ripr is a tool that helps you rip out functionality from binary code and use it from python. It accomplishes this by pairing the Unicorn-Engine with Binary Ninja. Currently, x86, x64, and arm are supported and work to a reasonable degree.
Reimplementing functionality is a common, often time-consuming, and sometimes arduous process that comes up frequently during reverse engineering. A few examples:
- A CTF challenge has a custom encoding/decoding scheme you need to use in your solution script
- A piece of malware uses a custom hashing or encryption function you need to implement
- You need to make sure your reimplementation behaves exactly as it would on the original architecture
ripr attempts to automatically generate a python class that is functionally identical to a selected piece of code by statically gathering sufficient information and wrapping it all into a “harness” for the unicorn emulator.
For some concrete examples (that are much easier to grok), check out the sample folder!
packager.py— High-Level Functionality. Code here drives the process of gathering necessary data
codegen.py— Contains code for actually generating the python output from the gathered data
analysis_engine.py— Wraps static analysis engine functionality into a common interface
dependency.py— Contains code for finding code and data that the target code needs in order to function correctly
conScan.py— Contains “convenience” analyses that help ripr output easier-to-use code
gui.py— A collection of hacks that resembles a user interface
- Reuses lots of code from the Binjadock project to display results
The basic process is simple and looks like this:
- Clone the repo to your local machine: git clone https://github.com/pbiernat/ripr.git
- Place the repo into your Binary Ninja plugins directory, or create a symlink pointing to it.
- (Optional) Install PyQt5 – The latest version of ripr does not require this.
Installation on Windows typically requires installing PyQt5.
- Follow the steps above
- (Optional) pip2.7.exe install python-qt5
Note ripr assumes your python installation is located at C:\Python27. If this is not the case, change the location as appropriate inside gui.py.
Packaging a Function
Packaging Specific Basic Blocks
You can also choose to only package specific basic blocks rather than the entire function.
Select any instruction inside the basic block of interest, and from the right-click menu, choose [ripr] Package Basic Block. Repeat this for any other basic blocks you want to gather.
Finally, select Generate Selected BBs from the context menu to have ripr generate output for them.
ripr will contextualize code you’ve selected for packaging within the GUI.
- Basic Blocks that have been included or identified have their background color darkened
- Instructions that have caused a data dependency to be identified are highlighted Yellow
- Call instructions to imported functions are highlighted Red
- Call instructions to functions inside the target binary are highlighted Blue
- Instructions that access uninitialized variables are highlighted Orange (Basic Block Mode).
This is meant to give the user visual cues about what ripr has seen and automatically identified, making it easier to see “right off the bat” whether manual modification of the package is necessary.
Options while packaging
There are a few different prompts which may appear while packaging a function.
The code contains calls to Imported Functions. How should this be handled?
Choosing “Hook” will allow you to write-in your own functionality that runs in lieu of imported functions. Selecting “Nop out Calls” will replace the call instruction with a series of NOPs.
Target code may depend on outside code. Attempt to map automatically?
Your selected code contains calls to other functions within the binary. Answering yes will automatically map those functions.
Use Section Marking Mode for data dependencies?
Answering yes will map all sections of the binary that are touched by the target code. Answering No will use Page-Marking mode, where every page used by the target code is mapped into emulator memory.