NSA's Ghidra - Can It Do GO?

You won't find the solution to the challenge here. That is against root-me.org rules. We are simply looking at a ghidra analysis of the executable.

I decided to test Ghidra on another executable. This one is another find the flag challenge from root-me.org

The executable was written in the GO programming language. It has all the debug info in it and has not been stripped

$ file ch32.bin 
ch32.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=2cf6d44559551c6185a598406fb67318d5b2396eA, with debug_info, not stripped

Lets see how the initial analysis fares:


And it recognizes that it has some trouble.

GO locates the actual main program code in a function called main.main, so let's go there and look at the decompiled code.


And we can see that it is unable to assign the parameters to the Compare() function. This function takes to byte slices as parameters, see here:

https://golang.org/pkg/bytes/#Compare

event though the actual implementation may include more hidden parameters, at least those 2 should be passed in the pseudocode.

And the actual password check here is not very difficult to follow, the program simply XORs the input password with the 'rootme' string and compares that to a constant.

The call graph for that part is done correctly, as should be expected since it's using the assembly code and not the decompiled pseudocode.