Ebubekir Türker ebubekirtrkr

ebubekirtrkr / challenge.md
Created February 23, 2021 08:58
Tenable CTF 2021 - We Need an Emulator Writeup

Attached is a never-before-seen assembly routine that we pulled off a processor; it is responsible for string decryption. An input string is placed in the TRX register, then the routine is run, which decrypts the string in place.

For example, when the string UL\x03d\x1c'G\x0b'l0kmm_ is put into TRX and this code is executed, the resulting string in TRX is decrypted to 'tenable.ctfd.io'.

A few things we know about this assembly:

There are only two registers, DRX and TRX. These are used to hold variables throughout the runtime.

Operand order is similar to the AT&T syntax, which has the destination operand first and the source operand second, i.e. MOV DRX, "dogs" puts the string "dogs" into DRX.

ebubekirtrkr / index.md
Last active February 15, 2021 16:01
pwn college shellcoding tutorial all in one compiler script

It creates <filename>-raw and <filename>-elf. The former is the raw shellcode bytes and the latter is an executable.

pwntools and nasm must be installed.

To install them:

pip install pwntools && sudo apt install nasm

I also recommend creating /flag on your local machine and making your own user its owner, to make life easier.

ebubekirtrkr / shellcode_check.md
Last active February 4, 2021 09:41
Shellcode Checking Bash Script

To make our work a bit easier I wrote a script like this: you give it the .s file, and optionally the byte to check for as a bad char in \xbb format, and it handles the rest; if you don't give a bad char, it automatically checks for \x00.

As output it produces filename-raw and filename-elf. If you pass -d, it deletes the outputs.

Example:

./runner.sh -f benimkucukshellcodeum.s

./runner.sh -f benimkucukshellcodeum.s -b '\x48'