BSidesSF 2026 - Reverse Engineering Go Malware: From Manual to AI-Powered Analysis (Asher Davila)

the main reason you're here. This is the AI theater. AI and LLMs all day long. Of course, that is a huge part of our industry. Uh taking over every aspect and of course it's super popular. And so I'd like to introduce you to present reverse engineering go malware from manual to AI powered analysis. Take it away Asher Dila.

>> Thank you. Hello, my name is Asher. Uh, thank you Jeremy for the kind introduction. I'm a security researcher at Palato Networks. I do a lot of um things around IoT and OT security research. I publish some articles for unit 42 and also I like to develop open source tools and share some of the things I do here at conference like this one. Uh let's start talking about a little bit about go. So go some people call it Golang. Um I think the official name is Go. I don't care how you call it, but just to let you know that the official name is go. Some people uh say that probably they started naming it Golang

because it's easier to search for it in Google. It was uh designed by Robert Griezmmer in 2007, but it was uh publicly available until 2009. Uh it's been very popular in malware. And so one of the reasons or one of the many reasons for using uh malware is because it is uh it can be uh it can support different uh platforms. It's a cross compilation supports cross compilation and it also uh let's say quote unquote by default it can be if if you compile a go binary is a statically linked uh and it could produce very large uh binary files. So uh it's difficult to distribute but also make it difficult to analyze for some edrs that

have limitations for static analysis on certain sizes. So you wouldn't see that some antiviruses can struggle to statically analyze these kind of files. Uh also as when you when you include sego so is basically when when go um implements or imports a C library is going to use this sego implementation and libraries like net or IOS user which are used for things like DNS resolution which is very common in malware. uh it is not going to be statically linked, it's going to be dynamically linked. So there's no default behavior. Uh but it's it's going to depend on the build environment that you that you utilize. Uh so for those are one some of the reasons why it's harder to analyze and

reverse new compared to C C++ binaries. And if we look in the news, do you see that there's an increase of usage of this language for for malware? You can see it in IoT botn nets. can see it in um rats in ransomware all kind of malware. So uh we in our telemetry from uh our firewalls we saw an increase from 2024 to 2025th. We wanted to see what exactly uh was there in that increase of uh kinds of like piece of malware for go. We saw that it's it's we have a a variety of malware. some it's ransomware IoT botnets which were previously not very common and um in 2024 we saw the first ICS malware targeting Modbus and

this malware was developed in go also I won't I don't know if you heard of this malware but in summary it was uh disrupting uh critical infrastructure from Ukraine and it has uh it also we also found another artifact which was called go encrypt and it was used to encrypt and decrypt JSON files, configuration files for the malware which contained IP addresses and other data that could be spotted by the EDR or firewall. So we believe that that was some of the reason they were using it and yeah so we're using we are seeing go being used for malware everywhere and some of the challenges to analyze these kind of files is as I said they

are they produce very large file sizes. So that sometimes that make it very complex to analyze the the count for functions you're going to see that is uh quite different like for go binaries it's quite huge compared to CC C++ and also one of the limitations are tools and tooling because uh most of the tools are made for C++ and when you try to parse these kind of binaries uh some of the tools kind of struggle for um opening them parsing them and show you the information about the binary And one of last thing uh from the large of of one of the biggest challenges to analyze is the strange string handling. So instead of being null terminated like

CC++ they are a a structure of two uh elements one is the string itself and the other one is the length of the string. So uh you you need to parse this in order to know when a string starts and when a string ends. And of course you can use the typical or the traditional tools that you use to analyze any other kind of binaries like radar ID pro binary ninja gedra uh but also you need to use some plugins or even develop your own scripts when dealing with these kind of of binaries and of course since AI is a hot topic I wanted to show you like some of the things I've been using for kind of make

it easier to to parse and analyze these kind of binaries. So let's start talking about some main difference between go and see. So we're going to compare this kind of capture the flag thing where one exercise that we did for for defcon. Uh if you look at them they are both very similar programs. They're like a hello world like programs one in developing go and the other one in C. However, if we look at the sizes, we see that uh the one developing go is quite huge, right? Uh it's 2.2 megs while the C1 is 16K and using radar, which by the way, you're going to see a lot of a lot of these screenshots uh in Radar 2 was one

of my favorite tools. So, here is just a piece of information saying that both of them were compiled in a similar environment in a sim machine. However, the size is quite huge in go compared to the C. If we use the typical command for strings, we see that for C is straightforward. We see the the string that we were expecting. However, if we look into the go one, it's uh it's a blob of multiple strings uh al together. So, it's so since this one is very simple one, it's kind of easy to spot where's the string that we're looking for. But if you are managing or dealing with a more complex binary, it could get

very complicated to find the strings that you're looking for. And then if we check the count number of functions, we see that for this same program um well for go the the amount of functions is is quite huge compared to C. And the reason is it it includes a lot of runtime functions that it requires to initialize. So even if we look at the disassembly for C, it's quite straightforward. is just uh moving the reference of the string to a register and then put it to the puts function. However, in in go even though it's a very simple program, you see that you require more initialization of different functions before uh doing the print. So yeah, I think it's

okay. And um if we use the decompiler pdg in this case is a decompiler that it's uh embedded within radar 2. I think you can you need to install it uh separately but it's uh within radar too uh you don't need to install githra to use it even like this very simple uh program you're going to see that it's understandable what is doing but still uh in go you will need to check the the reference of that uh address that is being passed to uh fp printint line before uh seeing what is being printed in screen but yeah that's the main differences that you're going to see even with simple programs and the sections one of the sections that you're

going to try to look for is the go build info. Uh that section is only going to be a separate one if on ELF and macro binaries. Uh however for PE you're not going to see it as a separate section. It's going to be embedded in its metadata. And uh by default it is compiled with go mode enabled and that's going to tell us uh in that section what were the modules that were included in order to compile this binary. So uh was going to be easier without like decompiling it to at least observe what uh some of the modules that were included within the binary. And this is what it what it looks like the go built info section.

And one of the important things to remember is that the magic number and um is going to change depend on the go version. So you need to be really careful about that. And uh this one is a simple straightforward compilation. But you can see the command line arguments, you can see the tool chain like that was used. You can see the architecture that uh the target architecture and the operating system uh for this binary. H then we're also going to see the string tab section that is all going to be present in unstrict binaries which means that binaries that those symbols were not removed and that is uh they they interact or they are related the

string tab and the sim the sim tab the symbols table and it can contain names like uh package paths uh runtime internal functions. you're going to uh find all of that but however in you know that in malware you're not not always going to have that information so for that you're going to look into this uh section that is one of the most important ones that you need to remember is the go PC PC line table which stands for go program counter to line number table and it was introduced in go 1.2 two. And this table is allows you like to map quickly between uh certain addresses and uh code. It was used to basically trace when like if you're

programming and debugging uh certain crashes or stack traces. So it makes it human readable. That was the reason it was introduced. Uh but you can use it to recover certain symbols, certain name functions and to start poking around. This is a a great start for reverse engineering these kind of binaries. So you see it's a kind of it has a lot of information there but one of the most important things that you need to see is the magic number. Again if you look for that magic number just remember that the magic number is going to change depending on the go version and also the function name offset. uh it's going to help you to calculate where the actual

symbols or the information the from the symbols start which in this case we see that 4 DD880 is the start of the section and then the function name offset is 60. So if we do the calculation we see that the number the resulting number is 4 DD8e0 and that's where the strings start. So uh you if you are developing your own scripts you need to par most likely you're going to need to parse this uh section and I recently open sourced this script that is based on radar. So you you have radar to install you can run this python script and it's going to help you to to parse different uh versions of of go with that that has

this uh go PC line table. if it doesn't have it as a separate section like with elf, it is going to do like a scanning through the binary to try to look for the the magic number and the sections. So, uh when you're trying to reverse engineer, you want to do either one of these three steps or multiple steps sometimes, but uh the the preferred one is go for locate the sim table. Uh however, as I said, sometimes it is not going to be present. So you're going to need to go for the second step that is try to locate the go PC line table if it's a as a separate section or if not

you will need to scan scan the whole binary to locate uh the the section manually and this is a reference from actually from uh official documentation from go. So yeah, some standard tooling is going to look for for strings and there are two kinds of uh strings um statically allocated strings and dynamically allocated strings. So statically allocated are strings that are like straightforward there in a in a reference but dynamically allocated strings are the ones that maybe are going to be concatenated or going to be referenced u maybe for um for format string. Uh so you need to consider that there are these two main types of strings and there are uh well I'm going

to show you later some some tricks for that one. Some some of the compilers have this embedded in which they have like a helper. You can select a compiler settings for for as for uh for for instance you see githra has the golan compiler uh setting. However, even though if you use it without any scripts, you're going to see that it not always uh resolves all the strings correctly. So that's why I my preferred option is go for go strings. I believe it was developed by the NCC group and you have different ways to find for uh this the strings. My preferred way of doing it is in this sequence or not always exactly the same sequence but

this is the idea that you first start to removing the predefined strings that are in the row data section. Then you try to detect known strings like known libraries uh those kind of things and then you recover the static strings first and then you go for the dynamic strings later. Um, and when you run it in that way, even if I select the compiler settings for Golang, you see in the left side that it couldn't find the the string that we're looking for. However, in the in the right one, you see that it was able to directly uh see the the string correctly. Also, IDA Pro 9.3 update did a good a really good job on improving the way it

compiles and references uh go. So you can see something like this. Uh in before the 9.3 uh update, it was kind of like more I mean it's correct but it's kind of like more difficult to read than the after the improvement. But let's talk about also some about AI assisted tooling which I think it's uh one of the coolest part about this is that since you need a lot of parsing uh LLMs can help you with some of these. So one cool thing about our radar is this model called R2 AI and this plug-in uh contains two main models which is the R2 AI and DK. So you can think about R2AI as Clippy. So you remember like back in

the day you were writing a document and it will say something like hey uh it looks like you're stupid. You don't know how to use uh Word. So let me help you with some features how you can how you can do what you're trying to do. Or maybe you're trying to write a resume. Let me help you to polish it. So this kind of uh R2 AI is going to be like clippy which is going to suggest you commands that you can modify or um or just accept them and execute them. Uh basically it's going to save you time for reading documentation. And DK is like an LLM based compilation. So it's instead of using the intermediate

language used by Radar, you're going to use uh this LM basic compilation. is you're going to provide to to the model uh the instructions from the assembly and it's going to try to provide some soda code and it has different use cases. You can use it as as an assistant. I say as as I said you can uh ask for to suggest commands like okay uh I'm trying to obtain the IP addresses from this binary and it can suggest you some some commands. You can use it as the compiler. So instead of using the intermediate language you can use this um you can send the the assembly code to the to the model and see what it

resolves as pseudo code. You can use it as a solver. Right now it's a very controversial topic of using uh AI AI or LLM based solvers but yeah you can still use it for that you can find vulnerability so you can ask directly like hey try to look for dangerous functions try to look for uh something that could be abused and it's going to try to find it as well and also of course renaming functions or variables which is something that reverses spend a lot of time doing it. So it is pretty straightforward to configure. So every time you see minus E, you can uh change one of the settings. Uh and you can use

models both like lo local or open source models. You can use commercials models as well. It supports different providers and also um different models. In this case, for this example, I was setting up a Gemini 2.5 uh pro, but yeah, you can set up different ones. And here here was one of the first uh versions that w that was released. And you see I make a like a simple question like what language does this program develop? It suggests some questions sorry some it suggests some commands and I just accept executing them directly and it the response was that it was that this is a go binary and if you see the reason why it says it was a go binary it

says because it found some like typical strings like like go panic. So, and you're going to see that this is uh one of the things that these models do a lot like they try to look for known strings. So, they try to be lazy. They look for things that says, "Okay, this looks like go." And they just assume it. They're not going to look for like magic numbers. So, very rarely unless you specify that. And you're going to see that DK is just the like the decompiler based uh AI module and it has a pre-append uh instruction for that. Uh but yeah, you can configure different things. You can put the language that you want to see the pseudo code. So it

doesn't have to be C. It could be uh JavaScript, it could be Swift, whatever you prefer. And also you can uh change the human language. So the explanation you can change it for Spanish or whatever other language that you prefer. So here I ask uh another question that is what is this function printing and then it goes directly and tells the conclusion that this is printing uh a simple string directly to the to the screen and that's it and uh through this through the past of these months I've seen that both the models and the tooling have been improving so every time like right now it suggests more u efficient commands. So in the beginning we will suggest

first to go and try to look for the symbol strings maybe look for information about the binary but this one it goes directly for more straightforward uh commands that could help you to achieve your your your task more efficiently and and faster and let's talk about so about uh MCP plus agents so I think uh it's something that right now also everyone is talking about MCP so I wanted to introduce you a little bit uh about some of the usage of MCPS here for this task and you can think about MCP as a bridge of different APIs into you can talk using a single API through different uh tooling. So you can talk to IDA uh gira

agent or same client. So in this case uh the first one I used was cloud desktop and plus radar and the configuration is pretty straightforward. you just set the JSON file uh pointing to R2MCP and then you can start asking questions. So you I in this case I was uh making a very simple question like tell me what this program is doing. Uh it asks for permissions to using radar to achieve it. It passes the instructions for the program into to the model and then it gives you the execution flow as along with the result. Uh you can see that you're going to you're going to find a lot of open source MCP servers for different

tooling. In this case, I was using the Mr. Exodia one, but you can see that there are so many you can develop your own. And these are two there are other agents that can be run uh through the CLI. In my case this and and the configuration is pretty much the same right the same same JSON file. In this case it has two configuration two MCP configured the AR 2 and IDA pro. This is one of my favorite agents which is open code and it's pretty very well known uh right now. And the reason is that it's more direct to use and it's quite easier to configure like the model the tasks. I think uh cloud desktop I

think the reason is because I'm lazy. But this one tells you more about like you want to configure this project uh what kind of access do do I have to this project? But this one is more straightforward and you can have access to pretty much as long as you just allow it. It will have uh access to the entire uh base code whatever you are trying to to reverse. And then the the configuration files is always the same. And this is one of the first kind of like agents or uh first integrations within these assemblers was sidekick as one of the first that that that I tried and it is embedded within binary ninja. So it has a manual mode and a guided

mode. So in a manual mode you like specify specific like task and it it will try to execute them directly. But with a guided mode, it's going to start prompting questions like uh do you want me to do this or what how do you suggest me to to do to do it? And uh let me see. Yeah, I think that's that's one of the ideas, right? Like like um not only for for binary ninja but in every agent you use is like I suggest that you try to guide the model as much as you can and not let the model guide you. So one of the examples I wanted to try some of this tooling was Pumabot IoT malware

because the other one was uh too simple. So first we look in virus total it was uh we detect this um malware sample and then we we check in radar that actually it is uh it was programming go and then we see this in the go PC line table section we see that it is using sego because most likely it is going to be used for uh network features network operations. And the same for Gedra. I try to open it using the Golang compiler feature. And you can see after running GRA and go strings, we can see the strings are uh formatted correctly like this one. Pumatronics. And uh I use Sidekick to ask like simple

questions. And first I start like in a very generic way and like telling like what is the most important behaviors of this malware? It tells me that it is using uh largecale SSH brute force attacks by fetching target IP addresses. It tells me that it implements and and establish connections to C2 uh servers. It tells me the domain that it is connecting to. It tells me some of the uh strings like Pumatronics that is um a camera brand. So it tells us like generic things and if we start asking more specific task or specific questions like what this function is doing it then provides better better responses like okay this uh function is doing a brute force using

maybe SSH credentials or whatever is doing right but in this case you need to spec ask very specific questions and be very specific about what you're trying to achieve otherwise it just provides generic information. Uh so as long uh the the more descriptive you are the better results you're going to see. So uh in this case I just ask a simple question or like more generic questions about this function which like hey what is this brute force or this uh try SSH login doing. It describes correctly that it is uh attempting to authenticate to a target IP and port using username and password and that it established an SSH connection and that it tries up to five

times. Right? And we can see that the loop in in the the compiler code that the loop seems correct. it is trying five times to connect and if not it is going to uh not going to attempt it again. And if I ask like hey what is the C2 domain it also provides certain things but as you can see again it is not getting these answers because it is looking into the network features and trying to see okay we saw that this is uh it is creating a socket towards this uh domain. No, you see it's only because it's s a string and that's the the the only reason it it flags it as a C2

domain but it's not very uh smart or is not very it is not doing it in a very smart way. If we uh change for set 4.5 uh we ask the same questions like what is the C2 domain and at least it's going to find more more references. So I think it depends on what you're trying to do. You're going to look for different kind of models or different kind of agents. So here again we try to compare sitekit with uh radar plus gemini and in sidekit we ask simple questions like uh is this sample a variant of pumabot or pumatronics and it says well yeah I saw the pumatronic string and that's it and

even if you see the string reference in the pod in the pseudo code you see that the string is not properly parsed. So yeah, it is not doing a great job. But as I said, if you're asking for specific questions, then it can you can try to look for uh maybe generic answers. But uh if we look in radar plus Gemini, we ask uh the same question. And actually this is a better answer. It tells you that that pumatronics is been looked for after executing youame minus a command, which is something that uh cameras contain. So after the malware executes that command in the camera, it confirms that that this is a pumatronics camera and that's why it is attributed to be a

part of the pumabot. Uh we also ask questions for hey is this malware doing some kind of evasion or persistent techniques. It tells you that it it only found one thing. It says that it is creating a system service that it has been trying to be disguised as readies. However, if we look manually into it, we see that there is a my mySQI uh that instead of MySQL, it is using the I to deceive uh the service as uh MySQL service, right? So, it is not able to identify all the persistent methods that the malware was using. Uh and then this there's this uh green blood go ransomware which is also pretty popular and I tried to analyze it.

again in a very dumb way but now providing more examples what they call a one shot or few shots and then I'm providing here a set of instructions that some models call uh skills like cloud skills right that's this is one of the uh ways you can improve your results is by providing a set of in of rules of what you want to do what are the steps that you want to take and and what are what is the format of the answers that you want to receive so it's a cleaner way to do it would be using the agent class to trigger different agents and to run it uh like specify an agent for

different uh different tools within the within your arsenal. But in this case, we're just trying to see like in a kind of dumb way what was the result. So we specify some of the instructions like and this is one of the most important part in which you still need uh a human someone with expertise that provides uh good example good instructions like a step by step how to do it and this is where a human with expertise needs to put their effort in like in specifying on how to do it uh what are the steps that should be taken uh divide it in different phases and provide a good plan that's going to make a huge difference on your results.

Uh so yeah for in this case it was like more it is for malware but it is more like generic instructions like okay get some IOC's and try to get some artifacts which by the way uh I've seen that most of the models uh have problems identifying IP addresses because not not all of them are in a string mode. So if like if it it is as a decimal u representation of the IP address then it's not going to be able to or not always is able to identify it. So you need to be really careful to specify how to uh find it uh or how how the model should find it. However, yeah we've seen

that it still fails a lot. Another thing that it fails a lot is even if we specify to look for uh encryption algorithms uh they it tends to com confuse uh the encryption algorithm that is using so for that I think the only way to improve it is using uh rack which is a retrieval um generation which you can provide more patterns more examples on what are the the different uh algorithms that can be found there and how it can be identified uh how how it can identify them. So you see in open code you have a window in which it tells you how much you have spent uh what are the steps that it has finished and which are the

the missing steps uh from your plan and it also provides you with cool key findings uh summary. So in this case it gives you like the hash the contact for the ransom note uh some of the capabilities the machine fingerprint and some anti-reovery techniques that it is uh implementing. So it is a good key finding summary and for about $1 you can have a full report with uh very decent results. So I think you can use it as an assistant. So like, hey, I want to have like a quick validation of what this is doing, then yeah, of course, you can uh do it with a with a for a $1. And then if we use a more advanced model

like Oppus 4.6, uh well, you're going to receive a more complete analysis for less than $5, I think it discovers more things, although not very different results. uh pretty much what some of the ex some of the things it found differently is the file types. In the first analysis for $1, it identified 50 plus file types while actually the binary contained more than uh 140 file extensions that it is encrypting. Also the machine ID generation, the fingerprinting in the first one, it said that uh the way to fingerprint the machine was through BIOS UU ID uh only. However, the malware was using different uh features to get the fingerprint like Windows product ID, serial numbers, host

name, etc. And the ransom note was uh document was missing from the first report. However, it's not a huge deal, right? I mean, depending what you're trying to do and the go compiler version was reported as 1.24 plus in the first model. Uh whereas in the newer model, it identified the precise uh version of the go. Again it's not a huge deal but yeah it improves the things that it can get. One of the uh differences like the main difference that you that we we observe is uh again that when you see the encryption algorithms it tends to confuse them a lot. So in the first one uh it confused the chaa 8 uh usage of the algorithm and

the reason is because there are some strings that mention that. Uh however in the in the in the new one it it was using uh a aes also I compared them with uh public blocks that were available although I'm not completely sure that they were using the same uh sample that I was looking into because not all of them contained the hash that they were using but at least one of them contained the hash and it was exactly the same and if uh we were able to identify some possible mistakes and again we're not completely sure cuz we're not have that sample but at least one mentioned the usage of chaa 8 as encryption algorithm

again uh but it was not the algorithm that they were uh implementing in the in the malware and of course there are also ways to implement dynamic analysis uh that's not my case or that's not the usage I was trying to get here for my case uh the way I see it is more like another sandbox or another kind of source of truth that you can have but again if you if you want use uh more approaches on dynamic analysis. There's the MCP for GDB and x64 DBG MCP in which you can run uh dynamic analysis. You can let the debugger interact with your with your models and there's also remnox and there are so many right now uh different

orchestrators. So this is an AI assisted malware analysis orchestrator that triggers uh more than 200 tools and it like has some uh workflows and some plans already integrated which gives you some ideas on okay how to start what are the the steps that you should that you should take. So if you don't have any experience I think it's great uh you're going to have great great results from here. Uh let me see if I can show you an example. Here's an IoT botnet and you can see that yeah you ask like hey can you analyze this file and then it's going to download the file and it's going to provide some some answers. Let's see.

So yeah, you can see it fails. This is something it fails a lot as well like uh unpacking binaries. Uh it's not very straightforward especially if you're doing only statically it's very hard to to see a good result from from unpacking. Although if it's a straightforward technique and it's a very well-known and documented then it might be able to provide you something uh very useful but not always. So yeah I think packing is also another thing that is not very good at and that's it. So yeah, I think uh there are a lot of things like this that are oh what there are a lot of uh sim things similar to this one that are orchestrators of

how to run run different tools. However, I would say I would suggest that you should be the one that guide the model try to pro uh provide a plan for the model that you're depending what you're trying to achieve. So uh it's going to depend I would say in this these cases of course it's open source and you would try you can try to modify it but for me it was not very straightforward. So yeah whatever works for you but my my suggestion is always try to guide the model much as you can and also giving a plan depending on the task that you're trying to achieve. Uh finally I want to give you this uh reverse me kind of

thing CTF challenge. uh it was developed by one of my co-workers Chris and he uh we tried to put this challenge uh for two different uh models and none of them was able to solve it although the the way to solve it is quite simple although not straightforward so I'm going to give you a hint which is it is using uh inline assembly code and it is trying to do it the way is trying to unpack it is like the typical way you unpack a binary however it has this has a little trick that uh at least none of the models has been able to solve it so far. So if you want to uh download the challenge, this

is a mega file uh you can download and that's the password if you want to give it a try. I would suggest maybe try to do a hybrid approach between AI and manual analysis and let's see how how it goes for you. So some of the key takeaways is that don't be afraid of opening different file structures. You're going to face similar issues if you're trying to reverse Rust. uh so try to combine traditional reverse engineering tooling with AI assisted tools. I think one of the cool things for us is like we have different sandboxes and we want to quickly determine if to which sandbox we want to send the the malware to or the sample to

and this is can uh quickly identify certain strings that points like okay this is a go uh binary and it's doesn't have to look for the uh for the magic numbers and also uh it is recommended that you ask specific questions or you provide a good plan have this idea of having someone uh human verifying the results or the answers. Do not trust uh blindly the results from the models. We see a lot of misidentification on CVE. So if you're doing a lot of like triage, could be difficult to just uh trust blindly in models. Although I think it's very good for chunk analysis. So if you grab a group of malware and you want to

know if they are related to each other, you can put it in a folder there with your agent and tell them like hey analyze all these malware and tell me your like the relation that could exist between or among them and it's going to provide very decent answers. But again uh human is always uh recommended to have to be uh in the loop like reviewing the answers and just also propo proposing efficient workflows and think about human workflows first then see how to make it like an automated way. Uh some people say that this is nothing different from uh providing a sandbox and just uh telling with a script like hey execute this command after the other

and I completely agree. I think it's just like any other sandbox. Uh however it is quite easier and and more simple to deploy than creating a sandbox from scratch like uh creating all these like implementations developing all these tools or putting them together to make it uh run in a pipeline way. I think that's something that you're going to uh find easier using LLMs. Other than that I don't feel like you have a very different results to what you get from a from another sandbox. it just maybe helps you to summarize things to provide uh maybe more structured reports but yeah other than that uh as I said also tends to confuse a lot the al uh the encryption

algorithm so be careful about that and and if you're doing a vulnerability research the way I I I see it is that it can tells you where to look at so instead of like looking at the entire binary it can helps you reduce the attack surface and quickly point you at some interesting things that you can manually validate and You don't have to use all these tools that I mentioned to start opening uh go binaries. This is just uh I wanted to give you like different ideas to improve your uh to start uh so you can start playing with them but also uh try to not take it as a cookbook right just these are just ideas

that you can implement and also the way I did it was not the best like for for example for for LM based reverse engineering of course the the best way to do it is with agents and specifying like what you want to do with each agent um and of course in an isolated environment But this was just like I wanted to throw things uh straightforward in the most dumb way and see what the results uh were and also how to start looking and poking around different uh structures or different file structures from C++. So these are the the tool links that I mentioned in the presentation. So yeah um you you can do both. You don't have

to have paid tools. You can start with uh just a few bucks and open source tools. So yeah, thank you so much. You can find me everywhere as Asher_Davida. Thank you so much. >> All right. Thank you, Asher. Uh this is a topic that's dear to my heart. So now we have time for for questions. We've got two questions in. I'm going to reiterate how we do questions here, especially because this was super full. We might have people in overflow who can't ask in person. So we use Slido. That is sli.o. If you go to that website and you can type in the code bsides sf2026 or you could go to bsidesf.orgqna that is quebec november alpha that has a

shorter link that you can go through. So why don't we go ahead and go for the first two questions here. I think these are really good ones. Um the questioner here has limited experience with reverse engineering but has noticed at least in large C and C++ binaries that aggressive C compiler inlining really makes it hard to determine where the functions in R. So is there a similar issue with Golang and Go when it's compiled where it's hard to determine what the higher level code structure was. Do things get inlined aggressively like that? >> Well, yeah, I think in those cases it's pretty much exactly the same as C++. I would it wouldn't make much difference.

I would say this is more about uh the only difference is the strings and the way maybe some um functions and symbols get offuscated. But I would say that that the techniques for unpacking would be the exact same. >> Great. And again we're in theater 14. So even if you're another theater watching this, if you submit the questions to theater 14 and Slido, we'll be able to see them better. Uh do any of the techniques that you've shown here apply to shared libraries implemented at Go like uh JNI modules? for that one. I'm not sure. I haven't looked into that using like LMS for example, but for manual analysis that yeah, that would be exact the exact

same. >> I'm going to throw in one of my own questions. I I noticed you had IDA in an MCP mode. Um, is that still usable with the latest versions of IDA that are kind of like cloud-based? Uh, >> uh, I don't know, honestly. I don't know if the cloud cuz that's like the cheapest version, right? The cloud version. I don't know if that one supports uh Go. I guess I my guess is that it does. >> Okay, very handy. Uh how about any um again we can keep slide go through Slido here. We have a few more minutes. Uh any questions locally if you're too afraid to type in and just why don't we go

here? I'll repeat the question for everyone. So I'm a developer and I know that you have the same vulnerabilities that you for flutter. >> So let me repeat the question. So the question is like in flutter are there the similar vulnerabilities that you would have in go? >> I I honestly haven't looked into flutter so I don't know. No I I don't want to give a wrong answer because I haven't looked into flutter. I'm sorry. Right. I I saw one more over here. Don't be shy. Your question is probably super relevant and everyone else is dying to ask the same one.

Oh, let me check through Slido here. Some more have come in. No, that seems about it. Cool. Thank you again. Oh, hey, one more. Okay. Is there a benefit of using different tools like how you did with the different MCP MCP servers? >> Yeah, for me that's a good question. I would say I prefer using some for scripting and some others for like more manual analysis or more manual verification. So I always use radar too for scripting because for me it's way straightforward very easy to verify and debug. So everything that has to do with scripting uh or almost everything has to do with scripting I use Roari 2. uh it has uh different binds for different

languages but uh it also has a API for Python so you can script directly there well for GDra uh I think it supports Jyon I don't know if it supports Python directly but for me I don't want to develop in Java so that's why I try to avoid that scripting for gira ID pro I think recently has been improving the way you can debug your scripts but for me the simplest way is related to um and also binary ninja. So anything that has to do like more like script or low more lowlevel like look directly into assembly code I always use radar too for things more like renaming variables like or providing maybe uh flow of what

things are happening for me I prefer uh using things like IDA pro or better decompilers than the one that radar 2 has because even radar says that the the compiler that it has embedded is not a decompiler itself is more like a kind of something in between some like intermediate language that it tries to provide for uh things like flat calculation and different things. So I would say for more manual verification or more visual things I prefer using either gira or IDA but whereas something that you need to script or something more lowle I prefer uh radar too. >> And this will be our last question it is an exciting one that is popular. What

are your thoughts on using MCP for CTFs and have you competed in any CTFs? No, I I recently like I I have stopped computing CTFs since like five years ago. So no, I I I haven't solved anything. I would say well CTFs uh using in my opinion using LLMs for CTFs it depends on how you want to see it like if you want to learn a specific topic and you're you're or the way I see it is you use CTFs for learning and then you throw the challenge to other then what's the point, right? But if I mean you're just trying to get points and have fun and and see how capable a model is, then

well go ahead. As long as the as the CTF does not prohibit it, then why not to use it and why not to check it out? And of course like it's a new par paradigm, right? And everyone's going to start using it. So I think even CTF challenge developers need to think about it like uh uh hackers are going to use whatever they have at hand. They're not going to see, oh, uh, we're not going to use LLMs because it's not, uh, professional or it's not ethical, whatever. Of course, they're going to use whatever they have at at their disposition. So, even CTF challenge developers need to think about the usage of LLMs. >> All right. Thank you, Asher Deila, and

thank you all. Our next talk starts in 15 minutes. Uh, there is coffee upstairs all the way until 4 p.m. So, if you really need coffee, feel feel free to go ahead and do that. And we will see you back here soon.