I read the binaryaudit post a few days ago, and despite #radare2 winning the open source reversing tools benchmark I was surprised that IDA was faster... but I didn’t really check how they were running it until now 🤦‍♂️ so here I am once again sharing the same basic tips:

- do not install radare2 from debian, their package was updated 5 years ago 👉 use the last release deb files or build from source
- do not use aaaa unless you don’t care about time 👉 there are many specific analyses
- pdc is not a decompiler, it’s a pseudodisassembler 👉 use r2dec, decai or r2ghidra instead

Let’s dig into these 3 details a little 👇

So what’s up with pdc? Well, it’s the entrypoint for all decompilers: you can set the cmd.pdc eval variable to use any other decompiler (use “e cmd.pdc=?” to list them all).

By default it’s using the pseudo disassembler because it’s native to r2, it’s fast, uses esil emulation and it won’t lie. Is it good quality? No. Can it be considered a decompiler? Once again: no.

But it works quite well, and AI can understand the output very well; that was used by decai to transpile from assembly to any language, like bash, haskell or c#, using LLMs.

The r2ghidra plugin has been improved a lot recently. I think the last release is probably the first one I would care to use, but it’s still not 1:1 with r2 analysis and doesn’t take advantage of the esil emulation, which is sometimes important when analysing malware (strings built with registers or stack, etc.)

R2dec is the other option, it’s more verbose than r2ghidra, there are almost no optimization passes, it’s not leveraging esil, not the output is aligned with r2 analysis.

Which one is the best? Can’t say, because in r2land there’s usually not a single correct answer. So better try them out and draw your own conclusions.