[讨论] go语言程序逆向-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[讨论] go语言程序逆向

2021-11-4 05:45 5783

[讨论] go语言程序逆向

微启宇

2021-11-4 05:45

5783

go源码

package main
 
import (
    "time"
    "fmt"
    "net/http"
    "log"
    "net"
)
 
// Get preferred outbound ip of this machine
func GetOutboundIP() net.IP {
    conn, err := net.Dial("udp", "1.1.1.1:80") // 8.8.8.8:80")
    if err != nil {
        log.Fatal(err)
    }
    defer conn.Close()
    localAddr := conn.LocalAddr().(*net.UDPAddr)
    return localAddr.IP
}
 
func debuginfo(w http.ResponseWriter, req *http.Request) {
 
    fmt.Fprintf(w, "<html><head/><body>")
    fmt.Fprintf(w, "%s<br/>", time.Now())
    fmt.Fprintf(w, "%s<br/>", GetOutboundIP())
    for name, headers := range req.Header {
        for _, h := range headers {
            fmt.Fprintf(w, "%v: %v<br/>", name, h)
        }
    }
    fmt.Fprintf(w, "</body></html>")
}
 
func main() {
 
    http.HandleFunc("/debug", debuginfo)
    http.ListenAndServe(":8888", nil)
}

IDA逆向后的三个函数伪代码

main 函数

// write access to const memory has been detected, the output may be wrong!
void __cdecl main_main()
{
  __int64 v0; // rdx
  int v1; // edi
  __int64 v2; // rsi
  __int64 v3; // r8
  __int64 v4; // r9
  __int64 v5; // rcx
  int v6; // edx
  int v7; // ecx
  __int64 v8; // r8
  __int64 v9; // r9
  void *v10; // rdx
  int v11; // er8
  int v12; // er9
  void *v13; // rdi
  void *v14; // rcx
  void *retaddr; // [rsp+30h] [rbp+0h] BYREF
 
  v5 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&retaddr <= *(_QWORD *)(v5 + 16) )
    runtime_morestack_noctxt();
  net_http___ServeMux__Handle(v1, v2, v0, v5, v3, v4);
  runtime_newobject(v1, v2, v6, v7, v8, v9);
  v13 = &unk_6EF3B4;
  *((_QWORD *)&unk_6EF3B4 + 1) = 5LL;
  if ( runtime_writeBarrier )
  {
    runtime_gcWriteBarrier(&unk_6EF3B4);
  }
  else
  {
    v14 = &unk_6EF1E4;
    unk_6EF3B4 = &unk_6EF1E4;
  }
  *((_QWORD *)&unk_6EF3B4 + 2) = 0LL;
  if ( runtime_writeBarrier )
  {
    runtime_gcWriteBarrier((char *)&unk_6EF3B4 + 24);
    v13 = v10;
  }
  else
  {
    *((_QWORD *)&unk_6EF3B4 + 3) = 0LL;
  }
  net_http___Server__ListenAndServe((int)v13, v2, (_DWORD)v10, (_DWORD)v14, v11, v12, (__int64)v13);
}

debuginfo 函数

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

__int64 __fastcall main_debuginfo(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7, __int64 a8)
{
  __int64 v8; // rcx
  int v9; // edx
  int v10; // er8
  int v11; // er9
  int v12; // edx
  int v13; // ecx
  int v14; // er8
  int v15; // er9
  int v16; // er8
  int v17; // er9
  int v18; // er8
  int v19; // er9
  int v20; // edx
  int v21; // er8
  int v22; // er9
  int v23; // edx
  __int64 v24; // rcx
  int v25; // er8
  int v26; // er9
  int v27; // edx
  int v28; // ecx
  int v29; // er8
  int v30; // er9
  int v31; // er8
  int v32; // er9
  int v33; // edx
  int v34; // er8
  int v35; // er9
  __int64 *v36; // rdi
  __int64 v37; // rax
  int v38; // edx
  int v39; // er8
  int v40; // er9
  int v41; // edx
  int v42; // ecx
  int v43; // er8
  int v44; // er9
  __int64 *v45; // rdx
  __int64 v46; // rbx
  __int64 v47; // rax
  int v48; // edx
  int v49; // er8
  int v50; // er9
  int v51; // er8
  int v52; // er9
  int v53; // edx
  int v54; // er8
  int v55; // er9
  __int64 v56; // rcx
  int v57; // edx
  int v58; // er8
  int v59; // er9
  __int64 *v61; // [rsp+0h] [rbp-150h]
  __int64 v62; // [rsp+10h] [rbp-140h] BYREF
  __int64 v63; // [rsp+18h] [rbp-138h]
  _BYTE v64[24]; // [rsp+20h] [rbp-130h]
  __int64 v65; // [rsp+60h] [rbp-F0h]
  __int64 v66; // [rsp+68h] [rbp-E8h]
  __int64 v67; // [rsp+70h] [rbp-E0h]
  __int64 v68; // [rsp+78h] [rbp-D8h]
  __int64 v69; // [rsp+80h] [rbp-D0h]
  __int64 v70; // [rsp+88h] [rbp-C8h]
  __int64 v71; // [rsp+90h] [rbp-C0h] BYREF
  __int64 *v72; // [rsp+98h] [rbp-B8h]
  __int128 v73; // [rsp+A0h] [rbp-B0h] BYREF
  __int64 v74[3]; // [rsp+B0h] [rbp-A0h] BYREF
  __int128 v75; // [rsp+C8h] [rbp-88h] BYREF
  __int128 v76; // [rsp+D8h] [rbp-78h]
  __int64 *v77; // [rsp+E8h] [rbp-68h] BYREF
  __int64 v78; // [rsp+F0h] [rbp-60h]
  __int64 v79; // [rsp+148h] [rbp-8h] BYREF
 
  v8 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&v71 <= *(_QWORD *)(v8 + 16) )
    runtime_morestack_noctxt(a1, a2, a3, v8, a5, a6);
  runtime_convI2I(a1, a2, a8, a7, a5, a6, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v9,
    *(_DWORD *)&v64[8],
    v10,
    v11,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6F2EB5,
    19LL,
    0LL,
    0,
    0);
  time_Now(a1, a2, v12, v13, v14, v15, v62, v63, *(__int64 *)v64);
  v74[0] = v62;
  v74[1] = v63;
  v74[2] = *(_QWORD *)v64;
  v73 = 0LL;
  runtime_convT2E(
    a1,
    a2,
    *(_DWORD *)v64,
    v63,
    v16,
    v17,
    (__int64)&unk_6E8C00,
    (__int64)v74,
    *(__int64 *)v64,
    *(__int64 *)&v64[8]);
  v73 = *(_OWORD *)v64;
  runtime_convI2I(a1, a2, a8, a7, v18, v19, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v20,
    (unsigned int)&v73,
    v21,
    v22,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6EF637,
    7LL,
    (__int64)&v73,
    1,
    1);
  main_GetOutboundIP(a1, a2, v23, v24, v25, v26);
  runtime_convTslice(a1, a2, v27, v28, v29, v30, v62, v63, *(__int64 *)v64, *(__int64 *)&v64[8]);
  *(_QWORD *)&v73 = &unk_6D7600;
  *((_QWORD *)&v73 + 1) = *(_QWORD *)&v64[8];
  runtime_convI2I(a1, a2, a8, a7, v31, v32, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v33,
    *(_DWORD *)&v64[8],
    v34,
    v35,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6EF637,
    7LL,
    (__int64)&v73,
    1,
    1);
  v36 = &v62 + 23;
  v61 = &v79;
  v37 = sub_45B6C1(v36, 0.0);
  runtime_mapiterinit(
    (_DWORD)v36,
    a2,
    v38,
    (unsigned int)&unk_6D1280,
    v39,
    v40,
    (__int64)&unk_6D1280,
    v37,
    (__int64)&v77);
  while ( v77 )
  {
    v45 = *(__int64 **)v78;
    v56 = *(_QWORD *)(v78 + 8);
    v46 = *v77;
    v47 = v77[1];
    if ( v56 > 0 )
    {
      v66 = *(_QWORD *)(v78 + 8);
      v69 = v46;
      v65 = v47;
      a2 = 0LL;
      while ( 1 )
      {
        v72 = v45;
        v68 = a2;
        v70 = *v45;
        v67 = v45[1];
        LODWORD(v36) = v67;
        runtime_convTstring(v67, a2, (_DWORD)v45, v70, v43, v44, v46, v47, *(__int64 *)v64);
        v71 = *(_QWORD *)v64;
        runtime_convTstring((_DWORD)v36, a2, v48, v67, v49, v50, v70, v67, *(__int64 *)v64);
        *(_QWORD *)&v75 = &unk_681F20;
        *((_QWORD *)&v75 + 1) = v71;
        *(_QWORD *)&v76 = &unk_681F20;
        *((_QWORD *)&v76 + 1) = *(_QWORD *)v64;
        runtime_convI2I(
          (_DWORD)v36,
          a2,
          a7,
          (unsigned int)&unk_681F20,
          v51,
          v52,
          (__int64)&unk_69DBA0,
          a7,
          a8,
          *(__int128 *)&v64[8]);
        fmt_Fprintf(
          (int)v36,
          a2,
          v53,
          (unsigned int)&v75,
          v54,
          v55,
          *(__int64 *)&v64[8],
          *(__int64 *)&v64[16],
          byte_6F0583,
          11LL,
          (__int64)&v75,
          2,
          2);
        LODWORD(v56) = v66;
        if ( v68 + 1 >= v66 )
          break;
        v45 = v72 + 2;
        v46 = v69;
        a2 = v68 + 1;
        v47 = v65;
      }
    }
    runtime_mapiternext((_DWORD)v36, a2, (_DWORD)v45, v56, v43, v44, (__int64)&v77);
  }
  runtime_convI2I((_DWORD)v36, a2, v41, v42, v43, v44, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  return fmt_Fprintf(
           (int)v36,
           a2,
           v57,
           *(_DWORD *)&v64[16],
           v58,
           v59,
           *(__int64 *)&v64[8],
           *(__int64 *)&v64[16],
           "</body></html><not Stringer>Accept-CharsetCertCloseStoreContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWINTERNAL_ERRORMAX_FRAME_SIZEMB; allocated NetUserGetInfoNot AcceptableOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWaccept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid methodinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedneed more datanil elem type!no module datano such deviceprotocol errorruntime: base=runtime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable:  unsafe.Pointerwinapi error #work.full != 0x509ignoreCN=1zero parameter  with GC prog\n is unavailable()<>@,;:\\\"/[]?=0601021504Z0700400 Bad Request476837158203125: cannot parse :ValidateLabels<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageBelowExactAboveCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FlushViewOfFileGateway TimeoutGetAdaptersInfoGetCommandLineWGetProcessTimesGetStartupInfoWHalfClosedLocalHanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredNonTransitionalNot ImplementedOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]\n\tmorebuf={pc:accept-encodingaccept-languageadvertise errorapplication/oggapplication/pdfapplication/zipbad certificatebad debugCallV1bad trailer keyfont/collectionforce gc (idle)invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=negative updatenetwork is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedruntime error: runtime: frame scan missed a gstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges:\n t.span.base()=  untyped locals %s %s HTTP/1.1\r\n, not a function.WithValue(type 0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory",
           14LL,
           0LL,
           0,
           0);
}

GetOutboundIP 函数

__int64 __fastcall main_GetOutboundIP(int a1, int a2, int a3, __int64 a4, int a5, int a6)
{
  __int64 v6; // rcx
  int v7; // er8
  __int64 v8; // r9
  __int128 v9; // rcx
  int v10; // edx
  int v11; // ecx
  int v12; // er8
  int v13; // er9
  int v14; // er8
  int v15; // er9
  __int64 v17; // [rsp+0h] [rbp-B0h]
  __int64 v18; // [rsp+0h] [rbp-B0h]
  void **v19; // [rsp+8h] [rbp-A8h]
  __int64 v20; // [rsp+10h] [rbp-A0h]
  __int64 v21; // [rsp+20h] [rbp-90h]
  __int64 v22; // [rsp+28h] [rbp-88h]
  __int64 v23; // [rsp+30h] [rbp-80h]
  __int64 v24; // [rsp+38h] [rbp-78h]
  int v25[6]; // [rsp+48h] [rbp-68h] BYREF
  __int64 v26; // [rsp+60h] [rbp-50h]
  __int64 v27; // [rsp+78h] [rbp-38h]
  char v28; // [rsp+80h] [rbp-30h] BYREF
  __int64 v29; // [rsp+90h] [rbp-20h]
  __int128 v30; // [rsp+98h] [rbp-18h] BYREF
 
  v6 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&v28 <= *(_QWORD *)(v6 + 16) )
    runtime_morestack_noctxt();
  net_Dial(a1, a2, a3, v6, a5, a6, (__int64)&unk_6EEF18, 3LL, (__int64)&unk_6F012D, 10LL);
  v29 = v22;
  *((_QWORD *)&v9 + 1) = v24;
  if ( v23 )
  {
    *(_QWORD *)&v9 = *(_QWORD *)(v23 + 8);
    v30 = v9;
    v20 = 1LL;
    log_Fatal(a1, a2, v21, v9, v7, v8, (__int64)&v30, 1LL);
  }
  v25[0] = 24;
  v26 = v21 + 24;
  v27 = v29;
  if ( (unsigned int)runtime_deferprocStack(a1, a2, (unsigned int)v25, v29, v7, v8, (__int64)v25) )
    return runtime_deferreturn(a1, a2, v10, v11, v12, v13, v17);
  v18 = v29;
  (*(void (**)(void))(v21 + 32))();
  if ( v19 != &go_itab__net_UDPAddr_net_Addr )
    runtime_panicdottypeI(
      a1,
      a2,
      (unsigned int)&go_itab__net_UDPAddr_net_Addr,
      v20,
      v14,
      v15,
      (__int64)v19,
      (__int64)&unk_6BF8A0,
      (__int64)&unk_69F3A0);
  return runtime_deferreturn(a1, a2, *(_QWORD *)(v20 + 8), *(_QWORD *)(v20 + 16), v14, v15, v18);
}

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。

#其他内容

收藏・1

点赞・0

打赏

最新回复 (1)
wx_want 雪币： 280 活跃值： (200) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	wx_want 2021-11-4 17:17 2 楼 0 难搞
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复