
    Saturday, August 29, 2020

    Introduction To Reversing Golang Binaries


    Golang binaries are a bit hard to analyze, but there are some tricks for locating things and seeing what the code is doing.






    It is possible to list all the Go source files compiled into the binary, even in a stripped binary. In this case there is only one file, gohello.go, which is a good clue for guessing what the program does.


    On stripped binaries the runtime functions are not resolved, so it is more difficult to locate the user algorithms:


    If we start from the entry point, we will find this mess:

    Golang string initializations are encoded and are not displayed in the strings window.


    How to locate main? If the binary is not stripped, just set a breakpoint on [package name].main, for example bp main.main (you can locate the package name by searching the strings for ".main").


    And here is our main.main:


    The code is:

    So in a stripped binary we can't find the string "hello world", nor the initialization 0x1337, nor the comparison with 0x1337; all of this is obfuscated.

    The initialization sequence is:


    The procedure for locating main.main in stripped binaries is:
    1. Click on the entry point and locate the runtime.mainPC pointer:



    2. Click on the runtime.main function (LAB_0042B030):


    3. Locate the main.main call after the zero ifs:



    4. Click on it and here is the main:




    The runtime is not obvious: for example, the fmt.Scanf() call performs several internal calls before reaching the syscall, and in a stripped binary there are no function names.



    To identify the functions, one option is to compile another binary with symbols and do function fingerprinting.

    In Ghidra we have the script golang_renamer.py, which is very useful:


    After applying this plugin, main looks much clearer:




    This script is an example of function fingerprinting; in this case all the opcodes are included in the CRC hash:

    # This script fingerprints the functions
    #@author: sha0coder
    #@category fingerprinting

    print "Fingerprinting..."

    import zlib


    # loop through program functions
    function = getFirstFunction()
    while function is not None:
        name = str(function.getName())
        entry = function.getEntryPoint()
        body = function.getBody()
        addresses = body.getAddresses(True)

        if not addresses.hasNext():
            # empty function: advance first, otherwise the loop never ends
            function = getFunctionAfter(function)
            continue

        # concatenate the raw bytes of every instruction in the function body
        ins = getInstructionAt(body.getMinAddress())
        opcodes = ''
        while ins and ins.getMinAddress() <= body.getMaxAddress():
            for b in ins.bytes:
                opcodes += chr(b & 0xff)
            ins = getInstructionAfter(ins)
        # CRC32 over all instruction bytes, masked to an unsigned 32-bit value
        crchash = zlib.crc32(opcodes) & 0xffffffff

        print name, hex(crchash)

        function = getFunctionAfter(function)
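
The matching step that follows fingerprinting, as an added example (not part of the original post and not the code of golang_renamer.py): it takes the "name hash" lines the script above prints for a build with symbols and for the stripped binary, and proposes a rename only where a CRC maps to exactly one known name. All function names, addresses and CRC values in the sample are constructed; because the CRC covers every instruction byte, only functions whose bytes are identical in both builds will match.

```python
import re
from collections import defaultdict

# Constructed sample output ("name 0xCRC" per line); values are illustrative only.
REFERENCE_OUTPUT = """\
runtime.main 0x3b1f20a4L
fmt.Fscanf 0x9c04d1e7L
main.main 0x51aa0c3e
type..eq.a 0x77e0c915
type..eq.b 0x77e0c915
"""
STRIPPED_OUTPUT = """\
Fingerprinting...
FUN_0042b030 0x3b1f20a4L
FUN_00489d60 0x9c04d1e7L
FUN_0048cf00 0x51aa0c3e
FUN_00401000 0x77e0c915
FUN_00455aa0 0xdeadbeefL
"""

# hex() of a Python 2 long ends in "L", so the suffix is optional here.
LINE_RE = re.compile(r"^(\S+)\s+0x([0-9a-fA-F]+)L?$")

def parse(output):
    """Return [(name, crc)] for every 'name 0xHASH' line, skipping other lines."""
    pairs = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), int(m.group(2), 16)))
    return pairs

def match(reference_output, stripped_output):
    """Split stripped functions into unique renames, ambiguous hits and unknowns."""
    by_crc = defaultdict(set)
    for name, crc in parse(reference_output):
        by_crc[crc].add(name)
    renames, ambiguous, unknown = {}, {}, []
    for name, crc in parse(stripped_output):
        candidates = sorted(by_crc.get(crc, ()))
        if not candidates:
            unknown.append(name)
        elif len(candidates) == 1:
            renames[name] = candidates[0]
        else:
            ambiguous[name] = candidates  # same bytes under several names
    return renames, ambiguous, unknown

if __name__ == "__main__":
    print(match(REFERENCE_OUTPUT, STRIPPED_OUTPUT))
```

Ambiguous entries are typically tiny functions that compile to the same bytes under several names; they are reported rather than renamed so a wrong label does not mislead later analysis.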




