When examining the NotRobin binaries from a FireEye report, the script can't find FB FF FF FF 00 00 and fails due to Gopclntab.findGoPcLn() returning an invalid offset. This function became even more troublesome after updating API calls due to ida_search.find_binary() requiring a start and end offset for the search.
I've made an update that I'll try to push soon that works in every Go binary I've tested so far. Some binaries in the report were also Go 1.13.x, so I updated the string search as well. If it's acceptable, below is a quick snippet of my solution for the LineTable search:
EDIT: I hope "LineTable" was the correct term? I'm not familiar with Go and found the term in their source here.
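An added example, not the poster's snippet and not the project's code: a bounded search for the `FB FF FF FF 00 00` pattern that validates each hit as a Go 1.2-style pclntab header before accepting it, so a stray match yields no offset instead of an invalid one. It works on a raw byte buffer rather than the IDA API; the function names, the function-table size heuristic and the sample buffer are assumptions made for illustration, and only little-endian binaries are handled.

```python
import struct

# Byte pattern quoted in the post: little-endian 0xFFFFFFFB plus two zero bytes.
MAGIC = bytes.fromhex("FBFFFFFF0000")


def parse_header(data, pos):
    """Return header fields if `pos` holds a plausible pclntab header, else None."""
    if pos + 8 > len(data):
        return None
    quantum, ptr_size = data[pos + 6], data[pos + 7]
    # Field checks matching Go's debug/gosym for this header layout:
    # instruction quantum is 1, 2 or 4 and pointer size is 4 or 8.
    if quantum not in (1, 2, 4) or ptr_size not in (4, 8):
        return None
    if pos + 8 + ptr_size > len(data):
        return None
    fmt = "<I" if ptr_size == 4 else "<Q"
    nfunc = struct.unpack_from(fmt, data, pos + 8)[0]
    # Heuristic (assumption): a table of 2*nfunc + 1 pointer-sized words
    # must fit inside the buffer, which rejects absurd function counts.
    table_end = pos + 8 + ptr_size + (2 * nfunc + 1) * ptr_size
    if nfunc == 0 or table_end > len(data):
        return None
    return {"offset": pos, "quantum": quantum, "ptr_size": ptr_size, "nfunc": nfunc}


def find_pclntab_headers(data, start=0, end=None):
    """Search [start, end) for the magic and keep only validated headers."""
    end = len(data) if end is None else end
    hits = []
    pos = data.find(MAGIC, start, end)
    while pos != -1:
        header = parse_header(data, pos)
        if header:
            hits.append(header)
        pos = data.find(MAGIC, pos + 1, end)
    return hits


# Constructed sample: a decoy match with an invalid quantum byte (0x07),
# followed by a valid 64-bit header that declares two functions.
DECOY = MAGIC + bytes([0x07, 0x08]) + b"\x00" * 8
REAL = MAGIC + bytes([0x01, 0x08]) + struct.pack("<Q", 2) + b"\x11" * 40
SAMPLE = b"\x90" * 32 + DECOY + b"\x00" * 16 + REAL + b"\x00" * 8

if __name__ == "__main__":
    for hit in find_pclntab_headers(SAMPLE):
        print(hit)
```
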