Crip.c is a utility for ripping out a c-declaration of binary data (like shellcode) and converting it to binary.
a63c9f4d2960f672e07b9bbd29d3d87d4a43463fb6e89cd83c72d12adb1619b0
/*
* [crip.c - written by PoWeR_PoRK of netric (http://www.netric.org)]
*
* Another utility to use for shellcode creation. Works a bit like
* cdump but instead of converting to c-declaration this rips the
* declaration from a c-source and converts it back to binary.
* This might be handy for re-encoding or reverse enginering
* third party shellcode.
*
*/
#include <stdio.h>
#include <math.h>
#define CH_OK -1
#define CH_BAD 1
#define STR_NOT_FOUND 0xFFFFFFFF
#define CHAR_FSLASH 0x2F // "\"
#define CHAR_BSLASH 0x5C
#define CHAR_STAR 0x2A
#define CHAR_SO 0x22
void * getstdin(unsigned long * cc);
unsigned char h2c(char * hchars);
unsigned int findstring(char * buffer, char * key, int start);
int main(int argc, char **argv[])
{
unsigned long stdinsize;
unsigned int cbuf=0, c=0, c2=0, oldc=0, tmpfstr=0;
char hexb[2];
char usage[]=
"Usage: crip [<char[] identifier>]\n"
"pipe driven utility for ripping a c declaration of a char array\n"
"in hex notation, converting it to binary and write it back to stdout.\n"
"\n"
"<char[] identifier> The name of the identifier associated with\n"
" the char array that has to be ripped.\n"
"\n"
"Example: cat exploit.c | crip shellcode[] | swipher -c 00 | cdump\n"
"This will rip shellcode[] from exploit, pipe the binary from it to\n"
"swipher and this will remove any 0-bytes in the shellcode before\n"
"feeding it to cdump making it into a c-declaration once again.\n"
"\n"
"[crip was written by PoWeR_PoRK of netric]\n"
" contact: powerpork@zonnet.nl || powerpork@netric.org\n"
" site: http://www.netric.org\n";
if(strlen((char *)&argv[1])==0){
printf("%s", &usage);
exit(0);
}
(void *)cbuf = getstdin(&stdinsize);
((char*)cbuf)[stdinsize]=0;
tmpfstr=findstring(((char*)cbuf), (char*)argv[1], 0);
if(tmpfstr==STR_NOT_FOUND){
printf("error: name of buffer not found\n");
exit(0);
}
tmpfstr=findstring(((char*)cbuf), "\"", tmpfstr);
tmpfstr++;
c2=findstring((char*)cbuf, ";", tmpfstr);
for(c=tmpfstr;c<c2;c++){
switch(((char*)cbuf)[c])
{
case CHAR_FSLASH:
if(((char*)cbuf)[c+1]==CHAR_FSLASH){
while(((char*)cbuf)[c]!=0xA){c++;}
}else if(((char*)cbuf)[c+1]==CHAR_STAR){
while(!( ( ((char*)cbuf)[c] == CHAR_STAR ) && ( ((char*)cbuf)[c+1] == CHAR_FSLASH ) )){c++;}
c++;
}
break;
case CHAR_SO:
c++;
while(((char*)cbuf)[c]!=CHAR_SO){c++;}
break;
case CHAR_BSLASH:
hexb[0]=((char*)cbuf)[c+2];
hexb[1]=((char*)cbuf)[c+3];
printf("%c", h2c((char*)&hexb));
c=c+3;
break;
}
}
tmpfstr=findstring(((char*)cbuf), "\"", tmpfstr);
return 0;
}
void * getstdin(unsigned long * cc)
{
int pbuf=0, fs=0;
*cc = 0;
(void *)pbuf = malloc(2048);
while(feof(stdin)==0){
fs = fread((void *)(pbuf+*cc), 1, 1024, stdin);
(void *)(pbuf) = realloc(pbuf, (*cc+2048));
*cc = *cc+fs;
}
return (void *)pbuf;
}
unsigned char h2c(char * hchars)
{
unsigned char conv=0;
int c=0;
for(c=0;c<2;c++){
if (47<hchars[1-c] && hchars[1-c]<58){
conv = conv + ((hchars[1-c]-48)*(pow(16,c)));
}else if(96<hchars[1-c] && hchars[1-c]<103){
conv = conv + ((hchars[1-c]-87)*(pow(16,c)));
}else if(64<hchars[1-c] && hchars[1-c]<71){
conv = conv + ((hchars[1-c]-55)*(pow(16,c)));
}else{
return 0;
}
}
return conv;
}
unsigned int findstring(char * buffer, char * key, int start)
{
int indexcounter=0;
for(indexcounter=start;(indexcounter)<(strlen(buffer));indexcounter++){
if(strncmp((((char*)buffer)+indexcounter), key, strlen(key))==0){
return indexcounter;
}
}
return STR_NOT_FOUND;
}