by differentials 3477 days ago
Everything gets prefixed by the package namespace, so things pulled from github.com/group_name/package end up looking like `github_com_group_name_package_class_funcname`. This is why "rebuilding" the function names was a good way to quickly filter out the "known" code from the malicious functionality.
2 comments

Is this really how the names are represented internally? If so, how can it tell apart e.g. "github.com/group_name/package" and "github.com/group/name_package"?
Good question, I assume there is some way the compiler/runtime would dedupe these for the coder at compile time. However I don't honestly know enough about the Go internals... Honestly, I wrote more Go code during this blog post than I ever had, even though I had been reversing it for a while...
So you can achieve smaller (/obfuscated) binaries by automatically renaming everything in $GOPATH to short unique strings? That would be a neat project.
Yes, you could in theory rename everything prior to compilation for obfuscation/space saving - similar to how (some) Java protections worked.
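Added example, not part of the thread and not code from the blog post: a triage helper that splits recovered function names into known-library and unattributed code, and flags the collision raised in the question above. The flattening rule (every non-alphanumeric character becomes `_`) is an assumption modelled on the name form quoted in the first comment, and all sample names are constructed.

```python
import re
from collections import defaultdict


def flatten(import_path):
    """Assumed rule: every non-alphanumeric character is replaced by '_'."""
    return re.sub(r"[^0-9A-Za-z]", "_", import_path)


def build_prefix_index(known_paths):
    """Map each flattened prefix to every import path that produces it."""
    index = defaultdict(set)
    for path in known_paths:
        index[flatten(path)].add(path)
    return index


def classify(symbols, known_paths):
    """Split symbols into known, ambiguous and unattributed buckets."""
    index = build_prefix_index(known_paths)
    # Longest prefix first, so a nested package wins over its parent.
    prefixes = sorted(index, key=len, reverse=True)
    result = {"known": {}, "ambiguous": {}, "unattributed": []}
    for sym in symbols:
        match = next((p for p in prefixes if sym.startswith(p + "_")), None)
        if match is None:
            # Not attributable to a known package: review these first.
            result["unattributed"].append(sym)
        elif len(index[match]) > 1:
            # Several import paths flatten to the same prefix.
            result["ambiguous"][sym] = sorted(index[match])
        else:
            result["known"][sym] = next(iter(index[match]))
    return result


# Constructed sample input (hypothetical names, not from a real binary).
KNOWN_PATHS = [
    "github.com/group_name/package",
    "github.com/group/name_package",
    "net/http",
]
SYMBOLS = [
    "github_com_group_name_package_class_funcname",
    "net_http_Client_Do",
    "main_doWork",
]

if __name__ == "__main__":
    for bucket, items in classify(SYMBOLS, KNOWN_PATHS).items():
        print(bucket, items)
```

Prefix matching on flattened names is a heuristic: a type or function name inside one package can look like a nested package path, so treat the "known" bucket as a first-pass filter.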