ripr is a tool that helps you rip out functionality from binary code and use it from python. It accomplishes this by pairing the Unicorn-Engine with Binary Ninja

  • Dependencies: > Binary Ninja

    • To install the binary ninja api, use:

    Install the Binary Ninja Python API

    • Clone ripr from:


  • Seek to function - s offset/function

  • Run #!pipe python ./r2pipe_run.pys``
  • Follow prompts
  • Example from original pull request

    ``python ripr $ r2 /tmp/example3 -- Remember that word: C H A I R [0x004007f0]> s sym.algo [0x00400908]> aaaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze len bytes of instructions for references (aar) [x] Analyze function calls (aac) [x] Emulate code to find computed references (aae) [x] Analyze consecutive function (aat) [x] Type matching analysis for all functions (afta))unc.* functions (aan) [x] Type matching analysis for all functions (afta) [0x00400908]> #!pipe python ./r2pipe_run.pys` [!!] Not running in Binary Ninja [!] Not running in IDA [+] Not running in BinaryNinja [ripr] Packaging function 0x400908 (4196616,) Enter Class Name? asdf Resolving Dependencies for 400908 [ripr] Inside branchScan [ripr] JUMP TARGET: 4196668 [ripr] Found LLIL CALL instruction [ripr] IL_INST Dest: [ripr] JUMP TARGET: 4196641 [ripr] Inside dataScan Target code may depend on outside code, attempt to map automatically? (Y/N)Y [ripr] Performing analysis on code dependencies... Found CodeRef: 4196582::call Resolving Dependencies for 4008e6 [ripr] Inside branchScan [ripr] Found imported Call target... [ripr] Inside dataScan Found Potential Pointer: 4196977 [ripr] Selection includes calls to imported Functions! Code contains calls to imported functions. How should this be handled? (nop, hook, cancel)?hook [ripr] Found these potential Data References Data Referenced: 0x400a71 Use Section-Marking Mode for data dependencies (default; yes) (Y/N)yes Mapping Sections [(4196960, 4196981, u'.rodata')] [{4196616: }, {4196582: }] from unicorn import * from unicorn.x86_const import *

    import struct class asdf(object): def init(self): = Uc(UC_ARCH_X86, UC_MODE_64) self.code_0 = '554889e54883ec10897dfcbf710a4000e885feffff8b45fc0faf45fc0faf45fcc9c3'.decode('hex') self.code_1 = '554889e54883ec20897decc745fc00000000c745f8000000008b45f83b45ec7d138b45f889c7e8b3ffffff0145fc8345f801ebe58b45fcc9c3'.decode('hex')

                self.data_0 = '010002000000000000000000000000000068692100'.decode('hex')
      , self.data_0)
      , self.code_0)
      , self.code_1)
                self.hookdict = {4196603: 'hook_puts'}
        def hook_puts(self):
        def _start_unicorn(self, startaddr):
              , 0)
                except Exception as e:
                        if == 1:
                        retAddr = struct.unpack("<q",, 8))[0]
                        if retAddr in self.hookdict.keys():
                                getattr(self, self.hookdict[retAddr])()
                      , + 8)
                                raise e
        def run(self):
      , 0x7fffffff)
      , '\x01\x00\x00\x00')