This is the first part of the three-part series about code Emulation for Reversing Malware :
Part 1 describes how to use radare2 function emulation along with an exercise of cracking password of function implemented using radare2 python scripting plugin r2pipe.
Part 2 describes how to use the feature to decode a configuration of a Mirai IOT botnet, by implementing the solution in radare python scripting capabilities.
Part 3 improves the script created in the previous by adding more features of searching for addresses of encrypted string and creating function signature to search for decryption function instead of using the hard-coded address of the function.
radare2 is reverse engineering tool that can be very useful to reverse engineer malware or any type of binary as it supports many CPU architectures. One of the most striking features I found about radare is the partial code emulation. I was initially sceptical about this feature what could it be actually used for but think it about for a while and playing with that feature I realized its potential, it’s simply amazing.