Welcome to reversing forward with air toai. I'm pancake and I'm presenting this for the nowsecure connect 2025. My real name is Sergio Alvarez but most people know me as pancake. I'm working at now secure in the search team and I'm in the position of the mobile security search engineer. I'm a free software hacker and I mainly focus on iOS. I'm also the author of radar fsmon apple sign and many other free software tools. You can read my timeline in the following fediverse account. But first of all, let's see the last news from Tulan. There was the last release of RAR that happened in November 24. Uh right now we are in the API breaking season. This means that there is a lot of changes in the API and every time you pull a new version from the git, you probably need to build and recompile all the plugins that you are using. Um but this means that we are changing a lot of APIs also improving the code quality and changing the behavior of some of the libraries. Uh and at the end of this season hopefully in a month something like that uh you will be able to experience stable releases again. Uh there is a lot of changes not just from the API changes um that are improving the code quality analysis and also improving the the support for many binaries like for example improving the relocks on ELF um improving the code analysis and also the better sweep support. Uh all the mangling and analysis for embedded strings uh has been improved quite a lot. Uh there is also support for a new feature which is uh imports kinds which basically classifies all the imports that you have from your application and ends up organizing them into different sections. So this means that you can uh filter all the imports by network access format strings uh thread safety etc. Also there is an a new file format supported for patching which is the expite which amps to handle a standard file format like unified diing but for binary format. uh this is still still an ongoing uh standard but this is already supported in Rodaria and this helped us to improve the organization of all the libraries that are implemented uh for difficult and another interesting feature that we have right now is the app entry points. There is a list of entry points not just from the main executable but also from all the other libraries and callbacks that can happen when an application is running. This means that for example we can list and enumerate all the entry points for an iOS application that is accessing the uh or handling some specific uh application views. This is helping a lot on representing mobile applications in the around the main project. We have a whole ecosystem of different plugins. Uh for example there is a new version of the yara plugin. The YA plug-in has been uh maintained for a while and it was not properly u developed as a properly project. Right now we have a separate repo with the CI builds uh tested on all the predictors and also improving some of the features. This plug-in can help us to define uh JA signatures which can identify some uh some signatures and some features of the applications like for example uh static uh link libraries, some packers etc. Also there is a new build of the web assembly support for HTML 5. Uh you can build our tool for web assembly and then use it in your own website. Execute the shell, execute any of the internal APIs or just run the comments and get the output embedded from JavaScript. There is a lot of new stuff in Yito which is the graphical user interface. There is a uh many of the widgets that was missing in the last release are now implemented. This means that you can now uh define memory layouts. Um there is also so many features like for example integrated with AAI configuring different options uh scripting widgets etc. Uh there was a bunch of improvements on the way that we distribute the tool. Uh but this won't be released uh until we get the new version out. There is uh support for DMG. We are embedding R2 inside the build for Yito. Uh so you don't need to build or bypass any signature check. Just download the DMG, run it and that's it. That will work on all the platforms. Um we use flatback for Linux and there is also native builds for Windows. Also there is an updated support uh for uh different plugins that for example Dart, Unity and Sarif. uh the Dart programming language um builds some specific metadata and we have some plugins that can extract this metadata to improve the disassembly. Same happens with Unity. If you have any Unity app that you want to analyze, R2 can help in a much better way. Now just run the plug-in, it will be parsing all the metadata and finally at the end you will get a proper uh disassembly with meaningful names. Also articra has been updated and R2D as well. These are probably the two main the compilers that we use in introd. But first of all um we would like to talk about Arto Freda. Arto Freda is probably the main plug-in that we distribute across uh from NSCure and this is the plug-in that integrates Freda within Rodar. So you basically get the best from uh static analysis and dynamic analysis. Um, Erto Freda has been always updating and pulling the last version of Ofreda in order to test and verify that every single release is solid and also uh testing it in more different ways than just injecting scripts. Uh, with the last version of Freda, you can use native breakpoints and watch points. This is because Freda have been adding support for uh native breakpoint and widespoint APIs. Also uh there is improved support for tracing and waiting models. This means that uh when an application is loading a library or a framework uh you can get notified about that and same happens when there is a new thread created destroyed etc. You can enumerate the threads uh and detect when a new thread is created and also enumerate all the thread entry points. This means that when you attach to an application you can list not just the threads that the application have and the name that they have been assigned but also you can get the function pointer that is handling the beginning of the thread. This is very helpful for analyzing large applications and it will help you for sure. Also, we added support for remote Freda device servers. This is a new feature that we have in Freda that uh basically allows you to expose even the USB connections through the network. You don't need to depend not just on local device or network connection to get access to their USB devices. And finally, we have support for the app specific entry points. This is the same thing that we had before and I was explaining in the air application entry points but implemented inside freedom. So one of the main problems that we have in R2 is the learning curve. Uh there is a lot of people complaining or um spending lot of time trying to learn and use because it's a common tool with lot of features and so many different comments that probably can be a little bit overwhelming when starting to learn engineering. So I want to introduce you to AAI as a way for reducing this learning group and get a better understanding on how the tool works and how to manage to solve some of the problems. So let's start for the AI integration in RA. So this is not something new actually was the first tool uh to integrate artificial intelligence in engineering. It was start in the early 2023 we get support for that. uh but as long as this is uh technology in the computer field that it's evolving pretty fast uh there is a lot of improvements a lot of new features new models and new uh capabilities that we can get uh integrated with our tool so it's evolving all the time you get get new changes every single week and and there is a lot of people playing with that um it supports many providers this means that you can use AAI not just with local models um if you care about privacy but you can also connect to any remote service like uh open AAI uh or cloud for example it's all supporting rock deepseek etc uh but we main to focus on local models the reason is because we want not to depend on external services for reverse engineering because uh applying these kind of techniques uh usually you don't want to leak or inform anyone that what you are doing but for sure that's something that's require some specific hardware local some uh computer performance and also you need a lot of hardware for running this and also the quality for remote services usually is quite better and faster. So uh depends on the on the project that you are working on. You may evaluate which is the best solution. Um there is so many different ways to use AAI and I will explain from the beginning to the end but basically uh you can use language models to make questions and get some answers but you can also use that as a way that the language model or to or the AI it interacts with R2 directly. Uh with that you can maybe just ask the model to solve a crack me and the model will be running comments um inside your shell and get the output pass the output and evaluate which is the next step that needs to be done. Same thing happens with the MCP server which is kind of the same solution of the auto mode but integrated with clot and clot is basically separate app that you get a way to interact with external tools and air can be exposed as a tool for that. There is also a native support for vector database and a custom data set for uh training and fine-tuning all the language models. The custom BDB which is a vector database allows us to extend the knowledge for a specific uh language model to instruct the model uh about how to use or to many language models don't really know how to use the data properly or maybe they just um do it but they miss some of the comments. Uh so this is the key trick to improve the quality of the results and reduce analysis set for when interacting with language models inside our two. Uh also the initial implementation that was done in 2023 was written in Python but uh over time we realized that this was a big problem for many um users because it's depending on the different versions of the of Python installed in the device and it's also depending on on the all the dependencies which end up uh taking more than one gigabyte of disk. So we end up rewriting everything in C and JavaScript. And we have a couple of plugins. One is called the Kai and one is called Earth2 AI. And basically the R2AI serial right u takes like 20 kilobytes in disk and just communicates with your local or remote models is able to do the same thing that the gigabyte python implementation. So to summarize we have air2ai model data set. We have air2 clippy which is an assistant in the form of a clippy and it's helping you to answer questions about how to use air tool or maybe not just about just um how to use the tool but also how to do some specific analysis. So if you're analyzing iOS application or an Android one you maybe you don't know where to start. So you can ask the clippy um where to start to look at or which is the next things or which are the hints that can give you or which are the OASP um rules that are recommended for following uh proper uh mobile application analysis and and so uh it's not just an assistant to help you onto but also to help you on all the analysis when working on on on any reverse engineering project. Also the everything was written in C. Uh so Python is no longer a dependency. Uh the DAI focus on the compiling. So you basically get um the output of the cell disassembler inside R2 and many other comments as context for feeding the language model and providing a custom uh prompt uh with some specific options to make the output deterministic. You can basically get a proper the compiler output in the language you like. This means that you can get swift de compilation, C# de compilation and if you like you can get the output in any other language like maybe bash python etc. Um the guy is also providing auto support and many other uh comments like can help you to rename functions do type propagation etc. So uh both plugins can work independently. Uh but the guy is probably the one that you are more interested because it's easier to update and also it's evolving much faster than the seal right. Uh but at some point when both projects get stable they will be getting the same features in in both sides. Um then we have tomcp which is the MCP service don for uh clot. There is other non-cloud um uh servers and demons for using um the context protocol like uh for example open web UI you can use um uh other tools that integrate external tools to to connect rod to this service and then you can just talk with the model and uh tell them to analyze one binary uh and solve some specific questions like create like a full automated analysis for uh security or the network endpoints or the any issues that you can find in there and then the model will be basically understanding the question following the guidelines for proper mobile security um development and then give you a proper analysis after taking all the data from R2 and finally we got the inline auto mode which is implemented in the kai and also in in aai so what we're doing here is basically prompt the language model from inside rod to solve one specific question and then it will be executing the comment getting the output back and then uh analyzing the output until this solution is is there some of the features that I was explaining before is that you can get uh autonaming functions variables you can solve difficult tasks like for example uh solving trackm it's also able to find vulnerabilities you can provide a binary with and ask the model to find vulnerabilities in there it will be looking for the most common things but you can also continue talking with the model to to solve the more complex task or model specific things like uh SSL connections which uh arguments have been passed to some APIs things like that. Um it's also identify proper types um using function signatures and also able to transpile the compilation. It's also helpful for documenting full binaries or commenting code. All these features are great not just for analysts but also for learners that want to understand better how to analyze applications or how to learn and use in a better way. And now let's start with the demo. We'll go into a repo that's called examples that contains different binaries uh that can be used for testing and the guy. Uh the first demo that I will show you is how an iOS swift application in release mode can be the compiled using air2ai. So I will be loading the script that basically analyze a few functions that I'm interested on and jams directly into the function that checks for the password. We can compare the output from pdd and also from uh gedra. As you can see the output is very verbose and contains a lot of boiler plate and the string is composed in assembly. Um this is why earth to analysis find outs by emulating the code uh when the string is constructed in memory and all this stuff will not be working on any other compiler there because this is just uh constructed using constants and this is uh not working with the standard the compilers. You can also use pdg to compare the outputs with the gira and you can see that the string is also available as a comment. So the string itself will be basically uh the these constant numbers. So it's not really useful if you don't use emulation. And what we can do now is basically use the Kai. The Kai is the R2JS um plug-in for to it's integrating different language models for the compiling. Uh we can check the configuration options with minus E and we'll see that now it's using the cloud API and also it's using Swift as the compiler output language. We can also change the prompt but for now this is fine. I will just the run the k minusd that will be taking the output from pdc that's specified in here and then um analyze it to uh remove all the boiler plate remove and any other things integrating strings as comments. Uh so at the end the output is transformed and transpiled into swift code which is very uh readable and idiomatic and very easy for the analyzer. Um, we can also check that we can change for example the language and use Python. Maybe we can also choose a different model like maybe Germany or maybe we want to use uh JavaScript and then the compile using Mistral. As you can see, the Kai is very uh powerful and you can change anything. You can even change all the configuration options for the low-level uh temperature uh because by default the deterministic option is enabled. This means that every time that you provide the same input to the model, it will be giving you the same answer. Um so let's go into the next demo. Uh I will be checking a stackable overflow program. So this is a small C program that contains a very simple buffer overflow vulnerability. It's using a string copy taking the first argument and copying that into a local uh buffer. Uh the problem is that this buffer have a 32 byt in size but the input can be longer but can be longer. This means that uh if we provide a longer string as input it will be overflowing the stack and therefore can be executing code. So we have compiled the problem here and we just load that into aai and now we'll just use the kai to solve the problem. So uh find enable already in this program and explain how to exploit it and how to fix it. I'm using the kinos a which will be running in auto mode. will start thinking then the model will be answering which is the action that must be executed inside R2 in this case he need uh the model needs uh to get basic information so it's trying to run the I common we can just press enter we you will see the output of the command and then we'll start thinking again it's saying that it needs to analyze the binary so it needs to run a aaa let's just press enter we'll be running the same thing now it wants to count how many functions there are in the binary as you can see we can also skip this step we can also uh press Q to solve with the current information or change the behavior. We can provide a different comment and different description. So the model will be learning from our workflows and use cases. Let's for now just press enter. It's requesting to run FALM which is basically listing all the functions with the uh functions called and then it's uh requesting to uh the compile the main function. This is the output. starting to think about that and then we can probably get the result out of that. There there it is. Soi well in this case um the guy is identifying the polarity. It's saying that the main function is using a string copy and it's trying to copy a longer buffer inside. So in this case explaining that needs to uh so in order to overflow we can use this line and how to fix the monority it's providing uh some good recommend coding recommendations and other security um considerations that must be taken into account. Now let's jump into a more complex problem. Uh let's try to solve a crack me. In this case I'll be using ai instead of the guy. So I will load the binary. We can use minus e. We will see that by default we are using open AAI. Uh I was using uh clo before in the other demos but we can choose whatever model we like. Um so let's just do the same solve this crack me. It's prompting me to execute Ialize then getting binary from information and then list of functions. Then it's requesting to disassemble the main function. As you can see the prompt of showing me the model, the amount of the tokens and also you can see uh how many money you're spending here. So uh now it's explaining in every single step what the function is doing and what will be the next step. So it seems like it needs to disassemble the check function. So I will just accept that. Uh seems like the check symbol doesn't exist because the name should be uh prefixed with the sim token. So I will it's requesting to run the same thing using the u virtual address. So we get the proper disassembly of the function. It's analyzing the disassembly. Then it's trying to disassemble some more bytes. It's finding out that it's calling uh other functions like the sim.parang. So it's requesting to do that same issue as before. As you can see the model is trying different ways to solve the same problem in case anything fails like any human will do. And now we can see that we had that the function is basically parsing the string that is provided by the by the user and checking for the lower bit. So if this is correct this means that the check um must pass uh when the number that is provided by the user is an number. Like for example any correct input that is matching this will work in this case it's providing um uh 16 as a valid password and we can try that that will work okay so um after that I will go into check with MCP mcp is a way to communicate model uh language models for example open web UI cloud etc and connect external tools to it so in this case I have um entropy cloud application that it's connected to R2. R2 is providing all these methods. So it can open file, it can list functions, list libraries, import sections, etc. And all these actions will be executed by the model when requested. So I will say open/DMP/DS which is basically a copy of the DeepSc iOS application binary and follow the OASP security guidelines to generate a uh a report with all the findings about privacy issues, security and vulnerabilities with the disk encryption. then network. This is an iOS application. Uh and then just wait for it. So it seems like it's now starting to uh call. So we will just accept that. As you can see, it's um uh MCP is just executing code. It's just asking you if you want to execute or not. You don't have a way to uh specify a different behavior, skip any comment or um give some feedback to the model in order to get them uh learn from your actions. So, it's less powerful than air2ai, but it's more powerful because in the sense that you can execute uh and get better reports out of that. You can also ask uh the kio to AI to generate reports in the same way. Uh but the cool thing is that uh clot is integrating all these and you can basically uh get analysis from that. So as you can see right now uh R2 is being executed by um clot which is kind of dangerous. This means that uh any if you have multiple MCPS that can be executing code in your machine can be accessing files can be accessing um uh private data or anything like that. So it's important that you verify everything that you do and also the M it's important to know that MCPS can happen with this in this case uh R2 MCP is running in sandbox mode. So it's not able to execute or access data from anything else than just this /dmp and it's also not running um uh it's running sandbox. So it can it won't be able to do much stuff outside that. And also as you can saw um I'm only having the R2MCP. There is no other MCP servers running in this machine. So it won't be able to get code injection like in prompt injection from different models. So it's something to take into account when you use MCPS. So what we can see here is that apart from executing all the code we get the output to get the prompt what's executed by clot and what's uh the output from uh from two and then it's we can read all the evaluation and all the steps that uh cloth is is taking into account to perform the next step starting to the compile functions and the cool thing is that MCPS provide a more idomatic way to expose all the metadata. instead of running air to comments it's providing um uh the action name with a description. So it's more high level than uh just running air to comments. So as you can saw the learning curve for using the other um comments like AAI and the Kai is much better for learning but in this case uh you can use um R2AI uh R2 MCP in this case to get some feedback from the binary. So we can see that all this information and this report is being executed and generated in few minutes in your in uh by using uh entropic plot. You can see that there is some network security issues. It's listing all the endpoints the remote servers that it's using and the paths and so on. Also we can ask the model to get some uh recommendations. And as you can see this application is not secure. We already wrote a document in the blog of NASsecure um with some of these vulnerabilities. And the cool thing or probably the most important part of this is that um you should be verifying every single thing that the language model AI is is giving to you because anything can be vulnerable, anything can be false, it can be hallucinating data. So it's important to take all this information as uh something that you should be verifying and not trust the AI output uh by itself. But anyway, as you can see, all this data is correct because I was verifying that before. And it can be very helpful for getting some reports and analysis. So to finish my presentation, I will say that future is now. Uh so there is a lot of things that you can do with AI uh without having to know what you are doing. But this is kind of dangerous. I will always recommend you to learn more, learn how to analyze applications, learn how to use the tools and use this AI as a tool not as a replacement for an analyst or someone else because it's provide it's able to do so many things but it's always require humans to verify things and use the tools in a proper way to the to get the proper results. Um in the future I want to improve AI to AI uh with learning per user learning per app. This means that every single application can have a project that can be uh providing better context for the analysis and also it should be adapted to the user. So every user works and uses are too different. So it's important to behave different on each case. Also um we have a a data set for extending and training models to user R2 in a better way. So this data set will be improved over time and we will be providing more data models that you can use in local with few megabytes of RAM. You don't really need to use large um uh language models in local to do the same thing. And then I would like to have support for conversational support. Um already it already is supporting voice. So you can talk with your voice to the machine and it will be running comments without having to uh um say the comments by itself. just asking for the action and then R2 AI will know what comments should be doing and uh but it's not a conversation you cannot stop the conversation or the actions or run things in background it's it's like one step then the next one etc. So and after that I would like to release 6.0 that will be uh marking the new stage of development and that's it. If you have any questions, please drop them in the chat or join the Telegram Matrix Discord channels. Uh and I will be always available for helping and resolving any question you have. Thanks for watching.