Abstract: After the Go language source code is compiled into binary files, where are the strings in the source code stored? How is it organized?
This article is shared from Huawei cloud community “Go language reverse technology – Constant string decryption”, author: security technology ape.
After the Go source code is compiled into a binary file, where are the strings in the source code stored? How is it organized?
Take the following go language source code as an example:
Package main import "FMT" func main() {FMT.Println(" Hello, World! )}Copy the codeIt just prints the string “Hello, World!” The generated binary file contains a large number of strings:
Where are strings stored in Go binaries? The actual storage location follows the ELF format principle in the. Rodata section (as shown in the figure above).
The elf format compiled in C is also used to store strings in this way. What is the difference between the string organization method of Go and the string organization method of C? The big difference is that C strings end with ‘\x00’, so that different strings can be easily cut with ‘\x00’, whereas Go strings do not end with ‘\x00’, as in the above “Hello, World! This is followed by “SIGKILL: “without the ‘\x00’ separator.
Go language strings are organized as follows:
-
Strings are arranged in ascending order of length
-
Strings of the same length are arranged from smallest to largest by character comparison
-
Invisible strings are escaped and then stored
In addition, Go language strings are generally stored from the go_string position, as shown in the following figure
There are two ways to correctly slice the Go language string in reverse:
- Disassemble, parse assembly instructions, determine string start position and processing length
- Cut directly according to the Go language string organization principle
Fast cutting algorithm based on string organization principle of Go language:
1. Search to determine the start position of go_string
2. Set the start length of string search to 1
3. Cut the string according to the current string length
4. Pre-cut the next string and compare it with the current string to check whether the principle is violated. If the current string is saved, continue to cut the next string in step 3; otherwise, the string has changed and proceed to step 5
5. Add 1 to the current string length and continue the search in step 3 until all searches are complete
As shown below (a string of 13 bytes) :
【 Summary 】 Go language string cutting in binary security detection can truly restore the source code quoted string information, improve detection accuracy.
You can try the following leak-scanning services to see if the system has security risks: >>> Vulnerability scanning services
Click to follow, the first time to learn about Huawei cloud fresh technology ~