GO Forth And Reverse

we're gonna have Tim Jazeera presenting go forth and reverse first though a couple of quick announcements we are streaming this live via the interwebs so please take out your infernal devices make sure they're in silent mode as a courtesy to our speaker and our at-home audience I also have a microphone so if you have questions raise your hand I'll give you the microphone again for the folks watching from home quick announcements about our sponsors besides Las Vegas wouldn't happen without the generous support of our sponsors first bright Pro tippity tenable Amazon and source of knowledge also this is a volunteer run organization and conference so big thanks to the staff and volunteers who are donating their time to make this

wonderful conference happen and supporting our community also if you have any feedback for Tim on that can be given via the sked schedule work website s c h e d org and with that here's Tim thank you so welcome thank you besides for having me here and thank you guys for coming we're gonna do a talk on Go Go Lane that goofy little gopher and just a little quick who's read nagas since it was i'm with red naga we just kind of been together it's a couple people we mainly do routing of Android devices IOT devices that kind of thing it's open to anyone we accept blog posts from anyone it's kind of like that old

hacking and like csgo kind of thing where all you need to do is take a picture of yourself eating the hottest pepper you can stand and you're welcome to join the club everyone else has done different varying levels some people jalapeno some people red Nagas which are the ghost peppers if you check out our website we have lots of different training materials that we put gather the whole thought process behind this and I think b-sides as well is we want everyone in the community to get a lot better because we don't want anyone doing boring work so hopefully everyone gets an awesome set of tools an awesome skill set and then starts releasing things open source so that essentially

you know no one has to do that really bad and boring work anymore that also means that we can concentrate all our time on really fun tasks like you know hitting new devices and you know maybe developers won't be doing these really silly things anymore specifically who am I currently I'm a security engineer at CloudFlare previously I worked at lookout and Sentinel one which are both endpoint detection clients one for mobile one for basically desktops and servers so a lot of the things I've learned over the years are trying to figure out how to unpack things really fast in an automated way do you office Kate them and try and basically reverse things as fast as

possible so that we can confirm whether it's benign or it's malicious and if it's malicious what's it doing and what do we need to protect our our endpoints or customers from and that's sort of where this talk came from we started seeing a big outburst in go malware and we would just see these binaries getting dropped and they were really weird and we'll get into that a little bit later but essentially go is a lot different than let's just say C and then if you were trying to detect malicious binaries or if you were actually gonna be doing penetration penetration testing on you know some kind of binary that someone has on a server or something that that's

getting dropped on a desktop you might want to find out where the quirks are and where things actually are my github is up there my twitter is up there and if you like hot sauces I'll send you something that I made myself you might have to sign a waiver and if you have really hot sauces let's drink them so again why am I here go isn't necessarily new it's it came out and I believe thousand twelve but it got a little bit of pickup people are you know go aficionados already you see it sometimes on job descriptions where you know you have to have 20 years of experience and go even though it didn't exist that long

but you know for reversing I haven't personally seen many people talking about reversing go binaries and what are the nuances of it and how do we get into the good bits of it there's been lots of different malware it's an interesting platform it's in if you're a go developer don't throw anything at me it's sort of like Java or at least the concept of Java of I can write code once and it will run anywhere it's different from Java for many reasons because it's actually fast it's actually pretty memory safe and it actually is nice to write the code so this is sort of a thing that I grabbed from the web one website but basically

things are gonna be more efficient you can write really fast servers and probably like three lines of code and there's a huge open source community around it so it's it's a really great tool and you should check it out and see if like you want to actually use this just in your day to day development I've basically been switching over all my personal reversing tools to start being written and go so I guess I'm a hipster I do live in the Bay Area it's kind of like that but let's dig it in from the reversing side and what it actually looks like differently then let's just say see because you know she's still that master language this is just that

simple hello world that you've probably seen a billion times and this is what I get decompose excuse me disassembled too it's really like a small tiny binary and you're basically going to have one function to look at this is a screenshot of binary ninja but so basically if you took something out and you just reverse it it's pretty straightforward you're only gonna have a couple functions maybe a couple imports but there's really nothing there so if you had a really simple piece of malware you're gonna know exactly where you want to look into the binary so it's low level minimal and it's fast wise go different though so that same example we're going to end up

seeing this it gets a little crazy essentially that one little bit can be you know it can be compiled on any machine to either a PE so that's gonna be a Windows executable an elf so Linux executable or a Mac o file which is going to be the Darwin and Mac OS stuff and then inside that executable it's gonna inject its entire framework and a runtime in there and then your code is going to be inside there so if we were to look at this from a reversing standpoint what we're gonna see is we're gonna see okay there's a start function all right let's go to start because that's what the actual operating systems calling first

and we see that it's like okay well there's some start there's a call to main there's a runtime jump and that leads us over - there's that runtime rt0 go and this is ends up being a relatively large function and then we see this really awesome thing down there that is just a pointer that the disassembler didn't understand what that's a pointer to or why that is that's actually being passed in there as a here's the address of my process and I want to start up a new process that goes to runtime main and so in runtime main you're gonna dig in here and we're gonna see that it actually has a call to main

main so that was really easy right like just that one line ends up exploding into these things that if you've never seen it you're just looking around where's my main function where's my main function this is how you would try and get it from the entry point which is start so start main runtime runtime new proc main main that's super easy right it's not super easy and it's a pain when people start hardening it and then again this is binary ninja this is what it looks like when you start digging into it a little bit deeper we have over 2000 or so methods in just a hollow worlds binary and this is all the runtime this

is all the things that go is injecting in there so that it can try and run efficiently this is what the normal main main function looks like we can see that we have a hello world being loaded in there and there's all these other magic things and there's this weird little runtime stack more context or runtime stack no context and then a jump back up to the front so none of this code was anything I wrote all I did was AC say print line hello world we got this whole thing in here now and then if we scrolled down to the bottom of that function that's that one function that I wrote and what I wanted so there's a lot

of things that are getting compiled in here so you could see how it might get kind of confusing if someone was potentially trying to hide things or if someone was you know actually writing something that's more than one line of code so here's an example of when someone tries to make it hard to reverse all they're doing is adding a strip flag so maybe you've seen this when someone writes a C code they strip it out this usually drops the the symbols table so then the compiler is like I don't really know the name of anything I don't really know what's going on but I know there's a function I don't know what it was called and essentially what

we see is now all those 2,000 methods on the left-hand side don't have names so if you didn't already know how to get there directly from the start stub which is you know going through all those runtime execs all that stuff we don't really know where any of these functions are what their names might be which is pretty common when you're trying to reverse you know a malicious payload or something like that we also see that at least binary ninja looks at this and it goes okay well it's some bytes I don't really know what's up with that so you'd actually have to go all the way find the main function and then tell it

it's a function because it couldn't figure that out on itself so when we force change it we now have that same exact method so we basically said this is a function I want you to display it as a function and start disassembling it and this is the same exact one we still don't see any cross references to any of the previous functions and so that's kind of worrisome so we're you know if we want to try and backtrack to the entry point or see if this code has ever used it might be a little difficult what we also see is the functions on the Left where before had all those names you know run time no context it doesn't know

what those are called so why should you care this is a friend over at ESET he basically spends his entire life looking at Linux binaries and you should follow him on Twitter and you can see lots of interesting things that he starts talking about and it's a pain yes he's been rebuilding these by hand a lot we did some work to automate some of that that's basically what this talk is about but basically he hates it and it's really annoying because people are just basically saying oh go has this awesome open-source community where people have done crypto miners that are efficient people have done you know SSH scanners that are efficient so all you need to do

is say get that package get that package and then we all run out of the building because there's a fire I'll try and keep going [Music] [Applause] [Music] it sounds like we got to evacuate so yeah essentially you know like I was saying I think I said it I'm not sure go ahead okay anyway it's really easy with only like maybe let's say 200 lines of code to throw something together which is going to be malicious it's going to start Auto scanning things and again it's platform-independent and you're efficient so not only can you infect someone's computer but you can be nice about it and have a low memory profile and everything is just going to

work so like I said go straight forward it's easy to use so that means it's easy for good guys and it's easy for bad guys to use over the past year and a half or so we've seen lots of different things pop up in the Linux arena where it was like Linux lady Rex agent DT because you know we don't like naming things interesting things anymore or we just see them too much there's also lots of proof of concepts out there on github so it's essentially lots of things saying like hey I thought it would be a great idea to basically write a DOS and then I'm open sourcing it because I'll get a better job offer I

don't recognize that as like a good idea but there are plenty of people who are doing it and you do you see this bundled into actual tack code there's also go mem cats so a lot of pen testers tend to be using go lang is what I've seen I don't personally work with pen testers but there was this interesting comment on reddit that I saw someone say it's basically he can write a quick little binary that drops down and since it's wrapped in all this runtime type stuff it gives it a virus vendors a hard time to actually figure out what's going on and then what this person was doing is they're basically like I'm just gonna make a call out to

my server which is generic I just spun it up and maybe digitalocean it's a new droplet there's no IP reputation around this and then they were just saying okay give me the code and then it executed the payload and they basically said no AV usually over I believe it because it's hard to pick up in a in the a/v world what normally happens is unless you're just doing straight white list or straight blacklist and doing hashes of every single thing which a white list can be protective it's interesting it means you have to verify every single thing and if it doesn't match a hash on my white list I'm not gonna let it run black list is a little different and it

has it's good sides but the bad thing is if I reconstruct something right now it's gonna have a new hash so if they haven't seen it they can't flag it right away the other way people do detections is you know with heuristics basically saying I'm looking for this sequence of bytes and this makes it hard for them so again we run go time has maybe you know two and a half thousand functions of code these change every once in a while through you know go revisions and then the malicious code again this might be like three lines of code and it's surrounded by go instrumentation and so if you're going to look for you're gonna be like okay

well maybe I'll choose a string because a string would never change it a piece of malware right and so you know if they're importing libraries you can't just say oh that thing someone pulled off github that is also used by good people and it's used by a bad person in this one instance I'm gonna label that as bad and this is exactly what we see if you search for a go malware here's a post from 2012 where someone's like what the hell semantics is flagging this and I love the status unfortunate is what it was changed to is that Sachs like wow and then we have you know one last year where Kaspersky started flagging things

and this happens a lot because if the analysts who are making these changes in the engine are basically like well I've never seen anything like this this is super advanced they're usually just looking at the go runtime and then when they dig into the code they're like oh man it has like it can do ask to stage brute-forcing it can do this you can do that again that was code pulled off from github so we got it wrong again so what we end up seeing is when someone strips the binary and if someone hasn't already figured out like how does the go runtime look what am I doing here you could use things like Bend if they provide some

interesting stuff but once they strip it you're basically hunting for that little tiny segment in that huge loaded binary so a lot of server side apps are also moving to go its memory safe like I said supposedly there have been memory issues that's an interesting thing that you might want to know for both looking at the source code and analyzing it with a disassembler I found like a lot of expensive bugs when I've been doing some contract work where people are like you can look at our source if you want some of them don't want you to look at the source but then that's shipping you this go binary and a lot of licensing stuff licensing code

uses this and so when you're digging into it you end up seeing like there's logic flaws that you wouldn't actually see when you're looking at the source code level but it's basically because the runtime might function in a certain manner but when it's compiled it's actually trying to do a little bit different of things so I think it's important for developers to understand what's going on under the hood and especially reverses and then this is back to Michael over at ISA basically I was tweeting I was like hey has anyone seen any more malware and he he was talking to me privately and basically said go looking virustotal you search for a golang string and everything's

gonna be malicious and it's pretty true if you go through virustotal there's probably like 10 gigs of going malware you know they're all similar strains they'll use their own little things a lot of spreaders are being used and there's some IOT malware out there but basically really easy to write it's really easy to cross compile and it just works so why wouldn't a malware author use it so this is a screenshot of Ida Pro and Ida Pro and binary ninja don't have the greatest support for go I understand why they're not like bad tools because they don't have the support but nobody's really been expressing interest in these things so I was looking at some malware and doing

some auditing of some binaries and essentially I ran into a lot of issues up at the top this is a colored version basically of saying like what does the binary look like orange basically means it's a defined function a red means it's an undefined function so it might be code it might not be code Ida couldn't figure it out and as we look on the left-hand side left bottom side we see that it only has about you know a thousand three hundred or so functions and we automatically know that that has to be wrong the go runtime has at least 2,000 2,500 so nobody's important to anything in here well you know you might not have

all the functions but you have some of them but probably ones you don't want to look at we also see that this is essentially what loading strings and go looks like and Ida Pro is like I don't know there's some values and some stuff but if you want to really quickly assess this and be like what's what's this doing I see flag in I see flag boo I see flag string why there are no strings and it sucks so basically we've we've identified a few things that we really want to actually start reversing we want to be able to say what are the functions I want to be able to define all the functions really fast because I want to

look for bad ones functions don't retain their name when they're stripped so is there any way that we can rebuild at least like the runtime and again I I tried this multiple ways because there's lots of weird strings in those binaries I was like alright what if I build something in that go version and then used AI foria or bin diff and then I'll just do a match would be like okay that match like this is the runtime match that's the runtime match and then you can kind of cobble it together like that it works but it was super slow string loads could be funky and the holy grail and AV industry sadly is if the binary

has strings that look malicious I'm usually going to say it's malicious and that's that's kind of like this the sniff test if it looks like it's a licensing server people will be like cool whatever so if you want to make good malware make it look good and don't put words in it like swears or cussing out AV people because people are always like oh yep that's malicious let's detect it I don't even know what it does and then again so the go version might be interesting for if we can actually identify which version of the runtime this was compiled with maybe we'll do that with different heuristics or something like that but if we can tell

what version of go was we can tell what runtime we might be looking at so we're gonna dig into this and essentially you know we want to automate all this work because we don't want to be sifting through it every single time a file comes in especially in the AV industry or the pen testing usually you're getting paid potentially hourly or by you know you must verify this many binary is at an AV place or if your pen testing you know if you don't get anything done in the first ten hours you kind of look bad to a client sometimes so tackling functions this is again that hello world example and what we're seeing right here is we

got the function start and I don't actually have all the the locations next to it because I want to show it in the pretty graph view but essentially what we're seeing is the main is the top the main main is the top with that first move and then actually at the bottom all the way at the bottom at the function we have that runtime more stack no context and a jump to main main so this is consistent to pretty much every single function that will ever be created and go and this is how they do the caching of the panics so if there's any errors in here or something happens that we're not sure about it's gonna basically

gonna catch into there and be like what was the context of this and if it was still okay or something bad didn't happen loop back up to the top of the function so this is kind of like a template for every single function that we want to reverse this is that same function and this is actually really interesting because go the the design of go was meant so that we can reproduce binaries bite for bite so that if you compile something on your machine and I give you a hash of that or you give me a hash of that I can then compile it over here and if I was using the same framework the binary should be identical

so this this provides us a really interesting way to basically say like okay if I mangle this binary in one way and I strip it and then I go over here and I have the one that has all my symbol still in it I can compare the two and be like okay so where that information go did it go here or here so this is the exact same binary it's just been stripped so we still see that you know there's the top of the function and the bottom of the function has that call we don't know the name of that function anymore but it's exactly the same context wrapping style and if we actually look at that function that was

I believe it was the run time no context if we look at that we see that that cross reference is every single function that we've seen so again this is how every function is going to look like so we know that if we could find that function we might actually be able to work backwards and basically say okay I know what this function will always look like because it's always compiled that way and then I can cross-reference back and start recursing and saying okay now I know all the other functions and I know all their sizes because that's the last function call and it has a loop up to the top so now all I need to do is

identify one function and if we dig into that we see that that one function branches into run time more stack and this is the entire function it is always like this you basically kind of need to profile so like there's go 1 6 7 8 8.3 sometimes this changes but essentially there's this one little call at the end the move D word that's the only time you will ever see this in a go binary is in this one function so it makes it really easy for us to identify this so essentially we find that as our hook and now we know like a pseudo solution where basically were going to find this we're gonna go

to the collection that called it and then we're gonna cross-reference every single function that calls that and we know that that's the second to last line of the function so we now know the end of the function in the beginning of the function so you can tell binary ninja or you can tell ayah pro or you know whatever kind of assemble disassembler you're using say like that's a function that's a function that's a function anything that references that type of code so what we end up seeing is again this goes back to you know it up at the top orange means it's defined red means it's not defined so if we write some code we already have a Python module

that I wrote that did this all we see is it's pretty nice so now there's only a couple things that are undefined that we probably don't care about maybe we do but at least there's only a few things in that stack that you need to look at say wait that thing that's undefined is that good or bad and then we also see the script output at the bottom we now have 200 2000 and almost 500 functions that we just found from that that were not known to be functions previously so that's pretty cool so that means that we don't have to dig in here and be like okay where are those functions where those data

structures what is this we automatically now know where every function exists so that was the first step so the next one we're going to do is can we rebuild the actual names of the functions so if you start digging into the binary and you did like maybe just the strings on the final this is actually what a lot of people had been reporting I was like hey this this binary is malicious because when I ran strings I saw it's a main run DDoS and so I was like okay it's probably gonna do with DDoS even though I didn't figure out where that function is or how it does it so a lot of people were just posting

screenshots of look at this new malware here's a string table and I saw this string and you know that doesn't really pass my sniff test so you're probably right but that that just doesn't sit right with me so we see the strip binder on the left and we see the normal binary on the right so basically we do see that the the function names are very nice when we have a normal binary but the stripped one's a pain so we want to be able to start seeing if we can migrate from a strip binary into a normal one maybe rebuild the strip the symbol table or something not really sure an interesting bit in the strings table or

excuse me for the string load right I did pick up that there was a string load but it also thinks of that string is huge and so if you went into that part in memory you go okay what is this there's a huge blob of strings with no null blights in there so it's not a normal C type string where it's a null terminated string so when we start digging we find that there was this weird segment in the actual binary and it says go PC Ln tab and so if you dig into the source it's pretty interesting this is something that doesn't get stripped out when you say you want to strip the binary and it's actually used

by the go to the go runtime so it uses this so that can use some reflection and essentially what happens is they keep this so that the go framework understands what's going on so if you hit a panic and you had that stack trace sort of like Java you basically go oh okay I know what function that was from and what around what line it was and so this is some extra data that's in every single stripped binary and essentially there's a header there's a function count and then each function is essentially it's an address to the function and then it's an offset to the function name in a string table so this is awesome for us because this means we

can basically rebuild those binaries really fast and hopefully in an automated fashion and so we're hoping we can do is we take all these unknown functions and we're gonna actually be able to rename it to what the the binary actually knows they are and this is what happens when we run our little script it really easy essentially all you do is you look into the source of go and you're like oh that's the structure now let me just write a little code that goes in there and says how many functions my supposed to look at par is each structure in there and then you can basically say oh that's the start of the function let me

rename it and this is good for pretty much any binary I've never seen anyone strip out that section because again go does rely on it for some functionality so people are still chatting on like can we can we mutate it some way can we remove it will that mean that the binary might crash more no one's really solved it and clearly the go developers are not trying to help people basically create really hard destructive binaries so basically we're able to rebuild the binary so far so this was a stripped binary and we're able to now have easy to read function names and we also found more functions than we previously already saw and we have about 7,000 and

500 functions and this was for a really simple DDoS spreader so it's basically something that was looking for weak passwords and it was getting into different devices and then it was just ddossing on commands and this had this someone had stripped this and now we're able to rename it so it's really easy to figure out what we're doing and this is important again because there's so many functions of this binary we see that there is over 11,000 and none of them had names before and now we look at it and we can see that there is a main in it func 1 func 2 and then there's a main main function and there's the slave

server and the get external IP that's the only code that the malicious author wrote all other 11,000 and 500 functions are completely useless to us when we're looking at this so if you weren't able to rebuild that you're going to be like oh gosh where am I looking at this is going to take so long and then you're probably gonna quit your job and go do something maybe a little easier or I would cool so essentially we've now figured out that we can rename every single function and we've actually been able to map out where all the functions are so for string loads it got a little interesting because honestly I had no idea how any this was working and I

actually did this before I'd ever written any go code so this is this tends to happen when when someone's pulling in vendor code from a different package you end up seeing the funk name's looking similar to this where it's someone on github had posted this and the function name ends up being github.com slash this slash that and then it's actually the file that it's referencing so this helps a lot when you're reversing because you don't actually have to reverse any of those functions unless you assume someone's trying to give you a false flag so you can just go to the github page and you just look and see what the code is doing and so if we looked at this one very

specifically this was just something to help someone do some blogging and so the login would be easier for them and we see what the actual arguments are for this and what's being passed in so I gave you this example because we know it's going to be taking a string because it's a logging statement but this is the function and I don't see a string because nothing's identified a string but we do see that weird little pointer that's getting loaded into EAX and if you were to look into the binary we notice that okay it found that there's a reference here and then there's this string and if you look there's no null bytes but we do notice that there's a

weird thing where - two lines below the load we see hex one zero and then we notice that it looks like maybe a string that's that long we're not really sure and then if we dig into an a hex editor we do see okay yeah that that looks a little easier it's easier to read it's not vertical and this is just a blob of strings and this is essentially how go has a string table so if you've ever done reversing in Android type things it's it's interesting because I'm not sure if they like talk to each other or this is just a good programming language way to like group things but essentially they have a string table and they're

grouped the strings by the length so all the strings that are one character are together all the ones at two three four all the way up and it's just this huge blob so what often happens is this assembler see this and they're like cool that's a string and all strings are terminated by null except they're not so you end up having this huge huge huge huge string and it's like yeah it's loading this string and you're like no it's it's not loading like a 9,000 character string it's much shorter than that but now we're able to basically say okay so we see something loading a pointer and then we also saw that it gave its length and that's because the

strings are sure of the data and the length of that data that it represents and so if we look at that example what we see is if we went to that offset and then we create a string of exactly o x10 bytes we get a good string that's actually there you could verify this by actually dynamically stepping through this and then here's another malware that we saw and basically you're stepping through and you see the strings loading because we're doing this dynamically and we're like oh okay it can use different registers it kind of looks different sometimes but all the all the string loads it always has a pointer to the location and then it also

knows what the size of the string it wanted was so we're able to automate this and basically look through heuristic alee and we're basically going to go okay I want to find where there's a pointer being loaded into a couple different registers you know for different platforms you might like if it's 64-bit verse 32 bit you might have to whitelist certain registers and certain patterns but you end up making these sets of heuristics to go through and you look for both the pointer and what's getting put in there and then also looking for like a length check and what we're able to do is we can just automate all this work which just makes our life a lot easier because now we're

not trying to go through and look at you know just do a strings command to be like okay maybe that's used here or I don't really know you don't have to do this manually with again 11,000 functions potentially so this this ends up bringing us the last point that we were looking for was these heuristics changed based on the version of the runtime you know there's still binaries out there that gets submitted to virustotal or getting dropped and there go one point two so the heuristics that you might want for 1.2 to try and load all the strings end up being different than the ones from 1.83 they're getting a lot more efficient in their usages of loading so

sometimes now you might see actual strings being loaded in a branch where it's you know to switch statement it's like okay load this offset and then everything all comes down to this one little bundle and then there's about like forty other switches that are doing the same exact thing so you can't look for these simple heuristics so we want to be able to fingerprint the actual binary and see what version it is and what heuristics I should apply to that and this also helps when you're trying to do let's just say a Windows PE file verse a Mac OS Mac o file and so like I said here a6 can break so we want to

look for different ways that they're actually doing so we want to have good heuristics that they can be a little brittle inside the version but we want to actually be basically typing what version of the runtime we're going to be looking at and there was this one function that we noticed was doing this and it's runtime sched in it and honestly I don't know what any of this code does but I do know that when you looked in the source it was saying what's my build version and if we look towards the bottom of this we do see that there is runtime underscore build version string and dot length essentially if you actually look at the

code for the go runtime there's a bunch of comments that say we should never not know our own runtime so this code will never be used but this is a check to see was it actually set and if it wasn't set they'll drop in unknown but what we end up doing is we follow that structure of a string again and we end up seeing this is the structure of a string and it's saying I've already loaded this in at a runtime for a runtime build version string there's an offset and there's a number which is actually the length of that string so if we were to go to where that offset is pointing to again this is

one of those strings that's dropped in a huge vat of strings basically with no no bytes in between and now what we're able to see is that okay that says go one dot one dot excuse me 1.8 dot 1 so now we can programmatically figure out which version of this and then we can run different heuristics based on that so this ends up being interesting for us in multiple ways so now we've fixed all our tools so that we can basically drop in a go binary where you run these and we basically know every single function name we already know every function that we might want to step into and we have all the string loads and we know the

version of go that was used and going back to the AV industry often you want to try and profile your attackers so even if maybe they changed all the strings you might see a certain you know region always pushes binaries with a specific runtime this is a way you can start profiling actors so you know this is a little flimsy but this is kind of along those lines of what you might be thinking if you want to say like Oh like who's an apt who's not if you want to use that dumb word so issues are all handled the codes up there I need to push some actual new jurist extort us talk but this is up there and this is essentially

a this is a loader for Ida so once you open up a binary in Ida this is going to go through and it basically implements all those pseudo code that we're just talking about I also have one for Benja binary ninja and I'll be releasing that shortly if you don't already have a license for Ida and you don't want to steal it from all the AV vendors who leaked it out to people which thank you for them that's how I learned when I was a kid but Benja is really cheap and it's a great tool and if you're just trying to tool around and figure out what's going on you should pay for that it's like fifty

bucks if you message the guys they're really nice they're actually around Def Con probably they'll give you a free license if you're like hey I'm a student and I can't afford fifty dollars if they don't wanna give it to you message me I'll buy one for you people should be able to you know use these tools and I know it is very expensive so that's why we're really seeing the tool for Benja as well so now that we've fix all our tooling this is my most favorite part is often that we get to just break everything again so you know when we were working with malicious binaries a lot you know people are like why are you

going to invent bad ways and to you know break your own toolset and honestly I always tell people this is kind of like doing recon and also trying to force final bad people or even good people in a certain direction if there's no way to break a tool today someone will pay someone to do it but if we say oh you can break things this way and you know you do these things you can develop your tooling to actually look for those signals so you'll end up seeing like oh kiddies you're using that toolkit we dropped but you know there was a more advanced way to do it we just didn't figure that out yet so you'll see more

advanced actors are like oh yeah okay that's how you break stuff I'll go a step further and if you have your tooling looking for that kind of stuff you DEP seeing oh that's a really advanced person who's doing a method that I was hinting towards but I never released code for so you end up seeing these things trip in your environments a lot earlier and it ends up being for interesting stuff and you know you never know maybe you'll call them fancy bear or polish bear or something or judo chop bear so there's a friend of mine who wrote it's called OG OGG I don't even know how you would pronounce it it's under the

MIT license and essentially it pre processes your go code prior to you compiling it so if you know a lot about let's just say the Java environment this is where ProGuard would come in to so you have your source program changes things and then you compile it and as a developer what you end up having is you'll have like this mapping file where it basically says you know that was my main function but now it's transformed to this and you know if it crashes on my customers device you can get a stack trace back and that stack trace is meaningless to anyone else because it's like a dot b who did this and then Chinese symbol plus that did that and

you know if you were tacker and you got that sack trace you'd be like I don't know what's going on I know the chain of events that occurred I don't know what any of them are but you was a developer end up having this little mapping that you're like okay I know exactly what method that was because you know this Chinese symbol was main this one did that this one did that so this guy I wrote the preprocessor which basically is just a set of AST parsers and it goes through and you can basically do anything for it he developed it so that he could write like Oh instead of wrapping the code like this I just want

to write the word try and the brackets and so then trying brackets would always be mutated out to the actual go code that was necessary to do that was trying we rewrote it so it's at basically an obfuscator much like ProGuard or dexguard so this is a sample and essentially this was a back door that I had found in a binary that someone was distributing as a poker server I don't know why like they were basically saying hey you guys should run your poker server on a production server in the cloud because I don't know they don't like GUI and they want to play poker a lot I guess I don't know it was really

strange but they did have some infections we actually were able to take over the situ but this is essentially what the code look like when you reversed it so we basically see it's just you know it has a backdoor port everything and then it branches out to a handle connection to actually do any work so now if we ran this through the obfuscator or go guard is which what we are releasing is it just gets changed down to this you still understand what's going on you still see what it is but essentially from a reversing standpoint what we see is you know this is what it looked like before we obfuscated it before we ran it

through go guard we see all the function names on the left yes we could have stripped it but as we just shoot showed we're able to rebuild all that stuff so when you run it through the go guard what essentially does you lose the ability to rebuild everything to a nice name because you've changed all the nice names - annoying names and there's countless ways you could change the mapping where there's known bugs where Chinese characters are not fully accepted and lots of versions of IDA so that breaks all the free ones that people are the free versions of IDA that people have downloaded to try out with someone else's license so you know this

is a great way that we can actually just break all the binaries and we can break all the tools that people are currently using that we just had fixed so there's an easy way to solve this and there's an easy way to map back and people have done that for Android countless ways there's really interesting academic papers are out about this but we're not going to touch that in this one I leave it as an exercise to you guys to write the next post come up here do a talk that kind of stuff but so again there's the go reversing primer that we've already posted it will help you doing some reversing just both generically and

go specifically the go laying loader assist is open sourced already and I do have to push some more heuristics for that for go runtime 1.8 and above because they did change some different things but I would say please go to that and you know help commit to that I leave a lot of the easy bugs to people because I think it's a great way to start getting into you know the open source community and start giving back and then also you know you can build a little bit of reputation if you'd like to do that and then the binary ninja version of that script is also going to be released when I get internet access this

week Gill guard is also going to be released and that again should be able to help people in hardening their binaries nobody's really doing any hardening other than the stripping which we just showed is pretty much useless so good luck hunting thank you for coming to the talk thank you for staying for the talk you've been through a fire alarm that's commitment thank you I'll buy you all a drink these are some good people you can actually follow they have really interesting stuff and a lot of them work at AVS or you know bounty programs and there's there's really interesting stuff so if you guys have any questions I can take those now or we can chat later or

something like that but thank you for coming and also please donate to some of the NPOs that are out there BFF is very important to everyone in this room and especially in this country and interesting times that we're at there's also a really cool booth out there hack for kids go donate the fact that you can come to this conference means we are all very privileged donate 5 bucks donate 10 bucks donate 20 bucks it's a tax write-off you can you can get all the write offs that the president gets to so like just go donate and you know donate to an organization and like let's all just do some good things today so thank you

[Applause]