BinaryBrew
BinaryBrew is a middle-end container for recovered binary information:
instructions, functions, CFGs, exception information, and recovery builders.
Sources:
B2R2/src/MiddleEnd/API/BinaryBrew.fsB2R2/src/MiddleEnd/ControlFlowAnalysis/FunctionCollection.fsB2R2/src/MiddleEnd/ControlFlowAnalysis/Function.fsB2R2/src/MiddleEnd/ControlFlowGraph/LowUIRCFG.fs
Constructors
Section titled “Constructors”| Constructor | Use |
|---|---|
BinaryBrew(hdl) | Default function identification and CFG recovery. |
BinaryBrew(hdl, allowBBLOverlap) | Default recovery with optional overlapping basic blocks. |
BinaryBrew(hdl, strategies) | Use explicit CFG-building strategies. |
BinaryBrew(hdl, exnInfo, strategies) | Use explicit exception info and strategies. |
BinaryBrew<'FnCtx, 'GlCtx>(hdl, strategies, irBlkOptimizer) | Generic form with explicit strategies and a LowUIR block optimizer. |
BinaryBrew<'FnCtx, 'GlCtx>(...) | Generic form for custom function/global recovery contexts. |
EVMBinaryBrew(hdl, strategies) | EVM-oriented variant using EVM function context. |
The default BinaryBrew(hdl) constructs ExceptionInfo, runs
FunctionIdentification, then runs CFGRecovery.
Properties
Section titled “Properties”| API | Meaning |
|---|---|
BinHandle: BinHandle | Original binary handle. |
Functions | Recovered function collection. |
ExceptionInfo | Exception-handling metadata used during CFG recovery. |
Instructions | Linear-sweep instruction collection. |
Builders | CFG builder table used internally by recovery strategies. |
Functions
Section titled “Functions”brew.Functions is a FunctionCollection. It is the usual entry point for
iterating over recovered functions in tutorial scripts.
| API | Meaning |
|---|---|
Functions.Sequence | Sequence of recovered Function values. |
Functions.Addresses | Sequence of recovered function entry addresses. |
Functions.Count | Number of recovered functions. |
Functions[addr] / Functions.Find(addr) | Find a function by entry address. |
Functions.Find(name) | Find all recovered functions with a matching name. |
Functions.FindByID(id) | Find a function by its address-derived function ID. |
Each Function contains address, name, call, and CFG information.
| API | Meaning |
|---|---|
EntryPoint | Function entry address. |
ID | Address-derived function ID. |
Name | Recovered or synthetic function name. |
CFG | Recovered LowUIR control-flow graph. |
NoRet | Non-returning-function status. |
Callees / Callers | Call relationships recovered during CFG construction. |
JumpTables | Jump tables associated with the function. |
IsExternal | True for external/imported functions. |
The tutorial solutions mostly use EntryPoint and CFG.Size.
| CFG API | Meaning |
|---|---|
CFG.Size | Number of vertices/basic blocks in the graph. |
CFG.IsEmpty() | True when the graph has no vertices. |
CFG.Vertices / CFG.Edges | All vertices or edges. |
CFG.Roots / CFG.SingleRoot | Root vertices, or exactly one root. |
CFG.Exits / CFG.Unreachables | Exit and unreachable vertices. |
CFG.GetPreds v / CFG.GetSuccs v | Predecessor or successor vertices. |
Typical Usage
Section titled “Typical Usage”let hdl = BinHandle("bin/findme")let brew = BinaryBrew hdllet text = hdl.File.GetTextSectionPointer()
let isInText (addr: Addr) = text.IsValid && text.Addr <= addr && addr <= text.MaxAddr
brew.Functions.Sequence|> Seq.filter (fun fn -> isInText fn.EntryPoint)|> Seq.sortBy (fun fn -> fn.EntryPoint)|> Seq.iter (fun fn -> printfn "0x%016x blocks=%d" fn.EntryPoint fn.CFG.Size)When to Use Custom Strategies
Section titled “When to Use Custom Strategies”Use the default constructor first. Reach for explicit strategies when you need to change recovery behavior, disable a default pass, run EVM-specific recovery, or provide a custom function context.
| Need | API |
|---|---|
| Default native recovery | BinaryBrew(hdl) |
| Permit overlapping basic blocks | BinaryBrew(hdl, allowBBLOverlap = true) |
| Custom CFG strategy sequence | BinaryBrew(hdl, strategies) |
| EVM recovery context | EVMBinaryBrew(hdl, strategies) |