111 lines
1.5 KiB
NASM
111 lines
1.5 KiB
NASM
|
format binary
|
||
|
use32
|
||
|
include 'std.inc'
|
||
|
|
||
|
; On entrance to each shellcode segment the ebx register will be a vtable of std funcs
|
||
|
; printf
|
||
|
; puts
|
||
|
; scanf
|
||
|
; sin
|
||
|
; cos
|
||
|
; tan
|
||
|
; asin
|
||
|
; acos
|
||
|
; atan
|
||
|
; malloc
|
||
|
; free
|
||
|
; esi contains the base address of the shellcode segment
|
||
|
; edi contains the address of the part of the flag that this segment fills
|
||
|
; edx contains the number of the block
|
||
|
|
||
|
jmp start
|
||
|
|
||
|
startup_text db 'What did you say?',0
|
||
|
|
||
|
start:
|
||
|
push edi
|
||
|
|
||
|
lea ecx, [esi+startup_text]
|
||
|
push ecx
|
||
|
lea eax, [ebx + 0x4]
|
||
|
mov eax, dword [eax]
|
||
|
call dword [eax]
|
||
|
pop ebp
|
||
|
|
||
|
xor eax, eax
|
||
|
push eax
|
||
|
push eax
|
||
|
mov eax, esp
|
||
|
push eax
|
||
|
|
||
|
lea eax, [ebx + 8]
|
||
|
mov eax, dword [eax]
|
||
|
lea ecx, [esi+scanf_text]
|
||
|
push ecx
|
||
|
call dword [eax]
|
||
|
add esp, 8
|
||
|
|
||
|
pop ecx
|
||
|
pop eax
|
||
|
pop edi
|
||
|
|
||
|
mov dword [edi], ecx
|
||
|
|
||
|
lea edx, [esi+to_match]
|
||
|
|
||
|
.check:
|
||
|
movzx ecx, byte [edi]
|
||
|
call check_char
|
||
|
cmp eax, 0
|
||
|
jz idiot
|
||
|
|
||
|
inc edi
|
||
|
inc edx
|
||
|
cmp byte [edx], 0
|
||
|
jnz .check
|
||
|
|
||
|
ret
|
||
|
|
||
|
scanf_text db '%4[^',ENDL,']'
|
||
|
|
||
|
; ecx = input'd char
|
||
|
; edx = ptr to char to match
|
||
|
check_char:
|
||
|
cmp ecx, CHAR_a ; 97
|
||
|
jl fail
|
||
|
cmp ecx, 126
|
||
|
jge fail
|
||
|
|
||
|
sub ecx, CHAR_a ; 97
|
||
|
add ecx, esi
|
||
|
lea ecx, [ecx + alphabet]
|
||
|
movzx eax, byte [ecx]
|
||
|
cmp byte [edx], al
|
||
|
jnz fail
|
||
|
|
||
|
mov eax, 1
|
||
|
ret
|
||
|
|
||
|
idiot_text db 'Wrong...', 0
|
||
|
|
||
|
fail:
|
||
|
mov eax, 0
|
||
|
ret
|
||
|
|
||
|
to_match db 'ezpr', 0
|
||
|
|
||
|
idiot:
|
||
|
lea ecx, [esi+idiot_text]
|
||
|
push ecx
|
||
|
lea eax, [ebx + 0x4]
|
||
|
mov eax, dword [eax]
|
||
|
call dword [eax]
|
||
|
pop ebp
|
||
|
dec esp
|
||
|
ret
|
||
|
|
||
|
alphabet db '{m}krzyjfwngpshteoialduqxvcb|', 0
|
||
|
; abcdefghijklmnopqrstuvwxyz{|}
|
||
|
; flag is "qfme"
|
||
|
resv_stuff 512-$
|