mandiant / GoReSym

Go symbol recovery tool
MIT License

Wrong function addresses for Go 1.20 #19

Closed nfllab closed 1 year ago

nfllab commented 1 year ago

Hi, GoReSym returns wrong function addresses for Go 1.20 samples.

For example, running the v2.2 release on itself returns:

$ ./GoReSym_lin GoReSym_lin | grep -B 3 '"main.main"'
            "Start": 7449600,
            "End": 7451360,
            "PackageName": "main",
            "FullName": "main.main"

Here 7449600 equals 0x71AC00, but the correct address of main.main is 0x53f2c0.

It is also notable that moduleData was not found:

$ ./GoReSym_lin GoReSym_lin | grep -A 2 "ModuleMeta"
    "ModuleMeta": {
        "VA": 0,
        "TextVA": 0,

output.txt

stevemk14ebr commented 1 year ago

I'll look into this shortly. The moduleData is used to help resolve the correct VA of the pclntab, which is necessary for computing the correct function VAs.
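
Added example (not part of the thread and not GoReSym's own code): a sanity check over the tool's JSON output that flags the two symptoms reported above, `ModuleMeta.VA` being 0 and function start addresses outside the binary's `.text` range, before the symbols are trusted. The `UserFunctions` key, the `main.init` entry and the `.text` bounds are assumptions constructed for the sample.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like the output quoted in the issue. The
// "UserFunctions" key and the main.init entry are assumptions.
const sample = `{"ModuleMeta":{"VA":0,"TextVA":0},"UserFunctions":[
 {"Start":7449600,"End":7451360,"PackageName":"main","FullName":"main.main"},
 {"Start":5505024,"End":5505100,"PackageName":"main","FullName":"main.init"}]}`

type fn struct { // the two per-function fields the check needs
	Start    uint64
	FullName string
}

// Check flags output that should not be trusted: moduledata not located
// (ModuleMeta.VA == 0) or a function start outside .text [lo, hi).
func Check(raw []byte, lo, hi uint64) ([]string, error) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var warns []string
	var meta struct{ VA uint64 }
	if json.Unmarshal(doc["ModuleMeta"], &meta) != nil || meta.VA == 0 {
		warns = append(warns, "ModuleMeta.VA is 0: moduledata not found")
	}
	for _, v := range doc { // any top-level array of function records
		var fns []fn
		if json.Unmarshal(v, &fns) != nil {
			continue
		}
		for _, f := range fns {
			if f.FullName != "" && (f.Start < lo || f.Start >= hi) {
				warns = append(warns, fmt.Sprintf("%s at %#x is outside .text", f.FullName, f.Start))
			}
		}
	}
	return warns, nil
}

func main() {
	// Constructed .text bounds; take the real ones from `readelf -S`.
	warns, _ := Check([]byte(sample), 0x401000, 0x600000)
	fmt.Println(warns)
}
```
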

stevemk14ebr commented 1 year ago

I found the bug; I forgot to add a case here for the new 1.20 layout: https://github.com/mandiant/GoReSym/blob/0704f37cede1a0b5c8a03fb57fbb4fc1f6ada76b/objfile/objfile.go#L260-L262

I should have a fix in a few days, thanks for the report!

stevemk14ebr commented 1 year ago

Please try the new release https://github.com/mandiant/GoReSym/releases/tag/v2.3 and re-open this issue if you notice issues still.

nfllab commented 1 year ago

Looks good, thanks!