\"/unicorn-binary-deobfuscation-en\">Self-Restoring Binary Deobfuscation with Unicorn and Capstone</a>.</p>\n<p>The binary’s implementation and the deobfuscation strategy are described in that article, so I omit them here.</p>\n<p>The final script I created is as follows.</p>\n<p>Running this script from the Binary Ninja GUI deobfuscated the execution code.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> re  <span class=\"token comment\"># used to parse addresses and immediates out of the disassembly strings</span>\n\n<span class=\"token comment\"># Load current view</span>\nbv <span class=\"token operator\">=</span> current_view\n\ncall_addrs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x43e0</span><span class=\"token punctuation\">]</span>\ndeobfuscated_addrs <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\npushfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\ncurrent_call_addr <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nprevious_call_addr <span 
class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">deobfuscate</span><span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">global</span> bv\n    <span class=\"token keyword\">global</span> call_addrs\n    <span class=\"token keyword\">global</span> pushfq_flag\n    <span class=\"token keyword\">global</span> deobfuscated_addrs\n    hex_pattern <span class=\"token operator\">=</span> <span class=\"token string\">r\"0x[0-9a-fA-F]+\"</span>\n    word_pattern <span class=\"token operator\">=</span> <span class=\"token string\">r\".word|byte\"</span>\n\n    undo_actions_state <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>begin_undo_actions<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># Get disassemble function code(until return)</span>\n    start_addr <span class=\"token operator\">=</span> current_call_addr\n    end_addr <span class=\"token operator\">=</span> start_addr <span class=\"token operator\">+</span> <span class=\"token number\">0x4000</span>\n    current_addr <span class=\"token operator\">=</span> start_addr\n    instruction <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n\n    <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>current_addr <span class=\"token operator\">&lt;</span> end_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        instruction <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_disassembly<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n        instruction_length <span class=\"token operator\">=</span> 
bv<span class=\"token punctuation\">.</span>get_instruction_length<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token string\">\"xor\"</span> <span class=\"token keyword\">in</span> instruction<span class=\"token punctuation\">)</span> <span class=\"token keyword\">and</span> <span class=\"token punctuation\">(</span>pushfq_flag <span class=\"token operator\">==</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token comment\"># \"xor     dword [rel 0x43ec], 0xaeee8e1\"</span>\n            hex_numbers <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>hex_pattern<span class=\"token punctuation\">,</span> instruction<span class=\"token punctuation\">)</span>\n            word_type <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>word_pattern<span class=\"token punctuation\">,</span> instruction<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>replace<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n            target_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>hex_numbers<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span 
class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n            key_value <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>hex_numbers<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\n            <span class=\"token keyword\">if</span> target_addr <span class=\"token operator\">></span> current_addr<span class=\"token punctuation\">:</span>     \n                size <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n                <span class=\"token keyword\">if</span> word_type <span class=\"token operator\">==</span> <span class=\"token string\">\"byte\"</span><span class=\"token punctuation\">:</span>\n                    size <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n                <span class=\"token keyword\">elif</span> word_type <span class=\"token operator\">==</span> <span class=\"token string\">\"word\"</span><span class=\"token punctuation\">:</span>\n                    size <span class=\"token operator\">=</span> <span class=\"token number\">2</span>\n                <span class=\"token keyword\">elif</span> word_type <span class=\"token operator\">==</span> <span class=\"token string\">\"dword\"</span><span class=\"token punctuation\">:</span>\n                    size <span class=\"token operator\">=</span> <span class=\"token number\">4</span>      \n                <span class=\"token keyword\">elif</span> word_type <span class=\"token operator\">==</span> <span class=\"token string\">\"qword\"</span><span class=\"token punctuation\">:</span>\n                    size <span class=\"token operator\">=</span> <span class=\"token number\">8</span>\n                \n                bv<span 
class=\"token punctuation\">.</span>convert_to_nop<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n                data <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span>target_addr<span class=\"token punctuation\">,</span> size<span class=\"token punctuation\">)</span>\n                bv<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>\n                    target_addr<span class=\"token punctuation\">,</span>\n                    <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">.</span>from_bytes<span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">,</span> byteorder<span class=\"token operator\">=</span><span class=\"token string\">\"little\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> key_value<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>to_bytes<span class=\"token punctuation\">(</span>size<span class=\"token punctuation\">,</span> byteorder<span class=\"token operator\">=</span><span class=\"token string\">\"little\"</span><span class=\"token punctuation\">)</span>\n                <span class=\"token punctuation\">)</span>\n\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                bv<span class=\"token punctuation\">.</span>convert_to_nop<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n\n            \n        <span class=\"token keyword\">elif</span> <span class=\"token string\">\"pushfq\"</span> <span class=\"token keyword\">in</span> instruction<span class=\"token punctuation\">:</span>\n            bv<span class=\"token punctuation\">.</span>convert_to_nop<span class=\"token 
punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n            pushfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n\n        <span class=\"token keyword\">elif</span> <span class=\"token string\">\"popfq\"</span> <span class=\"token keyword\">in</span> instruction<span class=\"token punctuation\">:</span>\n            bv<span class=\"token punctuation\">.</span>convert_to_nop<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n            pushfq_flag <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n\n        <span class=\"token keyword\">elif</span> <span class=\"token string\">\"retn\"</span> <span class=\"token keyword\">in</span> instruction<span class=\"token punctuation\">:</span>\n            bv<span class=\"token punctuation\">.</span>commit_undo_actions<span class=\"token punctuation\">(</span>undo_actions_state<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">break</span>\n        \n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> pushfq_flag<span class=\"token punctuation\">:</span>\n                bv<span class=\"token punctuation\">.</span>convert_to_nop<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">if</span> <span class=\"token string\">\"call\"</span> <span class=\"token keyword\">in</span> instruction<span class=\"token punctuation\">:</span>\n                    call_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>re<span class=\"token punctuation\">.</span>findall<span class=\"token 
punctuation\">(</span>hex_pattern<span class=\"token punctuation\">,</span> instruction<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">if</span> call_addr <span class=\"token operator\">>=</span> <span class=\"token number\">0x1260</span><span class=\"token punctuation\">:</span>\n                        call_addrs<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>call_addr<span class=\"token punctuation\">)</span>\n        \n        bv<span class=\"token punctuation\">.</span>commit_undo_actions<span class=\"token punctuation\">(</span>undo_actions_state<span class=\"token punctuation\">)</span>\n        current_addr <span class=\"token operator\">+=</span> bv<span class=\"token punctuation\">.</span>get_instruction_length<span class=\"token punctuation\">(</span>current_addr<span class=\"token punctuation\">)</span>\n    \n    <span class=\"token keyword\">return</span>\n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">global</span> bv\n    <span class=\"token keyword\">global</span> call_addrs\n    <span class=\"token keyword\">global</span> deobfuscated_addrs\n\n    <span class=\"token keyword\">while</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>call_addrs<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        current_call_addr <span class=\"token operator\">=</span> call_addrs<span 
class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> current_call_addr <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> deobfuscated_addrs<span class=\"token punctuation\">:</span>\n            deobfuscate<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">)</span>\n            deobfuscated_addrs<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">)</span>\n\n    current_func <span class=\"token operator\">=</span> bv<span class=\"token punctuation\">.</span>get_function_at<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">)</span>\n    current_func<span class=\"token punctuation\">.</span>reanalyze<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    bv<span class=\"token punctuation\">.</span>update_analysis_and_wait<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">return</span>\n\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">\"__main__\"</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">import</span> os\n    <span class=\"token keyword\">import</span> sys\n    sys<span class=\"token punctuation\">.</span>stdout <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>dirname<span class=\"token 
punctuation\">(</span>os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>realpath<span class=\"token punctuation\">(</span>__file__<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">/stdout.log\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span>\n    main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    sys<span class=\"token punctuation\">.</span>stdout <span class=\"token operator\">=</span> sys<span class=\"token punctuation\">.</span>__stdout__</code></pre></div>\n<p>The binary restored with this script correctly contained the execution code needed to obtain the flag, as shown below.</p>\n<p>The program’s behavior at runtime was also equivalent to the pre-deobfuscation version.</p>\n<p><img src=\"/static/660dac46be0d7557de655407391073c0/d9199/image-20250331224024089.png\" alt=\"image-20250331224024089\" title=\"image-20250331224024089\" /></p>\n<p>Below I summarize a few key points from writing this script.</p>\n<h3 id=\"how-to-retrieve-disassembly-results\" style=\"position:relative;\"><a href=\"#how-to-retrieve-disassembly-results\" aria-label=\"how to retrieve disassembly results permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>How to Retrieve Disassembly Results</h3>\n<p>When creating this script, I used <code 
class=\"language-text\">bv.get_disassembly(current_addr)</code>, which returns the disassembly result as a plain string.</p>\n<p>Because of that, the script uses regular expressions to extract the addresses and immediate values from the instruction text.</p>\n<p>Other methods are also available when retrieving disassembly results with the Binary Ninja API, such as <code class=\"language-text\">disassembly_text</code>, which returns a Generator containing the disassembly result.</p>\n<p>Reference: <a href=\"https://api.binary.ninja/binaryninja.binaryview-module.html#binaryninja.binaryview.BinaryView.disassembly_text\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">binaryview module — Binary Ninja API Documentation v4.2</a></p>\n<h3 id=\"considering-the-timing-of-reanalyze-and-updateanalysisand_wait\" style=\"position:relative;\"><a href=\"#considering-the-timing-of-reanalyze-and-updateanalysisand_wait\" aria-label=\"considering the timing of reanalyze and updateanalysisand_wait permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Considering the Timing of reanalyze and update_analysis_and_wait</h3>\n<p><code class=\"language-text\">current_func.reanalyze()</code> triggers re-analysis of a specific function.</p>\n<p><code class=\"language-text\">bv.update_analysis_and_wait()</code> waits until the analysis results are fully reflected.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">current_func <span class=\"token operator\">=</span> bv<span class=\"token 
punctuation\">.</span>get_function_at<span class=\"token punctuation\">(</span>current_call_addr<span class=\"token punctuation\">)</span>\ncurrent_func<span class=\"token punctuation\">.</span>reanalyze<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nbv<span class=\"token punctuation\">.</span>update_analysis_and_wait<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Initially I was triggering <code class=\"language-text\">bv.update_analysis_and_wait()</code> each time a specific instruction was changed, but that caused the script to run indefinitely. I moved it to a location that is called only a few times across the whole operation.</p>\n<p>In contrast, <code class=\"language-text\">bv.commit_undo_actions(undo_actions_state)</code> is called quite frequently, but that does not seem to have a significant impact on execution time.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I finally got to use the Binary Ninja Python API that I had been meaning to try for a while.</p>\n<p>It feels somewhat easier to use than Ghidra Script did when I first tried it. 
(This may be payment bias, though…)</p>","fields":{"slug":"/binja-python-api-en","tagSlugs":["/tag/reversing-en/","/tag/binary-ninja-en/","/tag/english/"]},"frontmatter":{"date":"2025-03-31","description":"Automating binary analysis and manipulation with the Binary Ninja Python API.","tags":["Reversing (en)","Binary Ninja (en)","English"],"title":"Automating Binary Analysis and Manipulation with the Binary Ninja Python API","socialImage":{"publicURL":"/static/94e664185535306f599972be80137494/binja-python-api.png"}}}},"pageContext":{"slug":"/binja-python-api-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}