ripr is a tool that helps you rip out functionality from binary code and use it from python. It accomplishes this by pairing the Unicorn-Engine with Binary Ninja

  • Dependencies: > Binary Ninja

    • To install the binary ninja api, use:

    Install the Binary Ninja Python API

    • Clone ripr from:

    pbiernat/ripr

  • Seek to function - s offset/function

  • Run #!pipe python ./r2pipe_run.pys``
  • Follow prompts
  • Example from original pull request

    ``python ripr $ r2 /tmp/example3 -- Remember that word: C H A I R [0x004007f0]> s sym.algo [0x00400908]> aaaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze len bytes of instructions for references (aar) [x] Analyze function calls (aac) [x] Emulate code to find computed references (aae) [x] Analyze consecutive function (aat) [x] Type matching analysis for all functions (afta))unc.* functions (aan) [x] Type matching analysis for all functions (afta) [0x00400908]> #!pipe python ./r2pipe_run.pys` [!!] Not running in Binary Ninja [!] Not running in IDA [+] Not running in BinaryNinja [ripr] Packaging function 0x400908 (4196616,) Enter Class Name? asdf Resolving Dependencies for 400908 [ripr] Inside branchScan [ripr] JUMP TARGET: 4196668 [ripr] Found LLIL CALL instruction [ripr] IL_INST Dest: [ripr] JUMP TARGET: 4196641 [ripr] Inside dataScan Target code may depend on outside code, attempt to map automatically? (Y/N)Y [ripr] Performing analysis on code dependencies... Found CodeRef: 4196582::call Resolving Dependencies for 4008e6 [ripr] Inside branchScan [ripr] Found imported Call target... [ripr] Inside dataScan Found Potential Pointer: 4196977 [ripr] Selection includes calls to imported Functions! Code contains calls to imported functions. How should this be handled? (nop, hook, cancel)?hook [ripr] Found these potential Data References Data Referenced: 0x400a71 Use Section-Marking Mode for data dependencies (default; yes) (Y/N)yes Mapping Sections [(4196960, 4196981, u'.rodata')] [{4196616: }, {4196582: }] from unicorn import * from unicorn.x86_const import *

    import struct class asdf(object): def init(self): self.mu = Uc(UC_ARCH_X86, UC_MODE_64) self.code_0 = '554889e54883ec10897dfcbf710a4000e885feffff8b45fc0faf45fc0faf45fcc9c3'.decode('hex') self.code_1 = '554889e54883ec20897decc745fc00000000c745f8000000008b45f83b45ec7d138b45f889c7e8b3ffffff0145fc8345f801ebe58b45fcc9c3'.decode('hex')

                self.data_0 = '010002000000000000000000000000000068692100'.decode('hex')
    
                self.mu.mem_map(0x400000,0x200000)
                self.mu.mem_map(0x7ffff000,0x200000)
    
                self.mu.mem_write(0x400a60, self.data_0)
                self.mu.mem_write(0x4008e6, self.code_0)
                self.mu.mem_write(0x400908, self.code_1)
    
                self.hookdict = {4196603: 'hook_puts'}
        def hook_puts(self):
                pass
        def _start_unicorn(self, startaddr):
                try:
                        self.mu.emu_start(startaddr, 0)
                except Exception as e:
                        if self.mu.reg_read(UC_X86_REG_RIP) == 1:
                                return
                        retAddr = struct.unpack("<q", self.mu.mem_read(self.mu.reg_read(UC_X86_REG_RSP), 8))[0]
                        if retAddr in self.hookdict.keys():
                                getattr(self, self.hookdict[retAddr])()
                                self.mu.reg_write(UC_X86_REG_RSP, self.mu.reg_read(UC_X86_REG_RSP) + 8)
                                self._start_unicorn(retAddr)
                        else:
                                raise e
        def run(self):
                self.mu.reg_write(UC_X86_REG_RSP, 0x7fffffff)
                self.mu.mem_write(0x7fffffff, '\x01\x00\x00\x00')
                self._start_unicorn(0x400908)
                return self.mu.reg_read(UC_X86_REG_RAX)
    

    ```