MastodonTech.de

cryptaxDecai decompiling a malicious shellcode. The instructions are not so readable, if you're not used to syscalls int 0x80. AI does it for you.<a href="https://asciinema.org/a/4PY8wn2TPg2oBdDQ0Q5bgMYjk" rel="nofollow noopener" translate="no" target="_blank">https://asciinema.org/a/4PY8wn2TPg2oBdDQ0Q5bgMYjk</a><a href="https://mastodon.social/tags/r2ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2ai</a> <a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> <a href="https://mastodon.social/tags/r2" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2</a> <a href="https://mastodon.social/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://mastodon.social/tags/shellcode" class="mention hashtag" rel="nofollow noopener" target="_blank">#shellcode</a> <a href="https://mastodon.social/tags/syscall" class="mention hashtag" rel="nofollow noopener" target="_blank">#syscall</a> <a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#linux</a>

cryptaxA blog post on r2ai / decai by <a href="https://infosec.exchange/@pancake" class="u-url mention" rel="nofollow noopener" target="_blank">@pancake</a> which shows decompiling to Swift : <a href="https://www.nowsecure.com/blog/2025/01/29/decompiling-apps-with-ai-language-models/" rel="nofollow noopener" translate="no" target="_blank">https://www.nowsecure.com/blog/2025/01/29/decompiling-apps-with-ai-language-models/</a><a href="https://mastodon.social/tags/radare2" class="mention hashtag" rel="nofollow noopener" target="_blank">#radare2</a> <a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> <a href="https://mastodon.social/tags/decompile" class="mention hashtag" rel="nofollow noopener" target="_blank">#decompile</a> <a href="https://mastodon.social/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a>

cryptaxr2ai solves my CrackMe in a few seconds. It's both elegant and educational.Read this: <a href="https://cryptax.medium.com/cracking-my-own-crackme-with-r2ai-5629bcc7d5fe" rel="nofollow noopener" translate="no" target="_blank">https://cryptax.medium.com/cracking-my-own-crackme-with-r2ai-5629bcc7d5fe</a>And view <a href="https://infosec.exchange/@dnakov" class="u-url mention" rel="nofollow noopener" target="_blank">@dnakov</a> video at r2con: <a href="https://www.youtube.com/watch?v=UxE5GNUBCXo" rel="nofollow noopener" translate="no" target="_blank">https://www.youtube.com/watch?v=UxE5GNUBCXo</a>cc: <a href="https://infosec.exchange/@radareorg" class="u-url mention" rel="nofollow noopener" target="_blank">@radareorg</a> <a href="https://mastodon.social/tags/radare2" class="mention hashtag" rel="nofollow noopener" target="_blank">#radare2</a> <a href="https://mastodon.social/tags/r2ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2ai</a> <a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> <a href="https://mastodon.social/tags/crackme" class="mention hashtag" rel="nofollow noopener" target="_blank">#crackme</a>

cryptaxI've been running decai with Claude AI on a malware named Goldoon.Ghidra is usually quite good to decompile, but just compare the decompiled output with r2 (<a href="https://infosec.exchange/@radareorg" class="u-url mention" rel="nofollow noopener" target="_blank">@radareorg</a>) decai/Claude and ghidra! This is marvelous. So much clear and concise + Claude immediately thought this was malicious (I didn't hint anything).NB. I will talk about this at <a href="https://infosec.exchange/@1ns0mn1h4ck" class="u-url mention" rel="nofollow noopener" target="_blank">@1ns0mn1h4ck</a> <a href="https://mastodon.social/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> <a href="https://mastodon.social/tags/radare2" class="mention hashtag" rel="nofollow noopener" target="_blank">#radare2</a> <a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> <a href="https://mastodon.social/tags/ghidra" class="mention hashtag" rel="nofollow noopener" target="_blank">#ghidra</a>

cryptax<a href="https://infosec.exchange/@radareorg" class="u-url mention" rel="nofollow noopener" target="_blank">@radareorg</a> the program was implemented using Swift, which does not disassemble very nicely. So, I tried decai. Output in C wasn't nice, but output in Java is quite usable. At least, the password is very visible.<a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> <a href="https://mastodon.social/tags/radare2" class="mention hashtag" rel="nofollow noopener" target="_blank">#radare2</a>

:radare2: radare :verified:When you find a method with a curious name and what to know what it’s doing with <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a>. (But don’t use it for cheating, you know 😜) <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

:radare2: radare :verified:Once again <a href="https://infosec.exchange/tags/r2ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2ai</a>, <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> and <a href="https://infosec.exchange/tags/r2frida" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2frida</a> to the rescue! They were really helpful in <a href="https://infosec.exchange/@as0ler" class="u-url mention" rel="nofollow noopener" target="_blank">@as0ler</a>’s, combining them in the process. <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

:radare2: radare :verified:Tomorrow we’ll be able to see how <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> was really helpful to decompile the STM8 firmware. So don’t miss it! <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

:radare2: radare :verified:Some more examples of <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> decompilation. And with -Q command you can also ask if the code is vulnerable and where, and it will answer that! Isn’t it awesome? <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

:radare2: radare :verified:Decompiling with <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> provides a really nice output, as you can see in the example below. But even with more complex binaries the results are surprising. <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

Marc RCrazy things at the <a href="https://infosec.exchange/@radareorg" class="u-url mention" rel="nofollow noopener" target="_blank">@radareorg</a> conference!! <a href="https://infosec.exchange/@pancake" class="u-url mention" rel="nofollow noopener" target="_blank">@pancake</a> joins to the stage to do a surprise talk about <a href="https://mastodont.cat/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> <a href="https://mastodont.cat/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

:radare2: radare :verified:When dealing with python is a mess, you can write your own plugin in js, so that was how <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> was born. <a href="https://infosec.exchange/tags/ia" class="mention hashtag" rel="nofollow noopener" target="_blank">#ia</a> <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

:radare2: radare :verified:And now… surprise talk from <a href="https://infosec.exchange/@pancake" class="u-url mention" rel="nofollow noopener" target="_blank">@pancake</a>! He will show us some of the <a href="https://infosec.exchange/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> magic. <a href="https://infosec.exchange/tags/r2con2024" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2con2024</a>

cryptaxI got decai (radare2's AI-assisted decompiler) to work with a local model, and tried it over a basic Caesar implementation in C and in Dart.To be honest, I think the conclusion is that the model I selected is not good enough ;) but <a href="https://mastodon.social/tags/r2ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#r2ai</a> and <a href="https://mastodon.social/tags/decai" class="mention hashtag" rel="nofollow noopener" target="_blank">#decai</a> are really great tools. Read my post to understand how to install, configure and use. Or RTFM :P<a href="https://cryptax.medium.com/using-ai-assisted-decompilation-of-radare2-e81a882863c9" rel="nofollow noopener" translate="no" target="_blank">https://cryptax.medium.com/using-ai-assisted-decompilation-of-radare2-e81a882863c9</a>many thanks to <a href="https://mastodon.social/@Pancake" class="u-url mention" rel="nofollow noopener" target="_blank">@Pancake</a> for his patience! "it's not working on my laptop", "try this then" etc<a href="https://mastodon.social/tags/radare2" class="mention hashtag" rel="nofollow noopener" target="_blank">#radare2</a> <a href="https://mastodon.social/tags/decompiler" class="mention hashtag" rel="nofollow noopener" target="_blank">#decompiler</a> <a href="https://mastodon.social/tags/dart" class="mention hashtag" rel="nofollow noopener" target="_blank">#dart</a> <a href="https://mastodon.social/tags/C" class="mention hashtag" rel="nofollow noopener" target="_blank">#C</a>

Frühere Suchanfragen

Suchoptionen

Verwaltet von:

Serverstatistik:

#decai