[Barb'hack 2025] Decompile Linux malware with r2ai
About reversing 2 Linux malware with AI assistance. Learn to spot AI errors + learn to tweak your context size and prompt to get the best results.
This talk presents 2 different Linux malware samples:
- a shellcode, named Linux/Shellcode_ConnectBack.H!tr. The binary is small and compact, but traditional disassemblers like Ghidra fail to produce understandable decompiled code. With AI assistance in Radare2, we obtain far better code, although a few things in it still need to be fixed by hand.
- a ransomware, named Linux/Trigona. This binary is bigger and more complex. We analyze it with AI, but run into several technical issues caused by its size, because the context sent to the AI becomes too large. We show how to work around the issue through r2ai configuration, an adequate choice of model, different prompts and different approaches.
References
barbhack: https://barbhack.fr/2025/fr/ (the conference is in French, the slides are in English)