Code emulation is a well-known technique widely used in many scenarios unrelated to reverse engineering. However, it can also be a great aid in a range of reversing tasks, and it has recently become increasingly popular for this purpose.
We will start by providing an overview of the capabilities and basic usage of the radare2 free and open source reverse engineering framework.
Then, we will explain the basics of code emulation, focusing on why it is useful in reverse engineering and on how it is implemented and used within radare2 through ESIL (Evaluable Strings Intermediate Language), a comma-separated, stack-based intermediate representation. In particular, we will explain the workings behind its implementation as a "stack machine on steroids".
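As an added illustration (not part of the original abstract, and not radare2's own implementation), the following Python toy models how an ESIL stack machine evaluates an expression: tokens are pushed on an operand stack and operators pop from it, so `src,dst,=` assigns, `4,rsp,-=` subtracts, `val,addr,=[8]` stores and `addr,[8]` loads. The conditional `?{ ... }` form is what makes the machine more than a calculator: branches are expressed by assigning to the program counter inside a skipped-or-executed block. Flag handling is simplified here (`==` sets a `zf` register directly); the sample expressions and register values are constructed for the demo.

```python
import re

MASK64 = (1 << 64) - 1


class EsilVM:
    """Toy ESIL-style stack machine (simplified model, not radare2's code).

    Tokens are separated by commas. Literals and register names are pushed on
    an operand stack; operators pop their operands. Conventions follow radare2:
    "src,dst,=" assigns, "4,rsp,-=" is rsp -= 4, "y,x,-" pushes x - y,
    "val,addr,=[N]" stores N bytes, "addr,[N]" loads N bytes.
    """

    def __init__(self, regs=None, mem=None):
        self.regs = dict(regs or {})   # register name -> 64-bit value
        self.mem = dict(mem or {})     # byte address -> byte value (sparse memory)
        self.stack = []

    def _value(self, tok):
        """Resolve a stack entry: computed int, numeric literal, or register name."""
        if isinstance(tok, int):
            return tok
        if re.fullmatch(r"-?0x[0-9a-fA-F]+", tok):
            return int(tok, 16) & MASK64
        if re.fullmatch(r"-?\d+", tok):
            return int(tok, 10) & MASK64
        if tok in self.regs:
            return self.regs[tok]
        raise ValueError(f"unknown register or literal: {tok}")

    def _pop(self):
        return self._value(self.stack.pop())

    def read(self, addr, size):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(size)), "little")

    def write(self, addr, size, val):
        for i, b in enumerate((val & ((1 << (8 * size)) - 1)).to_bytes(size, "little")):
            self.mem[addr + i] = b

    def run(self, expr):
        toks = expr.split(",")
        i = 0
        while i < len(toks):
            t = toks[i]
            i += 1
            if t == "=":                                  # src,dst,=
                dst = self.stack.pop()
                self.regs[dst] = self._pop()
            elif t in ("+=", "-=", "&=", "|=", "^="):      # src,dst,op=
                dst = self.stack.pop()
                src = self._pop()
                cur = self.regs[dst]
                self.regs[dst] = {"+=": cur + src, "-=": cur - src, "&=": cur & src,
                                  "|=": cur | src, "^=": cur ^ src}[t] & MASK64
            elif t in ("+", "-", "*", "&", "|", "^"):      # y,x,op -> push x op y
                x = self._pop()
                y = self._pop()
                self.stack.append({"+": x + y, "-": x - y, "*": x * y, "&": x & y,
                                   "|": x | y, "^": x ^ y}[t] & MASK64)
            elif re.fullmatch(r"\[\d+\]", t):             # addr,[N] -> load N bytes
                self.stack.append(self.read(self._pop(), int(t[1:-1])))
            elif re.fullmatch(r"=\[\d+\]", t):            # val,addr,=[N] -> store N bytes
                size = int(t[2:-1])
                addr = self._pop()
                self.write(addr, size, self._pop())
            elif t == "==":                               # y,x,== -> zf = (x - y == 0), simplified
                x = self._pop()
                y = self._pop()
                self.regs["zf"] = int(((x - y) & MASK64) == 0)
            elif t == "?{":                               # cond,?{ ... } -> skip block if cond == 0
                if self._pop() == 0:
                    depth = 1
                    while depth:
                        t2 = toks[i]
                        i += 1
                        if t2 == "?{":
                            depth += 1
                        elif t2 == "}":
                            depth -= 1
            elif t == "}":
                pass                                      # end of a conditional block
            else:
                self.stack.append(t)                      # literal or register name: push it
        return self


def emulate(expr, regs=None, mem=None):
    """Run one ESIL expression on fresh state and return the resulting VM."""
    return EsilVM(regs, mem).run(expr)


if __name__ == "__main__":
    # x86-64 `push rbp` as radare2 lifts it (constructed register values)
    vm = emulate("rbp,8,rsp,-=,rsp,=[8]", {"rbp": 0x1234, "rsp": 0x7FFF0000})
    print(hex(vm.regs["rsp"]), hex(vm.read(vm.regs["rsp"], 8)))
    # `cmp rax, 0 ; je 0x401020` with the simplified flag model
    vm = emulate("0,rax,==,zf,?{,0x401020,rip,=,}", {"rax": 0, "rip": 0x401000})
    print(hex(vm.regs["rip"]))
```

Walking the `push rbp` expression by hand shows the stack discipline: `rbp`, `8` and `rsp` are pushed, `-=` pops the destination name and the source value and updates `rsp`, then `rsp` is pushed again and `=[8]` pops the address and the value to store. The branch example shows why this works as a pseudo-debugger: the program counter is just another register, so control flow falls out of plain assignments.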
We will continue by explaining how to script on top of radare2's capabilities from different programming languages using r2pipe.
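The following Python script is an added example (not from the original abstract or from the radare2 project) of the r2pipe pattern the lab uses: open a binary, send radare2 commands as strings, and get structured results back with `cmdj`. It assumes the `r2pipe` package and the radare2 binary are installed; the `SAMPLE_AFLJ` list is a constructed stand-in for `aflj` output (a few fields only) so the parsing helper can be exercised without radare2 present. The ESIL commands used (`aei`, `aeim`, `aepc`, `aer`, `aes`, `aesu`, `aerj`) are radare2's standard emulation commands.

```python
import json
import sys

try:
    import r2pipe  # pip install r2pipe; also needs the radare2 binary on PATH (assumption)
except ImportError:  # the pure helpers below stay usable without radare2 installed
    r2pipe = None

# Constructed sample in the shape `aflj` returns (subset of fields); not real radare2 output.
SAMPLE_AFLJ = json.loads("""
[
  {"name": "entry0",       "offset": 4198480, "size": 43},
  {"name": "main",         "offset": 4198726, "size": 312},
  {"name": "sym.check",    "offset": 4198608, "size": 96},
  {"name": "fcn.00401a00", "offset": 4201984, "size": 7}
]
""")


def summarize_functions(aflj, min_size=8):
    """Turn `aflj` output into (name, address, size) tuples sorted by address.

    Accepts both the "offset" key and an "addr" key for the function address,
    and drops tiny fragments below `min_size` bytes.
    """
    out = []
    for f in aflj or []:
        addr = f.get("offset", f.get("addr"))
        if addr is None or f.get("size", 0) < min_size:
            continue
        out.append((f["name"], addr, f["size"]))
    return sorted(out, key=lambda t: t[1])


def _init_esil(r2, start, init_regs):
    r2.cmd("aei")                      # initialise the ESIL VM
    r2.cmd("aeim")                     # map a fake stack for the emulation
    r2.cmd(f"aepc {start:#x}")         # set the program counter
    for reg, val in (init_regs or {}).items():
        r2.cmd(f"aer {reg}={val:#x}")  # preload registers (e.g. function arguments)


def emulate_steps(r2, start, nsteps, init_regs=None):
    """Emulate `nsteps` instructions from `start` and return the register file."""
    _init_esil(r2, start, init_regs)
    for _ in range(nsteps):
        r2.cmd("aes")
    return r2.cmdj("aerj")


def emulate_until(r2, start, stop, init_regs=None):
    """Emulate from `start` until the PC reaches `stop` (which must be reachable)."""
    _init_esil(r2, start, init_regs)
    r2.cmd(f"aesu {stop:#x}")
    return r2.cmdj("aerj")


def analyze(path, nsteps=20):
    if r2pipe is None:
        raise RuntimeError("r2pipe is not installed")
    r2 = r2pipe.open(path, flags=["-2"])   # -2: silence radare2's stderr
    try:
        r2.cmd("aaa")                      # full analysis, so aflj is populated
        funcs = summarize_functions(r2.cmdj("aflj"))
        for name, addr, size in funcs:
            print(f"{addr:#010x} {size:5d} {name}")
        if funcs:
            name, addr, _ = funcs[0]
            print(f"registers after {nsteps} emulated steps of {name}:",
                  emulate_steps(r2, addr, nsteps))
    finally:
        r2.quit()


if __name__ == "__main__":
    analyze(sys.argv[1] if len(sys.argv) > 1 else "/bin/ls")
```

The split between command-issuing functions and pure helpers is deliberate: the parsing and bookkeeping can be unit-tested with a fake `cmd`/`cmdj` object, while only the thin radare2 layer needs a real binary. Prefer `emulate_steps` (or an `aesu` target you know is reached) when exploring unknown code, since `aesu` only stops when the PC hits the given address.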
We will explore practical exercises and live demos that use emulation, scripting and a combination of both, showing how to get the most out of them in different reverse engineering scenarios: from simple CTF challenges to pseudo-debugging and analysis of non-native architectures, safe dynamic analysis of untrusted code, and recovering the original code from encryption/decryption routines inside obfuscated malware.
Finally, we will discuss the decompilation backends that radare2 can currently leverage, with a special focus on the Ghidra decompiler and its built-in integration with Cutter, the official radare2 GUI.
The main goal of the talk is to dig deeper into the radare2 reversing framework, mainly its emulation engine ESIL, highlighting the different ways in which reverse engineers can take advantage of code emulation in their daily tasks. It also covers scripting on top of radare2 and the modern decompilation options available within radare2 and Cutter, its official GUI.
The general outline for the lab will be as follows:
1. Overview of radare2
2. Intermediate languages & ESIL
3. ESIL operation
4. ESIL practical usage
5. radare2 scripting with r2pipe
6. Decompilation options
7. Ghidra decompiler and integration with Cutter
Each section will be accompanied by demos and exercises prepared for the attendees to solve on the spot with the assistance and guidance of the trainer.
# Attendee Requirements
There are no specific knowledge requirements for attendees, although the following is desirable in order to get the most out of the lab and the practical exercises:
– Basic understanding of computer organization and operating systems.
– Basic understanding of x86/x64 ASM and C.
– Basic exposure to the radare2 framework.
Attendees who want to follow the demos and practical exercises should bring a laptop running a GNU/Linux distribution (natively or in a VM) with at least the following installed:
– The latest version of radare2
– The latest version of Cutter
– The latest version of r2pipe (we will use Python)
An installation script and/or a pre-built VM will be provided a few days before the session.