Content-type: text/html; charset=UTF-8 Man page of BAP-DISASSEMBLE

BAP-DISASSEMBLE

Section: Bap Manual (1)
Updated:
Index Return to Main Contents

NAME

bap-disassemble - disassembles and analyzes the input file

SYNOPSIS

bap disassemble [OPTION]… [FILE]

DESCRIPTION

Disassembles and analyzes the input file. This is the default command of the bap frontend which is assumed when no other command was specified.

The input file is automatically parsed (unless the --raw or --loader options were specified), then the extracted code, if any, is disassembled, and the `Bap.Std.project` data structure is built, on which the specified passes are run.

PASSES

The passes are specified by the --pass option and are run in the order in which they specified. In addition, all passes that are flagged with `autorun' are run before the explicitly specified passes. Finally, if a pass specifies other passes as its dependencies, then they are run before it, in the order in which they were specified (modulo their own dependencies).

It's also possible to specify the passes using the old style syntax, e.g., `--<PASS>`, which is discouraged and later could be disabled. Additionaly, it is not allowed to mix passes the old and the new style.

OUTPUT

After all passes are run on the input, the resulting project data structure could be dumped using the --dump (or -d for short) option, whichaccepts the desired format and, optionally, the output file name.

It is possible to specify the --dump option multiple times, in which case the project will be dumped in several formats.

WRITING A NEW PASS

To implement your own analysis as a pass on the project data structure, you need to write a program in OCaml.

Start in a fresh new folder and create the `my_analysis.ml` file with the following contents:


  open Core_kernel[@@warning "-D"]
  open Bap_main
  open Bap.Std

  let main proj =
    print_endline "My analysis is running!";
    proj

  let () = Extension.declare @@ fun _ctxt ->
     Project.register_pass main

Then run


  bapbuild my_analysis.plugin
  bapbundle install my_analysis.plugin

The analysis is ready and could be run using the `--passes option, e.g.,


  bap dis /bin/echo --pass=my-analysis

Please note, that the name of the pass is automatically derived from the plugin name. If the latter contains underscores then they are substituted with dashes. If a plugin registers a pass with a different name it will be still prefixed with the plugin name.

ARGUMENTS

FILE (absent=a.out): The input file

OPTIONS

--abi: Enables the pass abi in the old style (DEPRECATED)
--analyze: Enables the pass analyze in the old style (DEPRECATED)
--api: Enables the pass api in the old style (DEPRECATED)
--arm: Enables the pass arm in the old style (DEPRECATED)
--beagle: Enables the pass beagle in the old style (DEPRECATED)
--bil: Enables the pass bil in the old style (DEPRECATED)
--byteweight: Enables the pass byteweight in the old style (DEPRECATED)
--cache: Enables the pass cache in the old style (DEPRECATED)
--callgraph-collator: Enables the pass callgraph-collator in the old style (DEPRECATED)
--callsites: Enables the pass callsites in the old style (DEPRECATED)
--constant-tracker: Enables the pass constant-tracker in the old style (DEPRECATED)
--core-theory: Enables the pass core-theory in the old style (DEPRECATED)
--cxxfilt: Enables the pass cxxfilt in the old style (DEPRECATED)
-d [[<FMT>[:<FILE>]]], --dump[=[<FMT>[:<FILE>]]] (default=bir): Dumps the program to <FILE> (defaults to stdout) in the <FMT> format (defaults to bir).
--demangle: Enables the pass demangle in the old style (DEPRECATED)
--dependencies: Enables the pass dependencies in the old style (DEPRECATED)
--disassemble: Enables the pass disassemble in the old style (DEPRECATED)
--dump-symbols: Enables the pass dump-symbols in the old style (DEPRECATED)
--elf-loader: Enables the pass elf-loader in the old style (DEPRECATED)
--emit-ida-script: Enables the pass emit-ida-script in the old style (DEPRECATED)
--flatten: Enables the pass flatten in the old style (DEPRECATED)
--frontc-parser: Enables the pass frontc-parser in the old style (DEPRECATED)
--ghidra: Enables the pass ghidra in the old style (DEPRECATED)
--glibc-runtime: Enables the pass glibc-runtime in the old style (DEPRECATED)
--help[=FMT] (default=auto): Show this help in format FMT. The value FMT must be one of auto, pager, groff or plain. With auto, the format is pager or plain whenever the TERM env var is dumb or undefined.
--ida: Enables the pass ida in the old style (DEPRECATED)
-k VAL, --project=VAL, --knowledge-base=VAL: Import the knowledge to the provided knowledge base. If the --update flag is set the the knowledge base will be also updated with the new information. If --update is set, the the knowledge base might not exist and it will be created
-l FILES, --libraries=FILES: The input libraries to link with
-L VAL, --plugin-path=VAL, --load-path=VAL: Adds folder to the list of plugins search paths
--llvm: Enables the pass llvm in the old style (DEPRECATED)
--loader=VAL (absent=llvm): Use the specified loader. The loader could be either an identifier or a filename. The filename has to be explicit, i.e., to start with an explicit reference to the root directory or to the current directory (e.g., ./, or ../, or / in Unix). The contents of the file should be a well-formed OGRE document that contains the necessary meta-information about the binary. The default loader is named llvm and uses LLVM loaders to parse the input binary and supports ELF, MachO, and COFF (including Windows PE), formats. To load unstructured files use the raw loader and specify the loader parameters via the raw plugin.
--logdir=VAL, --log-dir=VAL (absent BAP_LOG_DIR env): A folder for log files.
--map-terms: Enables the pass map-terms in the old style (DEPRECATED)
--mc: Enables the pass mc in the old style (DEPRECATED)
--mips: Enables the pass mips in the old style (DEPRECATED)
--objdump: Enables the pass objdump in the old style (DEPRECATED)
--optimization: Enables the pass optimization in the old style (DEPRECATED)
-p PASSES, --passes=PASSES: Run the selected passes (in the specified order)
--patterns: Enables the pass patterns in the old style (DEPRECATED)
--phoenix: Enables the pass phoenix in the old style (DEPRECATED)
--powerpc: Enables the pass powerpc in the old style (DEPRECATED)
--primus-dictionary: Enables the pass primus-dictionary in the old style (DEPRECATED)
--primus-exploring: Enables the pass primus-exploring in the old style (DEPRECATED)
--primus-greedy: Enables the pass primus-greedy in the old style (DEPRECATED)
--primus-limit: Enables the pass primus-limit in the old style (DEPRECATED)
--primus-lisp: Enables the pass primus-lisp in the old style (DEPRECATED)
--primus-loader: Enables the pass primus-loader in the old style (DEPRECATED)
--primus-mark-visited: Enables the pass primus-mark-visited in the old style (DEPRECATED)
--primus-powerpc: Enables the pass primus-powerpc in the old style (DEPRECATED)
--primus-print: Enables the pass primus-print in the old style (DEPRECATED)
--primus-promiscuous: Enables the pass primus-promiscuous in the old style (DEPRECATED)
--primus-propagate-taint: Enables the pass primus-propagate-taint in the old style (DEPRECATED)
--primus-random: Enables the pass primus-random in the old style (DEPRECATED)
--primus-region: Enables the pass primus-region in the old style (DEPRECATED)
--primus-round-robin: Enables the pass primus-round-robin in the old style (DEPRECATED)
--primus-symbolic-executor: Enables the pass primus-symbolic-executor in the old style (DEPRECATED)
--primus-systems: Enables the pass primus-systems in the old style (DEPRECATED)
--primus-taint: Enables the pass primus-taint in the old style (DEPRECATED)
--primus-test: Enables the pass primus-test in the old style (DEPRECATED)
--primus-wandering: Enables the pass primus-wandering in the old style (DEPRECATED)
--primus-x86: Enables the pass primus-x86 in the old style (DEPRECATED)
--print: Enables the pass print in the old style (DEPRECATED)
--print-missing: Print missing instructions. This option disables cache and redisassembles the binary from scratch. It then prints the list of all instructions that do not have a representable semantics, followed by the histogram of all missed opcodes, and finally prints the number of lifted opcodes, the number of addresses that wasn't disassembled at all, and the number of opcodes that do not have semantics.
--propagate-taint: Enables the pass propagate-taint in the old style (DEPRECATED)
--radare2: Enables the pass radare2 in the old style (DEPRECATED)
--raw: Enables the pass raw in the old style (DEPRECATED)
--read-symbols: Enables the pass read-symbols in the old style (DEPRECATED)
--recipe=VAL: Load the specified recipe
--recipe-command: Enables the pass recipe-command in the old style (DEPRECATED)
--relocatable: Enables the pass relocatable in the old style (DEPRECATED)
--report: Enables the pass report in the old style (DEPRECATED)
--riscv: Enables the pass riscv in the old style (DEPRECATED)
--run: Enables the pass run in the old style (DEPRECATED)
--specification: Enables the pass specification in the old style (DEPRECATED)
--ssa: Enables the pass ssa in the old style (DEPRECATED)
--strings: Enables the pass strings in the old style (DEPRECATED)
--stub-resolver: Enables the pass stub-resolver in the old style (DEPRECATED)
--systemz: Enables the pass systemz in the old style (DEPRECATED)
--taint: Enables the pass taint in the old style (DEPRECATED)
--target=NAME (absent=:unknown): Sets the target architecture of the binary. See `bap list targets` for the full hierarchy of targets.
--thumb: Enables the pass thumb in the old style (DEPRECATED)
--trace: Enables the pass trace in the old style (DEPRECATED)
--trivial-condition-form: Enables the pass trivial-condition-form in the old style (DEPRECATED)
-u, --update: Preserve the knowledge base, i.e., do not change it.
--version: Show version information.
--warn-unused: Enables the pass warn-unused in the old style (DEPRECATED)
--x86: Enables the pass x86 in the old style (DEPRECATED)

COMMON OPTIONS

--abi-help[=VAL] (default=auto): prints more information about the abi plugin
--analyze-help[=VAL] (default=auto): prints more information about the analyze plugin
--api-add=VAL: will be removed in 2.0.0 Add specified api module(s) and exit. Each module should be of the form <lang>:<file>, where <lang> is the language in which API is written, and <file> is a path to the specification. Multiple modules can be added by specifying this option several times.
--api-help[=VAL] (default=auto): prints more information about the api plugin
--api-list-paths: List of all registered paths
--api-path=VAL: Add a list of a paths where to store/search apis
--api-remove=VAL, --api-rem=VAL: will be removed in 2.0.0 Removed specified api module and exit. Each module should be of the form <lang>:<file>, where <lang> is the language in which API is written, and <file> is a filename of api module in the api-list-paths option. Multiple modules can be added by specifying this option several times.
--api-show: Show all registered api
--arm-backend=VAL: Specify the backend that is used for disassembly and lifting.
--arm-features=VAL: Additional target features/attributes. The syntax and the feature names are backend-specific. For the LLVM backend the features are passed to the target attributes, see llvm-mc -mattr=help -triple <target> for the list of features supported by your version of LLVM. To enable a feature just pass its name (you can optionally prepend + to its name), to disable a feature prepend - to its name.
--arm-help[=VAL] (default=auto): prints more information about the arm plugin
--arm-interworking=VAL: Enable ARM/Thumb interworking. Defaults to (auto), i.e., to the automatic detection of interworking
--beagle-alpha=VAL (absent=0.05): desired probability of a false positive
--beagle-alphabet=VAL (absent=printable): Build words from the specified alphabet
--beagle-beta=VAL (absent=0.001): desired probability of a false negative
--beagle-dictionary=VAL: Add dictionary file(s).
--beagle-help[=VAL] (default=auto): prints more information about the beagle plugin
--beagle-ignore-strings: don't put static strings into the initial dictionary
--beagle-no-words: Don't try to build words from a dictionary
--beagle-noise=VAL (absent=0.05): expected amount of noise characters
--beagle-print-chars: Print all observed letters.
--beagle-print-strings: Print static strings
--beagle-print-words: Print all buildable words.
--beagle-text-probability=VAL (absent=0.1): a prior probability of the search data
--beagle-words=VAL: Add specified words to the dictionary.
--bil-enable-intrinsics=VAL: Translate the specified instructions into calls to intrinsic functions. The option accepts a list of instruction specifications and can be specified multiple times. Each element of the list is either a keyword or a parametrized predicate. If an instruction matches any of the specifications than it will be translated into a call to an intrinsic function. The following keywords are recognized, :any - matches with any instruction, :unknown - matches with instructions that have unknown (to our lifters) semantics, :special - matches with instructions that have special semantics (expressed with the special statement by our lifters). The following predicates are recognized, asm:<str> matches with instructions which assembly strings start with <str>, tag:<str> - matches with instructions that have a tag (kind) that starts with <str>, <s1>:<s2> - matches with instructions that have opcodes starting with <s2> in the encoding that starts with <s1>. For predicates, all string comparisons are made case-insensitive. Example, :unknown,:special,asm:addsd,llvm:trap.
--bil-floating-point-emulation[=VAL], --bil-enable-fp-emulation[=VAL] (default=true) (absent=true): Enable/disable floating-point emulation (on by default). When enabled the floating-point operations will be reified into BIL expressions using bitvector arithmetic. Only IEEE754 binary formats are supported. operations into Bil expressions that denote those operations in terms of bitvector arithmetic. This may lead to very large denotations.
--bil-help[=VAL] (default=auto): prints more information about the bil plugin
--bil-list-passes: List all available passes and exit
--bil-normalization=VAL (absent=0): Selects a BIL normalization level. The normalization process doesn't change the semantics of a BIL program, but applies some transformations to simplify it. Consult BAP Annotated Reference (BAR) for the detailed description of the BIL normalized forms.
--bil-optimization=VAL (absent=1): Specifies an optimization level. Level 0 disables all optimizations, and level 1 performs regular program simplifications, e.g., applies constant folding, propagation, and elimination of dead temporary (aka virtual) variables.
--bil-passes=VAL: Selects the list and the order of analyses to be applied during the lifing to BIL code.
--byteweight-compiler=VAL: Assume the input file is compiled by VAL
--byteweight-enabled[=VAL] (default=true) (absent=false): Enable/disable byteweight (off by default)
--byteweight-help[=VAL] (default=auto): prints more information about the byteweight plugin
--byteweight-max-length=VAL, --byteweight-length=VAL (absent=16): The maximum length of a word, that could identify a function start. Any signatures that are greater than that length, will not be considered, affect prior probabilities, etc.
--byteweight-min-length=VAL (absent=8): The minimum length of a word, that could identify a function start. Any signatures that are below that length, will not be considered, affect prior probabilities, etc.
--byteweight-sigs=VAL, --byteweight-signatures=VAL: Path to the signature file
--byteweight-threshold=VAL (absent=10.): If greater than 1.0 then it is the Bayes factor, otherwise it is a probability.
--cache-clean: Cleanup all caches. Deprecated, use bap cache --clean instead
--cache-dir=DIR: Use provided folder as a cache directory
--cache-help[=VAL] (default=auto): prints more information about the cache plugin
--callgraph-collator-help[=VAL] (default=auto): prints more information about the callgraph-collator plugin
--callgraph-collator-ignore-matching=VAL: Ignore functions that partially match the speciefied PCRE regular expression.
--callgraph-collator-ignore-reserved: Ignore functions that have reserved names, i.e., starting with _ (underscore) or . (dot).
--callgraph-collator-ignore-unresolved: Ignore functions with dummy names, i.e., starting with sub_.
--callgraph-collator-output=VAL: Outputs all information into the specified file.
--callsites-help[=VAL] (default=auto): prints more information about the callsites plugin
--constant-tracker-enable: Undocumented.
--constant-tracker-help[=VAL] (default=auto): prints more information about the constant-tracker plugin
--core-theory-help[=VAL] (default=auto): prints more information about the core-theory plugin
--core-theory-syntax[=VAL], --core-theory-herbrand[=VAL], --core-theory-debug[=VAL] (default=true) (absent=false): Undocumented
--cxxfilt-help[=VAL] (default=auto): prints more information about the cxxfilt plugin
--demangle-help[=VAL] (default=auto): prints more information about the demangle plugin
--demangle-with=VAL, --demangle-override=VAL: Overrides the default name demangler with the specified one
--dependencies-help[=VAL] (default=auto): prints more information about the dependencies plugin
--disassemble-help[=VAL] (default=auto): prints more information about the disassemble plugin
--dump-symbols-file=FILE: Dump symbols to the specified FILE
--dump-symbols-help[=VAL] (default=auto): prints more information about the dump-symbols plugin
--elf-loader-help[=VAL] (default=auto): prints more information about the elf-loader plugin
--emit-ida-script-attr=VAL: Emit specified BIR attribute. Can be specified multiple times.
--emit-ida-script-file=NAME: Dump annotations to the specified file NAME. If not specified, then the script will dumped into the standard output
--emit-ida-script-help[=VAL] (default=auto): prints more information about the emit-ida-script plugin
--flatten-help[=VAL] (default=auto): prints more information about the flatten plugin
--frontc-parser-help[=VAL] (default=auto): prints more information about the frontc-parser plugin
--frontc-parser-preprocess[=VAL], --frontc-parser-pp[=VAL] (default=cpp): Preprocess headers with the specified preprocessor.
--ghidra-help[=VAL] (default=auto): prints more information about the ghidra plugin
--ghidra-path=VAL: Undocumented
--ghidra-targets, --ghidra-list-targets: Undocumented
--glibc-runtime-enable: Override the glib detection heuristic and enable the runtime fixup.
--glibc-runtime-help[=VAL] (default=auto): prints more information about the glibc-runtime plugin
--ida-headless=VAL (absent=auto): Use headless curses based IDA.
--ida-help[=VAL] (default=auto): prints more information about the ida plugin
--ida-mode=VAL (absent=auto): Specify IDA mode.
--ida-path=VAL: Path to IDA directory.
--llvm-base=VAL: Replace image base address. If not set, a reasonable default corresponded to a file type will be used. For example, for any executable file a default image base is equal to lowest image virtual address. For relocatable files a default image base is equal to 0xC0000000.
--llvm-help[=VAL] (default=auto): prints more information about the llvm plugin
--llvm-pdb-path=VAL: A path to a directory with pdb file OR a path to a PDB file. In the first case the file with the matching name of the target executable will be selected if present. The default is the path to a current working directory.
--llvm-version: Prints LLVM version and exits
--llvm-x86-syntax=VAL (absent=att): Choose style of code for x86 syntax between att and intel
--map-terms-help[=VAL] (default=auto): prints more information about the map-terms plugin
--map-terms-using=FILE: Read patterns from the FILE
--map-terms-with=VAL: Map terms according the VAL
--mc-help[=VAL] (default=auto): prints more information about the mc plugin
--mips-backend=VAL: Specify which backend to use
--mips-help[=VAL] (default=auto): prints more information about the mips plugin
--no-abi: Disable the abi plugin
--no-analyze: Disable the analyze plugin
--no-api: Disable the api plugin
--no-arm: Disable the arm plugin
--no-beagle: Disable the beagle plugin
--no-bil: Disable the bil plugin
--no-byteweight: Disable the byteweight plugin
--no-cache: Disable the cache plugin
--no-callgraph-collator: Disable the callgraph-collator plugin
--no-callsites: Disable the callsites plugin
--no-constant-tracker: Disable the constant-tracker plugin
--no-core-theory: Disable the core-theory plugin
--no-cxxfilt: Disable the cxxfilt plugin
--no-demangle: Disable the demangle plugin
--no-dependencies: Disable the dependencies plugin
--no-disassemble: Disable the disassemble plugin
--no-dump-symbols: Disable the dump-symbols plugin
--no-elf-loader: Disable the elf-loader plugin
--no-emit-ida-script: Disable the emit-ida-script plugin
--no-flatten: Disable the flatten plugin
--no-frontc-parser: Disable the frontc-parser plugin
--no-ghidra: Disable the ghidra plugin
--no-glibc-runtime: Disable the glibc-runtime plugin
--no-ida: Disable the ida plugin
--no-llvm: Disable the llvm plugin
--no-map-terms: Disable the map-terms plugin
--no-mc: Disable the mc plugin
--no-mips: Disable the mips plugin
--no-objdump: Disable the objdump plugin
--no-optimization: Disable the optimization plugin
--no-patterns: Disable the patterns plugin
--no-phoenix: Disable the phoenix plugin
--no-powerpc: Disable the powerpc plugin
--no-primus-dictionary: Disable the primus-dictionary plugin
--no-primus-exploring: Disable the primus-exploring plugin
--no-primus-greedy: Disable the primus-greedy plugin
--no-primus-limit: Disable the primus-limit plugin
--no-primus-lisp: Disable the primus-lisp plugin
--no-primus-loader: Disable the primus-loader plugin
--no-primus-mark-visited: Disable the primus-mark-visited plugin
--no-primus-powerpc: Disable the primus-powerpc plugin
--no-primus-print: Disable the primus-print plugin
--no-primus-promiscuous: Disable the primus-promiscuous plugin
--no-primus-propagate-taint: Disable the primus-propagate-taint plugin
--no-primus-random: Disable the primus-random plugin
--no-primus-region: Disable the primus-region plugin
--no-primus-round-robin: Disable the primus-round-robin plugin
--no-primus-symbolic-executor: Disable the primus-symbolic-executor plugin
--no-primus-systems: Disable the primus-systems plugin
--no-primus-taint: Disable the primus-taint plugin
--no-primus-test: Disable the primus-test plugin
--no-primus-wandering: Disable the primus-wandering plugin
--no-primus-x86: Disable the primus-x86 plugin
--no-print: Disable the print plugin
--no-propagate-taint: Disable the propagate-taint plugin
--no-radare2: Disable the radare2 plugin
--no-raw: Disable the raw plugin
--no-read-symbols: Disable the read-symbols plugin
--no-recipe-command: Disable the recipe-command plugin
--no-relocatable: Disable the relocatable plugin
--no-report: Disable the report plugin
--no-riscv: Disable the riscv plugin
--no-run: Disable the run plugin
--no-specification: Disable the specification plugin
--no-ssa: Disable the ssa plugin
--no-strings: Disable the strings plugin
--no-stub-resolver: Disable the stub-resolver plugin
--no-systemz: Disable the systemz plugin
--no-taint: Disable the taint plugin
--no-thumb: Disable the thumb plugin
--no-trace: Disable the trace plugin
--no-trivial-condition-form: Disable the trivial-condition-form plugin
--no-warn-unused: Disable the warn-unused plugin
--no-x86: Disable the x86 plugin
--objdump-demangler=VAL: Specify the demangler name. Set to disabled to disable demangling.
--objdump-help[=VAL] (default=auto): prints more information about the objdump plugin
--optimization-help[=VAL] (default=auto): prints more information about the optimization plugin
--optimization-level=VAL (absent=0): Specifies the optimization level. The higher the value the more aggressive (and less safe) optimizations are applied. On level 0 we touch nothing, only some constant folding may occur. On level 1 we optimize only the synthetic code that was generated by the lifter. Since such code can't leave a scope of instruction it is not affected by the imprecision of a control flow graph. On level 2, we also move and optimize processor flags. This removes a significant amount of code and simplifies the program and is a fair compromise between safety and performance. (Since flags are rarely used non-locally). Finally, on level 3 we extend our analysis to all variables.
--patterns-help[=VAL] (default=auto): prints more information about the patterns plugin
--patterns-path=VAL: Add the specified path to the list of patterns directories.
--phoenix-help[=VAL] (default=auto): prints more information about the phoenix plugin
--phoenix-keep-alive: Keep alive unused temporary variables
--phoenix-keep-const: Disable constant folding
--phoenix-labels-with=VAL (absent=name): Put block name, assembler instructions, or bil instructions on graph labels using `name', `asm', or `bil' respectively. Can be specified as a list of multiple elements separated by commas.
--phoenix-labels-with-asm: Use --label-with=.. instead. Put assembler instructions on graph labels
--phoenix-labels-with-bil: Use --label-with=.. instead. Put bil instructions on graph labels
--phoenix-labels-with-name: Use --label-with=.. instead. Put block name on graph labels
--phoenix-no-inline: Disable inlining temporary variables
--phoenix-no-optimizations: Disable all kinds of optimizations
--phoenix-no-resolve: Do not resolve addresses to symbolic names
--phoenix-output-folder=VAL (absent=phoenix): Output data into the specified folder
--powerpc-backend=VAL: Undocumented.
--powerpc-help[=VAL] (default=auto): prints more information about the powerpc plugin
--primus-dictionary-help[=VAL] (default=auto): prints more information about the primus-dictionary plugin
--primus-exploring-help[=VAL] (default=auto): prints more information about the primus-exploring plugin
--primus-exploring-scheduler: Enable the scheduler.
--primus-greedy-help[=VAL] (default=auto): prints more information about the primus-greedy plugin
--primus-greedy-scheduler: Enable the scheduler.
--primus-limit-help[=VAL] (default=auto): prints more information about the primus-limit plugin
--primus-limit-max-length=VAL: Limits the maximum number of basic blocks a single machinine can execute.
--primus-limit-max-visited=VAL: Limits the maximum number of executions of the same block in a given machine.
--primus-lisp-add=VAL: paths to lisp libraries
--primus-lisp-channel-redirect=VAL: establishes a redirection between an emulated file path and a file path on a host system. Each redirection should be of form <emu-name>:<real-name>, where <emu-name> could be a path or a a name of one of the standard channels, i.e., <stdin> or <stdout> or <stderr>.
--primus-lisp-documentation: outputs Primus Lisp documentation
--primus-lisp-dump: dumps generated AST
--primus-lisp-help[=VAL] (default=auto): prints more information about the primus-lisp plugin
--primus-lisp-load=VAL: load specified module
--primus-lisp-semantics=VAL: prepend the specified folders to the list of folders where semantics files are searched. Every file that has the .lisp extension in these folders will be loaded and linked to the Primus Lisp program that is used to define program semantics. The initial list of folders contains /home/runner/.local/share/bap/primus/semantics and /home/runner/.opam/4.09.1/share/bap/primus/semantics. When features are loaded, the first found file that has the matching name is loaded, so it is possible to override features stored in the system or local data directories. When set to disable this option disables the Primus Lisp lifter.
--primus-lisp-semantics-stdout=VAL: redirects messages in the semantic definitions to the specified file.
--primus-lisp-typecheck, --primus-lisp-type-check: typechecks the program and prints erros if they exist
--primus-loader-help[=VAL] (default=auto): prints more information about the primus-loader plugin
--primus-loader-stack-base=VAL (absent=1073741824): default address of the stack base
--primus-loader-stack-size=VAL (absent=8388608): generic program loader for Primus
--primus-mark-visited-help[=VAL] (default=auto): prints more information about the primus-mark-visited plugin
--primus-powerpc-help[=VAL] (default=auto): prints more information about the primus-powerpc plugin
--primus-print-help[=VAL] (default=auto): prints more information about the primus-print plugin
--primus-print-observations=VAL: A list of observations to print. A keyword `all` can be use to select all events. To ignore a particular event, add `-' before the name. An optional + is allowed for the consistency.
--primus-print-output=VAL: A name of a file in which to store the monitor output. If not specified, then outputs result into stdout
--primus-print-rules=VAL: Undocumented.
--primus-print-traceback[=VAL] (default=16): Stores and outputs a trace of execution. Takes an optional argument that limits the traceback length to the specified number of terms.
--primus-promiscuous-help[=VAL] (default=auto): prints more information about the primus-promiscuous plugin
--primus-promiscuous-mode: (DEPRECATED) Enable the mode.
--primus-propagate-taint-from-attributes: Introduces taint in terms that are marked with the tainted-ptr and tainted-reg attribute.
--primus-propagate-taint-help[=VAL] (default=auto): prints more information about the primus-propagate-taint plugin
--primus-propagate-taint-no-marks: Disables the projection of the taint engine state to term attributes. The option is only valid when the run option is specified. This option is left for compatibility with the old interface and is not compatible with the from-attributes or to-attrbutes options. It is an error to mix options from the new and old interfaces.
--primus-propagate-taint-run: Enables propagating taint from term attributes and back to attributes, unless the latter is disabled with the no-marks option. This option is left for compatibility with the old interface and is not compatible with the from-attributes or to-attrbutes options. It is an error to mix options from the new and old interfaces.
--primus-propagate-taint-to-attributes: Reflects the state of the taint propagation engine to the tainted-ptrs and tainted-regs term attributes.
--primus-random-generators=VAL: A list of generator specifications. The generators are processed in order, with the first matching operator having the precedence. This option also has precedence over the generators specified via the initialization files.
--primus-random-help[=VAL] (default=auto): prints more information about the primus-random plugin
--primus-random-init=VAL: A list of generator initialization scripts. Files are processed in order, with the first matching operator having the precedence.
--primus-random-preserve-protection: Preserves page protection flags when a new page is swapped in. When this flag is not set the bap:mem-randomizer will map missing memory pages as writable.
--primus-random-seed=VAL (absent=0): The seed that will be used to initialize all generators.
--primus-region-help[=VAL] (default=auto): prints more information about the primus-region plugin
--primus-round-robin-help[=VAL] (default=auto): prints more information about the primus-round-robin plugin
--primus-round-robin-scheduler: Enable the scheduler.
--primus-symbolic-executor-cutoff-level=VAL (absent=1): The number of times the same branch is retried.
--primus-symbolic-executor-help[=VAL] (default=auto): prints more information about the primus-symbolic-executor plugin
--primus-symbolic-executor-timeout=VAL (absent=16): The number of milliseconds alloted to the SMT solver to find a model
--primus-systems-add-path=VAL: adds the path to the list of paths where Primus systems are searched
--primus-systems-help[=VAL] (default=auto): prints more information about the primus-systems plugin
--primus-taint-default-policy=VAL (absent=propagate-by-computation): Set the default taint propagation policy
--primus-taint-gc=VAL (absent=none): Picks a taint garbage collector
--primus-taint-help[=VAL] (default=auto): prints more information about the primus-taint plugin
--primus-test-help[=VAL] (default=auto): prints more information about the primus-test plugin
--primus-wandering-help[=VAL] (default=auto): prints more information about the primus-wandering plugin
--primus-wandering-scheduler: Enable the scheduler.
--primus-wandering-seed=VAL (absent=0): random generator seed
--primus-x86-help[=VAL] (default=auto): prints more information about the primus-x86 plugin
--print-bir-attr=VAL: When printing IR emit an attribute VAL
--print-demangled-with=VAL: Demangle symbols, using the specified demangler
--print-help[=VAL] (default=auto): prints more information about the print plugin
--print-matching=VAL: Only print elements that matches with the provided patterns. A pattern consists of the name of a property and a regular expression, which denotes a set of values of this property. The property name and the regular expression are separated wit the : symbol, e.g., symbol:main will print all elements that belong to the symbol entry main. The syntax of the regular expressions is PCRE with partial matching. The following properties are supported: symbol - name of the enclosing symbol, where the symbol is looked up in the file symbol table or debuging information, if any ; section - name of the enclosing section of the file ; segment - name of the enclosing segment of the file ; subroutine - name of the enclosing subroutine .
--print-section=VAL: same as --print-matching=section:VAL
--print-semantics[=SEMANTICS-LIST] (default=): Display the SEMANTICS-LIST semantics of the program. If used without an argument then all semantic values associated with terms will be printed. Otherwise only the selected (if present) will be printed.
--print-symbol=VAL: same as --print-matching=symbol:VAL
--print-symbol-format=VAL: Print found symbols. Optional value defines output format, and can be one of name, addr or size. You can specify this parameter several times, if you want both, for example.
--print-with-colors=VAL (absent=false): Allow coloring output with ansi color escape sequences
--propagate-taint-deterministic: Run in a deterministic mode. In this mode we will follow only one execution path, without backtracking, giving a more feasible result, but much less coverage
--propagate-taint-help[=VAL] (default=auto): prints more information about the propagate-taint plugin
--propagate-taint-interesting=VAL: Look only at specified functions
--propagate-taint-max-iterations=N (absent=10): Limit loop to N iterations
--propagate-taint-max-trace=BLOCKS (absent=1000000): Limit maximum trace length to BLOCKS
--propagate-taint-mem-value=VAL (absent=random): Input generation policy. If set to a fixed value, e.g. `0', then all undefined memory locations will be concretized to this value. If set to an interval, e.g., `(0 5)', then values will be randomly picked from this interval (boundaries including). If set to `random', then values will be picked randomly from a domain, defined by a type of value.
--propagate-taint-print-coverage: print coverage [debug]
--propagate-taint-random-seed=VAL: Initialize random number generator with the given seed
--propagate-taint-reg-value=VAL (absent=random): Input generation policy. If set to a fixed value, e.g. `0', then all undefined registers will be concretized to this value. If set to an interval, e.g., `(0 5)', then values will be randomly picked from this interval (boundaries including). If set to `random', then values will be picked randomly from a domain, defined by a type of value.
--radare2-help[=VAL] (default=auto): prints more information about the radare2 plugin
--raw-arch=VAL (absent=x86-64): Specifies the ISA of raw bytes
--raw-base=VAL (absent=0x0): The address of the first byte
--raw-bits=VAL (absent=32): The number of bits in the machine word. If not specified then it will be derived from the architecture or default to 32 if the architecture is not known.
--raw-entry-point=VAL: Address (or addresses) of entry points
--raw-help[=VAL] (default=auto): prints more information about the raw plugin
--raw-length=VAL: The length of the code section
--raw-offset=VAL (absent=0): The offset of the first byte
--read-symbols-from=VAL: Undocumented
--read-symbols-help[=VAL] (default=auto): prints more information about the read-symbols plugin
--read-symbols-when-matches[=VAL] (default=): Undocumented
--recipe-command-help[=VAL] (default=auto): prints more information about the recipe-command plugin
--relocatable-help[=VAL] (default=auto): prints more information about the relocatable plugin
--report-events: Output progress events
--report-help[=VAL] (default=auto): prints more information about the report plugin
--report-progress: Show progress bars
--riscv-backend=VAL: Undocumented
--riscv-help[=VAL] (default=auto): prints more information about the riscv plugin
--run-argv=VAL: Process argument vector
--run-entry-points=VAL: Can be a list of entry points or one of the following keywords: all-subroutines, marked-subroutines, only-queue. An entry point is either a string denoting a function name, a tid starting with the % (percent) symbol, or an address in a hexadecimal format prefixed with 0x. When the option is specified, the Primus Machine will start the execution from the specified entry point(s). Otherwise the execution will be started from all program terms that are marked with the [entry_point] attribute. If there are several entry points, then they will be executed each in a separate machine or, if --run-in-separation is specified, in a separate system. In case when each entry point is run in a separate machine it is necessary to add a scheduler component to the system that is used to run the entry point. If neither the argument nor there any entry points in the program, then a function called _start is called. If all-subroutines are specified then Primus will execute all subroutines in the topological order. If marked-subroutines is specified, then Primus will execute the specified systems on all subroutines that has the mark attribute. If the only-queue is specified, then only jobs already queued in the Primus Job Queue will be run and no entry points will be searched in the project.
--run-env=VAL: Program environemt as a comma separated list of VAR=VAL pairs
--run-help[=VAL] (default=auto): prints more information about the run plugin
--run-in-isolation: Run each entry point as new system. Each entry point is enqueued as a job and run in a separate systems. The project and knowledge is passed between each system, the rest of the state is discarded.
--run-systems=VAL: Runs the specified Primus systems. If several systems are specified then runs all entry points for each specified system.
--run-until-visited-all: Runs Primus until all subroutines and blocks are visited. When this mode is enabled and run plugin finishes it finds the first unvisited subroutine (or if no such found the first unvisited block) and spawns a new system with it as an entry point. This continues until there are no more unvisited blocks.
--run-with-repetitions: The pass runs subroutines in the topological order meaning the farther a subroutine is in a callgraph from the roots the later it will be run as an entry point and higher chances it will be called before that from some other subroutine. And being a callee is more interesting case for analysis then being an entry point due to the wider context of the former. Given that, we skip by default such of entry points that were visited during the run of other ones. And this option disables this behavior and runs all the subroutines in a row.
--specification-help[=VAL] (default=auto): prints more information about the specification plugin
--ssa-help[=VAL] (default=auto): prints more information about the ssa plugin
--strings-help[=VAL] (default=auto): prints more information about the strings plugin
--strings-min-len=VAL, --strings-bytes=VAL (absent=4): ignore strings that has length less then VAL
--strings-print-address: prints an address of each found string
--stub-resolver-help[=VAL] (default=auto): prints more information about the stub-resolver plugin
--stub-resolver-link-only=VAL: A list of subroutine names that are to be exclusively considered for redirecting calls to stubs to calls to the implementations. An empty list means that no stubs will be exclusively considered.
--stub-resolver-names=VAL: The list of known sections that contain function stubs. The names specified with this parameter are appended to the existing list that includes: .plt, .plt.sec, __stubs, .MIPS.stubs
--stub-resolver-no-link=VAL: A list of stub names that will not be linked to their implementations.
--stub-resolver-signatures=VAL: A list of folders and files that contain signatures for stubs identification. Each file shall have a name of the form <target>.stubs and contain a list of words each denoting a possible starting sequence of a bytes for a stub. The <target> is the name of the target, e.g., arm.stubs, armv7-linux-gnueabi.stubs, etc. Each word denoting a signature must be encoded as an ASCII number and be binary (start with 0b), octal (start with 0o, or hexadecimal (start with 0x, e.g., 0xDEADBEEF. If the prefix is omitted then the hexadecimal notation is assumed, e.g., DEADBEEF is also acceptable. The signature length is automatically inferred from the word, i.e., the leading zeros are not discarded. By default we search in the current working folder, /home/runner/.local/share/bap/signatures, and in /home/runner/.opam/4.09.1/share/bap/signatures
--systemz-help[=VAL] (default=auto): prints more information about the systemz plugin
--taint-help[=VAL] (default=auto): prints more information about the taint plugin
--taint-ptr=VAL: Taint ptr value of definition matching with the specification
--taint-reg=VAL: Taint reg value of definition matching with the specification
--thumb-help[=VAL] (default=auto): prints more information about the thumb plugin
--trace-dump=URI: Dump a trace specified by URI
--trace-help[=VAL] (default=auto): prints more information about the trace plugin
--trace-load=VAL: Load trace from the specified VAL. The option maybe used many times to load several traces
--trivial-condition-form-help[=VAL] (default=auto): prints more information about the trivial-condition-form plugin
--warn-unused-help[=VAL] (default=auto): prints more information about the warn-unused plugin
--warn-unused-mark: run bap-mark pass
--warn-unused-print: run bap-print pass
--warn-unused-taint: run bap-taint pass
--x86-abi=VAL, --x86-64-abi=VAL: Override the ABI detection and use the selected ABI.
--x86-backend=VAL, --x86-64-backend=VAL: Undocumented.
--x86-disable-floating-point-intrinsics: Disables translation of floating-point instructions into calls to intrinsic functions.
--x86-endbr-enabled, --x86-cet-enabled: When enabled, translate all endbr instruction into intrinsic calls. Otherwise treat them as nops
--x86-help[=VAL] (default=auto): prints more information about the x86 plugin
--x86-lifter=VAL (absent=merge): Debug purpose only. The VAL must be one of legacy, modern or merge. Default: VAL = merge.
--x86-with-floating-points: DEPRECATED
--x86-with-legacy-floating-points: Enables the legacy floating-point lifter and disables the intrinsic semantics of floating-point operations

ENVIRONMENT

These environment variables affect the execution of disassemble:

BAP_LOG_DIR: A folder for log files.

EXAMPLES


  bap dis /bin/echo --passes=run,check -dbir:out.bir -dasm:out.asm

This document was created by man2html, using the manual pages.
Time: 01:55:30 GMT, January 07, 2023