smart-patch-binary-ninja
// Patch binary code in Binary Ninja using natural language — read, assemble, write, verify
| field | value |
| --- | --- |
| name | Smart Patch (Binary Ninja) |
| description | Patch binary code in Binary Ninja using natural language: read, assemble, write, verify |
| tags | ["patching","assembly","binary","binja"] |
| author | Rikugan |
| version | 2 |
| allowed_tools | ["read_disassembly","read_function_disassembly","get_instruction_info","decompile_function","get_pseudocode","get_il","read_bytes","execute_python","redecompile_function","nop_instructions","set_comment","exploration_report"] |
Task: Apply targeted binary patches in Binary Ninja based on the user's natural language description. Analyze the function, identify the minimal set of instructions to change, assemble new instructions, write them, and verify the result.
Read the target function's disassembly (read_function_disassembly) and its decompiled pseudocode (decompile_function, or get_il at HLIL level) to understand its current behavior.

Identify which specific instructions implement the behavior the user wants to change. Use get_instruction_info to get the exact byte size and encoding of each target instruction.

Back up the original bytes before patching. Use read_bytes at the target address for the instruction length, and print them so the user has a record:

`Original bytes at 0x{addr:x}: {hex_bytes}`

Plan the minimal patch, choosing from the patch types listed at the end of this page.

Patch using execute_python with Binary Ninja's assembler and writer:

```python
# Assemble the new instruction at its real address: branches are IP-relative,
# so the address argument changes the encoded bytes
new_bytes = bv.arch.assemble("jg 0x401300", 0x401248)
original_size = 6  # from get_instruction_info
# A replacement longer than the original would overwrite the next instruction
assert len(new_bytes) <= original_size, "new instruction is longer than the original"
# NOP-pad if the replacement is shorter
if len(new_bytes) < original_size:
    nop = bv.arch.assemble("nop", 0)
    new_bytes += nop * (original_size - len(new_bytes))
bv.write(0x401248, new_bytes)
bv.update_analysis_and_wait()
print(f"Patched {len(new_bytes)} bytes at 0x401248")
```
Verify with redecompile_function: confirm that the HLIL output reflects the desired behavior change. If it doesn't match, revert by writing back the original bytes and try a different approach.

Report: if called from /modify, you MUST call:

```python
exploration_report(category="patch_result", address=..., summary="Patched X: old → new", original_hex="...", new_hex="...", evidence="redecompile confirms...")
```

Annotate each patched address with set_comment explaining what was changed and why.
- Saving: `bv.write()` modifies the in-memory BinaryView immediately. The .bndb file is only updated when the user does File → Save or File → Save As, or via `bv.save()`; the Phase 4 save gate handles this.
- Reverting: `bv.write(addr, original_bytes)`, then `bv.update_analysis_and_wait()`.
- NOPs: for single-instruction NOPs, prefer nop_instructions; it patches at the IL layer and triggers re-analysis. This is safer than execute_python for simple NOP operations because it handles alignment automatically.
- Replace `jl` with `jg`, `je` with `jne`, etc. Same instruction size, just a different opcode byte.
- Change `test eax, eax` + `je` to `test eax, eax` + `jne`, or patch the comparison operand.
- Replace the conditional jump with `jmp` (always taken) or NOP out the jump (never taken).
- Reassemble the instruction with a new immediate value, e.g., `cmp eax, 0xa` → `cmp eax, 0x14`.
- NOP out the comparison and conditional jump instructions using nop_instructions.
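The following is an added example, not part of the original skill and not Binary Ninja's own code. It runs the patch flow described above (back up, assemble at the real address, NOP-pad, write, revert) and the first three patch types from the list against an in-memory copy of the code bytes, so it works without Binary Ninja. A small x86 branch encoder stands in for `bv.arch.assemble()` and a `bytearray` stands in for the BinaryView; the `Patcher` class, `build_sample()`, and all addresses and sample bytes are constructed for illustration. It also shows why the address argument to the assembler matters: a relative branch assembled at the wrong address encodes the wrong displacement.

```python
"""Added example: the patch flow from the skill above, run against an
in-memory copy of the code bytes. A tiny x86 branch encoder stands in for
bv.arch.assemble() and a bytearray stands in for the BinaryView, so this
runs without Binary Ninja. Addresses, sizes and bytes are constructed."""

# Condition codes for Jcc. The rel32 form is 0F 8x rel32 (6 bytes) for every
# condition, which is why a "flip the condition" patch never needs padding.
JCC_CC = {
    "jo": 0x0, "jno": 0x1, "jb": 0x2, "jae": 0x3, "je": 0x4, "jne": 0x5,
    "jbe": 0x6, "ja": 0x7, "js": 0x8, "jns": 0x9, "jl": 0xC, "jge": 0xD,
    "jle": 0xE, "jg": 0xF,
}


def _rel32(target: int, next_ip: int) -> bytes:
    """Displacement relative to the end of the branch instruction."""
    rel = target - next_ip
    if not -2**31 <= rel < 2**31:
        raise ValueError("branch target out of rel32 range")
    return (rel & 0xFFFFFFFF).to_bytes(4, "little")


def assemble(text: str, addr: int) -> bytes:
    """Encode `jcc TARGET`, `jmp TARGET` or `nop` as placed at `addr`.
    Branches are IP-relative, so the same text yields different bytes at
    different addresses; that is why the address argument matters."""
    parts = text.split()
    mnem = parts[0].lower()
    if mnem == "nop":
        return b"\x90"
    target = int(parts[1], 0)
    if mnem == "jmp":                       # E9 rel32, 5 bytes
        return b"\xe9" + _rel32(target, addr + 5)
    if mnem in JCC_CC:                      # 0F 8cc rel32, 6 bytes
        return bytes([0x0F, 0x80 | JCC_CC[mnem]]) + _rel32(target, addr + 6)
    raise ValueError(f"unsupported instruction: {text}")


class Patcher:
    """Stand-in for the BinaryView: read, patch with NOP padding, revert."""

    def __init__(self, base: int, image: bytes):
        self.base = base
        self.image = bytearray(image)
        self.backups = {}                   # addr -> original bytes (the record step)

    def read_bytes(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        return bytes(self.image[off:off + size])

    def patch(self, addr: int, original_size: int, text: str) -> bytes:
        new = assemble(text, addr)
        if len(new) > original_size:
            # Writing past the original instruction would clobber the next one
            raise ValueError("replacement longer than the instruction it replaces")
        new += assemble("nop", 0) * (original_size - len(new))
        # Keep only the first backup so revert() restores the true original
        self.backups.setdefault(addr, self.read_bytes(addr, original_size))
        off = addr - self.base
        self.image[off:off + original_size] = new
        return new

    def revert(self, addr: int) -> bytes:
        original = self.backups.pop(addr)
        off = addr - self.base
        self.image[off:off + len(original)] = original
        return original


def build_sample() -> Patcher:
    """Constructed snippet: cmp eax, 0xa / jl 0x401300 / mov eax, 1."""
    image = (bytes.fromhex("83f80a")                 # 0x401245: cmp eax, 0xa
             + assemble("jl 0x401300", 0x401248)     # 0x401248: jl 0x401300
             + bytes.fromhex("b801000000"))          # 0x40124e: mov eax, 1
    return Patcher(0x401245, image)


if __name__ == "__main__":
    p = build_sample()
    print("original :", p.read_bytes(0x401248, 6).hex())
    print("flip     :", p.patch(0x401248, 6, "jg 0x401300").hex())   # same size
    print("always   :", p.patch(0x401248, 6, "jmp 0x401300").hex())  # 5 bytes + nop
    print("next insn:", p.read_bytes(0x40124E, 5).hex())             # untouched
    print("revert   :", p.revert(0x401248).hex())
```

The size check in `patch()` is the step the skill's snippet relies on implicitly: the assembler will happily produce a longer encoding, and writing it would corrupt the following instruction, so the patcher refuses rather than pads. The backup is taken once per address so that a second patch at the same place (trying "a different approach") still reverts to the bytes read before any change.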