From 9b2c5848fe97af7fe1a5dd7a7c40924ca64b6512 Mon Sep 17 00:00:00 2001
From: yellows8
Date: Fri, 5 Jun 2015 23:04:05 -0400
Subject: [PATCH] Implemented pattern-type datacmp. Switched to using --patterndata for all patterndata input. Implemented --patterndatamask.
---
 ropgadget_patternfinder.c | 128 +++++++++++++++++++++++++++++---------
 1 file changed, 99 insertions(+), 29 deletions(-)
diff --git a/ropgadget_patternfinder.c b/ropgadget_patternfinder.c
index 66271b6..4057e32 100644
--- a/ropgadget_patternfinder.c
+++ b/ropgadget_patternfinder.c
@@ -99,15 +99,14 @@ int main(int argc, char **argv)
 int argi;
 int ret;
 int patterntype = -1;
- int hashpattern_set = 0;
- unsigned int found, findtarget=1;
- unsigned char *filebuf = NULL;
- unsigned char inhash[0x20];
+ unsigned int found, found2, findtarget=1;
+ unsigned char *filebuf = NULL, *patterndata = NULL, *patternmask = NULL;
 unsigned char calchash[0x20];
- unsigned char *inhashptr;
- size_t filebufsz=0, pos, hashblocksize=0;
+ size_t filebufsz=0, pos, i, hashblocksize=0;
+ size_t patterndata_size=0, patternmask_size=0;
 unsigned int tmpsize=0;
 unsigned int stride = 4;
+ unsigned int tmpval, tmpval2;
 struct stat filestat;
 FILE *fbin;
 
@@ -119,9 +118,10 @@ int main(int argc, char **argv)
 printf("Usage:\n");
 printf("ropgadget_patternfinder \n");
 printf("Options:\n");
- printf("--patterntype= Selects the pattern-type, which must be one of the following(this option is required): sha256.\n");
- printf("--patternsha256= Hash every --patternsha256size bytes in the binary, for locating the target pattern. The input bindata(sha256 hash) size must be 0x20-bytes.\n");
- printf("--patternsha256size=0x See --patternsha256.\n");
+ printf("--patterntype= Selects the pattern-type, which must be one of the following(this option is required): sha256 or datacmp. sha256: Hash every --patternsha256size bytes in the binary, for locating the target pattern. The input bindata(sha256 hash) size must be 0x20-bytes.\n");
+ printf("--patterndata= Pattern data to use during searching the binary, see --patterntype.\n");
+ printf("--patterndatamask= Mask data to use with pattern-type datacmp. The byte-size can be less than the size of patterndata as well. The data loaded from the filebuf is &= with this mask data.\n");
+ printf("--patternsha256size=0x See --patterntype.\n");
 printf("--stride=0x In the search loop, this is the value that the pos is increased by at the end of each interation. By default this is 0x4.\n");
 printf("--findtarget=0x Stop searching once this number of matches were found, by default this is 0x1. When this is 0x0, this will not stop until the end of the binary is reached.\n");
@@ -138,6 +138,10 @@ int main(int argc, char **argv)
 {
 patterntype = 0;
 }
+ else if(strncmp(&argv[argi][14], "datacmp", 7)==0)
+ {
+ patterntype = 1;
+ }
 else
 {
 printf("Invalid pattern-type.\n");
 
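Review bot: The new --patterndata help line only says `see --patterntype`, but the --patterntype text added in the same hunk documents the data solely for sha256 (a 0x20-byte hash) and says nothing about what datacmp expects from --patterndata, so a user picking datacmp has no documented contract. I would extend the --patterntype line with something like `datacmp: Compare the bytes at each position in the binary with the --patterndata bytes (optionally masked with --patterndatamask).` The --patterndatamask text says the mask may be shorter than patterndata but not how the trailing, unmasked bytes are treated; that comparison loop lies outside this hunk, so the help should state whichever behaviour it actually implements. main() continues outside the hunk.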
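Review bot: `strncmp(&argv[argi][14], "datacmp", 7)` compares only a 7-byte prefix, so `--patterntype=datacmpX` is silently accepted as datacmp instead of falling through to the "Invalid pattern-type." branch below it (the sha256 test above the hunk presumably has the same shape). The value is a NUL-terminated argv string, so `else if(strcmp(&argv[argi][14], "datacmp")==0)` gives the exact match the error message implies. main() continues outside the hunk.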
@@ -145,20 +149,18 @@ int main(int argc, char **argv)
 }
 }
- if(strncmp(argv[argi], "--patternsha256=", 16)==0)
+ if(strncmp(argv[argi], "--patterndata=", 14)==0)
 {
- if(strlen(&argv[argi][16]) != 0x20*2)
- {
- printf("Input sha256 hash size is invalid.\n");
- ret = 5;
- }
- else
- {
- inhashptr = inhash;
- tmpsize = 0x20;
- ret = load_bindata(&argv[argi][16], &inhashptr, &tmpsize);
- if(ret==0)hashpattern_set = 1;
- }
+ tmpsize = 0;
+ ret = load_bindata(&argv[argi][14], &patterndata, &tmpsize);
+ patterndata_size = tmpsize;
+ }
+
+ if(strncmp(argv[argi], "--patterndatamask=", 18)==0)
+ {
+ tmpsize = 0;
+ ret = load_bindata(&argv[argi][18], &patternmask, &tmpsize);
+ patternmask_size = tmpsize;
 }
 if(strncmp(argv[argi], "--patternsha256size=", 20)==0)
@@ -185,18 +187,36 @@ int main(int argc, char **argv)
 if(patterntype==-1)
 {
 printf("No pattern-type specified.\n");
- return 5;
+ ret = 5;
 }
- if(patterntype==0 && (hashpattern_set && hashblocksize==0))
+ if(patterntype==0)
 {
- printf("--patternsha256size must be used when --patternsha256 is used.\n");
- return 5;
+ if(patterndata_size==0)
+ {
+ printf("--patternsha256size must be used when pattern-type is sha256.\n");
+ ret = 5;
+ }
+
+ if(patterndata_size != 0x20)
+ {
+ printf("Input hash size is invalid.\n");
+ ret = 5;
+ }
+ }
+
+ if(ret!=0)
+ {
+ free(patterndata);
+ free(patternmask);
+ return ret;
 }
 if(stat(argv[1], &filestat)==-1)
 {
 printf("Failed to stat the input binary: %s.\n", argv[1]);
+ free(patterndata);
+ free(patternmask);
 return 1;
 }
@@ -205,6 +225,8 @@ int main(int argc, char **argv)
 if(filebuf==NULL)
 {
 printf("Failed to alloc filebuf.\n");
+ free(patterndata);
+ free(patternmask);
 return 2;
 }
@@ -213,6 +235,8 @@ int main(int argc, char **argv)
 {
 printf("Failed to open the input binary.\n");
 free(filebuf);
+ free(patterndata);
+ free(patternmask);
 return 3;
 }
 
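Review bot: Both new handlers store the buffer load_bindata hands back directly into patterndata / patternmask, so giving --patterndata (or --patterndatamask) twice overwrites and leaks the first allocation, and load_bindata's return value is only looked at after the option loop in `if(ret!=0)`, where any later option handler that assigns ret can mask the failure. Releasing a previous buffer before reloading, `free(patterndata); patterndata = NULL; tmpsize = 0;`, and leaving the loop as soon as load_bindata returns non-zero keeps both pointers well-defined on every path. load_bindata's contract (whether tmpsize==0 means "allocate to fit" and what it leaves in the out-pointer on failure) is outside this hunk, so the exact cleanup depends on it; the option loop itself starts before the hunk.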
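Review bot: The first sha256 check tests `patterndata_size==0` yet prints "--patternsha256size must be used…", and the `hashblocksize==0` test it replaces is gone, so a missing --patternsha256size is no longer rejected for sha256 while a missing --patterndata is reported with the wrong message (the following `!= 0x20` check already covers the zero-size case). The datacmp path (patterntype==1) gets no validation at all here, so patterndata can still be NULL and a mask longer than patterndata is not rejected, even though the help text says the mask may be shorter; the search loop that consumes them is outside this hunk. `int ret;` in the declarations hunk carries no initializer, so unless something before the option loop sets it to 0, the new `if(ret!=0)` reads an indeterminate value on a run where no handler assigned ret. I would restore the block-size check, keep the size check, and add a datacmp block as below.
```c
	if(patterntype==0)
	{
		if(hashblocksize==0)
		{
			printf("--patternsha256size must be used when pattern-type is sha256.\n");
			ret = 5;
		}

		if(patterndata_size != 0x20)
		{
			printf("Input hash size is invalid.\n");
			ret = 5;
		}
	}

	if(patterntype==1)
	{
		if(patterndata==NULL || patterndata_size==0)
		{
			printf("--patterndata must be used when pattern-type is datacmp.\n");
			ret = 5;
		}

		if(patternmask_size > patterndata_size)
		{
			printf("--patterndatamask size must not exceed the patterndata size.\n");
			ret = 5;
		}
	}
	/* … unchanged: ret!=0 cleanup, stat/alloc/open error paths … */
```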
@@ -220,6 +244,8 @@ int main(int argc, char **argv)
 {
 printf("Failed to read the input binary.\n");
 free(filebuf);
+ free(patterndata);
+ free(patternmask);
 fclose(fbin);
 return 4;
 }
@@ -231,10 +257,52 @@ int main(int argc, char **argv)
 for(pos=0; pos