Rewrite renaming logic for private names

5 years ago · df51481053
parent 0d182a3dbd
commit df51481053
3 changed files with 91 additions and 15 deletions
--- a/import_obfuscation.go
+++ b/import_obfuscation.go
@ -6,8 +6,12 @@ package main
 import (
 	"bufio"
 	"bytes"
+	"encoding/json"
+	"errors"
 	"fmt"
+	"io/ioutil"
 	"os"
+	"path/filepath"
 	"sort"
 	"strings"

@ -44,17 +48,42 @@ type privateImports struct {
 	privateNames []string
 }

-func obfuscateImports(objPath, importCfgPath string) (map[string]string, error) {
+func appendPrivateNameMap(nameMap map[string]string, pkg string, packageDirectory string) error {
+	mapFile := filepath.Join(packageDirectory, garbleMapFile)
+	data, err := ioutil.ReadFile(mapFile)
+	if errors.Is(err, os.ErrNotExist) {
+		return nil
+	}
+
+	if err != nil {
+		return err
+	}
+
+	var localMap map[string]string
+	err = json.Unmarshal(data, &localMap)
+	if err != nil {
+		return err
+	}
+
+	for oldName, newName := range localMap {
+		nameMap[pkg+"."+oldName] = newName
+	}
+
+	return nil
+}
+
+func obfuscateImports(objPath, importCfgPath string) (map[string]string, map[string]string, error) {
 	importCfg, err := goobj2.ParseImportCfg(importCfgPath)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	mainPkg, err := goobj2.Parse(objPath, "main", importCfg)
 	if err != nil {
-		return nil, fmt.Errorf("error parsing main objfile: %v", err)
+		return nil, nil, fmt.Errorf("error parsing main objfile: %v", err)
 	}
 	pkgs := []pkgInfo{{mainPkg, objPath, true}}

+	nameMap := make(map[string]string)
 	// build list of imported packages that are private
 	for pkgPath, info := range importCfg {
 		// if the '-tiny' flag is passed, we will strip filename
@ -62,10 +91,16 @@ func obfuscateImports(objPath, importCfgPath string) (map[string]string, error)
 		if private := isPrivate(pkgPath); envGarbleTiny || private {
 			pkg, err := goobj2.Parse(info.Path, pkgPath, importCfg)
 			if err != nil {
-				return nil, fmt.Errorf("error parsing objfile %s at %s: %v", pkgPath, info.Path, err)
+				return nil, nil, fmt.Errorf("error parsing objfile %s at %s: %v", pkgPath, info.Path, err)
 			}

 			pkgs = append(pkgs, pkgInfo{pkg, info.Path, private})
+
+			packageDir := filepath.Dir(info.Path)
+			err = appendPrivateNameMap(nameMap, pkgPath, packageDir)
+			if err != nil {
+				return nil, nil, fmt.Errorf("error parsing name map %s at %s: %v", pkgPath, info.Path, err)
+			}
 		}
 	}

@ -147,16 +182,16 @@ func obfuscateImports(objPath, importCfgPath string) (map[string]string, error)
 		}

 		if err := p.pkg.Write(p.path); err != nil {
-			return nil, fmt.Errorf("error writing objfile %s at %s: %v", p.pkg.ImportPath, p.path, err)
+			return nil, nil, fmt.Errorf("error writing objfile %s at %s: %v", p.pkg.ImportPath, p.path, err)
 		}
 	}

 	// garble importcfg so the linker knows where to find garbled imports
 	if err := garbleImportCfg(importCfgPath, importCfg, garbledImports); err != nil {
-		return nil, err
+		return nil, nil, err
 	}

-	return garbledImports, nil
+	return garbledImports, nameMap, nil
 }

 // stripPCLinesAndNames removes all filename and position info
--- a/main.go
+++ b/main.go
@ -110,6 +110,8 @@ var (
 	envGarbleListPkgs = os.Getenv("GARBLE_LISTPKGS")

 	seed []byte
+
+	garbleMapFile = "garble.map"
 )

 func saveListedPackages(w io.Writer, flags, patterns []string) error {
@ -517,6 +519,8 @@ func transformCompile(args []string) ([]string, error) {
 		}
 	}

+	privateNameMap := make(map[string]string)
+
 	// TODO: randomize the order and names of the files
 	newPaths := make([]string, 0, len(files))
 	for i, file := range files {
@ -550,7 +554,7 @@ func transformCompile(args []string) ([]string, error) {
 			if !envGarbleTiny {
 				extraComments, file = transformLineInfo(file)
 			}
-			file = transformGo(file, info, blacklist)
+			file = transformGo(file, info, blacklist, privateNameMap)

 			// Uncomment for some quick debugging. Do not delete.
 			// fmt.Fprintf(os.Stderr, "\n-- %s/%s --\n", pkgPath, origName)
@ -594,6 +598,15 @@ func transformCompile(args []string) ([]string, error) {
 		newPaths = append(newPaths, tempFile.Name())
 	}

+	if len(privateNameMap) > 0 {
+		outputDirectory := filepath.Dir(flagValue(flags, "-o"))
+		data, _ := json.Marshal(privateNameMap)
+		err := ioutil.WriteFile(filepath.Join(outputDirectory, garbleMapFile), data, 0644)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return append(flags, newPaths...), nil
 }

@ -697,7 +710,7 @@ func buildidOf(path string) (string, error) {
 }

 func hashWith(salt, value string) string {
-	const length = 8
+	const length = 4

 	d := sha256.New()
 	io.WriteString(d, salt)
@ -711,6 +724,17 @@ func hashWith(salt, value string) string {
 	return "z" + sum[:length]
 }

+func encodeIntToName(i int) string {
+	const privateNameCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
+	name := "z"
+	for i > 0 {
+		charIdx := i % len(privateNameCharset)
+		i -= charIdx + 1
+		name += string(privateNameCharset[charIdx])
+	}
+	return name
+}
+
 // buildBlacklist collects all the objects in a package which are known to be
 // used with reflect.TypeOf or reflect.ValueOf. Since we obfuscate one package
 // at a time, we only detect those if the type definition and the reflect usage
@ -776,7 +800,7 @@ func buildBlacklist(files []*ast.File, info *types.Info, pkg *types.Package) map
 }

 // transformGo garbles the provided Go syntax node.
-func transformGo(file *ast.File, info *types.Info, blacklist map[types.Object]struct{}) *ast.File {
+func transformGo(file *ast.File, info *types.Info, blacklist map[types.Object]struct{}, nameMap map[string]string) *ast.File {
 	// Shuffle top level declarations
 	mathrand.Shuffle(len(file.Decls), func(i, j int) {
 		decl1 := file.Decls[i]
@ -886,8 +910,22 @@ func transformGo(file *ast.File, info *types.Info, blacklist map[types.Object]st
 			}
 			buildID = id
 		}
+
+		if token.IsExported(node.Name) || !envGarbleTiny {
+			node.Name = hashWith(buildID, node.Name)
+			return true
+		}
+
+		if name, ok := nameMap[node.Name]; ok {
+			node.Name = name
+			return true
+		}
+
+		name := encodeIntToName(len(nameMap) + 1)
+
 		// orig := node.Name
-		node.Name = hashWith(buildID, node.Name)
+		nameMap[node.Name] = name
+		node.Name = name
 		// log.Printf("%q hashed with %q to %q", orig, buildID, node.Name)
 		return true
 	}
@ -947,7 +985,7 @@ func transformLink(args []string) ([]string, error) {
 	importCfgPath := flagValue(flags, "-importcfg")
 	// there should only ever be one archive/object file passed to the linker,
 	// the file for the main package or entrypoint
-	garbledImports, err := obfuscateImports(paths[0], importCfgPath)
+	garbledImports, nameMap, err := obfuscateImports(paths[0], importCfgPath)
 	if err != nil {
 		return nil, err
 	}
@ -976,9 +1014,12 @@ func transformLink(args []string) ([]string, error) {
 			pkgPath = buildInfo.firstImport
 		}
 		if id := buildInfo.imports[pkgPath].buildID; id != "" {
+			newName, ok := nameMap[pkgPath+"."+name]
+			if !ok {
+				newName = hashWith(id, name)
+			}
 			garbledPkg := garbledImports[pkg]
-			name = hashWith(id, name)
-			flags = append(flags, fmt.Sprintf("-X=%s.%s=%s", garbledPkg, name, str))
+			flags = append(flags, fmt.Sprintf("-X=%s.%s=%s", garbledPkg, newName, str))
 		}
 	})

--- a/testdata/scripts/ldflags.txt
+++ b/testdata/scripts/ldflags.txt
@ -1,7 +1,7 @@
 # Note the proper domain, since the dot adds an edge case.
 env GOPRIVATE=domain.test/main

-garble build -ldflags='-X=main.unexportedVersion=v1.0.0 -X=domain.test/main/imported.ExportedVar=replaced'
+garble -tiny build -ldflags='-X=main.unexportedVersion=v1.0.0 -X=domain.test/main/imported.ExportedVar=replaced'
 exec ./main
 cmp stderr main.stderr
 ! binsubstr main$exe 'unexportedVersion'