[讨论] go语言程序逆向
发表于: 2021-11-4 05:45 6472
go源码
// Command main is the sample program whose compiled form is decompiled in the
// listings that follow: a small HTTP server on port 8888 whose /debug endpoint
// prints the current time, the machine's outbound IP and the request headers.
//
// NOTE(review): the code is kept exactly as compiled so it still matches the
// decompiler output. The review notes below mark what would have to change
// before a handler like this is exposed beyond a lab host.
package main

import (
	"time"
	"fmt"
	"net/http"
	"log"
	"net"
)

// GetOutboundIP returns the local IP address of a UDP socket dialed to
// 1.1.1.1:80, i.e. the address the host would use for outbound traffic.
//
// NOTE(review): log.Fatal exits the whole process. debuginfo calls this
// function on every request, so one failed dial (for example, no route) takes
// the server down.
func GetOutboundIP() net.IP {
	conn, err := net.Dial("udp", "1.1.1.1:80") // leftover of an alternative target: 8.8.8.8:80
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	// Unchecked type assertion: panics if LocalAddr is not a *net.UDPAddr.
	localAddr := conn.LocalAddr().(*net.UDPAddr)

	return localAddr.IP
}

// debuginfo writes an HTML page containing the current time, the result of
// GetOutboundIP and every request header as "name: value" lines.
//
// NOTE(review): header names and values come from the client and are written
// into the HTML body without escaping; they need html.EscapeString (or
// html/template) before being echoed. The page also discloses the host's
// local address to any requester.
func debuginfo(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(w, "<html><head/><body>")
	fmt.Fprintf(w, "%s<br/>", time.Now())
	fmt.Fprintf(w, "%s<br/>", GetOutboundIP())
	// req.Header maps each header name to a slice of values.
	for name, headers := range req.Header {
		for _, h := range headers {
			fmt.Fprintf(w, "%v: %v<br/>", name, h)
		}
	}
	fmt.Fprintf(w, "</body></html>")
}

// main registers debuginfo on the default mux under /debug and serves on :8888.
//
// NOTE(review): ":8888" binds every interface, the error returned by
// ListenAndServe is discarded, and the default server sets no timeouts.
func main() {
	http.HandleFunc("/debug", debuginfo)
	http.ListenAndServe(":8888", nil)
}
IDA逆向后的三个函数伪代码
main 函数
// Decompiler output for main.main of the Go source above
// (http.HandleFunc("/debug", debuginfo); http.ListenAndServe(":8888", nil)).
//
// NOTE(review): v0..v4 are passed to the first call without ever being assigned
// in this listing, so the argument lists reflect the calling convention the
// decompiler assumed rather than the real Go arguments. Read the callee names
// and the constants; do not trust the parameter lists.
//
// write access to const memory has been detected, the output may be wrong!
void __cdecl main_main()
{
  __int64 v0; // rdx
  int v1; // edi
  __int64 v2; // rsi
  __int64 v3; // r8
  __int64 v4; // r9
  __int64 v5; // rcx
  int v6; // edx
  int v7; // ecx
  __int64 v8; // r8
  __int64 v9; // r9
  void *v10; // rdx
  int v11; // er8
  int v12; // er9
  void *v13; // rdi
  void *v14; // rcx
  void *retaddr; // [rsp+30h] [rbp+0h] BYREF

  // Function prologue: compares the stack address with a limit loaded through
  // the TEB pointer and calls runtime.morestack when the stack is too small.
  // Presumably v5 is the current goroutine and v5 + 16 its stack guard.
  v5 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&retaddr <= *(_QWORD *)(v5 + 16) )
    runtime_morestack_noctxt();
  // Presumably http.HandleFunc inlined down to (*ServeMux).Handle; the "/debug"
  // pattern and the handler do not show up in the recovered arguments.
  net_http___ServeMux__Handle(v1, v2, v0, v5, v3, v4);
  // Presumably allocates the http.Server that ListenAndServe builds. The stores
  // below then look like Addr = ":8888" (length 5 at +1, data pointer at +0)
  // and a nil Handler interface (zero words at +2 and +3). The decompiler
  // attributes them to a fixed address, which matches its warning above.
  runtime_newobject(v1, v2, v6, v7, v8, v9);
  v13 = &unk_6EF3B4;
  *((_QWORD *)&unk_6EF3B4 + 1) = 5LL;
  // Pointer stores go through the GC write barrier while it is enabled.
  if ( runtime_writeBarrier )
  {
    runtime_gcWriteBarrier(&unk_6EF3B4);
  }
  else
  {
    v14 = &unk_6EF1E4;
    unk_6EF3B4 = &unk_6EF1E4;
  }
  *((_QWORD *)&unk_6EF3B4 + 2) = 0LL;
  if ( runtime_writeBarrier )
  {
    runtime_gcWriteBarrier((char *)&unk_6EF3B4 + 24);
    v13 = v10;
  }
  else
  {
    *((_QWORD *)&unk_6EF3B4 + 3) = 0LL;
  }
  // The source discards the returned error, so nothing follows this call.
  net_http___Server__ListenAndServe((int)v13, v2, (_DWORD)v10, (_DWORD)v14, v11, v12, (__int64)v13);
}
debuginfo 函数
// Decompiler output for main.debuginfo(w http.ResponseWriter, req *http.Request).
//
// How to read it against the Go source:
//  - Each fmt.Fprintf in the source appears as a runtime_convI2I call followed
//    by fmt_Fprintf (presumably the conversion of w to the io.Writer parameter).
//  - Format strings are passed as pointer + length. The lengths 19, 7, 7, 11
//    and 14 match "<html><head/><body>", "%s<br/>", "%s<br/>", "%v: %v<br/>"
//    and "</body></html>".
//  - The trailing (pointer, n, n) triple is the variadic argument slice; n is
//    the number of values formatted.
// NOTE(review): many register-typed variables (v9..v59) are used without being
// assigned, so the argument lists are not reliable. Use callee names, constants
// and the stack variables only.
__int64 __fastcall main_debuginfo(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7, __int64 a8)
{
  __int64 v8; // rcx
  int v9; // edx
  int v10; // er8
  int v11; // er9
  int v12; // edx
  int v13; // ecx
  int v14; // er8
  int v15; // er9
  int v16; // er8
  int v17; // er9
  int v18; // er8
  int v19; // er9
  int v20; // edx
  int v21; // er8
  int v22; // er9
  int v23; // edx
  __int64 v24; // rcx
  int v25; // er8
  int v26; // er9
  int v27; // edx
  int v28; // ecx
  int v29; // er8
  int v30; // er9
  int v31; // er8
  int v32; // er9
  int v33; // edx
  int v34; // er8
  int v35; // er9
  __int64 *v36; // rdi
  __int64 v37; // rax
  int v38; // edx
  int v39; // er8
  int v40; // er9
  int v41; // edx
  int v42; // ecx
  int v43; // er8
  int v44; // er9
  __int64 *v45; // rdx
  __int64 v46; // rbx
  __int64 v47; // rax
  int v48; // edx
  int v49; // er8
  int v50; // er9
  int v51; // er8
  int v52; // er9
  int v53; // edx
  int v54; // er8
  int v55; // er9
  __int64 v56; // rcx
  int v57; // edx
  int v58; // er8
  int v59; // er9
  __int64 *v61; // [rsp+0h] [rbp-150h]
  __int64 v62; // [rsp+10h] [rbp-140h] BYREF
  __int64 v63; // [rsp+18h] [rbp-138h]
  _BYTE v64[24]; // [rsp+20h] [rbp-130h]
  __int64 v65; // [rsp+60h] [rbp-F0h]
  __int64 v66; // [rsp+68h] [rbp-E8h]
  __int64 v67; // [rsp+70h] [rbp-E0h]
  __int64 v68; // [rsp+78h] [rbp-D8h]
  __int64 v69; // [rsp+80h] [rbp-D0h]
  __int64 v70; // [rsp+88h] [rbp-C8h]
  __int64 v71; // [rsp+90h] [rbp-C0h] BYREF
  __int64 *v72; // [rsp+98h] [rbp-B8h]
  __int128 v73; // [rsp+A0h] [rbp-B0h] BYREF
  __int64 v74[3]; // [rsp+B0h] [rbp-A0h] BYREF
  __int128 v75; // [rsp+C8h] [rbp-88h] BYREF
  __int128 v76; // [rsp+D8h] [rbp-78h]
  __int64 *v77; // [rsp+E8h] [rbp-68h] BYREF
  __int64 v78; // [rsp+F0h] [rbp-60h]
  __int64 v79; // [rsp+148h] [rbp-8h] BYREF

  // Stack-growth prologue, same shape as in main_main.
  v8 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&v71 <= *(_QWORD *)(v8 + 16) )
    runtime_morestack_noctxt(a1, a2, a3, v8, a5, a6);
  // fmt.Fprintf(w, "<html><head/><body>"): length 19, no variadic arguments.
  runtime_convI2I(a1, a2, a8, a7, a5, a6, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v9,
    *(_DWORD *)&v64[8],
    v10,
    v11,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6F2EB5,
    19LL,
    0LL,
    0,
    0);
  // fmt.Fprintf(w, "%s<br/>", time.Now()): the three-word result is copied to
  // v74 and boxed by runtime_convT2E into the one-element argument slice v73.
  time_Now(a1, a2, v12, v13, v14, v15, v62, v63, *(__int64 *)v64);
  v74[0] = v62;
  v74[1] = v63;
  v74[2] = *(_QWORD *)v64;
  v73 = 0LL;
  runtime_convT2E(
    a1,
    a2,
    *(_DWORD *)v64,
    v63,
    v16,
    v17,
    (__int64)&unk_6E8C00,
    (__int64)v74,
    *(__int64 *)v64,
    *(__int64 *)&v64[8]);
  v73 = *(_OWORD *)v64;
  runtime_convI2I(a1, a2, a8, a7, v18, v19, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v20,
    (unsigned int)&v73,
    v21,
    v22,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6EF637,
    7LL,
    (__int64)&v73,
    1,
    1);
  // fmt.Fprintf(w, "%s<br/>", GetOutboundIP()): the returned slice is boxed by
  // runtime_convTslice; unk_6D7600 is presumably the type descriptor of net.IP.
  main_GetOutboundIP(a1, a2, v23, v24, v25, v26);
  runtime_convTslice(a1, a2, v27, v28, v29, v30, v62, v63, *(__int64 *)v64, *(__int64 *)&v64[8]);
  *(_QWORD *)&v73 = &unk_6D7600;
  *((_QWORD *)&v73 + 1) = *(_QWORD *)&v64[8];
  runtime_convI2I(a1, a2, a8, a7, v31, v32, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v33,
    *(_DWORD *)&v64[8],
    v34,
    v35,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6EF637,
    7LL,
    (__int64)&v73,
    1,
    1);
  // for name, headers := range req.Header: iterator set up with
  // runtime_mapiterinit and advanced with runtime_mapiternext; v77 and v78 are
  // the current key and value pointers, and a null key ends the loop.
  // sub_45B6C1 is presumably a runtime block-clear helper that zeroes the
  // iterator state first -- TODO confirm.
  v36 = &v62 + 23;
  v61 = &v79;
  v37 = sub_45B6C1(v36, 0.0);
  runtime_mapiterinit(
    (_DWORD)v36,
    a2,
    v38,
    (unsigned int)&unk_6D1280,
    v39,
    v40,
    (__int64)&unk_6D1280,
    v37,
    (__int64)&v77);
  while ( v77 )
  {
    // Value is a slice of strings: data pointer v45, length v56.
    // Key is a string: data pointer v46, length v47.
    v45 = *(__int64 **)v78;
    v56 = *(_QWORD *)(v78 + 8);
    v46 = *v77;
    v47 = v77[1];
    if ( v56 > 0 )
    {
      v66 = *(_QWORD *)(v78 + 8);
      v69 = v46;
      v65 = v47;
      a2 = 0LL;
      // for _, h := range headers: a2 is the index; v45 advances by two words
      // (one string header) per iteration.
      while ( 1 )
      {
        v72 = v45;
        v68 = a2;
        v70 = *v45;
        v67 = v45[1];
        LODWORD(v36) = v67;
        // Box name (v46, v47) and h (v70, v67) for the "%v: %v<br/>" call.
        // unk_681F20 is presumably the string type descriptor. Both values are
        // passed to fmt_Fprintf as received; no escaping call appears here.
        runtime_convTstring(v67, a2, (_DWORD)v45, v70, v43, v44, v46, v47, *(__int64 *)v64);
        v71 = *(_QWORD *)v64;
        runtime_convTstring((_DWORD)v36, a2, v48, v67, v49, v50, v70, v67, *(__int64 *)v64);
        *(_QWORD *)&v75 = &unk_681F20;
        *((_QWORD *)&v75 + 1) = v71;
        *(_QWORD *)&v76 = &unk_681F20;
        *((_QWORD *)&v76 + 1) = *(_QWORD *)v64;
        runtime_convI2I(
          (_DWORD)v36,
          a2,
          a7,
          (unsigned int)&unk_681F20,
          v51,
          v52,
          (__int64)&unk_69DBA0,
          a7,
          a8,
          *(__int128 *)&v64[8]);
        fmt_Fprintf(
          (int)v36,
          a2,
          v53,
          (unsigned int)&v75,
          v54,
          v55,
          *(__int64 *)&v64[8],
          *(__int64 *)&v64[16],
          byte_6F0583,
          11LL,
          (__int64)&v75,
          2,
          2);
        LODWORD(v56) = v66;
        if ( v68 + 1 >= v66 )
          break;
        v45 = v72 + 2;
        v46 = v69;
        a2 = v68 + 1;
        v47 = v65;
      }
    }
    runtime_mapiternext((_DWORD)v36, a2, (_DWORD)v45, v56, v43, v44, (__int64)&v77);
  }
  // fmt.Fprintf(w, "</body></html>"). Go strings carry an explicit length and
  // are not NUL-terminated, so the decompiler ran the literal on through the
  // neighbouring string data. Only the first 14 bytes ("</body></html>", the
  // 14LL operand) belong to this call; the rest is unrelated runtime and
  // library text.
  runtime_convI2I((_DWORD)v36, a2, v41, v42, v43, v44, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  return fmt_Fprintf(
           (int)v36,
           a2,
           v57,
           *(_DWORD *)&v64[16],
           v58,
           v59,
           *(__int64 *)&v64[8],
           *(__int64 *)&v64[16],
           "</body></html><not Stringer>Accept-CharsetCertCloseStoreContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWINTERNAL_ERRORMAX_FRAME_SIZEMB; allocated NetUserGetInfoNot AcceptableOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWaccept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid methodinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedneed more datanil elem type!no module datano such deviceprotocol errorruntime: base=runtime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.Pointerwinapi error #work.full != 0x509ignoreCN=1zero parameter with GC prog\n is unavailable()<>@,;:\\\"/[]?=0601021504Z0700400 Bad Request476837158203125: cannot parse :ValidateLabels<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageBelowExactAboveCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FlushViewOfFileGateway TimeoutGetAdaptersInfoGetCommandLineWGetProcessTimesGetStartupInfoWHalfClosedLocalHanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredNonTransitionalNot ImplementedOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]\n\tmorebuf={pc:accept-encodingaccept-languageadvertise errorapplication/oggapplication/pdfapplication/zipbad certificatebad debugCallV1bad trailer keyfont/collectionforce gc (idle)invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=negative updatenetwork is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedruntime error: runtime: frame scan missed a gstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges:\n t.span.base()= untyped locals %s %s HTTP/1.1\r\n, not a function.WithValue(type 0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory",
           14LL,
           0LL,
           0,
           0);
}
GetOutboundIP 函数
// Decompiler output for main.GetOutboundIP of the Go source above.
//
// NOTE(review): v21..v24 and v19 are read without ever being assigned in this
// listing. They are presumably the stack slots in which the callee left its
// results, which the decompiler did not model. a1..a6 are the decompiler's
// guess as well; the Go function takes no parameters.
__int64 __fastcall main_GetOutboundIP(int a1, int a2, int a3, __int64 a4, int a5, int a6)
{
  __int64 v6; // rcx
  int v7; // er8
  __int64 v8; // r9
  __int128 v9; // rcx
  int v10; // edx
  int v11; // ecx
  int v12; // er8
  int v13; // er9
  int v14; // er8
  int v15; // er9
  __int64 v17; // [rsp+0h] [rbp-B0h]
  __int64 v18; // [rsp+0h] [rbp-B0h]
  void **v19; // [rsp+8h] [rbp-A8h]
  __int64 v20; // [rsp+10h] [rbp-A0h]
  __int64 v21; // [rsp+20h] [rbp-90h]
  __int64 v22; // [rsp+28h] [rbp-88h]
  __int64 v23; // [rsp+30h] [rbp-80h]
  __int64 v24; // [rsp+38h] [rbp-78h]
  int v25[6]; // [rsp+48h] [rbp-68h] BYREF
  __int64 v26; // [rsp+60h] [rbp-50h]
  __int64 v27; // [rsp+78h] [rbp-38h]
  char v28; // [rsp+80h] [rbp-30h] BYREF
  __int64 v29; // [rsp+90h] [rbp-20h]
  __int128 v30; // [rsp+98h] [rbp-18h] BYREF

  // Stack-growth prologue, same shape as in main_main.
  v6 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&v28 <= *(_QWORD *)(v6 + 16) )
    runtime_morestack_noctxt();
  // net.Dial("udp", "1.1.1.1:80"): the two strings are passed as pointer +
  // length, and the lengths 3 and 10 match the source literals.
  net_Dial(a1, a2, a3, v6, a5, a6, (__int64)&unk_6EEF18, 3LL, (__int64)&unk_6F012D, 10LL);
  // Presumably (v21, v22) hold the returned conn and (v23, v24) the error.
  v29 = v22;
  *((_QWORD *)&v9 + 1) = v24;
  // if err != nil { log.Fatal(err) }: err is boxed into v30 and passed as a
  // one-element argument slice. log.Fatal does not return; the decompiler
  // shows a fall-through because it does not know that.
  if ( v23 )
  {
    *(_QWORD *)&v9 = *(_QWORD *)(v23 + 8);
    v30 = v9;
    v20 = 1LL;
    log_Fatal(a1, a2, v21, v9, v7, v8, (__int64)&v30, 1LL);
  }
  // defer conn.Close(): v25 is the on-stack record handed to
  // runtime_deferprocStack. v26 points into conn's method table at +24
  // (presumably the Close slot) and v27 is the receiver.
  v25[0] = 24;
  v26 = v21 + 24;
  v27 = v29;
  // A non-zero result is the path taken when the function is resumed during
  // panic recovery -- TODO confirm.
  if ( (unsigned int)runtime_deferprocStack(a1, a2, (unsigned int)v25, v29, v7, v8, (__int64)v25) )
    return runtime_deferreturn(a1, a2, v10, v11, v12, v13, v17);
  // conn.LocalAddr(): indirect call through the next method-table slot (+32).
  v18 = v29;
  (*(void (**)(void))(v21 + 32))();
  // .(*net.UDPAddr): the returned interface's method table is compared with
  // the one for *net.UDPAddr, and a mismatch ends in runtime.panicdottypeI.
  if ( v19 != &go_itab__net_UDPAddr_net_Addr )
    runtime_panicdottypeI(
      a1,
      a2,
      (unsigned int)&go_itab__net_UDPAddr_net_Addr,
      v20,
      v14,
      v15,
      (__int64)v19,
      (__int64)&unk_6BF8A0,
      (__int64)&unk_69F3A0);
  // return localAddr.IP: the loads from v20 + 8 and v20 + 16 are presumably
  // part of copying the slice header into the result. runtime_deferreturn then
  // runs the deferred Close.
  return runtime_deferreturn(a1, a2, *(_QWORD *)(v20 + 8), *(_QWORD *)(v20 + 16), v14, v15, v18);
}