Hacking strace for System Call Instrumentation

I was always fascinated by projects like Unicorn Engine and Capstone Engine where the author repurposed existing software development tools, such as QEMU and LLVM, for Software Security. While working on Reverse Engineering a binary in the MIPS WiFi Router. I needed to intercept and manipulate Syscall data exchange between router application with a kernel driver. I couldn’t find any open-source tool that could do that for MIPS architecture, then it stuck me that was the perfect opportunity to do something like Unicorn project.

Read more

Decrypting Mirai configuration With radare2 (Part 2)

This is the third part of our three-part series on code emulation for malware analysis:

  • Part 1 explains how to use radare2’s function emulation feature, featuring a password-cracking exercise using radare2’s Python scripting plugin, r2pipe.
  • Part 2 demonstrates how to decode the configuration of the Mirai IoT botnet by writing an automation script using radare2’s Python scripting capabilities.
  • Part 3 (this post) builds on the previous script by adding support for searching encrypted string addresses and generating function signatures to locate the decryption routine dynamically.

In the previous two posts, we explored how to emulate string decryption routines using radare2 macros and Python scripts. We successfully decrypted parts of the configuration, but not all of it. In this post, we will enhance our automation script to solve this. Specifically, we will find the addresses of the encrypted data dynamically and feed them into our emulator.

We will also address another interesting challenge: when testing our script against different Mirai variants, the decryption function offset changes. Even though the underlying assembly remains identical, the hardcoded address breaks. We can elegantly solve this by creating function signatures—another incredibly useful feature in radare2. Let’s get right into it!

Read more

Decrypting Mirai configuration With radare2 (Part 1)

This is the second part of a three-part series on code emulation for reverse engineering malware:

  • Part 1 covers radare2 function emulation basics and walk through cracking a password-checking function using radare2’s Python scripting plugin, r2pipe.
  • Part 2 (this post) details how to leverage emulation to decode the configuration of a Mirai IoT botnet sample by implementing a decryption script in Python.
  • Part 3 refactors our script to automatically locate encrypted string references and generate function signatures, eliminating hardcoded function offsets.

In the previous post, we explored how to use partial code emulation to decrypt obfuscated strings inside a binary. In this post, we will look at a real-world sample of the infamous Mirai IoT malware. We chose Mirai because it hides critical configuration details—like command-and-control (C2) servers and ports—behind encryption. Since Mirai is compiled for multiple architectures, we will focus on the x86 variant for this analysis.

Our main goal is to automate the decryption of this configuration array using radare2. Along the way, we will perform static analysis on the binary and reverse-engineer the decryption routine to understand its inner workings.

Read more

Emulating decryption function with radare2

This is the first part of our three-part series on code emulation for malware analysis:

  • Part 1 (this post) explains how to use radare2’s function emulation feature, featuring a password-cracking exercise using radare2’s Python scripting plugin, r2pipe.
  • Part 2 demonstrates how to decode the configuration of the Mirai IoT botnet by writing an automation script using radare2’s Python scripting capabilities.
  • Part 3 builds on the previous script by adding support for searching encrypted string addresses and generating function signatures to locate the decryption routine dynamically.

radare2 is an exceptionally powerful reverse engineering framework supporting a wide variety of CPU architectures. Among its many capabilities, one feature that consistently stands out is partial code emulation. While I was initially skeptical about its practical use cases, experimenting with it quickly revealed its massive potential. It is simply a game-changer for static analysis.

Read more
Your browser is out-of-date!

Update your browser to view this website correctly.&npsb;Update my browser now

×