Go language program debugging

1. Analysis of Go binary program
   When analyzing malicious programs compiled with Go, static analysis is hard to follow: the build packages many referenced libraries into the binary, and the author strips the symbols, so there are too many unnamed functions to track easily.
   If a binary compiled by Go has not been stripped, analyzing it in IDA is almost equivalent to reading the source code. So once the symbols of a stripped program have been recovered, later debugging is very convenient.
   You can use the IDAPython script IDAGolangHelper on GitHub. For information about recovering the symbols of a Go program, see [https://2016.zeronights.ru/wp-content/uploads/2016/12/GO_Zaytsev.pdf](https://2016.zeronights.ru/wp-content/uploads/2016/12/GO_Zaytsev.pdf); the main step is to confirm the position of the .gopclntab segment, which is unique to Go programs. For a Chinese-language reference, see https://www.freebuf.com/articles/others-articles/176803.html.

   You can also use Redress to analyze the package structure.

2. Encryption function

EncryptOAEP / DecryptOAEP
OAEP is parameterized by a hash function, which is used as a random oracle. Encryption and decryption of a given message must use the same hash function; sha256.New() is a reasonable choice.
The random parameter (if not nil) is used to blind the private-key operation and avoid timing side-channel attacks. Blinding is internal to this function: the random data does not need to match the data used in encryption.
The label parameter must match the value given during encryption.
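
These matching rules mean that a recovered private key is not enough to decrypt data from a Go sample unless the hash and label are also known. The following added example (not from the original post) tries candidate hash/label pairs with rsa.DecryptOAEP; the names candidate, knownHashes, findOAEPParams and sample, and the label "cfg-v1", are hypothetical and the key and message are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"hash"
)

// candidate pairs a hash constructor with a name for reporting.
type candidate struct {
	name string
	new  func() hash.Hash
}

// knownHashes lists the hash functions to try (illustrative, not exhaustive).
var knownHashes = []candidate{{"sha512", sha512.New}, {"sha256", sha256.New}}

// findOAEPParams returns the first hash/label pair for which DecryptOAEP
// succeeds. random is nil: blinding is internal to decryption and unrelated
// to the randomness that was used when encrypting.
func findOAEPParams(key *rsa.PrivateKey, ct []byte, hashes []candidate, labels []string) (string, string, []byte, bool) {
	for _, h := range hashes {
		for _, l := range labels {
			if pt, err := rsa.DecryptOAEP(h.new(), nil, key, ct, []byte(l)); err == nil {
				return h.name, l, pt, true
			}
		}
	}
	return "", "", nil, false
}

// sample builds a constructed case: a throwaway key and a ciphertext made
// with SHA-256 and the label "cfg-v1" (all values are illustrative).
func sample() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte("sample config"), []byte("cfg-v1"))
	return key, ct, err
}

func main() {
	key, ct, err := sample()
	if err != nil {
		panic(err)
	}
	name, label, pt, ok := findOAEPParams(key, ct, knownHashes, []string{"", "cfg-v1"})
	fmt.Println(name, label, string(pt), ok) // only sha256 with "cfg-v1" decrypts
}
```
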

Origin www.cnblogs.com/zUotTe0/p/12731785.html