r2con 2019

radare2 yearly conference in Barcelona

September 06, 2019

I'm back in Barcelona for this year's edition of r2con. You can read my r2con 2018 report.

radare2 is debugging and reverse engineering toolkit. It's mostly used from the command line or through a programming interface (r2pipe) that is identical to the command line one.


Cutter is the official graphical user interface for radare2. It's cross-platform (written in C++ with Qt), and built on top of radare2.

It has a dynamic graph view, a linear disassembly view, and an hexdump view for data, and other various widgets.

During the last year, plugin support was added as well as a graph overview, a theme editor, and many new translations and bug fixes.

A new entrant in the reversing landscape this year was Ghidra, a new tool with a particularly powerful decompiler. The decompiler part is now integrated directly into radare, with the r2ghidra-dec plugin. This plugin also works with cutter.

It allows exploring the decompiled C-code side-by-side with the disassembly, as well as import headers to decode struct accesses, etc.

Who you gonna' syscall ?

Grant's goal with this talk is to share how he improved with frida and r2 on iOS, to automate analysis of arm64 protected iOS apps that include anti-debug.

down the business with r2dwarf

Dwarf in this talk, is a Frida frontend, and a framework to allow debugging a target process with a GUI. r2dwarf is a pipe between Dwarn and r2. It wraps common Frida operations to make dynamic debugging and reversing easier.

Understanding ESIL emulation

ESIL in an emulator inside radare2. It's built on top of an intermediate language based on reverse polish notation.

The ESIL machine is based on infinite memory and registers. There are then bindings/aliases to map ESIL registers to the architecture-specific ones.

The ESIL machine is based on a set of instructions with a stack machine (using the polish notation). Every native instruction is converted into a "transformation", which is an ESIL string in polish notation.

Overview of the Linux threat landscape

An issue with Linux is the low visiblity of the threat landscape. At Intezer, the team discovered many new threats, from crypto-mining to trojans and botnets, some of them coming from nation-state actors.

As the landscape evolves, threat detection will improve, as well as the malware methods. The goal of the talk is to present a few of the techniques for defender awareness, in particular ELF tricks.

ELF parsing can be complex. Sections in binaries get loaded into memory segments depending on their types. A common obfuscation technique is to remove or scramble some sections. To workaround that is to simply, the best is to ignore or scrub scrambled sections when analyzing.

It's often possible to break a parser with just one byte modification, for example, by modifying the endianness of the file.

Another presented technique is to hide dynamic entries. It has been found is a lot of native objects packed in android malware. The technique uses a mismatch between the section offset, and the address that is used to map the segment in order to have a fake dynamic section, and a real one that will be mapped in memory.

Relocation hijacking uses the relocation features of ELF: there are usually well known and easy to detect, but it's possible to use a few tricks to avoid detection.