SGN - Encoder Ported Into Go With Several Improvements

ID KITPLOIT:6458159002345904480
Type kitploit
Reporter KitPloit
Modified 2020-06-18T12:30:12


SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetectable binary payloads. It uses an additive feedback loop, similar to an LFSR, to encode the given binary instructions. This project is a reimplementation of the original Shikata ga nai in Go with many improvements.

How? & Why?
For the offensive security community, the original implementation of the Shikata ga nai encoder has been considered the best shellcode encoder (until now). But over the years security researchers have found several pitfalls that allow the encoder to be detected statically (see the related FireEye article). The main motive for this project was to create a better encoder that encodes the given binary to the point where it is indistinguishable from random data and the presence of a decoder cannot be detected. With the help of the keystone assembler library, the following improvements are implemented.

  • 64-bit support. Finally, properly encoded x64 shellcodes!
  • New smaller decoder stub. LFSR key reduced to 1 byte.
  • Encoded stub with pseudo-random schema. The decoder stub is also encoded with a pseudo-random schema.
  • No visible loop condition. The stub decodes itself WITHOUT using any loop conditions!
  • Decoder stub obfuscation. Random garbage instruction generator added with keystone.
  • Safe register option. None of the registers are clobbered (optional preamble, may reduce polymorphism).

The only dependencies required are the keystone and capstone libraries. For easy installation of the capstone library, check the table:

OS | Install Command
--- | ---
Ubuntu/Debian | sudo apt-get install libcapstone-dev
Mac | brew install capstone
FreeBSD | pkg install capstone
OpenBSD | sudo pkg_add capstone
Windows/All Other... | CHECK HERE
Installation of the keystone library can be a little tricky in some cases. Check here for keystone library installation guides.
Then just go get it ツ

go get

-h is pretty self-explanatory; use -v if you want to see what's going on behind the scenes ( ͡° ͜ʖ ͡°)_/¯

       __   _ __        __                               _ 
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ / 
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/  
    ┻━┻ ︵ヽ(`Д´)ノ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

Usage: sgn [OPTIONS] <FILE>
  -a int
     Binary architecture (32/64) (default 32)
     Generates a full ASCI printable payload (takes very long time to bruteforce)
  -badchars string
     Don't use specified bad characters given in hex format (\x00\x01\x02...)
  -c int
     Number of times to encode the binary (increases overall size) (default 1)
  -h Print help
  -max int
     Maximum number of bytes for obfuscation (default 50)
  -o string
     Encoded output binary name
     Do not encode the decoder stub
     Do not modify and register values
  -v More verbose output

Using As Library
Warning! The SGN package is still under development for better performance and several improvements. Most of the functions are subject to change.

package main

import (
	"encoding/hex"
	"fmt"
	"io/ioutil"

	sgn "" // the import path of the sgn package was dropped from the page; fill it in before building
)

func main() {
	// First open some file
	file, err := ioutil.ReadFile("myfile.bin")
	if err != nil { // check error
		fmt.Println(err)
		return
	}
	// Create a new SGN encoder
	encoder := sgn.NewEncoder()
	// Set the proper architecture (the original call was lost from the page;
	// a SetArchitecture setter taking 32 or 64, matching the -a flag, is assumed)
	encoder.SetArchitecture(64)
	// Encode the binary
	encodedBinary, err := encoder.Encode(file)
	if err != nil { // check error
		fmt.Println(err)
		return
	}
	// Print out the hex dump of the encoded binary
	fmt.Println(hex.Dump(encodedBinary))
}


Execution Flow
The following image is a basic workflow diagram for the encoder. Keep in mind that the sizes, locations and order of the garbage instructions, decoders and schema decoders change on each iteration.

The LFSR itself is pretty powerful in terms of probability space. For even more polymorphism, garbage instructions are appended at the beginning of the unencoded raw payload. The image below shows the companion matrix of the characteristic polynomial of the LFSR and, denoting the seed as a column vector, the state of the register in Fibonacci configuration after k steps.
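The relation the image expresses, written out: for an n-bit register with characteristic polynomial $p(x) = x^n + a_{n-1}x^{n-1} + \dots + a_1 x + a_0$ over $\mathrm{GF}(2)$, the companion matrix $C$ has the coefficients $(a_{n-1}, \dots, a_0)$ in its first row and ones on the subdiagonal, one register step is $s_{k+1} = C\,s_k$, and so the state after $k$ steps is $s_k = C^k s_0$ for seed $s_0$. The program below is an added example, not SGN project code: it implements an 8-bit Fibonacci LFSR (the page says the key is one byte) both as a shift register and as a matrix power, and checks that the two agree and that a nonzero seed cycles through all $2^8 - 1$ states. The polynomial $x^8 + x^6 + x^5 + x^4 + 1$ and the seed are constructed choices; the page does not state which polynomial SGN uses.

```go
package main

import "fmt"

// Register width in bits (the page's 1-byte LFSR key).
const n = 8

// Coefficients a_{n-1} .. a_0 of p(x) = x^n + a_{n-1} x^{n-1} + ... + a_0.
// Constructed choice: x^8 + x^6 + x^5 + x^4 + 1, a primitive polynomial, so
// every nonzero seed has period 2^8 - 1 = 255. Not taken from SGN.
var poly = [n]uint8{0, 1, 1, 1, 0, 0, 0, 1}

type vec [n]uint8    // register state as a column vector of bits
type mat [n][n]uint8 // matrix over GF(2)

// step is the register itself: the new bit 0 is the XOR of the tapped bits
// (the feedback term), every other bit shifts down from its neighbour.
func step(s vec) vec {
	var out vec
	for j := 0; j < n; j++ {
		out[0] ^= poly[j] & s[j]
	}
	for i := 1; i < n; i++ {
		out[i] = s[i-1]
	}
	return out
}

// companion builds C: first row = polynomial coefficients, subdiagonal = 1.
// Multiplying a state by C reproduces step exactly.
func companion() mat {
	var c mat
	c[0] = poly
	for i := 1; i < n; i++ {
		c[i][i-1] = 1
	}
	return c
}

// GF(2) arithmetic: AND for multiplication, XOR for addition.
func matMul(a, b mat) mat {
	var r mat
	for i := 0; i < n; i++ {
		for j := 0; j < n; j++ {
			for k := 0; k < n; k++ {
				r[i][j] ^= a[i][k] & b[k][j]
			}
		}
	}
	return r
}

func matVec(m mat, s vec) vec {
	var r vec
	for i := 0; i < n; i++ {
		for j := 0; j < n; j++ {
			r[i] ^= m[i][j] & s[j]
		}
	}
	return r
}

// matPow computes C^k by square-and-multiply: a state far ahead in the
// sequence costs O(log k) matrix products instead of k register steps.
func matPow(m mat, k int) mat {
	var r mat
	for i := 0; i < n; i++ {
		r[i][i] = 1 // identity
	}
	for ; k > 0; k >>= 1 {
		if k&1 == 1 {
			r = matMul(r, m)
		}
		m = matMul(m, m)
	}
	return r
}

// stateAfter advances the register k times, one step at a time.
func stateAfter(seed vec, k int) vec {
	s := seed
	for i := 0; i < k; i++ {
		s = step(s)
	}
	return s
}

// stateAfterMatrix evaluates the closed form s_k = C^k s_0.
func stateAfterMatrix(seed vec, k int) vec {
	return matVec(matPow(companion(), k), seed)
}

// period counts steps until a nonzero seed recurs; for a primitive
// polynomial it is 2^n - 1 whatever the seed.
func period(seed vec) int {
	s, count := step(seed), 1
	for s != seed {
		s, count = step(s), count+1
	}
	return count
}

func main() {
	seed := vec{1, 0, 1, 1, 0, 0, 0, 1} // constructed one-byte seed
	fmt.Println("iterated: ", stateAfter(seed, 1000))
	fmt.Println("C^k * s0: ", stateAfterMatrix(seed, 1000))
	fmt.Println("period:   ", period(seed))
}
```

The point of the closed form for anyone analysing such an encoder is that the key stream is fully determined by the polynomial and the one-byte seed: there are only 255 nonzero states, so the state at any position is cheap to compute once the decoder stub's parameters are recovered, and the polymorphism of the output comes from the schema and garbage instructions rather than from the LFSR itself.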

Download Sgn