kryptoslogic / binja_degobfuscate

Fix Go obfuscated binaries that were obfuscated using gobfuscator
MIT License

Issues Getting this to Run on Personal License #2

Open komeara1 opened 3 years ago

komeara1 commented 3 years ago

Do I need a commercial license to get this to run? I ask b/c I get an "Exception in thread Thread-2" error.

psifertex commented 3 years ago

Nope, it should work fine in a personal license. I can double check later, but are there any other errors in the log window besides that?

komeara1 commented 3 years ago

Traceback (most recent call last):
  File "threading.py", line 932, in _bootstrap_inner
  File "C:\Program Files\Vector35\BinaryNinja\plugins\..\python\binaryninja\plugin.py", line 731, in run
    self.task.run()
  File "C:\Users\test\AppData\Roaming\Binary Ninja\repositories\community\plugins\kryptoslogic_binja_degobfuscate\__init__.py", line 424, in run
    if validfunc(self.bv, func):
  File "C:\Users\test\AppData\Roaming\Binary Ninja\repositories\community\plugins\kryptoslogic_binja_degobfuscate\__init__.py", line 360, in validfunc
    morestack_noctxt = bv.get_function_at(morestack_noctxt_sym[0].address)
IndexError: list index out of range

komeara1 commented 3 years ago

FTR I tested using the same hash that was used in the example in the README.

psifertex commented 3 years ago

Just tried it with a personal license and it works fine in my test VM. What version of Python are you using?

komeara1 commented 3 years ago

Python3 - tested on both a Windows 10 machine and a Kali Linux machine. Same errors.

komeara1 commented 3 years ago

This is the Kali error

Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/home/kyle/tools/binary_ninja/binaryninja/plugins/../python/binaryninja/plugin.py", line 731, in run
    self.task.run()
  File "/home/kyle/.binaryninja/repositories/community/plugins/kryptoslogic_binja_degobfuscate/__init__.py", line 424, in run
    if validfunc(self.bv, func):
  File "/home/kyle/.binaryninja/repositories/community/plugins/kryptoslogic_binja_degobfuscate/__init__.py", line 360, in validfunc
    morestack_noctxt = bv.get_function_at(morestack_noctxt_sym[0].address)
IndexError: list index out of range

psifertex commented 3 years ago

Sorry, but can you be more specific? I see 3.8 in the kali screenshot, but what exact python version? import sys;print(sys.version) will give me what I'm looking for.

I'm running 3.8.6 on my Ubuntu VM.

Also, which hash did you use? I just tested the 5c9... one.

komeara1 commented 3 years ago

Same version as well

Python 3.8.6 (default, Sep 25 2020, 09:36:53) 
[GCC 10.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys;print(sys.version)
3.8.6 (default, Sep 25 2020, 09:36:53) 
[GCC 10.2.0]
>>> 

Yes, I'm using the 5c9b hash to test things and plan to move to another file. I let the analysis complete before running the plugin.

psifertex commented 3 years ago

Very strange. Do you have any other plugins installed? I was testing on a BNDB I had saved from previous analysis to speed things up, let me try on the fresh file to see if that makes a difference.

komeara1 commented 3 years ago

I pulled the sample straight from VT. I did an apt update and apt upgrade just to see if that would fix anything and it did not. I have no other plugins installed. I installed this plugin via the Manage Plugins menu.

psifertex commented 3 years ago

Thanks, that's helpful. I'm trying with the fresh binary now -- if it works I'll set up a Kali VM and see if I can reproduce it.

Oh! I just had another thought, what version of Binary Ninja are you running? Make sure you're running on the latest dev build. That's most likely the issue. I should have suggested that first!

komeara1 commented 3 years ago

I'm using Version 2.2.2487 Personal.

psifertex commented 3 years ago

Yup! That will do it. Switch to the dev channel (Preferences / Update Channel)

komeara1 commented 3 years ago

Updated to 2.2.2590-dev personal.

Tried running again and got these errors.

Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/home/kyle/tools/binary_ninja/binaryninja/plugins/../python/binaryninja/plugin.py", line 741, in run
    self.task.run()
  File "/home/kyle/.binaryninja/repositories/community/plugins/kryptoslogic_binja_degobfuscate/__init__.py", line 424, in run
    if validfunc(self.bv, func):
  File "/home/kyle/.binaryninja/repositories/community/plugins/kryptoslogic_binja_degobfuscate/__init__.py", line 360, in validfunc
    morestack_noctxt = bv.get_function_at(morestack_noctxt_sym[0].address)
IndexError: list index out of range

Should I try another dev version?

psifertex commented 3 years ago

Ahh, so I reproduced the issue, sorry it took me so long. I was trying on a BNDB just to save analysis time and it was indeed only reproducible with the raw file. I think there's a step missing from the blog writeup: you have to first run a Go debug symbol loading, which helps you find the ctxt function, which is why that's failing.

@jamie-34254 might have more thoughts, but I think the best way to handle this in the plugin would be to add some error handling here and just catch if the morestack_noctxt_sym doesn't exist, and to warn the user that they first need to either manually identify that function or run the "golang symbol restore" plugin that's also in the BN Plugin Manager.
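A sketch of the guard suggested in the comment above, added here as an example; it is not part of the thread or the plugin's own code. `get_symbols_by_name` and `get_function_at` are real Binary Ninja `BinaryView` methods, but that the plugin fills `morestack_noctxt_sym` with the former, the symbol name `runtime.morestack_noctxt`, the `FakeView` stand-in, and the sample address are assumptions made so the example runs without Binary Ninja.

```python
from collections import namedtuple

# Constructed stand-ins for the two BinaryView calls involved, so the
# example runs without Binary Ninja installed.
Symbol = namedtuple("Symbol", "name address")

class FakeView:
    def __init__(self, symbols, functions):
        self._symbols = symbols        # list of Symbol
        self._functions = functions    # address -> function name

    def get_symbols_by_name(self, name):
        return [s for s in self._symbols if s.name == name]

    def get_function_at(self, addr):
        return self._functions.get(addr)

# Assumed symbol name, inferred from the variable name in the traceback.
MORESTACK = "runtime.morestack_noctxt"

class MissingGoSymbols(Exception):
    """Raised when the Go runtime symbol the lookup depends on is absent."""

def find_morestack_noctxt(bv):
    syms = bv.get_symbols_by_name(MORESTACK)
    if not syms:  # stripped binary: an unguarded syms[0] raises IndexError here
        raise MissingGoSymbols(
            f"{MORESTACK} not found; restore Go symbols or name the function "
            "manually, then run the plugin again")
    func = bv.get_function_at(syms[0].address)
    if func is None:  # symbol exists but no function was created at its address
        raise MissingGoSymbols(f"no function at {syms[0].address:#x} for {MORESTACK}")
    return func

def run_plugin(bv):
    """Return (ok, message) instead of letting the task thread die with a traceback."""
    try:
        func = find_morestack_noctxt(bv)
    except MissingGoSymbols as exc:
        return False, str(exc)
    return True, f"resolved {MORESTACK} to {func}"

if __name__ == "__main__":
    stripped = FakeView([], {})  # constructed: raw file, no Go symbols recovered
    restored = FakeView([Symbol(MORESTACK, 0x45A3C0)], {0x45A3C0: "sub_45a3c0"})
    print(run_plugin(stripped))
    print(run_plugin(restored))
```
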

komeara1 commented 3 years ago

I will give both methods a try.

komeara1 commented 3 years ago

Still getting this issue. Not sure what the problem is.

psifertex commented 3 years ago

Which plugin did you use to recover symbols first?