#r2ai
New eBPF Filters for Symbiote and BPFdoor Malware | FortiGuard Lab FortiGuard Labs discovered new Symbiote and BPFDoor variants exploiting eBPF filters to enhance stealth through IPv6 support, UDP traffic, and dynamic port hopping for covert C2 communication.…

Variants of 2025 of Symbiote and BPFDoor support IPv6, UDP communication with C2.

Reverse engineering the samples with r2ai and r2mcp.

www.fortinet.com/blog/threat-...

#malware #Linux #BPF #r2ai #r2mcp


For my workshop "Reverse engineering with r2ai" at @uybhys.bsky.social tomorrow, if you have an x86 laptop, download the image in advance:

docker pull cryptax/r2ai:2025.11

#radare2 #IA #r2ai #UYBHYS25 #docker #workshop

Linux/Trigona analysis of /fast option (recorded by cryptax)

One of the demos is here: asciinema.org/a/pBPEaJhp6c...

It demonstrates the automatic mode of r2ai, where we can ask a question whose answer requires reading and understanding several functions of the binary.

#radare2 #r2ai #AI #LLM

Catching Smarter Mice with Even Smarter Cats | FortiGuard Labs Explore how AI is changing the cat-and-mouse dynamic of cybersecurity, from cracking obfuscation and legacy languages to challenging new malware built with Flutter, Rust, and Delphi.…

My blog post on how AI is reshaping malware and malware analysis is out: www.fortinet.com/blog/threat-...

Examples on Linux/Trigona, Linux/Prometei, Linux/Ladvix and Android/SpyLoan.

Enjoy.

#malware #r2ai #r2 #claude #delphi #trigona #rust #flutter


r2ai does that in the automatic mode. It's tedious, I agree, to be asked for every single move, but if you're working on malware, it's the only way.

#radare2 #r2ai #mcp 2/2

Publications | FortiGuard Labs A full malware analysis is quite long to perform. Depending on its complexity and the desired level of details, it takes between half a day and 10 ...

Slides of my presentation at @northsec.io are available here www.fortiguard.com/events/6101/...

Worked on 2 different malware samples and showed how well the AI performed overall in decompiling or de-obfuscating them, but also some errors it made in the details.

#r2ai #ladvix #shellcode #linux #IoT


Today I wrote an #r2ai widget for iaito, the official #radare2 frontend.

First page of the paper

Wrote a paper, with Daniel Nakov, comparing the #quality & speed of #malware analysis with and without #r2ai assistance.

Spoiler 1: quality is =, speed is ++.
Spoiler 2: do not expect to get good results in a single question.

arxiv.org/pdf/2504.07574

cc: @radareorg.bsky.social #arxiv #radare2


For those interested in r2mcp, it is now possible to run it locally with OpenWebUI and MCPO. #r2ai #radare2 #reverseengineering #llm


Wrote the “Analyzing a shellcode with #r2ai” article, posted in the latest PagedOut ezine

pagedout.institute/download/Pag...

Enjoy!

#shell #linux #radare2 #AI #malware


The C rewrite of #r2ai can now do auto mode at the same level as the original Python implementation. Kudos to @dnakov.bsky.social for the effort! #ai #vibereversing #reverseengineering

GitHub - modelcontextprotocol/python-sdk: The official Python SDK for Model Context Protocol servers and clients The official Python SDK for Model Context Protocol servers and clients - modelcontextprotocol/python-sdk

it's an excellent move, and I guess the MCP SDK is going to be used more and more in the future as it offers an API to AI tools (and more)

github.com/modelcontext...

+ I'm sure new tools are going to be added to:

github.com/LaurieWired/...

#r2ai #radare2 #mcp #ghidra


This Friday! Don't miss it! ;P

#r2ai #AI #malware #linux


Comparing Decai decompilation using @anthropic.com 's Claude 3.5 vs 3.7 with a simple strcoll wrapper function #r2ai #radare2

Communication with a Prometei C2 — Part Three I am analyzing a Linux Prometei sample of February 2025. In Part One, we found out this sample was packed. In Part Two, we analyzed the…

At last! I finished reversing the communication protocol of Linux/Prometei, with AI's assistance.

A bunch of hallucinations from the AI, but if you struggle on, in the end, you get the info you want.

cryptax.medium.com/communicatio...

#linux #prometei #rc4 #botnet #AI #r2ai #radare2

Solving Ph0wn Labs 01 Level 4 with r2ai (recorded by cryptax)

For Ph0wn Labs, yesterday, we had a 4 level crackme to work on. Watch how easily r2ai solves level 4!

(well, don't watch it if you don't want the spoiler!)

asciinema.org/a/B8UalyH6I3...

#radare2 #r2ai #AI #crackme #ph0wn


Last weekend I did some improvements for Decai

- load custom decompiler pipelines from external json
- deterministic mode for ollama, openai and claude
- add mistral endpoint.
- implement a vector database for embeddings from scratch in C with 0 deps

#radare2 #r2ai

Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst | FortiGuard Labs FortiGuard Labs reverse engineers a malware’s binaries to look into what the malware is actually doing.…

Analyzing ELF/Sshdinjector (IoT bot) with r2ai.

Really helpful and a time saver to use AI (with r2ai) for analysis, *but* use it side by side with a non-AI decompiler:

1. To direct the AI
2. To spot more easily hallucinations or extrapolations.

www.fortinet.com/blog/threat-...

#r2ai #IoT #botnet #AI

The Python program was generated by AI through r2ai. I slightly edited the output. I believe there are still a few errors. The program shows the decrypted values for the table created in table_init

This is decompiled source code generated by r2ai for table_init

The IP address 89.190.156[.]145 apparently comes from the encrypted table of values set in table_init. I had difficulties getting the final values with r2 + r2ai, and finally managed to. Entry 15 decrypts to this IP address.

#aquabot #mirai #r2ai

Tutorial on Using r2ai for Binary Cracking The r2ai tool, integrated with the radare2 framework, aims to simplify binary analysis by mimicking human reasoning and offering automatic error detection, while also encouraging users to be mindful of compatibility and best practices.

Unlock binary cracking with the r2ai tool in the radare2 framework. It enhances analysis by simulating human reasoning and automatically detecting errors. Stay aware of compatibility issues and best practices for optimal results. #cybersecurity #threat #binaryanalysis #r2ai


Some updates on #r2ai:
- added auto mode to decai with all models
- Support Gemini and X.AI
- Started full C rewrite (no more Python/JS)
- Use gpt4-turbo for 128K context instead of 8K on OpenAI
- Recursive decompilation to inline stubs and better type propagation

#reverseengineering #llm #radare2
