# REcon Recap: Here's What Caught My Eye

By [Josh Grunzweig](https://www.paloaltonetworks.com/blog/author/josh-grunzweig/?ts=markdown "Posts by Josh Grunzweig") | Jul 02, 2015

A few weeks ago I was fortunate enough to attend [REcon](http://recon.cx/) in Montreal, Canada. This conference focuses on reverse engineering and exploitation techniques and has been going on for roughly a decade. In this post, I'll recap some of the presentations witnessed during the conference and provide a general overview of the conference itself.

Despite its long run, REcon is still fairly unknown in the broader information security community.
It's a three-day, single-track conference covering topics such as exploitation, software reverse engineering, malware analysis, and hardware reverse engineering, to name a few. The conference is generally limited to a few hundred attendees, which produces a very relaxed atmosphere. No jostling to try and get into a talk that you waited 45 minutes in line to see, and no need to compromise between attending talk 'A', talk 'B', or talk 'C', which all happen to be taking place at the same time in different tracks. The talks themselves often verge on the more technical side, with really interesting work being discussed and presented.

[![recon logo](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/recon-logo.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/recon-logo.png)

Figure 1. [REcon Logo](http://recon.cx/2015/index.html)

Because of the smaller crowd and intimate atmosphere at REcon, I've yet to attend this conference without meeting at least a dozen new and interesting people. This year was no different. People are generally very friendly and it's not surprising to find yourself chatting with folks at the hotel bar or joining a group of people you just met for dinner over in Chinatown.

During the three days of talks at REcon, a number of great talks were presented. Here are some of the REcon talks I found most interesting:

[**Totally Spies**](http://www.recon.cx/2015/schedule/events/35.html) *Joan Calvet, Marion Marschalek, Paul Rascagnères*

As the first official talk of REcon, this presentation did not disappoint. Joan, Marion, and Paul delivered a wonderful talk revolving around their research into the 'AnimalFarm' malware group. Those familiar with my background know that a talk such as this is something right up my alley.
The malware group itself is comprised of a number of different individual malware families, such as Babar, NBOT, Bunny, Casper, and Dino. Additionally, AnimalFarm spans a number of years (2009-2014). The presentation was broken up into discussion of individual malware families, and the presenters did a great job discussing some of the more technical curiosities present in each. They also did a wonderful job of pointing out the similarities across all of the discussed samples, which allowed them to group these families together. Overall, this presentation provided an overview of this lesser-known group of malware and shed light on various indicators and characteristics present in each malware family.

[**Radare2, building a new IDA**](http://recon.cx/2015/schedule/events/49.html) *Jeffrey Crowell, Julien Voisin*

This presentation was only given a 30-minute slot. This was somewhat disappointing as I would have loved to see Jeffrey and Julien talk more about Radare2, a fascinating tool. [Radare2](http://www.radare.org/r/) is an open-source project that provides a portable reverse engineering framework. As the title of the presentation implies, the main developers aim to provide an alternative, free framework that reverse engineers can use in their daily work.

I had not previously played with Radare2; I had only heard about it in passing from some of my friends and colleagues, but I never took the plunge. After seeing this presentation, I'd highly encourage readers to check out the project. Not only does Radare2 work on a number of platforms (Windows, Linux, OSX, Android, BSD, etc.), but it also supports a wide range of file types (MZ, ELF, Mach-O, Java, firmware, etc.). Radare2 has tons of functionality and I could certainly see it being a great tool to add to any reverse engineer's tool bag.
[![recon 2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/recon-2-500x383.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/recon-2.png)

Figure 2. [Radare2 WebUI](http://www.radare.org/r/img/webui.png)

That being said, there are a couple of limitations: namely, the lack of a proper GUI and a steep learning curve. In typical REcon form, this presentation was great to watch and Jeffrey and Julien did a great job of getting people excited about Radare2.

[**0x3E9 Ways to DIE**](http://recon.cx/2015/schedule/events/15.html) *Yaniv Balmas*

This talk focused on a new IDA plugin written by Yaniv Balmas. The plugin, named 'DIE' or Dynamic IDA Enrichment, aims to enrich a reverse engineer's IDA experience by supplementing static analysis with data generated dynamically during runtime.

[![DIE](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/DIE.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/DIE.png)

Figure 3. DIE Logo

Specifically, Yaniv's plugin looks at function arguments and return variables and performs analysis to infer their variable types. This data is stored in a separate database where it can be queried at the analyst's discretion. A number of great live demonstrations were performed on stage, and this plugin looks like it could be very useful when performing analysis on a file in IDA Pro. For those interested, the plugin can be found [here](https://github.com/ynvb/DIE). Additionally, I should point out that Yaniv used a Hitchhiker's Guide to the Galaxy theme, so perhaps I'm a bit partial towards this presentation, being a member of the Unit 42 threat intelligence team.

[**The M/o/Vfuscator**](http://recon.cx/2015/schedule/events/55.html) *Christopher Domas*

This would probably win the award for "scariest session", if only because Christopher performed some extraordinary background work for this presentation.
It's clear that Christopher is a smart person, and when he discovered that the x86 'mov' instruction was '[Turing Complete](https://en.wikipedia.org/wiki/Turing_completeness)', he decided to work towards writing an obfuscator. Any x86 instruction can be replaced using a series of 'mov' instructions. Christopher replicated control flow and operations including branching, assembly math, and comparisons using nothing but 'mov' instructions.

I say this is the scariest presentation because I imagined seeing a malware sample in the wild using this obfuscation technique. To say reversing such a sample would be a challenge would be possibly the biggest understatement of the century. The following image demonstrates both what a non-obfuscated sample looks like (first two images), as well as what it looks like after obfuscation (third image).

[![recon 3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/recon-3-230x528.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2015/07/recon-3.png)

Figure 4. M/o/Vfuscator in Action (Credit: [Twitter](https://twitter.com/daniel_bilar/status/612503306011676673))

For those interested in some proof of concept code written by Christopher, his GitHub project can be found [here](https://github.com/xoreaxeaxeax/movfuscator). The presentation was wonderfully given, as Christopher went through the process of demonstrating the above technique. The groans of dismay from the audience during his live demos were bittersweet, as we both sat in awe over what we'd seen and dreaded seeing it outside of the safety of the REcon presentation.

### Conclusion

There are a number of amazing presentations given at REcon. So many, in fact, that we weren't able to cover everything. As an attendee, there is ample opportunity to learn more about some of the latest malware threats, as seen in *Totally Spies!*. It allows us to not only become more familiar with the latest threats, but also helps us identify variations of them going forward.
If malware is not your primary area of interest, perhaps learning about some brand new or lesser-known tools may be of some use. As we saw in the *Radare2* and *0x3E9 Ways to DIE* talks, there are a number of amazing tools being released and discussed during this conference. These tools not only aid a reverse engineer in performing his or her job, but also do so quickly and efficiently.

Finally, we saw some truly innovative research being discussed in *M/o/Vfuscator*, as the presenter provided a radically new way of obfuscating code. This will likely have an impact on both the malware community and those dealing with software protections. As such, the earlier we can become familiar with the techniques discussed, the better prepared we will be in the event it surfaces in the wild.

I can't say enough good things about REcon. I have only been to the conference a couple of times, but each has been a positive experience. I truly believe that the people really make this conference, and I often find myself astonished at a room full of such amazingly intelligent people gathered together. If you're interested in exploitation, reverse engineering, or just have a natural curiosity, I'd highly encourage you to check out this conference next year.
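
As an added illustration of the M/o/Vfuscator section above (not code from the talk or from Christopher's project), the following C program shows how a comparison, a branch and an increment can each be expressed as plain indexed loads and stores, which is all a 'mov' does. The helper names and the sample string are made up for this example, and a C compiler is not guaranteed to emit only 'mov' for it.

```c
/* Added illustration (not M/o/Vfuscator code). Each statement inside the
 * mov_* helpers is one indexed load or store, the work a single x86 `mov`
 * can do: no ==, no if, no ?:, no + on the data path. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint8_t scratch[256]; /* one cell per possible byte value */
static uint8_t inc_tab[256]; /* inc_tab[i] == (i + 1) mod 256 */

/* Build the lookup table. A mov-only program would ship it as static data;
 * it is filled with ordinary C here to keep the listing short. */
void mov_init(void) {
    for (int i = 0; i < 256; i++)
        inc_tab[i] = (uint8_t)(i + 1);
}

/* Comparison: store 0 at cell x, store 1 at cell y, load cell x.
 * When x == y both stores hit the same cell, so the load returns 1. */
uint8_t mov_eq(uint8_t x, uint8_t y) {
    scratch[x] = 0;
    scratch[y] = 1;
    return scratch[x];
}

/* Branching: store both outcomes, then let the condition pick the address. */
uint8_t mov_select(uint8_t cond, uint8_t if_false, uint8_t if_true) {
    uint8_t cell[2];
    cell[0] = if_false;
    cell[1] = if_true;
    return cell[cond];
}

/* Arithmetic: a table load stands in for `inc`. */
uint8_t mov_inc(uint8_t v) {
    return inc_tab[v];
}

/* Count bytes equal to `needle`. Only the loop control is ordinary C. */
uint8_t mov_count(const uint8_t *buf, size_t len, uint8_t needle) {
    uint8_t count = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t hit = mov_eq(buf[i], needle);
        count = mov_select(hit, count, mov_inc(count));
    }
    return count;
}

/* Constructed sample input: count the letter 'c' in a fixed string. */
uint8_t run_demo(void) {
    static const uint8_t sample[] = "recon recap";
    mov_init();
    return mov_count(sample, sizeof sample - 1, 'c');
}

int main(void) {
    printf("'c' occurs %u times\n", (unsigned)run_demo());
    return 0;
}
```

Because every data operation collapses into the same load/store shape, a disassembly of code built this way offers an analyst no distinct compare, jump or arithmetic mnemonics to orient by.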