首页
社区
课程
招聘
[讨论] go语言程序逆向
发表于: 2021-11-4 05:45 6525

[讨论] go语言程序逆向

2021-11-4 05:45
6525

go源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
package main
 
import (
    "time"
    "fmt"
    "net/http"
    "log"
    "net"
)
 
// Get preferred outbound ip of this machine
func GetOutboundIP() net.IP {
    conn, err := net.Dial("udp", "1.1.1.1:80") // 8.8.8.8:80")
    if err != nil {
        log.Fatal(err)
    }
    defer conn.Close()
    localAddr := conn.LocalAddr().(*net.UDPAddr)
    return localAddr.IP
}
 
func debuginfo(w http.ResponseWriter, req *http.Request) {
 
    fmt.Fprintf(w, "<html><head/><body>")
    fmt.Fprintf(w, "%s<br/>", time.Now())
    fmt.Fprintf(w, "%s<br/>", GetOutboundIP())
    for name, headers := range req.Header {
        for _, h := range headers {
            fmt.Fprintf(w, "%v: %v<br/>", name, h)
        }
    }
    fmt.Fprintf(w, "</body></html>")
}
 
func main() {
 
    http.HandleFunc("/debug", debuginfo)
    http.ListenAndServe(":8888", nil)
}

IDA逆向后的三个函数伪代码

 

main 函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
// write access to const memory has been detected, the output may be wrong!
void __cdecl main_main()
{
  __int64 v0; // rdx
  int v1; // edi
  __int64 v2; // rsi
  __int64 v3; // r8
  __int64 v4; // r9
  __int64 v5; // rcx
  int v6; // edx
  int v7; // ecx
  __int64 v8; // r8
  __int64 v9; // r9
  void *v10; // rdx
  int v11; // er8
  int v12; // er9
  void *v13; // rdi
  void *v14; // rcx
  void *retaddr; // [rsp+30h] [rbp+0h] BYREF
 
  v5 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&retaddr <= *(_QWORD *)(v5 + 16) )
    runtime_morestack_noctxt();
  net_http___ServeMux__Handle(v1, v2, v0, v5, v3, v4);
  runtime_newobject(v1, v2, v6, v7, v8, v9);
  v13 = &unk_6EF3B4;
  *((_QWORD *)&unk_6EF3B4 + 1) = 5LL;
  if ( runtime_writeBarrier )
  {
    runtime_gcWriteBarrier(&unk_6EF3B4);
  }
  else
  {
    v14 = &unk_6EF1E4;
    unk_6EF3B4 = &unk_6EF1E4;
  }
  *((_QWORD *)&unk_6EF3B4 + 2) = 0LL;
  if ( runtime_writeBarrier )
  {
    runtime_gcWriteBarrier((char *)&unk_6EF3B4 + 24);
    v13 = v10;
  }
  else
  {
    *((_QWORD *)&unk_6EF3B4 + 3) = 0LL;
  }
  net_http___Server__ListenAndServe((int)v13, v2, (_DWORD)v10, (_DWORD)v14, v11, v12, (__int64)v13);
}

debuginfo 函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
__int64 __fastcall main_debuginfo(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, __int64 a7, __int64 a8)
{
  __int64 v8; // rcx
  int v9; // edx
  int v10; // er8
  int v11; // er9
  int v12; // edx
  int v13; // ecx
  int v14; // er8
  int v15; // er9
  int v16; // er8
  int v17; // er9
  int v18; // er8
  int v19; // er9
  int v20; // edx
  int v21; // er8
  int v22; // er9
  int v23; // edx
  __int64 v24; // rcx
  int v25; // er8
  int v26; // er9
  int v27; // edx
  int v28; // ecx
  int v29; // er8
  int v30; // er9
  int v31; // er8
  int v32; // er9
  int v33; // edx
  int v34; // er8
  int v35; // er9
  __int64 *v36; // rdi
  __int64 v37; // rax
  int v38; // edx
  int v39; // er8
  int v40; // er9
  int v41; // edx
  int v42; // ecx
  int v43; // er8
  int v44; // er9
  __int64 *v45; // rdx
  __int64 v46; // rbx
  __int64 v47; // rax
  int v48; // edx
  int v49; // er8
  int v50; // er9
  int v51; // er8
  int v52; // er9
  int v53; // edx
  int v54; // er8
  int v55; // er9
  __int64 v56; // rcx
  int v57; // edx
  int v58; // er8
  int v59; // er9
  __int64 *v61; // [rsp+0h] [rbp-150h]
  __int64 v62; // [rsp+10h] [rbp-140h] BYREF
  __int64 v63; // [rsp+18h] [rbp-138h]
  _BYTE v64[24]; // [rsp+20h] [rbp-130h]
  __int64 v65; // [rsp+60h] [rbp-F0h]
  __int64 v66; // [rsp+68h] [rbp-E8h]
  __int64 v67; // [rsp+70h] [rbp-E0h]
  __int64 v68; // [rsp+78h] [rbp-D8h]
  __int64 v69; // [rsp+80h] [rbp-D0h]
  __int64 v70; // [rsp+88h] [rbp-C8h]
  __int64 v71; // [rsp+90h] [rbp-C0h] BYREF
  __int64 *v72; // [rsp+98h] [rbp-B8h]
  __int128 v73; // [rsp+A0h] [rbp-B0h] BYREF
  __int64 v74[3]; // [rsp+B0h] [rbp-A0h] BYREF
  __int128 v75; // [rsp+C8h] [rbp-88h] BYREF
  __int128 v76; // [rsp+D8h] [rbp-78h]
  __int64 *v77; // [rsp+E8h] [rbp-68h] BYREF
  __int64 v78; // [rsp+F0h] [rbp-60h]
  __int64 v79; // [rsp+148h] [rbp-8h] BYREF
 
  v8 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&v71 <= *(_QWORD *)(v8 + 16) )
    runtime_morestack_noctxt(a1, a2, a3, v8, a5, a6);
  runtime_convI2I(a1, a2, a8, a7, a5, a6, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v9,
    *(_DWORD *)&v64[8],
    v10,
    v11,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6F2EB5,
    19LL,
    0LL,
    0,
    0);
  time_Now(a1, a2, v12, v13, v14, v15, v62, v63, *(__int64 *)v64);
  v74[0] = v62;
  v74[1] = v63;
  v74[2] = *(_QWORD *)v64;
  v73 = 0LL;
  runtime_convT2E(
    a1,
    a2,
    *(_DWORD *)v64,
    v63,
    v16,
    v17,
    (__int64)&unk_6E8C00,
    (__int64)v74,
    *(__int64 *)v64,
    *(__int64 *)&v64[8]);
  v73 = *(_OWORD *)v64;
  runtime_convI2I(a1, a2, a8, a7, v18, v19, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v20,
    (unsigned int)&v73,
    v21,
    v22,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6EF637,
    7LL,
    (__int64)&v73,
    1,
    1);
  main_GetOutboundIP(a1, a2, v23, v24, v25, v26);
  runtime_convTslice(a1, a2, v27, v28, v29, v30, v62, v63, *(__int64 *)v64, *(__int64 *)&v64[8]);
  *(_QWORD *)&v73 = &unk_6D7600;
  *((_QWORD *)&v73 + 1) = *(_QWORD *)&v64[8];
  runtime_convI2I(a1, a2, a8, a7, v31, v32, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  fmt_Fprintf(
    a1,
    a2,
    v33,
    *(_DWORD *)&v64[8],
    v34,
    v35,
    *(__int64 *)&v64[8],
    *(__int64 *)&v64[16],
    byte_6EF637,
    7LL,
    (__int64)&v73,
    1,
    1);
  v36 = &v62 + 23;
  v61 = &v79;
  v37 = sub_45B6C1(v36, 0.0);
  runtime_mapiterinit(
    (_DWORD)v36,
    a2,
    v38,
    (unsigned int)&unk_6D1280,
    v39,
    v40,
    (__int64)&unk_6D1280,
    v37,
    (__int64)&v77);
  while ( v77 )
  {
    v45 = *(__int64 **)v78;
    v56 = *(_QWORD *)(v78 + 8);
    v46 = *v77;
    v47 = v77[1];
    if ( v56 > 0 )
    {
      v66 = *(_QWORD *)(v78 + 8);
      v69 = v46;
      v65 = v47;
      a2 = 0LL;
      while ( 1 )
      {
        v72 = v45;
        v68 = a2;
        v70 = *v45;
        v67 = v45[1];
        LODWORD(v36) = v67;
        runtime_convTstring(v67, a2, (_DWORD)v45, v70, v43, v44, v46, v47, *(__int64 *)v64);
        v71 = *(_QWORD *)v64;
        runtime_convTstring((_DWORD)v36, a2, v48, v67, v49, v50, v70, v67, *(__int64 *)v64);
        *(_QWORD *)&v75 = &unk_681F20;
        *((_QWORD *)&v75 + 1) = v71;
        *(_QWORD *)&v76 = &unk_681F20;
        *((_QWORD *)&v76 + 1) = *(_QWORD *)v64;
        runtime_convI2I(
          (_DWORD)v36,
          a2,
          a7,
          (unsigned int)&unk_681F20,
          v51,
          v52,
          (__int64)&unk_69DBA0,
          a7,
          a8,
          *(__int128 *)&v64[8]);
        fmt_Fprintf(
          (int)v36,
          a2,
          v53,
          (unsigned int)&v75,
          v54,
          v55,
          *(__int64 *)&v64[8],
          *(__int64 *)&v64[16],
          byte_6F0583,
          11LL,
          (__int64)&v75,
          2,
          2);
        LODWORD(v56) = v66;
        if ( v68 + 1 >= v66 )
          break;
        v45 = v72 + 2;
        v46 = v69;
        a2 = v68 + 1;
        v47 = v65;
      }
    }
    runtime_mapiternext((_DWORD)v36, a2, (_DWORD)v45, v56, v43, v44, (__int64)&v77);
  }
  runtime_convI2I((_DWORD)v36, a2, v41, v42, v43, v44, (__int64)&unk_69DBA0, a7, a8, *(__int128 *)&v64[8]);
  return fmt_Fprintf(
           (int)v36,
           a2,
           v57,
           *(_DWORD *)&v64[16],
           v58,
           v59,
           *(__int64 *)&v64[8],
           *(__int64 *)&v64[16],
           "</body></html><not Stringer>Accept-CharsetCertCloseStoreContent-LengthCreateProcessWCryptGenRandomDkim-SignatureFindFirstFileWFormatMessageWGC assist waitGC worker initGetConsoleModeGetProcAddressGetUserNameExWINTERNAL_ERRORMAX_FRAME_SIZEMB; allocated NetUserGetInfoNot AcceptableOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorREFUSED_STREAMREQUEST_METHODRegSetValueExWSetFilePointerTranslateNameWaccept-charsetallocfreetracebad allocCountbad record MACbad span statebad stack sizecontent-lengthdata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinternal errorinvalid methodinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedneed more datanil elem type!no module datano such deviceprotocol errorruntime: base=runtime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytoo many linkstoo many usersunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable:  unsafe.Pointerwinapi error #work.full != 0x509ignoreCN=1zero parameter  with GC prog\n is unavailable()<>@,;:\\\"/[]?=0601021504Z0700400 Bad Request476837158203125: cannot parse :ValidateLabels<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageBelowExactAboveCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FlushViewOfFileGateway TimeoutGetAdaptersInfoGetCommandLineWGetProcessTimesGetStartupInfoWHalfClosedLocalHanifi_RohingyaIdempotency-KeyImpersonateSelfLength RequiredNonTransitionalNot ImplementedOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviRegCreateKeyExWRegDeleteValueWRequest TimeoutUnmapViewOfFileX-Forwarded-For]\n\tmorebuf={pc:accept-encodingaccept-languageadvertise errorapplication/oggapplication/pdfapplication/zipbad certificatebad debugCallV1bad trailer keyfont/collectionforce gc (idle)invalid booleaninvalid paddinginvalid pointerkey has expiredmalloc deadlockmissing addressmissing mcache?ms: gomaxprocs=negative updatenetwork is downno medium foundno such processnon-minimal tagrecord overflowrecovery failedruntime error: runtime: frame scan missed a gstartm: m has pstopm holding punexpected typeunknown Go typeunknown networkunknown versionwrite error: %v already; errno= mheap.sweepgen= not in ranges:\n t.span.base()=  untyped locals %s %s HTTP/1.1\r\n, not a function.WithValue(type 0123456789ABCDEF0123456789abcdef2384185791015625: value of type :VerifyDNSLengthAddDllDirectory",
           14LL,
           0LL,
           0,
           0);
}

GetOutboundIP 函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
__int64 __fastcall main_GetOutboundIP(int a1, int a2, int a3, __int64 a4, int a5, int a6)
{
  __int64 v6; // rcx
  int v7; // er8
  __int64 v8; // r9
  __int128 v9; // rcx
  int v10; // edx
  int v11; // ecx
  int v12; // er8
  int v13; // er9
  int v14; // er8
  int v15; // er9
  __int64 v17; // [rsp+0h] [rbp-B0h]
  __int64 v18; // [rsp+0h] [rbp-B0h]
  void **v19; // [rsp+8h] [rbp-A8h]
  __int64 v20; // [rsp+10h] [rbp-A0h]
  __int64 v21; // [rsp+20h] [rbp-90h]
  __int64 v22; // [rsp+28h] [rbp-88h]
  __int64 v23; // [rsp+30h] [rbp-80h]
  __int64 v24; // [rsp+38h] [rbp-78h]
  int v25[6]; // [rsp+48h] [rbp-68h] BYREF
  __int64 v26; // [rsp+60h] [rbp-50h]
  __int64 v27; // [rsp+78h] [rbp-38h]
  char v28; // [rsp+80h] [rbp-30h] BYREF
  __int64 v29; // [rsp+90h] [rbp-20h]
  __int128 v30; // [rsp+98h] [rbp-18h] BYREF
 
  v6 = *(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer;
  if ( (unsigned __int64)&v28 <= *(_QWORD *)(v6 + 16) )
    runtime_morestack_noctxt();
  net_Dial(a1, a2, a3, v6, a5, a6, (__int64)&unk_6EEF18, 3LL, (__int64)&unk_6F012D, 10LL);
  v29 = v22;
  *((_QWORD *)&v9 + 1) = v24;
  if ( v23 )
  {
    *(_QWORD *)&v9 = *(_QWORD *)(v23 + 8);
    v30 = v9;
    v20 = 1LL;
    log_Fatal(a1, a2, v21, v9, v7, v8, (__int64)&v30, 1LL);
  }
  v25[0] = 24;
  v26 = v21 + 24;
  v27 = v29;
  if ( (unsigned int)runtime_deferprocStack(a1, a2, (unsigned int)v25, v29, v7, v8, (__int64)v25) )
    return runtime_deferreturn(a1, a2, v10, v11, v12, v13, v17);
  v18 = v29;
  (*(void (**)(void))(v21 + 32))();
  if ( v19 != &go_itab__net_UDPAddr_net_Addr )
    runtime_panicdottypeI(
      a1,
      a2,
      (unsigned int)&go_itab__net_UDPAddr_net_Addr,
      v20,
      v14,
      v15,
      (__int64)v19,
      (__int64)&unk_6BF8A0,
      (__int64)&unk_69F3A0);
  return runtime_deferreturn(a1, a2, *(_QWORD *)(v20 + 8), *(_QWORD *)(v20 + 16), v14, v15, v18);
}

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 288
活跃值: (320)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
难搞
2021-11-4 17:17
0
游客
登录 | 注册 方可回帖
返回
//