Tags: shellcode rev gdb
Rating: 4.0
# shellcode-ception (rev)
Writeup by: [xlr8or](https://ctftime.org/team/235001)
As part of this challenge we get a stripped binary ELF file.
The file can be opened in Ghidra, and from there we can get to the main function as follows:
1. Locate the `entry` function
2. First argument passed to `__libc_start_main` is our main function
In the `main` function we see that it is relatively simple:
```c
code *__dest;
int local_c;
__dest = (code *)valloc(0x98);
memcpy(__dest,&DAT_00102020,0x134);
for (local_c = 0; local_c < 0x134; local_c = local_c + 1) {
__dest[local_c] = (code)((byte)__dest[local_c] ^ 0x69);
}
mprotect(__dest,0x98,7);
(*__dest)();
return 0;
```
It allocates some memory, copies some blob from the binary to it, while decoding it with xor (key = `0x69`).
Finally `mprotect` is used to make the memory region executable, and then we call the injected code.
Because of the name of the challenge I was worried that there would be multiple such extractions, so I have decided to continue with dynamic analysis.
To begin let's set a breakpoint on the `call RDX` instruction, that is going to jump to the injected code.
Next some values get put on the stack, I suspect this will be decoded to give us the flag, or the new shellcode
```
0x55555555a004 movabs rax, 0x2a2275313a131202
0x55555555a00e movabs rdx, 0x72222f701e262f28
0x55555555a018 mov qword ptr [rbp - 0x30], rax
0x55555555a01c mov qword ptr [rbp - 0x28], rdx
0x55555555a020 movabs rax, 0x75221e2f71703531
0x55555555a02a movabs rdx, 0x2f2f751e24231e2f
0x55555555a034 mov qword ptr [rbp - 0x20], rax
0x55555555a038 mov qword ptr [rbp - 0x18], rdx
0x55555555a03c mov dword ptr [rbp - 0x10], 0x2f70382e
```
Next we see some instructions which which signal the existence of a loop:
```
0x55555555a04d mov dword ptr [rbp - 4], 0
0x55555555a054 jmp 0x55555555a072 <0x55555555a072>
...
0x55555555a072 cmp dword ptr [rbp - 4], 0x25
0x55555555a076 jle 0x55555555a056 <0x55555555a056>
```
The body of the loop looks as follows:
```
0x55555555a056 mov eax, dword ptr [rbp - 4]
0x55555555a059 cdqe
0x55555555a05b movzx eax, byte ptr [rbp + rax - 0x30]
0x55555555a060 xor eax, 0x41
0x55555555a063 mov edx, eax
0x55555555a065 mov eax, dword ptr [rbp - 4]
0x55555555a068 cdqe
0x55555555a06a mov byte ptr [rbp + rax - 0x30], dl
0x55555555a06e add dword ptr [rbp - 4], 1
```
Here we see that we load some data, xor it with `0x41` and then put it back. It is clear that this is a decoding loop acting on the data that was put on the stack at the start of this section.
The base of this data is `rbp-0x30`, since `rax` gets the value of the loop iterator and is used as an offset from this location.
We can just set a breakpoint to when the loop finishes and `x/xs $rbp-0x30` to get the flag.