Conversation

Notices

1. Embed this notice
   ✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 25-Apr-2025 03:46:47 JST ✧✦Catherine✦✧

   looking at some malware that has a string encryption routine and a string decryption routine

   it encrypts a string and immediately decrypts it

   the original string is there in the binary

   (all these pairs of funcitons implement the same silly XOR algorithm in slightly different code. yes, i've lifted them to LLVM IR to check if they really do that. yes, they do)

   • Embed this notice
     ✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 25-Apr-2025 03:53:13 JST ✧✦Catherine✦✧

     in reply to

     they're all like that. even the gibberish looking ones. i beg of you malware authors please try to be more competent, it's not fun at all

   • Embed this notice
     ✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 25-Apr-2025 03:55:49 JST ✧✦Catherine✦✧

     in reply to

     • bars

     @bars binary.ninja

   • Embed this notice
     bars (bars@mastodon.uno)'s status on Friday, 25-Apr-2025 03:55:51 JST bars

     in reply to

     @whitequark what are you using to do this? I love the Rust-like syntax and the explicit mut/non-mut distinction

   • Embed this notice
     Fi 🏳️‍⚧️ (munin@infosec.exchange)'s status on Friday, 25-Apr-2025 03:58:21 JST Fi 🏳️‍⚧️

     in reply to

     @whitequark

     lol I wonder if this is a sign that 'vibe coding' has come to malware.

   • Embed this notice
     ✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 25-Apr-2025 03:58:21 JST ✧✦Catherine✦✧

     in reply to

     • Fi 🏳️‍⚧️

     @munin they're probably years ahead of schedule