
It looks like gobfuscator just modifies the source code by renaming package and file names to random strings, and adds string encryption. The resulting source code is compiled by the Go compiler as usual, and no further obfuscation is applied.

This is fairly weak: Go runtime functions are unobfuscated, and package names are consistently renamed (that is, if "geacon" is renamed to "ammopppfcdmmecpgbkkj" in one function, it's renamed that way consistently for all functions). This in turn should make it much easier to deobfuscate by gradually expanding the set of "known" package, class and function names.

XOR-encoding of strings is slightly annoying, but since gobfuscator replaces each string with an anonymous function, you could in principle write a simple Unicorn script to emulate each string decoder function, coupled with some heuristics to detect such functions (e.g. just look for functions which have an xor and a single call to runtime_slicebytetostring).

Having worked on really "heavily obfuscated" code (flattened control flow, functions implemented in obfuscated VMs, custom incompatible ABI, cryptographic encryption of code, etc.), this gobfuscator looks comparatively easy :)
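To make the string-encoding scheme described in the comment above concrete, here is an added example (not gobfuscator's own code, and not from the commenter): the build-time side masks each string literal with an XOR key and emits, in its place, an anonymous function that unmasks the bytes and converts them to a string (the `string(b)` conversion is what the compiler lowers to a call to runtime.slicebytetostring, the heuristic the comment suggests matching on). The analyst's side shows that once the key and masked bytes have been lifted from such a function, or recovered by emulating it, the plaintext falls out with the same XOR loop, so there is no need to run the binary. The per-string random key and the sample literals are assumptions of this example, not a description of gobfuscator's exact format.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// encodeWithKey is the build-time transform an XOR string obfuscator applies
// to a literal: each byte of s is masked with the key, repeating the key if
// it is shorter than the string. The key layout is an assumption here.
func encodeWithKey(s string, key []byte) []byte {
	ct := make([]byte, len(s))
	for i := 0; i < len(s); i++ {
		ct[i] = s[i] ^ key[i%len(key)]
	}
	return ct
}

// encodeString draws a fresh random key per string (assumed policy) and
// returns it together with the masked bytes that would be embedded in the
// rewritten source.
func encodeString(s string) (key, ct []byte, err error) {
	key = make([]byte, len(s))
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	return key, encodeWithKey(s, key), nil
}

// decoderFor returns the kind of anonymous function an obfuscator substitutes
// for a string literal. Its body is exactly what the comment proposes to spot
// and emulate: an XOR loop followed by a single []byte-to-string conversion,
// which the Go compiler compiles to runtime.slicebytetostring.
func decoderFor(key, ct []byte) func() string {
	return func() string {
		b := make([]byte, len(ct))
		for i := range ct {
			b[i] = ct[i] ^ key[i%len(key)]
		}
		return string(b)
	}
}

// recoverString is the analyst's side: given a key and masked bytes read out
// of a decoder function (statically, or by emulating the function once),
// it returns the original literal without executing the binary.
func recoverString(key, ct []byte) string {
	out := make([]byte, len(ct))
	for i := range ct {
		out[i] = ct[i] ^ key[i%len(key)]
	}
	return string(out)
}

// encodedLiteral pairs the data an emulation script would collect for each
// decoder function it identifies.
type encodedLiteral struct {
	key, ct []byte
}

// recoverAll rebuilds the string table from every decoder located in a
// binary, the end product of the emulation approach described above.
func recoverAll(found []encodedLiteral) []string {
	out := make([]string, 0, len(found))
	for _, e := range found {
		out = append(out, recoverString(e.key, e.ct))
	}
	return out
}

func main() {
	// Constructed sample literals standing in for strings an obfuscated
	// binary would hide; "geacon" is the package name mentioned in the thread.
	samples := []string{"geacon", "runtime_slicebytetostring", "C2 beacon"}

	var found []encodedLiteral
	for _, s := range samples {
		key, ct, err := encodeString(s)
		if err != nil {
			panic(err)
		}
		found = append(found, encodedLiteral{key: key, ct: ct})
		// What the compiled binary would do at run time:
		fmt.Printf("decoder yields %q\n", decoderFor(key, ct)())
	}
	// What the analyst does instead, offline, with the lifted key/ct pairs:
	for _, s := range recoverAll(found) {
		fmt.Printf("recovered   %q\n", s)
	}
}
```

Because the key and masked bytes are both in the binary, a heuristic that picks out functions containing an XOR loop and one runtime.slicebytetostring call, followed by emulating each one, reduces the string layer to a lookup; the consistent package renaming the comment describes leaves the call sites of these decoders in place, so recovered strings can be attached back to the renamed identifiers that use them.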




> 'Having worked on really "heavily obfuscated" code (flattened control flow, functions implemented in obfuscated VMs, custom incompatible ABI, cryptographic encryption of code, etc.), this gobfuscator looks comparatively easy :) '

For any HN readers who have not already encountered the MOVfuscator [1], I cannot recommend this Black Hat talk highly enough -- the x86 MOV instruction is Turing complete, and it flattens arbitrary code to MOVs. It's also the only time I've ever seen brainfuck being used as a seriously sensible intermediate language ;-)

[1] https://www.youtube.com/watch?v=R7EEoWg6Ekk [I think this is the preferred link!]



The "sort of" part is fantastic:

The mov-only DOOM renders approximately one frame every 7 hours, so playing this version requires somewhat increased patience.


I might finally beat nightmare!


Seems very reminiscent of early java bytecode obfuscators.


Excellent analysis


What is your background? Your experience sounds very interesting.


They have their website [0] in their profile, which has some interesting background.

[0] https://robertxiao.ca


Man, that Dragon CTF was awesome.



