Add some options

CMakeLists.txt

@@ -2,7 +2,6 @@ cmake_minimum_required(VERSION 3.12)
 include(CMakeDependentOption)
 set(APP_BUILD_OPTIONS)
 set(APP_LINK_LIB)
-set(CLI_LINK_LIB)
 
 # Zig makes cross-compiling easier and ignores glibc version issue
 # target can be: x86_64-macos-none, x86_64-macos.11.0-none, x86_64-windows-gnu, mipsel-linux-musl, x86_64-linux-gnu.2.17, ...
@@ -32,7 +31,7 @@ if (ZIG_TARGET)
 endif ()
 
 if (CMAKE_BUILD_TYPE STREQUAL Debug)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,undefined")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address,undefined")
     list(APPEND APP_BUILD_OPTIONS -DDEBUG)
 else ()
     # Remove prefix path in log for release build
@@ -45,7 +44,7 @@ set(CMAKE_CXX_EXTENSIONS ON)
 if (MINGW)
     set(CMAKE_EXE_LINKER_FLAGS "-static-libgcc -static-libstdc++ -static" CACHE STRING "" FORCE)
     add_compile_definitions(_Post_invalid_=) # Fix incompatibility with old npcap
-    list(APPEND CLI_LINK_LIB winmm)
+    list(APPEND APP_LINK_LIB winmm)
 endif ()
 
 if (USE_SYSTEM_PCAPPLUSPLUS)
@@ -61,7 +60,7 @@ else ()
         # Fix zig cross-compiling issue
         set(CMAKE_USE_PTHREADS_INIT ON)
         set(PPPWN_PCAP_DIRECTION OFF)
-    endif()
+    endif ()
     if (NOT USE_SYSTEM_PCAP)
         include(FetchContent)
         set(DISABLE_DBUS ON)
@@ -104,8 +103,30 @@ target_compile_options(${PROJECT_NAME}_static PUBLIC ${APP_BUILD_OPTIONS})
 target_include_directories(${PROJECT_NAME}_static PUBLIC include)
 
 if (BUILD_CLI)
-    add_executable(${PROJECT_NAME} src/main.cpp)
-    target_link_libraries(${PROJECT_NAME} PRIVATE ${PROJECT_NAME}_static ${CLI_LINK_LIB})
+    include(FetchContent)
+    FetchContent_Declare(clipp GIT_REPOSITORY https://github.com/muellan/clipp.git
+            GIT_TAG v1.2.3)
+    FetchContent_MakeAvailable(clipp)
+
+    FetchContent_Declare(mongoose GIT_REPOSITORY https://github.com/cesanta/mongoose.git
+            GIT_TAG 7.14)
+    FetchContent_MakeAvailable(mongoose)
+
+    add_library(mongoose STATIC ${mongoose_SOURCE_DIR}/mongoose.c)
+    target_compile_options(mongoose PUBLIC -DMG_ENABLE_PACKED_FS=1)
+    target_include_directories(mongoose PUBLIC ${mongoose_SOURCE_DIR})
+
+    add_custom_command(
+            OUTPUT ${CMAKE_BINARY_DIR}/static.c
+            WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
+            COMMAND ${ZIG} cc -o ${CMAKE_BINARY_DIR}/pack ${mongoose_SOURCE_DIR}/test/pack.c
+            COMMAND ${CMAKE_BINARY_DIR}/pack web/*.html web/*.ttf > ${CMAKE_BINARY_DIR}/static.c
+            DEPENDS web/index.html
+    )
+
+    add_executable(${PROJECT_NAME} src/main.cpp src/web.cpp ${mongoose_SOURCE_DIR}/mongoose.c ${CMAKE_BINARY_DIR}/static.c)
+    target_include_directories(${PROJECT_NAME} PRIVATE ${clipp_SOURCE_DIR}/include ${mongoose_SOURCE_DIR})
+    target_link_libraries(${PROJECT_NAME} PRIVATE ${PROJECT_NAME}_static mongoose)
 endif ()
 
 if (BUILD_TEST)

README.md

@@ -7,34 +7,68 @@ This is the C++ rewrite of [PPPwn](https://github.com/TheOfficialFloW/PPPwn)
 - Smaller binary size
 - A wide range of CPU architectures and systems are supported
 - Run faster under Windows (more accurate sleep time)
-- Restart automatically when failing at stage1
+- Restart automatically when failing
 - Can be compiled as a library integrated into your application
 
 # Nightly build
 
 You can download the latest build from [nightly.link](https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main?status=completed).
 
 For Windows users, you need to install [npcap](https://npcap.com) before run this program.
+There are lots of GUI wrapper for pppwn_cpp, it's better to use them if you are not familiar with command line.
 
-For macOS users, you need to run `sudo xattr -rd com.apple.quarantine <path-to-pppwn>` after download, and install [chmodbpf](https://formulae.brew.sh/cask/wireshark-chmodbpf) before run this program.
+For macOS users, you need to run `sudo xattr -rd com.apple.quarantine <path-to-pppwn>` after download.
 Please refer to [#10](https://github.com/xfangfang/PPPwn_cpp/issues/10) for more information.
 
+# Usage
+
+### show help
+
 ```shell
-# show help
 pppwn
+```
 
-# list interfaces
+### list interfaces
+
+```shell
 pppwn list
+```
+
+### run the exploit
 
-# run the exploit
-pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --auto-retry
+```shell
+pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --timeout 10 --auto-retry
 ```
 
+- `-i` `--interface`: the network interface which connected to ps4
+- `--fw`: the firmware version of the target ps4 (default: `1100`)
+- `-s1` `--stage1`: the path to the stage1 payload (default: `stage1/stage1.bin`)
+- `-s2` `--stage2`: the path to the stage2 payload (default: `stage2/stage2.bin`)
+- `-t` `--timeout`: the timeout in seconds for ps4 response, 0 means always wait (default: `0`)
+- `-wap` `--wait-after-pin`: the waiting time in seconds after first round CPU pinning (default: `1`)
+- `-gd` `--groom-delay`: wait for 1ms every `groom-delay` rounds during Heap grooming (default: `4`)
+- `-bs` `--buffer-size`: PCAP buffer size in bytes, less than 100 indicates default value (usually 2MB) (default: `0`)
+- `-a` `--auto-retry`: automatically retry when fails or timeout
+- `-nw` `--no-wait-padi`: don't wait one more [PADI](https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#Client_to_server:_Initiation_(PADI)) before starting the exploit
+- `-rs` `--real-sleep`: use CPU for more precise sleep time (Only used when execution speed is too slow)
+- `--web`: use the web interface
+- `--url`: the url of the web interface (default: `0.0.0.0:7796`)
+
+Supplement:
+
+1. For `--timeout`, waiting for `PADI` is not included, which allows you to start `pppwn_cpp` before the ps4 is launched.
+2. For `--no-wait-padi`, by default, `pppwn_cpp` will wait for two `PADI` request, according to [TheOfficialFloW/PPPwn/pull/48](https://github.com/TheOfficialFloW/PPPwn/pull/48) this helps to improve stability. You can turn off this feature with this parameter if you don't need it.
+3. For `--wait-after-pin`, according to [SiSTR0/PPPwn/pull/1](https://github.com/SiSTR0/PPPwn/pull/1) set this parameter to `20` helps to improve stability (not work for me).
+4. For `--groom-delay`, This is an empirical value. The Python version of pppwn does not set any wait at Heap grooming, but if the C++ version does not add some wait, there is a probability of kernel panic on my ps4. You can set any value within 1-4097 (4097 is equivalent to not doing any wait).
+5. For `--buffer-size`, When running on low-end devices, this value can be set to reduce memory usage. I tested that setting it to 10240 can run normally, and the memory usage is about 3MB. (Note: A value that is too small may cause some packets to not be captured properly)
+
 # Development
 
 This project depends on [pcap](https://github.com/the-tcpdump-group/libpcap), cmake will search for it in the system path by default.
 You can also add cmake option `-DUSE_SYSTEM_PCAP=OFF` to compile pcap from source (can be used when cross-compiling).
 
+Please refer to the workflow file [.github/workflows/ci.yaml](.github/workflows/ci.yaml) for more information.
+
 ```shell
 # native build (macOS, Linux)
 cmake -B build