GoStringUngarbler: Deobfuscating Strings in Garbled Binaries
30 comments
March 5, 2025
jeffbee
I wish Google did not have 47 separate domains it uses for blogging.
crazygringo
You want Google Search, Google Docs, Chrome, Android, and Google Cloud to all share the same blog? Not to mention lesser-known areas like Google Education and so forth...?
jeffbee
Even their security research group has, at least, six different outlets. They are "blogging the org chart".
googleprojectzero.blogspot.com, security.googleblog.com, cloud.google.com/blog/topics/threat-intelligence, bughunters.google.com/blog, blog.google/technology/safety-security
crazygringo
That tells me there isn't a single security research group, but at least six of them. Which doesn't surprise me.
Shouldn't they be blogging the org chart? When I want to follow updates, it's generally from a particular part of the org. Each group has its own separate mission and its own audience.
KyleSanderson
We're also introducing GoStringUngarbler, a command-line tool written in Python that automatically decrypts strings found in garble-obfuscated Go binaries.
johnthuss
garble actually sounds like an excellent utility to add some protection around things like keys/secrets in a binary. Is there anything like this for Swift binaries?
jayd16
How can you read an article on automatic DEobfuscation and think "hey I can store secrets in that"?
cmeacham98
Obfuscation tools like these only slow down attackers; they can never stop them. Even the best in the game, where there are strong financial incentives on the line, fall to attackers typically in a matter of months.
As such, you should never use them to protect data that needs to stay secret indefinitely (or for a long time), such as keys.
Cthulhu_
That was my reasoning as well. I used to work for a company that really wanted code to be obfuscated because they were terrified of corporate espionage. Even though the one I was working on was just a configuration interface, and the configuration was plain text files, and the application didn't do anything special, just complicated (mobile network routing / protocols, lots of domain-specific knowledge but as far as I know nothing secret or difficult to reproduce with enough resources).
saagarjha
People are somehow really convinced their thing is uniquely special and worth stealing.
johnthuss
There are occasions where you just want to make it a little harder to impersonate an official client where it can be useful to store a secret in the binary. It's still vulnerable but requires intention and actual effort.
jillyboel
Sure, and those occasions are when you should realize that what you want is a bad idea, and then not do that.
gibibit
Might have the opposite effect. Like a Streisand effect... hacker sees that the app is mysteriously hiding a secret? Makes you want to hack it just for the challenge, even if you had no intention before.
kokada
Probably a much better solution would be to store those as environment variables. I can't think of any sane way where adding secrets to a binary would be useful unless you want to do something malicious with it.
meindnoch
Please, anyone reading this: don't do it.
We did some similar work back in 2020: https://www.kryptoslogic.com/blog/2020/12/automated-string-d... I've always wanted to revisit it and add support for garble but I guess that's no longer necessary :)