Recently I needed to take a payload from a network trace captured in a .pcap file and prepare it to be compiled into a binary for debugging. In the past, when dealing with payloads from a .pcap file, I modified the payload by hand; this was time consuming and painful to troubleshoot if I had made an error. Usually when I modify payloads I am working in a Windows environment and open the .pcap files in Wireshark, select the bytes of the payload I want to work with, and copy them (as a Hex Stream) into Notepad++. At this stage I have a hex dump of the payload; to compile it I need to add “\x” before each byte so that the compiler treats the two hex digits that follow as one byte. As I said, I did this manually at first.
The good thing about Notepad++ is its macro feature, which lets me record and play back macros of my own. In this blog post I will describe how I created a macro that adds “\x” before each hex byte.
As you can see from the video I made above, it is a simple and easy macro to make but a very useful one. Copy the bytes you want to work with into Notepad++ and move the cursor to the start of the line. Once at the start of the line, start recording the macro, type “\x”, move to the next hex byte (two characters to the right), and stop recording. Now whenever the macro runs it enters “\x”, moves two characters to the right, and stops, which is the starting point for the next run.
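The same transformation as a script, added here as an example and not code from the original post: it takes the Hex Stream copied from Wireshark, validates it, emits “\x”-escaped C string literals, and parses them back so the result can be checked against the capture. The sample payload below is constructed for the example.

```python
import re

# Constructed sample: an 18-byte payload ("GET / HTTP/1.1\r\n\r\n") in the
# contiguous form Wireshark's Copy > ...as Hex Stream produces.
SAMPLE_HEX_STREAM = "474554202f20485454502f312e310d0a0d0a"


def hex_stream_to_c_literal(hex_stream: str, bytes_per_line: int = 16) -> str:
    """Turn a hex stream into \\xNN-escaped C string literals, one per line.

    Whitespace, colons and commas are stripped so pastes from other tools
    also work. A non-hex character or an odd digit count raises ValueError,
    so a mangled paste fails loudly instead of producing a corrupted payload.
    Adjacent string literals are concatenated by the C compiler, so the
    wrapped lines form one buffer. Note that the payload may contain 0x00
    bytes: size it with sizeof(buf) - 1 in C, never with strlen().
    """
    cleaned = re.sub(r"[\s:,]", "", hex_stream)
    if not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("input contains non-hex characters")
    if len(cleaned) % 2:
        raise ValueError(
            f"odd number of hex digits ({len(cleaned)}); a byte was cut off"
        )
    raw = bytes.fromhex(cleaned)
    lines = []
    for off in range(0, len(raw), bytes_per_line):
        chunk = raw[off:off + bytes_per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines)


def c_literal_to_bytes(literal: str) -> bytes:
    """Inverse of the above: parse the \\xNN escapes back into raw bytes so
    the generated literal can be diffed against the original capture."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


if __name__ == "__main__":
    literal = hex_stream_to_c_literal(SAMPLE_HEX_STREAM)
    print(literal)
    # Round-trip check before the payload goes anywhere near a compiler.
    assert c_literal_to_bytes(literal) == bytes.fromhex(SAMPLE_HEX_STREAM)
    print(f"{len(bytes.fromhex(SAMPLE_HEX_STREAM))} bytes, round trip OK")
```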