<— Back

Reversing Nim Binaries

For a reverse engineer one of the first steps is to differentiate between library code and code the author wrote. This can be especially hard depending on how the compiler has optimized the code or which programming language was used. This research’s objective is to make life easier for analysts and reverser engineers while analysing Nim based binaries. We started this research a while ago, because we saw more and more interest in Nim in the offensive security community and more malware authors using Nim executables to make the life of an reverse engineer harder.

The evolution of programming languages has created more portable languages that can be compiled for different platforms with little or no changes, without the recourse to virtual machines. This comes at the cost of a lot of boilerplate code which is added by the compiler or the Intermediate code translator. These languages often have their own definition of strings, calling convention and in some cases the intermediate code translator can implement different optimizations which in the end results in very complex executables.

The NIM compiler has several optimization options, it can be optimized for speed or size for example, which will result in dramatically different binaries. This presentation starts to demonstrate these differences and their impact on the final binary. Then it moves to show how an analyst can identify the non-library code, so that she can focus her efforts on analysing the logic of the executable, instead of getting lost in library code. To help out in this task we will present IDAPro scripts that will do part of the binary analysis and identify imported library or boilerplate code and create well known structures for language specific objects like strings. We will demonstrate how to write a COFF parser to automatically generate IDA FLIRT Signature files from Nims source code files. The latter can easily be applied to other programming languages or certain libraries built with uncommon compiler switches.