It looks like gobfuscator just modifies the source code by renaming package and file names to random strings, and adds string encryption. The resulting source code is compiled by the Go compiler as usual, and no further obfuscation is applied.
This is fairly weak: Go runtime functions are unobfuscated, and package names are consistently renamed (that is, if "geacon" is renamed to "ammopppfcdmmecpgbkkj" in one function, it's renamed that way consistently for all functions). This in turn should make it much easier to deobfuscate by gradually expanding the set of "known" package, class and function names.
XOR-encoding of strings is slightly annoying, but since gobfuscator replaces each string with an anonymous function, you could in principle write a simple Unicorn script to emulate each string decoder function, coupled with some heuristics to detect such functions (e.g. just look for functions which have an xor and a single call to runtime_slicebytetostring).
Having worked on really "heavily obfuscated" code (flattened control flow, functions implemented in obfuscated VMs, custom incompatible ABI, cryptographic encryption of code, etc.), this gobfuscator looks comparatively easy :)
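The detection heuristic mentioned in the comment above (an xor plus a single call to runtime_slicebytetostring), as an added example that is not part of the original thread. The listing format, the function names other than the quoted package name, and the rule that a same-register xor is ignored are assumptions made for this sketch.

```python
import re

# Constructed listing standing in for disassembler output; the function
# names (other than the package name quoted in the thread) are made up.
SAMPLE = """\
func ammopppfcdmmecpgbkkj.init.func1
  xor eax, eax
  movzx edx, byte ptr [rbx+rax]
  xor dl, byte ptr [rcx+rax]
  mov byte ptr [rdi+rax], dl
  call runtime.slicebytetostring
  ret
func ammopppfcdmmecpgbkkj.Connect
  xor eax, eax
  call net.Dial
  call runtime.slicebytetostring
  ret
func ammopppfcdmmecpgbkkj.hashName
  xor edx, ecx
  call runtime.slicebytetostring
  call runtime.slicebytetostring
  ret
"""

XOR = re.compile(r"^xor\s+([^,]+),\s*(.+)$")
TARGET = re.compile(r"^call\s+runtime[._]slicebytetostring$")

def parse_functions(listing):
    """Split the listing into {function name: [instruction, ...]}."""
    funcs, current = {}, None
    for line in (l.strip() for l in listing.splitlines()):
        if line.startswith("func "):
            current = line[len("func "):]
            funcs[current] = []
        elif line and current is not None:
            funcs[current].append(line)
    return funcs

def is_string_decoder(insns):
    """An xor that mixes two different operands, plus exactly one call to
    runtime.slicebytetostring. 'xor eax, eax' only zeroes a register, so
    it is ignored (a refinement assumed here, not stated in the thread)."""
    mixing_xor = any(
        m and m.group(1).strip() != m.group(2).strip()
        for m in map(XOR.match, insns))
    return mixing_xor and sum(bool(TARGET.match(i)) for i in insns) == 1

def find_decoders(listing):
    return [n for n, i in parse_functions(listing).items() if is_string_decoder(i)]
```

The functions it returns are the candidates to hand to the emulator; anything the heuristic rejects stays in the normal analysis queue.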
> 'Having worked on really "heavily obfuscated" code (flattened control flow, functions implemented in obfuscated VMs, custom incompatible ABI, cryptographic encryption of code, etc.), this gobfuscator looks comparatively easy :) '
For any HN readers who have not already encountered the MOVfuscator [1] I cannot recommend this Blackhat talk highly enough -- the x86 MOV instruction is Turing complete, and it flattens arbitrary code to MOVs. It's also the only time I've ever seen brainfuck being used as a seriously sensible intermediate language ;-)