I recently ran across some packed/obfuscated Go samples that modify the pclntab magic bytes. This causes GoReSym to have issues parsing the table, particularly it seems when you try to load the table with what I assume is the runtime code.
This patch is something that I scripted in Python for myself, but I still use GoReSym to repair the symbols after fixing the pclntab magic bytes, so I figured we may consolidate here and offer the patch as well in this PR.
I'm not too familiar with the runtime, nor the GoReSym codebase, so it might be possible to optimize the repair by adding it to another portion of code, although here is how it currently works:
1. Find the first package/function in the pclntab (almost always internal/cpu.Initialize)
2. Go to the top of the struct (96 bytes before this entry)
3. Add pclntab candidates for the struct, but replace the first 6 bytes with the list of sigs specified in the scanner function
   - This adds one candidate for each signature in the signature list
At this point, they are added to the list of candidates and can be used when attempting to find suitable candidates by loading the symbol table using the runtime code.
Again, not super familiarized with the GoReSym project, but this has been an ongoing hangup for obfuscated/packed Go samples and here is a somewhat reasonable solution.
If you have any questions, comments, or concerns, let me know.
Thanks!
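The steps listed in the description, as an added Go sketch that is not the PR's code or GoReSym's own: it emits one repaired header candidate per known magic, leaving validation to whatever loader consumes them. The anchor name and the 96-byte offset come from the description, the magic values are the ones in Go's `debug/gosym`, and the little-endian byte order, the names `RepairCandidates`, `Candidate` and `SampleBlob`, and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// pclntab magics from Go's debug/gosym (Go 1.2, 1.16, 1.18, 1.20).
var knownMagics = []uint32{0xFFFFFFFB, 0xFFFFFFFA, 0xFFFFFFF0, 0xFFFFFFF1}

const anchorName = "internal/cpu.Initialize" // first function name, per the description
const headerOffset = 96                      // bytes back to the header, per the description

// Candidate is the table from its header onward with one signature restored.
type Candidate struct {
	Magic uint32
	Start int // offset of the header in the input
	Data  []byte
}

// RepairCandidates returns one candidate per known magic, or nil if the anchor is missing or too early.
func RepairCandidates(data []byte) []Candidate {
	idx := bytes.Index(data, []byte(anchorName))
	if idx < headerOffset {
		return nil
	}
	start := idx - headerOffset
	var out []Candidate
	for _, m := range knownMagics {
		fixed := append([]byte(nil), data[start:]...) // copy; input stays untouched
		binary.LittleEndian.PutUint32(fixed[0:4], m)  // assumes a little-endian target
		fixed[4], fixed[5] = 0, 0                     // two zero pad bytes after the magic
		out = append(out, Candidate{Magic: m, Start: start, Data: fixed})
	}
	return out
}

// SampleBlob is constructed input: 16 junk bytes, a header with a scrambled signature, the anchor name.
func SampleBlob() []byte {
	hdr := make([]byte, headerOffset)
	copy(hdr, []byte{0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37, 1, 8}) // minLC=1, ptrSize=8 left intact
	return append(append(bytes.Repeat([]byte{0xCC}, 16), hdr...), anchorName+"\x00"...)
}

func main() {
	for _, c := range RepairCandidates(SampleBlob()) {
		fmt.Printf("offset %d magic %#x header % x\n", c.Start, c.Magic, c.Data[:8])
	}
}
```

Only one of the four candidates matches the layout of the Go version that built the binary, so each one still has to be tried against the table parser.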