Forked from: github.com/burrowers/garble

golang binary build code-obfuscator obfuscation

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Daniel Martí cdac2cd3d6 testdata: avoid fmt in the implement test script Like other tests, importing fmt results in quite a lot of extra work, due to the lack of build caching. In this particular test, we wanted fmt.Println so that T.String would be called in an indirect way, without defining or referencing Stringer interface in the main package. We can do that by rolling our own "tinyfmt" package in a dozen or so lines of code. Below is how 'go test -short -vet=off -run Script/implement' is affected, measured via benchcmd and benchstat: name old time/op new time/op delta GoTestScriptImplement 3.67s ± 9% 2.65s ±11% -27.68% (p=0.008 n=5+5) name old user-time/op new user-time/op delta GoTestScriptImplement 8.18s ± 4% 4.55s ± 9% -44.35% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta GoTestScriptImplement 1.27s ±12% 0.71s ±13% -44.07% (p=0.008 n=5+5) name old peak-RSS-bytes new peak-RSS-bytes delta GoTestScriptImplement 145MB ± 1% 145MB ± 2% ~ (p=1.000 n=5+5) All in all, we shave about one full second. It doesn't seem to affect the total 'go test -short' noticeably, but every little bit counts.		4 years ago
.github	always use the compiler's -dwarf=false flag (#96 )	4 years ago
internal	Remove xor from the name of literal obfuscators. (#91 )	4 years ago
testdata	testdata: avoid fmt in the implement test script	4 years ago
.gitattributes	…
.gitignore	skip literals used in constant expressions	4 years ago
CONTRIBUTING.md	PRs with one review and CI are now mandatory (#92 )	4 years ago
LICENSE	…
README.md	drop support for Go 1.13.x, test on 1.15.x	4 years ago
bench_test.go	add the first benchmark and CONTRIBUTING doc	4 years ago
go.mod	reuse a single 'go list -json -export -deps' call	4 years ago
go.sum	reuse a single 'go list -json -export -deps' call	4 years ago
gointernal.go	make selection of packages configurable via GOPRIVATE	4 years ago
main.go	always use the compiler's -dwarf=false flag (#96 )	4 years ago
main_test.go	properly skip non-build flags for 'go list'	4 years ago
runtime_api.go	move asthelper functions to separate package (#78 )	4 years ago

README.md

garble

GO111MODULE=on go get mvdan.cc/garble

Obfuscate a Go build. Requires Go 1.14 or later.

garble build [build flags] [packages]

See garble -h for up to date usage information.

Purpose

Produce a binary that works as well as a regular build, but that has as little information about the original source code as possible.

The tool is designed to be:

Coupled with cmd/go, to support both GOPATH and modules with ease
Deterministic and reproducible, given the same initial source code
Reversible given the original source, to un-garble panic stack traces

Mechanism

The tool wraps calls to the Go compiler and linker to transform the Go build, in order to:

Replace as many useful identifiers as possible with short base64 hashes
Remove all build and module information
Strip filenames and shuffle position information
Obfuscate literals, if the -literals flag is given
Strip debugging information and symbol tables
Expose additional functions in the runtime that can optionally hide information during execution

Options

By default, the tool garbles the packages under the current module. If not running in module mode, then only the main package is garbled. To specify what packages to garble, set GOPRIVATE, documented at go help module-private.

Caveats

Most of these can improve with time and effort. The purpose of this section is to document the current shortcomings of this tool.

Package import path names are never garbled, since we require the original paths for the build system to work. See #13 to investigate alternatives.
The -a flag for go build is required, since -toolexec doesn't work well with the build cache; see golang/go#27628.
Since no caching at all can take place right now (see the link above), fast incremental builds aren't possible. Large projects might be slow to build.
Deciding what method names to garble is always going to be difficult, due to interfaces that could be implemented up or down the package import tree. At the moment, exported methods are never garbled.
Similarly to methods, exported struct fields are difficult to garble, as the names might be relevant for reflection work like encoding/json. At the moment, exported methods are never garbled.
Functions implemented outside Go, such as assembly, aren't garbled since we currently only transform the input Go source.
Since garble forces -trimpath, plugins built with -garble must be loaded from Go programs built with -trimpath too.

Runtime API

The tool adds additional functions to the runtime that can optionally be used to hide information during execution. The functions added are:

// hideFatalErrors suppresses printing fatal error messages and
// fatal panics when hide is true. This behavior can be changed at 
// any time by calling hideFatalErrors again. All other behaviors of 
// panics remains the same.
func hideFatalErrors(hide bool)

These functions must be used with the linkname compiler directive, like so:

package main

import _ "unsafe"

//go:linkname hideFatalErrors runtime.hideFatalErrors
func hideFatalErrors(hide bool)

func init() { hideFatalErrors(true) }

func main() {
	panic("ya like jazz?")
}