Square CTF writeup — 6yte


Clearly, this challenge is not worth 1000 points; it is actually pretty easy if you are familiar with x86 assembly.

Download the binary, run it through a decompiler, and walk through the main() and read_flag() functions; two things stand out:

  1. The flag is read into the address passed to read_flag()
  2. After calling read_flag(), main() jumps to the mmap()'d memory allocated for us, and the shellcode we pass on the command line has of course been copied right into it.

So all our shellcode has to do is display the flag stored at v4. Since we have to write assembly, let's take a look at the corresponding assembly code:

So the C variable v4 is actually the eax register, and the flag sits at the address held in eax. How can we print it?

My first thought was to call printf(): it is not hard at all to find a %2x string in this binary, but it is hard to figure out the address of printf().

My second thought was to call write() directly. Looking up the syscall table, I realized that this must be the right direction, because eax and ebx are already set up properly for us by the binary! Look: eax is already 0x4, which is the syscall number of sys_write(), and ebx is 0x1, which is STDOUT… Hmm, so all we need to do is:

  1. Set ecx (the buf pointer) to v4, which is now in edi
  2. Set edx (the count) to a reasonably large value; otherwise it is merely 5
  3. Trigger the syscall with int 0x80

Therefore we get this:

Clearly this is longer than 6 bytes… As we can see, there are some unnecessary 0 bytes; also note that edx was already set to 0x5, which means we only have to set dh instead of the whole of edx!

So the final shellcode is:

Challenge solved!
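To make the byte accounting concrete, here is an added C example (my own code, not from the original writeup) that hand-encodes the two instruction sequences discussed above and shows why writing only dh is enough. It assumes the first attempt was `mov ecx, edi ; mov edx, imm32 ; int 0x80` and the final one `mov ecx, edi ; mov dh, imm8 ; int 0x80`; the immediates 0x1000 and 0x10 are arbitrary choices of mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from the writeup: when our code starts, eax = 4 (sys_write),
 * ebx = 1 (stdout), edx = 5 and edi points at the flag buffer. */

/* First attempt: mov ecx, edi ; mov edx, imm32 ; int 0x80  (9 bytes).
 * The imm32 is stored little-endian, so a small count brings NUL bytes. */
size_t encode_long(uint8_t *out, uint32_t count) {
    size_t n = 0;
    out[n++] = 0x89; out[n++] = 0xF9;       /* mov ecx, edi */
    out[n++] = 0xBA;                        /* mov edx, imm32 */
    out[n++] = (uint8_t)(count);
    out[n++] = (uint8_t)(count >> 8);
    out[n++] = (uint8_t)(count >> 16);
    out[n++] = (uint8_t)(count >> 24);
    out[n++] = 0xCD; out[n++] = 0x80;       /* int 0x80 */
    return n;
}

/* Final form: mov ecx, edi ; mov dh, imm8 ; int 0x80  (6 bytes). */
size_t encode_short(uint8_t *out, uint8_t dh) {
    size_t n = 0;
    out[n++] = 0x89; out[n++] = 0xF9;       /* mov ecx, edi */
    out[n++] = 0xB6; out[n++] = dh;         /* mov dh, imm8 */
    out[n++] = 0xCD; out[n++] = 0x80;       /* int 0x80 */
    return n;
}

/* Effect of `mov dh, imm8` on an existing edx: only bits 15..8 change,
 * so the leftover 5 in dl survives and the count becomes 0x..05. */
uint32_t apply_mov_dh(uint32_t edx, uint8_t dh) {
    return (edx & ~0xFF00u) | ((uint32_t)dh << 8);
}

/* Number of zero bytes in the encoding: the wasted space the writeup notes. */
size_t count_nul(const uint8_t *code, size_t len) {
    size_t z = 0;
    for (size_t i = 0; i < len; i++) z += (code[i] == 0);
    return z;
}

int main(void) {
    uint8_t buf[16];
    size_t n = encode_long(buf, 0x1000);
    printf("long : %zu bytes, %zu of them NUL\n", n, count_nul(buf, n));
    n = encode_short(buf, 0x10);
    printf("short: %zu bytes, edx becomes 0x%x\n", n, apply_mov_dh(5u, 0x10));
    return 0;
}
```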
