B2R2

B2R2 is a fully managed binary analysis framework written in F#. It provides a rich set of algorithms, functions, and tools for reverse engineering, program analysis, and binary-level inspection.

The name B2R2 takes inspiration from R2-D2, the iconic robot from Star Wars. Originally named B2-R2, the project later adopted the dash-free form B2R2 because .NET identifiers and namespaces do not allow hyphens. The name reflects the project's purpose: "B" and "2" suggest binary and two-state computation, while "R" stands for reversing. In short, B2R2 is built for binary reversing.

Overview

  1. B2R2 is analysis-friendly: it is written in F#, a language well suited for building program analyzers thanks to features such as pattern matching, algebraic data types, and expressive functional abstractions.

  2. B2R2 is fast: its core binary analysis engine is designed for efficiency and written in a functional-first style. This makes it a natural fit for pure parallelism across common analysis tasks such as instruction lifting and CFG recovery.

  3. B2R2 is easy to use: as a fully managed library, it avoids complicated native dependency setup. Install the .NET SDK, and you are ready to go. Native IntelliSense support also makes the APIs easier to explore.

  4. B2R2 is OS-independent: it works on Linux, macOS, and Windows, as well as any other platform supported by .NET.

  5. B2R2 is interoperable: it is not tied to a single programming language. In principle, B2R2 APIs can be used from any CLI-supported language.

Features

B2R2 supports instruction parsing, binary disassembly, assembly, control-flow recovery, and other core building blocks for binary analysis. It also includes several user-facing command-line tools comparable to readelf and objdump, while remaining platform-agnostic. B2R2 currently supports four binary file formats: ELF, PE, Mach-O, and WebAssembly.

The table below summarizes the features currently supported by B2R2. Some areas are still in progress, and contributions are welcome. Before opening a pull request, please make sure to read our contribution guideline.

| CPU | Docs | Ins Parsing | Disasm | Lifting | CFG Recovery | Assembly |
|---|---|---|---|---|---|---|
| x86 | 🌕 | 🌕 | 🌕 | 🌕 | 🌕 | 🌕 |
| x86-64 | 🌕 | 🌕 | 🌕 | 🌕 | 🌕 | 🌕 |
| ARMv7 | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| ARMv8 (AArch64) | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| MIPS32 | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| MIPS64 | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| EVM | 🌕 | 🌕 | 🌕 | 🌕 | 🌕 | 🌑 |
| TMS320C6000 | 🌕 | 🌕 | 🌕 | 🌑 | 🌓 | 🌑 |
| AVR | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| PA-RISC | 🌕 | 🌕 | 🌕 | 🌑 | 🌓 | 🌑 |
| PPC32 | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| SPARC | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| SH4 | 🌕 | 🌕 | 🌕 | 🌑 | 🌓 | 🌑 |
| RISC-V | 🌕 | 🌕 | 🌕 | 🌕 | 🌓 | 🌑 |
| S390 | 🌕 | 🌕 | 🌕 | 🌑 | 🌓 | 🌑 |

Dependencies

B2R2 keeps its dependency footprint intentionally small to make builds simple and to keep the core focused on efficient algorithms and data structures for binary analysis. The core library has no external dependencies, and most external libraries are optional and used only by specific components or tools. Below is the list of external libraries used by the project.

API Documentation

Our documentation is generated with fsdocs and available at https://b2r2.org/B2R2/.

Example

Let's try using the B2R2 APIs.

  1. First, create an empty directory named DIRNAME:

    $ mkdir DIRNAME
    $ cd DIRNAME
    
  2. Then, create an empty console project with the dotnet command-line tool:

    $ dotnet new console -lang F#
    
  3. Add the NuGet package B2R2.FrontEnd.API to the project:

    $ dotnet add package B2R2.FrontEnd.API
    
  4. Modify the Program.fs file with your favorite editor as follows:

    open B2R2
    open B2R2.FrontEnd
    
    [<EntryPoint>]
    let main argv =
      let isa = ISA "amd64"
      // 65 = GS segment-override prefix, FF /2 = indirect near call,
      // ModRM 0x15 = RIP-relative operand with the 32-bit displacement 0x10.
      let bytes = [| 0x65uy; 0xffuy; 0x15uy; 0x10uy; 0x00uy; 0x00uy; 0x00uy |]
      let hdl = BinHandle(bytes, isa) // raw byte buffer interpreted under the given ISA
      let lifter = hdl.NewLiftingUnit()
      let ins = lifter.ParseInstruction 0UL // parse the instruction at offset 0
      lifter.LiftInstruction ins |> printfn "%A" // print the lifted IR statements
      0

  5. Run it by typing dotnet run. You should see lifted IR statements in your console. That's it! You just lifted an Intel instruction with only a few lines of F# code.
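
The same calls from step 4 can be extended to lift a whole buffer one instruction at a time (a linear sweep). This is an added example, not code from the B2R2 project: the function name `liftAll` is hypothetical, the sample bytes are constructed, and it assumes that the parsed instruction exposes its encoded size as `Length` and that `ParseInstruction` raises an exception on bytes it cannot decode.

```fsharp
open B2R2
open B2R2.FrontEnd

/// Lift every instruction in a raw buffer, one after another (linear sweep).
/// Returns the number of bytes that decoded cleanly.
let liftAll (isa: ISA) (bytes: byte[]) =
  let hdl = BinHandle(bytes, isa)
  let lifter = hdl.NewLiftingUnit()
  let size = uint64 bytes.Length
  let rec loop (offset: uint64) =
    if offset >= size then offset
    else
      // Assumption: ParseInstruction raises on bytes it cannot decode, so the
      // sweep stops there instead of guessing at the next instruction boundary.
      let parsed =
        try Some(lifter.ParseInstruction(offset))
        with _ -> None
      match parsed with
      | None ->
        printfn "%04x: undecodable bytes, stopping" offset
        offset
      | Some ins ->
        printfn "%04x:" offset
        for stmt in lifter.LiftInstruction(ins) do
          printfn "    %A" stmt
        // Assumption: Length is the encoded size of the instruction in bytes.
        loop (offset + uint64 ins.Length)
  loop 0UL

[<EntryPoint>]
let main _ =
  let isa = ISA "amd64"
  // Constructed sample: push rbp; mov rbp, rsp; xor eax, eax; pop rbp; ret
  let bytes =
    [| 0x55uy; 0x48uy; 0x89uy; 0xe5uy; 0x31uy; 0xc0uy; 0x5duy; 0xc3uy |]
  let decoded = liftAll isa bytes
  printfn "decoded %d of %d bytes" decoded bytes.Length
  0
```

A linear sweep treats every byte as code, so data embedded in a code region can desynchronize it; the CFG recovery listed under Features is the alternative that follows control flow instead.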

Build

Building B2R2 is straightforward. Install the .NET 10 SDK or later, and you are ready to build from the source root.

  • To build B2R2 in release mode, run dotnet build -c Release.

  • To build B2R2 in debug mode, run dotnet build.

For more information about setting up an F# development environment, visit the official F# website: http://fsharp.org/.

Credits

B2R2 was developed by members of the SoftSec Lab at KAIST in collaboration with the Cyber Security Research Center (CSRC) at KAIST. See AUTHORS.md for the full list of contributors.

Citation

If you use B2R2 in your research, please consider citing our paper:

@INPROCEEDINGS{jung:bar:2019,
  author = {Minkyu Jung and Soomin Kim and HyungSeok Han and Jaeseung Choi and Sang Kil Cha},
  title = {{B2R2}: Building an Efficient Front-End for Binary Analysis},
  booktitle = {Proceedings of the NDSS Workshop on Binary Analysis Research},
  year = 2019
}

Tutorial

An online tutorial is available for B2R2. It covers the basics of using B2R2 and provides hands-on examples. Check it out at the following link: https://b2r2.org/tutorial-icst2026/.

Publications

Below are papers that use or build on B2R2. If your work should be included, please open a pull request.

  • EVMpress: Precise Type Inference for Next-Generation EVM Decompilation, CBT 2025 (PDF)
  • Towards Sound Reassembly of Modern x86-64 Binaries, ASPLOS 2025 (PDF)
  • PoE: A Domain-Specific Language for Exploitation, SVCC 2024 (PDF)
  • FunProbe: Probing Functions from Binary Code through Probabilistic Analysis, FSE 2023 (PDF)
  • How'd Security Benefit Reverse Engineers? The Implication of Intel CET on Function Identification, DSN 2022 (PDF)
  • Smartian: Enhancing Smart Contract Fuzzing with Static and Dynamic Data-Flow Analyses, ASE 2021 (PDF)
  • NTFuzz: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis, Oakland 2021 (PDF)
