
Reversing Go Binaries Like a Pro - FiloSottile
https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/
======
kevinburke
I'm getting a Chromium security error because this website is presenting a
certificate from *.github.com.

~~~
FiloSottile
It's my fault. I use HTTPS Everywhere in full HTTP blocking mode, so when a
link isn't HTTPS I just try manually, and accept the error for common Akamai
and Github Pages certs, which is still much better than HTTP (for random
sites).

But then I ended up submitting that broken link. The interesting thing is that
it reached the top (#4 right now) of HN anyway.

~~~
tedunangst
Go? Reversing? Say no more, have an upvote!

------
cbdfghh
Just curious, is a Go string a C string inside (rune array + nil) or a proper
class array?

In other words, in

a:="b"+"c"

IOW, does it implement Shlemiel's painting algorithm or not?

~~~
razakel
> Just curious, is a Go string a C string inside (rune array + nil) or a proper
> class array?

I can't imagine how you would even implement a string as anything other than a
rune array.

Even a Pascal string is just the string length followed by characters.
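
The string-layout question above, as an added example (not code from the article or this thread): it mirrors the two-word string header the gc toolchain uses (an implementation assumption, not part of the language spec) to show that a Go string is a length-prefixed view of UTF-8 bytes, not a rune array and not NUL-terminated, that slicing shares storage, and that a+b copies into a new buffer.

```go
package main

import (
	"fmt"
	"unicode/utf8"
	"unsafe"
)

// stringHeader mirrors the gc toolchain's string value: a pointer to immutable
// UTF-8 bytes plus a byte length. No terminating NUL (assumed layout; added example).
type stringHeader struct {
	Data unsafe.Pointer
	Len  int
}

func header(s string) stringHeader { return *(*stringHeader)(unsafe.Pointer(&s)) }

// HeaderSize is the size of the string value itself: two words, whatever the text length.
func HeaderSize() uintptr { return unsafe.Sizeof("") }

// ByteAndRuneLen: len counts bytes, not runes, so the backing array is bytes, not int32 runes.
func ByteAndRuneLen(s string) (bytes, runes int) { return len(s), utf8.RuneCountInString(s) }

// NULIsJustAByte: unlike a C string, a 0x00 byte does not end a Go string.
func NULIsJustAByte() int { return len("a\x00b") }

// SubstringShares: s[1:] reuses the same bytes and only advances the data pointer.
func SubstringShares(s string) bool {
	sub := s[1:]
	return uintptr(header(sub).Data) == uintptr(header(s).Data)+1
}

// ConcatCopies: a+b allocates a new buffer and copies both operands. The stored
// length makes finding the end O(1) (no strlen scan), but repeated += in a loop
// is still quadratic overall, which is what strings.Builder is for.
func ConcatCopies(a, b string) bool {
	c := a + b
	return header(c).Data != header(a).Data && len(c) == len(a)+len(b)
}

func main() {
	b, r := ByteAndRuneLen("héllo")
	fmt.Println(HeaderSize(), b, r, NULIsJustAByte(), SubstringShares("hello"), ConcatCopies("b", "c"))
}
```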

~~~
unwind
In Haskell strings are lists of characters
([https://hackage.haskell.org/package/base-4.9.0.0/docs/Data-S...](https://hackage.haskell.org/package/base-4.9.0.0/docs/Data-String.html)). I hear not everyone is thrilled with the performance
implications. :)

Also not a Haskell programmer, and really not meaning to criticize. Haskell
seems awesome and I should learn it some day.

~~~
jerf
Just so people know, there are arrays used for text manipulation in Haskell in
the Data.Text library, and bytestrings in the ByteString library. The language
as specified does indeed have strings in a linked list of numbers, but if you
even remotely care about performance you don't use those, and most libraries
don't either nowadays.

~~~
unwind
Thanks! I guess I was kind of hoping for someone with actual knowledge to fill
in the details.

------
devoply
Glad to see the code still looks like crap, beautiful assembly, so using any
of that is not going to make sense. Which is good news for distributing a Go
binary.

------
mappu
_> You can quite easily differentiate between custom code written for the
binary, for example in the Linux malware “Rex” everything because with that
name space!_

Really? It looks like only `runtime_` gets the prefix, so third-party
libraries and code in go/src (e.g. `fmt`) would get mixed in here too, right?

~~~
differentials
Everything gets prefixed by the package namespace, so things pulled from
github.com/group_name/package end up looking like
`github_com_group_name_package_class_funcname`. This is why "rebuilding" the
function names was a good way to quickly filter out the "known" code from the
malicious functionality.

~~~
ninov
Is this really how the names are represented internally? If so, how can it
tell apart e.g. "github.com/group_name/package" and
"github.com/group/name_package"?

~~~
differentials
Good question, I assume there is some way the compiler/runtime would dedupe
these for the coder at compile time. However I don't honestly know enough
about the Go internals... Honestly, I wrote more Go code during this blog post
than I ever had, even though I had been reversing it for a while...

------
nadermx
Working link

[http://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pr...](http://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/)

~~~
differentials
The https link should be working now, switched over to cloudflare. Thanks for
the link though!

~~~
alblue
There's a typo in the write up - lenght

------
fbreduc
if err != nil ?

