inspection of obfuscated code

[gedw99]

I was curious what can be inspected from an obfuscated golang binary.

I found this after 5 minutes of googling.
https://github.com/mandiant/GoReSym is easy to use, and i was surprised how much stuff is still "exposed" in the binary.

install: go install github.com/mandiant/GoReSym@latest

execute: GoReSym.exe -t -d -p /path/to/binary

sample golang code:

package main

import "fmt"

func main() {
	fmt.Println("hello world")
}

The output from GoReSym is a massive JSON file, which shows you a huge amount of detail.
I produced one for non obfuscated code and one for garble obfuscated code.

Archive.zip contains these two file.

The garble settings were:
literal= false
tiny=false

Archive.zip

---

1. I would appreciate knowing what others use to do this type of inspection. I am sure there are other factors at play that GoReSym does not address. Still i liked the massive depth of info i get from GoReSym.
2. To me, having a quality inspection tool is really useful, otherwise your shooting blind. GoReSym is MIT License so it would be easy to integrate it into garble
3. I was surprised how much is still exposed.

[mvdan]

Tools like GoReSym are very different from garble - I'm willing to bet that they wouldn't be able to share any code at all. I personally don't see a reason to integrate it into this repository or vice versa. They are perfectly fine as two separate projects, and you're free to choose whatever obfuscator and de-obfuscator that works best for you.

As for "shooting blind" - note that there is garble -debugdir=out build, which lets you see the obfuscated code. It's not the whole picture, as part of the obfuscation happens via flags, but it's enough to see most of it.

I was surprised how much is still exposed.

Is there anything in particular where you think garble could do better? If so, I would suggest to file separate issues if there aren't any already. An issue saying "I wish obfuscated binaries exposed less" isn't actionable, so I can't keep it open :)

[mvdan]

Should be done now. It did move all comments as well, so I'm hiding the ones about moving the thread to prevent cluttering.

[gedw99]

Hey @mvdan

I am using redress to see how well its obfuscates ...

https://github.com/goretk/redress
go install github.com/goretk/redress@latest

then:

redress info <golang binary>

redress packages <golang binary>

redress moduledata <golang binary>

Its very helpful for me, and so maybe for you and others as a cross check.

I am using garble to protect the binaries from hacking aspects as the binaries are running on users laptops at the edge, which may also be injected with nasties. SO essentially lowering the attack surface. Its a nice secondary thing that garble is useful for.