03:42:04 | * | FromDiscord quit (Remote host closed the connection) |
03:42:18 | * | FromDiscord joined #nim |
04:27:54 | * | maytha8 quit (Ping timeout: 260 seconds) |
04:31:02 | * | fallback quit (Quit: IRCNow and Forever!) |
04:37:15 | * | maytham joined #nim |
04:47:47 | * | fallback joined #nim |
07:27:16 | * | nils` quit (Ping timeout: 244 seconds) |
07:34:56 | FromDiscord | <goyoismain> yo im new-ish to programming and ive used python a bit but im trying to get into Nim to learn how to code malware (to only use on extra laptops and pcs i have laying around NOT to commit crimes with) where should i get started? |
08:13:23 | FromDiscord | <nnsee> In reply to @goyoismain "yo im new-ish to": sorry, we can't help with that. but learning to code is learning to code regardless of what you're writing. just start with basic tutorials, especially if you're new |
08:13:55 | FromDiscord | <goyoismain> ok thanks. yeah i understand not being able to help with making malware lol |
08:14:07 | FromDiscord | <goyoismain> do you have any recommendations for resources to learn nim with? |
08:19:01 | FromDiscord | <heysokam> Instant ignore. F malware, and F everyone who writes it in Nim. Go use a different lang, and gtfo of nim https://media.discordapp.net/attachments/371759389889003532/1385172004398825552/image.png?ex=68551975&is=6853c7f5&hm=080ce4ba08bb4d81dd3c991885bfa0d0a824f8c66906f6307acfedc14967d656& |
08:19:56 | FromDiscord | <heysokam> We don't need more false flagging by antiviruses bc some scriptkids thought nim was easy to learn |
08:27:42 | FromDiscord | <aintea> The thing is |
08:27:51 | FromDiscord | <aintea> Nim is horrible to reverse engineer and decompile |
08:27:59 | FromDiscord | <aintea> And easy to write↵And fast to run |
08:28:09 | FromDiscord | <aintea> Therefore the best choice for writing malwares |
08:29:12 | FromDiscord | <aintea> The thing is even the nim compiler is flagged by Windows but for some reason, nim executables don't |
08:31:22 | FromDiscord | <nnsee> In reply to @aintea "Nim is horrible to": not really lol |
08:32:37 | FromDiscord | <aintea> At least if you let it in debug mode |
08:33:25 | FromDiscord | <ayex> and the executables are tiny 🙂 |
08:34:58 | FromDiscord | <aintea> Unlike rust |
08:35:11 | FromDiscord | <aintea> Nim is literally the dream for a red team |
08:39:53 | FromDiscord | <aintea> I'll go try to reverse engineer a release mode Nim binary and update my opinion |
09:23:09 | * | Guest25 joined #nim |
09:23:42 | * | Guest25 quit (Client Quit) |
09:36:45 | * | nils` joined #nim |
10:22:59 | FromDiscord | <aintea> like |
10:23:10 | FromDiscord | <aintea> sent a code paste, see https://play.nim-lang.org/#pasty=MrLiGNoi |
10:24:55 | Amun-Ra | that's non constant time password check |
10:27:13 | FromDiscord | <aintea> the danger compiled version is easy to reverse engineer |
10:27:18 | FromDiscord | <aintea> but the debug one ? oh boy |
10:27:42 | FromDiscord | <aintea> In reply to @Amun-Ra "that's non constant time": I mean I could add a length factor but I'm too lazy to do so |
10:30:31 | Amun-Ra | aintea: https://play.nim-lang.org/#pasty=WWVDaXXM |
10:30:49 | Amun-Ra | it's not about length in that sense |
10:31:01 | FromDiscord | <aintea> oh yeah ok |
10:31:03 | FromDiscord | <aintea> I see |
10:31:33 | FromDiscord | <aintea> thanks |
10:35:10 | Amun-Ra | well, to be honest, mine's not ct neither |
10:35:14 | Amun-Ra | sec |
10:36:06 | Amun-Ra | it is now: https://play.nim-lang.org/#pasty=xoerJWpu |
10:36:49 | FromDiscord | <aintea> let me make a constant time |
10:37:06 | FromDiscord | <aintea> sent a code paste, see https://play.nim-lang.org/#pasty=TDwTPMjm |
10:37:09 | FromDiscord | <aintea> now it's good |
10:37:14 | * | tiorock joined #nim |
10:37:14 | * | tiorock quit (Changing host) |
10:37:14 | * | tiorock joined #nim |
10:37:14 | * | rockcavera quit (Killed (tantalum.libera.chat (Nickname regained by services))) |
10:37:14 | * | tiorock is now known as rockcavera |
10:58:46 | FromDiscord | <griffith1deadly> In reply to @aintea "go ahead and try": nim does not add so much code in debug/release/danger to be harder to reverse it |
10:59:18 | FromDiscord | <griffith1deadly> it's basically stackframes with push/pop and something else, but in general it doesn't make reversing harder |
11:02:59 | FromDiscord | <griffith1deadly> reversing nim without debuginfo in binary is very like c if compiled to, or cpp |
11:03:50 | FromDiscord | <saint._._.> In reply to @ehmry "and hopefully staying that": Yeah honestly I like that |
11:03:57 | FromDiscord | <saint._._.> In reply to @adrianotech "atrociously bad": That’s good to hear |
11:06:48 | FromDiscord | <griffith1deadly> In reply to @aintea "go ahead and try": in general that kind of "checking functions" can be just nop'ed and instantly just to return true |
11:06:54 | FromDiscord | <griffith1deadly> nothing special about it |
11:07:12 | FromDiscord | <griffith1deadly> (edit) "just" => "jump " |
11:07:27 | FromDiscord | <griffith1deadly> (edit) removed "" |
11:08:04 | FromDiscord | <griffith1deadly> In reply to @aintea "Unlike rust": rust also used in malwares |
11:08:27 | FromDiscord | <aintea> yes but way harder to write since stricter rules |
11:09:22 | FromDiscord | <aintea> In reply to @griffith1deadly "in general that kind": I'm curious on how that works or how to do that if you have any resources |
11:09:48 | FromDiscord | <aintea> or is it just dumping the assembly and rewriting the parts of the check |
11:09:49 | FromDiscord | <griffith1deadly> sent a long message, see https://pasty.ee/ilvCECkj |
11:12:22 | FromDiscord | <griffith1deadly> In reply to @aintea "or is it just": it's runtime modify of code instructions |
11:12:43 | FromDiscord | <griffith1deadly> it's like middle of knowledge of game hacking especially for internal |
11:13:10 | FromDiscord | <griffith1deadly> (edit) "it's like middle of knowledge of game hacking especially for internal ... " added "cheats" |
11:17:38 | FromDiscord | <nnsee> In reply to @aintea "yes but way harder": i write what you'd call "malware" for a living and do it mostly in rust, after abandoning nim for this purpose (which i moved to from C) |
11:17:54 | FromDiscord | <aintea> oh really ? that's interesting |
11:17:55 | FromDiscord | <griffith1deadly> In reply to @aintea "I'm curious on how": about good english explanations idk, bc im not native english speaker, but in russian is good this one for especially this kind of code:↵https://www.youtube.com/watch?v=aZeDTkmA6ks you can use subs or search for your language something like this |
11:18:26 | FromDiscord | <aintea> what is the reason you abandoned nim and preferred rust ? |
11:20:16 | FromDiscord | <nnsee> In reply to @aintea "I'm curious on how": open your binary in your disassembler of choice (that supports patching), r2 is pretty good for this purpose but ghidra can also do patching. identify the function responsible for checking your password. identify the control flow path which jumps to the success state (or error state depending on how it's laid out) and change the (very likely) `jne` function to `je` or vice versa |
11:20:53 | FromDiscord | <aintea> yeah I know how to read basic assembly |
11:20:54 | FromDiscord | <aintea> like very basic |
11:20:55 | FromDiscord | <griffith1deadly> In reply to @nnsee "open your binary in": ye, in video i shared it's literally patching `jne` to `je` but with explanations |
11:21:08 | FromDiscord | <aintea> oh so it's actually patching the binary |
11:21:13 | FromDiscord | <aintea> ok I see |
11:21:21 | FromDiscord | <nnsee> it doesn't necessarily have to be patching on disk |
11:21:28 | FromDiscord | <griffith1deadly> it can patch in memory |
11:21:29 | FromDiscord | <nnsee> you can also patch it in memory |
11:21:36 | FromDiscord | <aintea> sounds nice |
11:21:44 | FromDiscord | <aintea> I really need to work on my reverse engineering skills |
11:22:04 | FromDiscord | <nnsee> load the binary in a debugger and let it initialize itself in memory but not run, patch the instructions, run |
11:23:04 | FromDiscord | <nnsee> In reply to @aintea "what is the reason": got tired of fighting with mingw and "false positive" AV detections in windows |
11:23:17 | FromDiscord | <nnsee> rust has those too, but to a much smaller extent |
11:24:05 | FromDiscord | <griffith1deadly> from my java (codegeneration in runtime) skills and nim game hacking skills: if you know java and libraries like asm/bytebuddy then patching binaries is like java bytecode manipulations, just harder to read instructions and you need knowledge of asm language & understand target abi |
11:24:32 | FromDiscord | <nnsee> and i like the safety guarantees rust provides me, especially if i'm writing long-running implants. i know i'm unlikely to accidentally trigger a memory bug that only manifests itself like a month down the line |
11:24:51 | FromDiscord | <aintea> yeah that's a very good point |
11:25:05 | FromDiscord | <griffith1deadly> In reply to @nnsee "rust has those too,": isn't the default rust abi on windows msvc? |
11:26:56 | FromDiscord | <nnsee> yes |
11:27:34 | FromDiscord | <griffith1deadly> so you mean that rust have detections too with mingw, or with msvc? |
11:29:07 | FromDiscord | <nnsee> i meant with msvc, and these false positives have been rare, can probably count them on one hand. i haven't attempted to use mingw with rust |
11:29:13 | FromDiscord | <nnsee> anyways this is getting a bit #offtopic |
11:34:37 | FromDiscord | <griffith1deadly> In reply to @nnsee "i meant with msvc,": nim compiler & nim programs compiled with clang/msvc also have fewer detections than with mingw |
11:34:48 | FromDiscord | <griffith1deadly> i once read that most antiviruses do this because in reality few people use mingw on windows, since it's more a case of cross-compiling windows binaries from linux |
12:06:32 | * | beholders_eye joined #nim |
12:14:39 | FromDiscord | <janakali> Sad fact: malware devs can write Nim without using Nim runtime, because it is easily detected by AVs - https://youtu.be/EXX3HmCG3pw.↵↵So, in theory, legitimate code gets flagged and malware doesn't. 😔 |
12:15:19 | FromDiscord | <janakali> (edit) "Sad fact: malware devs can write Nim without using Nim runtime, because it is easily detected by AVs - https://youtu.be/EXX3HmCG3pw.↵↵So, in theory, legitimate ... code" added "Nim" |
12:29:27 | * | nils` quit (Ping timeout: 276 seconds) |
13:09:41 | * | nils` joined #nim |
13:27:08 | FromDiscord | <m4ul3r> In reply to @janakali "Sad fact: malware devs": ayyy it was fun research, it was a very bad way of writing in nim at that time. surprisingly i write a lot of nim stuff at work that does |
13:27:27 | * | beholders_eye quit (Quit: WeeChat 4.6.3) |
13:27:39 | FromDiscord | <m4ul3r> (edit) "surprisingly" => "I had improved it to be more nim-like, but sitting on it for a talk somewhere else↵surprisingly" | "does" => "doesn't involve malware" |
13:56:20 | FromDiscord | <kapendev> Maybe the solution is to deprecate the Nim runtime. |
14:24:52 | * | Torro joined #nim |
14:36:07 | * | beholders_eye joined #nim |
14:45:15 | FromDiscord | <eugaming> In reply to @janakali "Sad fact: malware devs": if you want to make good software in a language you can always get a cert, also you normally obf your code anyways in production as well. opensource projects dont necessarily need to have compiled binaries even if convenient. in the end it doesnt matter if stuff is flagged on default or not if people trust the software or get an optional way to trust it |
14:45:54 | FromDiscord | <eugaming> i cant see how your sad fact is really bothering anybody, most wont even care if they are not like 4yo |
14:54:43 | * | cmc joined #nim |
14:54:59 | * | cmc quit (Client Quit) |
14:55:12 | * | capocasa joined #nim |
15:22:16 | * | capocasa quit (Quit: Client closed) |
15:47:05 | FromDiscord | <goyoismain> Ive found a youtube tutorial by steves teacher, a github page by narimiran, and the introduction to nim on nim-lang.org, are these pretty much the resources i should use? |
15:48:02 | FromDiscord | <goyoismain> oh and a book named Nim in Action but realistically ill never take a look at it unless someone recommends it |
15:53:51 | FromDiscord | <Robyn [She/Her]> In reply to @nnsee "i meant with msvc,": tbf since it's Rust, any false positives are more likely to also be fixed too |
15:58:44 | * | capocasa joined #nim |
16:15:28 | FromDiscord | <janakali> In reply to @eugaming "i cant see how": It's not bothering me as well, because 90% of my programs don't target windows. And when they do, I usually use zig for cross-compilation - it seems to greatly reduce false positives. Also, don't focus too much on word "sad", I first wrote "Fun fact" and then changed it to "Sad fact", because it's a bit negative. |
16:33:34 | FromDiscord | <adrianotech> In reply to @janakali "Sad fact: malware devs": the video is a year old... nim devs already did something about it |
16:33:35 | FromDiscord | <adrianotech> right? |
17:15:01 | FromDiscord | <eugaming> doing what about it |
17:15:06 | FromDiscord | <eugaming> its a programming language xd |
17:15:32 | FromDiscord | <eugaming> In reply to @janakali "It's not bothering me": never heard of zip sounds interesting ;o |
17:27:30 | * | jjido joined #nim |
18:18:59 | FromDiscord | <shalokshalom> In reply to @janakali "It's not bothering me": Zig sounds like a proper solution to that |
18:19:24 | FromDiscord | <shalokshalom> Did you try combining it with Cosmopolitan? |
18:32:35 | FromDiscord | <nervecenter> In reply to @goyoismain "Ive found a youtube": My greatest success has always been using X in Y Minutes plus documentation to translate a well-worn program I made (a gambling simulator and statistical distribution printer) into the new language as idiomatically correctly as possible.↵https://learnxinyminutes.com/nim/↵https://nim-lang.org/docs/lib.html |
18:35:11 | * | jjido quit (Quit: My laptop has gone to sleep. ZZZzzz…) |
18:37:08 | * | jjido joined #nim |
18:45:06 | FromDiscord | <kapendev> In reply to @adrianotech "the video is a": You can't do something about it. It's a Windows problem and every language has to deal with it. Cert is the only solution. |
18:46:30 | FromDiscord | <adrianotech> then nvm |
20:21:14 | * | skippy8 joined #nim |
20:50:05 | * | beholders_eye quit (Quit: WeeChat 4.6.3) |
21:05:28 | * | Torro quit (Quit: bye) |
21:08:56 | FromDiscord | <m4ul3r> In reply to @janakali "It's not bothering me": I wouldn’t really say a sad fact, it doesn’t include any indications of nim, so there’s nothing that detects it actually being a nim binary - so no nim flagged and wouldn’t affect future nim programs from being flagged.↵From the talk, it would just be a simple looking binary that would look suspicious |
21:18:46 | FromDiscord | <Elegantbeef> I love looking at my helloworld.exe which is just `printf("Hello World\n");` compiled with mingw grow in threat as time goes on https://www.virustotal.com/gui/file/323f01cf10ab9889d374391028e3809c71c069269fcb76f98d81eb436a6f7cca/detection |
21:19:03 | FromDiscord | <Elegantbeef> In February 2024 that was 9/70 now it's 32/72 |
21:24:53 | FromDiscord | <Elegantbeef> Just tested again for shits and giggles, stripped helloworld -O3 compiled with mingw 3 false positives, non stripped 19 false positives |
21:25:02 | FromDiscord | <Elegantbeef> (Maybe mingw is actually compromised) |
21:27:44 | * | skippy8 quit (Quit: WeeChat 4.6.3) |
21:30:53 | * | jjido quit (Quit: My laptop has gone to sleep. ZZZzzz…) |
21:41:08 | FromDiscord | <leorize> I guess it depends on your mingw |
21:46:30 | FromDiscord | <leorize> here's fedora's mingw on -O3 hello world, no stripping: https://www.virustotal.com/gui/file/292954afad5d714e5c425a7f5f4b2341dffb83c91aba819a84f6c23f11c32788/detection |
21:46:36 | FromDiscord | <leorize> non-optimized hello world is the same |
21:47:20 | FromDiscord | <leorize> > gcc version 14.2.1 20240801 (Fedora MinGW 14.2.1-4.fc42) (GCC) |
21:48:21 | FromDiscord | <Elegantbeef> `x86_64-w64-mingw32-gcc (GCC) 15.1.0` in my case |
21:50:11 | FromDiscord | <leorize> mine is the ucrt-based version, so that probably helped |
21:50:52 | FromDiscord | <leorize> just for fun, here's: `echo "Hello, world!"` from skull + mingw: https://www.virustotal.com/gui/file/5203cc2de969be900654e588057c0c7bc283e22687272af91d5a58ef7d88348a |
21:52:03 | FromDiscord | <leorize> looks like only non-reputable scanners catch this stuff, so I suppose just use ucrt if you don't want to be caught by "heuristics" |
22:57:18 | * | beholders_eye joined #nim |
23:22:23 | rockcavera | leorize, I have indeed noticed that false positives happen with RT msvcrt, however, RT uctr has not been reporting as many false positives |
23:22:36 | rockcavera | ucrt |
23:32:42 | * | Lord_Nightmare quit (Ping timeout: 252 seconds) |
23:32:49 | * | capocasa quit (Quit: Client closed) |