full screen background image
Search
Sunday 18 February 2018
  • :
  • :

ripr: Package Binary Code

ripr is a tool that helps you rip out functionality from binary code and use it from python. It accomplishes this by pairing the Unicorn-Engine with Binary Ninja. Currently, x86x64, and arm are supported and work to a reasonable degree.

Reimplementing functionality is a common, often time-consuming, and sometimes arduous process that comes up frequently during reverse engineering. A few examples:

  • A CTF challenge has a custom encoding/decoding scheme you need to use in your solution script
  • A piece of malware uses a custom hashing or encryption function you need to implement
  • You need to make sure your reimplementation behaves exactly as it would on the original architecture

ripr attempts to automatically generate a python class that is functionally identical to a selected piece of code by statically gathering sufficient information and wrapping it all into a “harness” for the unicorn emulator.

For some concrete examples (that are much easier to grok), check out the sample folder!

Code Structure

  • packager.py — High-Level Functionality. Code here drives the process of gathering necessary data
  • codegen.py — Contains code for actually generating the python output from the gathered data
  • analysis_engine.py — Wraps static analysis engine functionality into a common interface
  • dependency.py — Contains code for finding code and data that the target code needs in order to function correctly
  • conScan.py — Contains “convenience” analyses that help ripr output easier-to-use code
  • gui.py — A collection of hacks that resembles a user interface
    • Reuses lots of code from the Binjadock project to display results

Install

The basic process is simple and looks like this:

  1. Clone the repo to your local machine: git clone https://github.com/pbiernat/ripr.git
  2. Place the repo into your Binary Ninja plugins directory, or create a symlink pointing to it.
  3. (Optional) Install PyQt5 – The latest version of ripr does not require this.

Windows

Installation on Windows typically requires installing PyQt5.

  1. Follow the steps above
  2. (Optional) pip2.7.exe install python-qt5

Note ripr assumes your python installation is located at C:\Python27. If this is not the case, change the location as appropriate inside gui.py.

Usage

Packaging a Function

From within Binary Ninja, right-click anywhere inside of a function and select [ripr] Package Function.

After packaging, a table will appear listing all of the “packages” you have created with ripr during this session:

Packaging Specific Basic Blocks

You can also choose to only package specific basic blocks rather than the entire function.

Select any instruction inside the basic block of interest, and from the right-click menu, choose [ripr] Package Basic Block. Repeat this for any other basic blocks you want to gather.

Finally, select Generate Selected BBs from the context menu to have ripr generate output for them.

Contextual Highlighting

ripr will contextualize code you’ve selected for packaging within the GUI.

  • Basic Blocks that have been included or identified have their background color darkened
  • Instructions that have caused a data dependency to be identified are highlighted Yellow
  • Call instructions to imported functions are highlighted Red
  • Call instructions to functions inside the target binary are highlighted Blue
  • Instructions that access uninitialized variables are highlighted Orange (Basic Block Mode).

This is meant to give the user visual cues about what ripr has seen and automatically identified, making it easier to see “right off the bat” whether manual modification of the package is necessary.

Options while packaging

There are a few different prompts which may appear while packaging a function.

The code contains calls to Imported Functions. How should this be handled?

Choosing “Hook” will allow you to write-in your own functionality that runs in lieu of imported functions. Selecting “Nop out Calls” will replace the call instruction with a series of NOPs.

Target code may depend on outside code. Attempt to map automatically?

Your selected code contains calls to other functions within the binary. Answering yes will automatically map those functions.

Use Section Marking Mode for data dependencies?

Answering yes will map all sections of the binary that are touched by the target code. Answering No will use Page-Marking mode, where every page used by the target code is mapped into emulator memory.

Source: https://github.com/pbiernat/

 

 

Read more…



Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat


Leave a Reply

Your email address will not be published. Required fields are marked *