-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsigger.cpp
More file actions
236 lines (212 loc) · 7.95 KB
/
sigger.cpp
File metadata and controls
236 lines (212 loc) · 7.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
// sigger v2.0, full revamp.
// more arch detection + concurrent multi threading so it is even faster. >:)
/*
Written on an android in termux...
Ragekill3377
Alternative-To-IDA-Sig-Maker-And-Sigga
I present to you, سگر / Sigger
*/
#include <capstone/capstone.h>
#include <fstream>
#include <vector>
#include <string>
#include <chrono>
#include <iostream>
#include <mutex> // I/O shit
#include <filesystem> // more I/O shit
#include <thread> //ill need this for huge binaries
#include <sstream>
#include <iomanip>
#include <cstdint>
#include <cstdlib>
#include <pthread.h>
#include <atomic>
class iSig {
private:
const std::string clr_err = "\033[31m";//red
const std::string clr_ok = "\033[32m";//green
const std::string clr_hdr = "\033[34m";
const std::string clr_alt = "\033[33m";
const std::string clr_rst = "\033[0m";
std::mutex lock;
void fatal(const std::string& msg) {
std::lock_guard<std::mutex> lk(lock);
std::cerr << clr_err << "[ERR] " << msg << clr_rst << std::endl;
std::exit(1); // is terminate better? whatever it gets the job done
}
std::vector<uint8_t> bin_load(const std::string& path) {
std::ifstream file(path, std::ios::binary);
if (!file) fatal("can't open file, do you even have r/o permissions?");
return {std::istreambuf_iterator<char>(file), {}};
}
std::string bin_hex(const std::vector<uint8_t>& buf) {
std::stringstream ss;
for (uint8_t ch : buf)
ss << std::hex << std::setw(2) << std::setfill('0') << static_cast<int>(ch) << ' ';
return ss.str();
}
std::vector<uint8_t> sig_parse(const std::string& s) {
std::istringstream stream(s);
std::string token;
std::vector<uint8_t> out;
while (stream >> token)
out.push_back((token == "??" || token == "?" || token == "ff") ? 0xFF : std::stoul(token, nullptr, 16));
return out;
}
void gettargetarch(cs_arch& arch, cs_mode& mode, const std::vector<uint8_t>& dat) {
uint16_t eid; // eid mubarak
if (dat.size() < 20 || dat[0] != 0x7f || dat[1] != 'E') fatal("bad binary");
eid = dat[18] | (dat[19] << 8);
// deps on header of target
if (eid == 0x3E) { // PE (usually) or ELF
arch = CS_ARCH_X86;
mode = CS_MODE_64;
} else if (eid == 0x03) { // x86 32-bit ELF
arch = CS_ARCH_X86;
mode = CS_MODE_32;
} else if (eid == 0x28) { // ARM 32-bit
arch = CS_ARCH_ARM;
mode = CS_MODE_ARM;
} else if (eid == 0xB7) { // Mach O (usually) or ARM64
arch = CS_ARCH_ARM64;
mode = CS_MODE_ARM;
} else if (eid == 0x08) { // MIPS 32
arch = CS_ARCH_MIPS;
mode = CS_MODE_MIPS32;
} else {
fatal("unknown arch");
}
}
std::vector<uint8_t> bin_disasm(const std::vector<uint8_t>& blob, size_t off, size_t lim) {
cs_arch arc;
cs_mode mod;
csh eng;
cs_insn* inst;
const uint8_t* ptr;
size_t len, i, lll;
std::vector<uint8_t> out;
gettargetarch(arc, mod, blob);
if (cs_open(arc, mod, &eng) != CS_ERR_OK) fatal("capstone fail");
cs_option(eng, CS_OPT_DETAIL, CS_OPT_ON);
ptr = blob.data() + off;
len = blob.size() - off;
size_t cnt = cs_disasm(eng, ptr, len, 0, lim, &inst);
if (cnt == 0) fatal("disasm fail");
out.reserve(cnt * 16);
for (i = 0; i < cnt; i++)
for (lll = 0; lll < inst[i].size; lll++)
out.push_back(inst[i].bytes[lll]);
cs_free(inst, cnt);
cs_close(&eng);
return out;
}
struct ThreadData {
const std::vector<uint8_t>* hay;
const std::vector<uint8_t>* pat;
size_t start;
size_t end;
std::mutex* lock;
std::atomic<bool>* found;
const std::string* clr_ok;
const std::string* clr_rst;
};
static void* sig_worker(void* arg) {
ThreadData* td = (ThreadData*)arg;
for (size_t i = td->start; i + td->pat->size() <= td->end; i++) {
if (td->found->load()) return nullptr; // early exit
bool same = true;
for (size_t j = 0; j < td->pat->size(); j++) {
if ((*td->pat)[j] != 0xFF && (*td->pat)[j] != (*td->hay)[i + j]) {
same = false;
break;
}
}
if (same) {
td->found->store(true);
std::lock_guard<std::mutex> lk(*td->lock);
std::cout << *td->clr_ok << "[+] match @ 0x" << std::hex << i << *td->clr_rst << std::endl;
return nullptr;
}
}
return nullptr;
}
bool sig_match(const std::vector<uint8_t>& hay, const std::vector<uint8_t>& pat) {
size_t num_threads = std::thread::hardware_concurrency();
if (num_threads == 0) num_threads = 4; // fallback
size_t chunk = hay.size() / num_threads;
std::vector<pthread_t> threads(num_threads);
std::vector<ThreadData> tdata(num_threads);
std::atomic<bool> found(false);
for (size_t t = 0; t < num_threads; t++) {
tdata[t].hay = &hay;
tdata[t].pat = &pat;
tdata[t].start = t * chunk;
tdata[t].end = (t == num_threads - 1) ? hay.size() : (t + 1) * chunk;
tdata[t].lock = &lock;
tdata[t].found = &found;
tdata[t].clr_ok = &clr_ok;
tdata[t].clr_rst = &clr_rst;
pthread_create(&threads[t], nullptr, sig_worker, &tdata[t]);
}
for (auto& th : threads) pthread_join(th, nullptr);
return found.load();
}
void helpme() {
std::cout << clr_hdr << "usage:\n" << clr_rst;
std::cout << clr_alt << " ./sig bin --addr-to-sig 0xFFFF\n";
std::cout << " ./sig bin --sig-to-addr " << clr_ok << "AA BB ?? CC" << clr_rst << std::endl;
}
public:
void run(int ac, char** av) {
std::string pth, flg, arg;
std::vector<uint8_t> buf, sig;
std::stringstream ss;
size_t ofs;
std::chrono::steady_clock::time_point t0, t1;
pthread_t th;
if (ac < 2 || std::string(av[1]) == "--help") {
helpme();
return;
}
pth = av[1];
if (!std::filesystem::exists(pth)) fatal("no such file");
buf = bin_load(pth);
if (ac >= 4) {
flg = av[2];
if (flg == "--addr-to-sig") {
ofs = std::stoul(av[3], nullptr, 16);
if (ofs >= buf.size()) fatal("offset out of range");
t0 = std::chrono::steady_clock::now();
sig = bin_disasm(buf, ofs, 5);
t1 = std::chrono::steady_clock::now();
std::lock_guard<std::mutex> lk(lock);
std::cout << clr_ok << "sig:" << clr_rst << "\n" << bin_hex(sig) << "\n";
std::cout << clr_hdr << "time: " << std::chrono::duration_cast<std::chrono::milliseconds>(t1 - t0).count() << "ms" << clr_rst << std::endl;
} else if (flg == "--sig-to-addr") {
for (int i = 3; i < ac; i++) ss << av[i] << ' ';
sig = sig_parse(ss.str());
ThreadData td;
td.hay = &buf;
td.pat = &sig;
td.start = 0;
td.end = buf.size();
td.lock = &lock;
td.found = new std::atomic<bool>(false);
td.clr_ok = &clr_ok;
td.clr_rst = &clr_rst;
sig_match(buf, sig);
} else {
fatal("bad flag");
}
} else {
fatal("not enough args");
}
}
};
int main(int argc, char** argv) {
iSig disasmtargetdshit;
disasmtargetdshit.run(argc, argv);
return 0;
}
/* Thank you, capstone-engine. */
/* Fast as fuck. I'm acting like this is something huge but it outputs really fast and is pretty accurate. */