
I am writing this because of a packed Go challenge I authored: after manually unpacking the UPX layer, some of the section names differ from the original, so neither IDA nor the PE detection tools recognise the Go signature (even though the offsets the sections point to and the goid are correct).

Go challenges are usually unpleasant; without recovering the symbols they are a nightmare (and even with the symbols recovered they are still not much fun).

Detecting Go

I do not yet know what IDA uses to detect Go.

Here is the Go detection signature from DIE (Detect It Easy):

// DIE's signature file
// created by A.S.L - asl@onet.eu - 2019.01
// improved by fernandom - menteb.in - 2020.04

init("compiler","Go");

function detect(bShowType,bShowVersion,bShowOptions)
{
    // All go compiled PE binaries have a .symtab section
    if (!PE.section[".symtab"])
    {
        bDetected=0;
        return result(bShowType,bShowVersion);
    }

    bDetected=1;

    if (PE.compareEP("488d742408488b3c24488d0510000000ffe0cccccccccccccccccccccccccccc") ||
        PE.compareEP("83ec0c8b44240c8d5c241089442404895c2408c70424ffffffffe901000000cc"))
    {
        sVersion="1.7.x-1.9.x";
    }
    else if (PE.compareEP("e90bd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089") ||
        PE.compareEP("e92bc7ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c"))
    {
        sVersion="1.10";
    }
    else if (PE.compareEP("e98bc8ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") ||
        PE.compareEP("e90bd9ffffcccccccccccccccccccccc8b5c240464c705340000000000000089"))
    {
        sVersion="1.10.x";
    }
    else if (PE.compareEP("e98bdbffffcccccccccccccccccccccc8b5c240464c705340000000000000089") ||
        PE.compareEP("e9dbc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c"))
    {
        sVersion="1.11-1.11.x";
    }
    else if (PE.compareEP("e9ebc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") ||
        PE.compareEP("e99bdbffffcccccccccccccccccccccc8b5c240464c705340000000000000089"))
    {
        sVersion="1.12 or 1.12.2-1.12.9";
    }
    else if (PE.compareEP("e98bc4ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") ||
        PE.compareEP("e99bdaffffcccccccccccccccccccccc8b5c240464c705340000000000000089"))
    {
        sVersion="1.12.1";
    }
    else if (PE.compareEP("e92bc5ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") ||
        PE.compareEP("e9cbdaffffcccccccccccccccccccccc8b5c240464c705340000000000000089"))
    {
        sVersion="1.13 or 1.13.2";
    }
    else if (PE.compareEP("e9cbc3ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c") ||
        PE.compareEP("e9cbd9ffffcccccccccccccccccccccc8b5c240464c705340000000000000089"))
    {
        sVersion="1.13.1 or 1.13.3-9";
    }
    else if (PE.compareEP("e9cbd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089") ||
        PE.compareEP("e9cbc1ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c"))
    {
        sVersion="1.14 or 1.14.x";
    }
    else if (PE.compareEP("e9....ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c2530000000c7476800000000") ||
        PE.compareEP("e9....ffffcccccccccccccccccccccc8b5c240464c705340000000000000089e58b4b0489c8c1e00229c489e78b7308fcf3"))
    {
        sVersion="1.x";
    }
    else {
        bDetected=0;
    }

    return result(bShowType,bShowVersion);
}

All go compiled PE binaries have a .symtab section

So DIE identifies Go in two steps: it first requires a section named .symtab (no section, no detection, whatever the entry point looks like), and only then compares the bytes at the entry point against the per-version patterns above (in the final, version-agnostic pair a "." stands for a wildcard nibble). Both halves are heuristics about the unmodified linker output: the section name check fails as soon as anything rewrites the section table.

The .symtab section of a PE file from a Go-written challenge:

[screenshot of the section table]

(... that is all there is to it)

Searching for strings in WinHex finds the Go 1.14 version string:

[screenshot of the WinHex string hit]

The program I unpacked from UPX does not have a .symtab section, but the signature can still be found; later I will try adding the section back and see whether IDA then recognises it as Go.
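To make the two points above concrete (DIE's .symtab-then-entry-point rule, and the fact that an unpacked sample with a rewritten section table still carries the Go entry-point pattern), here is an added example script of my own; it is not DIE's code and not part of the original post. It parses the PE header and section table by hand, reimplements DIE's compareEP matching with "." wildcards over a subset of the patterns above, and adds two checks that do not depend on section names: a scan for the pclntab header (magic, two zero pad bytes, minLC, pointer size; the magic values and their version ranges are taken from the Go runtime and are my assumption here, not something the post states) and the "go1.x" version-string search that the WinHex screenshot shows. The sample PE32+ image it builds is constructed for the demonstration: it is not a real Go binary, only a header layout with the Go 1.14 amd64 entry stub, a pclntab header and a version string placed in sections.

```python
import re
import struct

# Subset of the DIE entry-point patterns shown above (hex, '.' = wildcard nibble).
EP_PATTERNS = [
    ("1.14 or 1.14.x", "e9cbd8ffffcccccccccccccccccccccc8b5c240464c705340000000000000089"),
    ("1.14 or 1.14.x", "e9cbc1ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c"),
    ("1.x", "e9....ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c2530000000c7476800000000"),
    ("1.x", "e9....ffffcccccccccccccccccccccc8b5c240464c705340000000000000089e58b4b0489c8c1e00229c489e78b7308fcf3"),
]

# pclntab header: u32 magic, two zero pad bytes, minLC (1 on x86), ptrSize (4 or 8).
# Magic values per table format (assumption taken from the Go runtime sources).
PCLNTAB_MAGIC = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}


def hex_match(data, pattern):
    """DIE-style compareEP: every pattern nibble equals the data nibble or is '.'."""
    h = data.hex()
    return len(h) >= len(pattern) and all(p in (".", c) for p, c in zip(pattern, h))


def parse_pe(buf):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                         # IMAGE_SECTION_HEADER
        name = buf[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", buf, off + 8)
        sections.append((name, va, vsize, rptr, rsize))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    for _, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rptr + (rva - va)
    return None


def find_pclntab(buf):
    """Scan for a pclntab header; independent of section names (may false-positive)."""
    for magic, label in PCLNTAB_MAGIC.items():
        needle = struct.pack("<I", magic)
        pos = buf.find(needle)
        while pos != -1 and pos + 8 <= len(buf):
            if buf[pos + 4:pos + 6] == b"\0\0" and buf[pos + 6] == 1 and buf[pos + 7] in (4, 8):
                return pos, label
            pos = buf.find(needle, pos + 1)
    return None


def detect_go(buf):
    entry_rva, sections = parse_pe(buf)
    res = {"symtab": any(s[0] == ".symtab" for s in sections), "ep_version": None,
           "pclntab": None, "version_string": None}
    off = rva_to_offset(entry_rva, sections)
    if off is not None:
        ep = buf[off:off + 64]
        res["ep_version"] = next((v for v, p in EP_PATTERNS if hex_match(ep, p)), None)
    hit = find_pclntab(buf)
    if hit:
        res["pclntab"] = hit[1]
    m = re.search(rb"go1\.\d+(?:\.\d+)?", buf)          # what the WinHex string search finds
    if m:
        res["version_string"] = m.group().decode()
    res["die_says_go"] = res["symtab"] and res["ep_version"] is not None   # DIE's rule
    res["is_go"] = res["ep_version"] is not None or res["pclntab"] is not None
    return res


def build_sample_pe(with_symtab):
    """CONSTRUCTED minimal PE32+ (not a real Go binary): Go 1.14 amd64 entry stub in
    .text, a pclntab header plus a version string in .rdata, optionally a .symtab."""
    ep_code = bytes.fromhex("e9cbc1ffffcccccccccccccccccccccc51488b01488b7110488b490865488b3c"
                            "2530000000c7476800000000")
    rdata = struct.pack("<I", 0xFFFFFFFB) + b"\0\0\x01\x08" + b"go1.14.4\0"
    names = [b".text", b".rdata"] + ([b".symtab"] if with_symtab else [])
    bodies = [ep_code, rdata] + ([b""] if with_symtab else [])
    opt_size, raw_base = 240, 0x400
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 0, 0, 0x200, 0x200, 0, 0x1000).ljust(opt_size, b"\0")
    sec_hdrs = b"".join(
        n.ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000 * (i + 1), 0x200, raw_base + 0x200 * i)
        + b"\0" * 16 for i, n in enumerate(names))
    hdr = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(raw_base, b"\0")
    return hdr + b"".join(b.ljust(0x200, b"\xcc") for b in bodies)
```

On a real file call detect_go(open(path, "rb").read()). With the constructed image, the variant that has a .symtab section gets die_says_go and is_go; the variant without it (the situation after unpacking, where the section table no longer looks like the linker's) gets die_says_go False while the entry-point pattern, the pclntab header and the version string are all still found, which is exactly why DIE reports nothing even though the bytes are right.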

To be continued.