New loader backed with LLVM BAP now have another loader (image reader), that supports MACH-O, ELF, COFF, PE. This loader is backed with LLVM library.

Online plugin system New extension point is added - "bap.project". Plugins marked with this plugin system will not be loaded automatically when Plugins.load is called, instead, they can be loaded dynamically (or online, hence the title), by using -l option to the bap utility. After being loaded the plugin is applied to a project data structure that contains all information about disassembled binary. Plugin can functionally update this data structure, to push information to other plugins or back to the bap utility.

In addition to a common way of creating plugins with oasis, we extended bapbuild utility with a new rule the will product a plugin file. This is just a shared library underneath the hood, and you can load a plugin, created with this method directly, without installing it anywhere. bap utility will try to find the plugin, specified with -l option in a current folder, then in all folders specified in BAP_PLUGIN_PATH environment variable, and, finally in the system, using ocamlfind.

In order to provide a typesafe way of interacting between plugins, we added extensible variants to BAP. But instead of using one from the 4.02, we're using universal types, based on that one, that Core library provides. First of all this is more portable, second it is more explicit and a little bit more safe.

New ABI and CPU interfaces Modules that implements CPU interface are used to describe particular CPU in BIL terminology, e.g., it tells which variable corresponds to which register, flag, etc. To obtain such module, one should use target_of_cpu function.

ABI is used to capture the procedure abstraction, starting from calling convetions and stack frame structure and ending with special function handling and support for different data-types.

See d5cab1a5e122719b4a3b1ece2b1bc44f3f93095a for more information and examples.

Bap-objdump renamed to bap bap-objdump has outgrown its name. Actually it was never really a bap-objdump at all. From now, it is just an entry point to the bap as platform. We will later unite bap with other utilities, to make them subcommands, e.g. bap byteweight.

Cleanup of BIL modules Now there is a separation between BIL fur uns, and BIL fur OCaml. For writing BIL programs (as EDSL in OCaml) one should use Bil module, e.g. Bil.(x = y) will evaluate to a BIL expression. For using BIL entities as OCaml values, one should use corresponding module, e.g. Exp.(x = y) will compare to expressions and evaluate to a value of type bool.

Enhanced IDA integration IDA intergation is now more robust. We switched to IDA-32 by default, since 64-bit version doesn't support decompiler. Also bap utility can now output IDA python scripts. And bap plugins can annotate project with python commands, that later will be dumped into the script.

In ARM switched to ARMv7 by default

Introduce LNF algorithm and Sema library A new layer of BAP is started in this release. This would be a third pass of decompilation, where the semantic model of program will be built. Currently, there is nothing really interesting here, e.g., an implementation of the Loop nesting forest, that is not very usable right now. But the next release, will be dedicated to this layer. So, stay tuned.

Add support for OCamlGraph Now we provide a helper utilities for those who would like to use ocamlgraph library for analysis.

Extended bap-mc utility bap-mc utility now prints results in plethora of formats, including protocol buffers, from the piqi library, that was revived by Kenneth Miller.

Interval trees, aka memory maps For working with arbitrary overlapping memory regions we now have a memory map data structure, aka interval trees, segment trees, etc. It is based on AVL trees, and performs logarithmic searches.

Simplified CI We put Travis on a diet. Now only 4 machines with 20 ETA for all test suites to pass. (Instead of 8 * 40).