---
tags: ctf, misc
author: No_Ball
---

[TOC]

# Pwn

- tool: https://defuse.ca/online-x86-assembler.htm

## syscall

### execve(PATH, PARA, ENV)

- **RAX** = syscall number (0x3b)
- **RDI** = ptr(path)
    - usually ptr('/bin/sh\x00')
- **RSI** = parameter (NULL or ptr(NULL))
- **RDX** = env (NULL or ptr(NULL))

### write(fd, buffer, size)

- **RDI** = fd (0x1)
- **RSI** = ptr(buffer)
- **RDX** = size

## int 0x80

### execve(PATH, PARA, ENV)

- **EAX** = syscall number (0xb)
- **EBX** = ptr(path)
    - usually ptr('/bin/sh\x00')
- **ECX** = parameter (NULL or ptr(NULL))
- **EDX** = env (NULL or ptr(NULL))

#### shellcode

`"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xb2\x00\xcd\x80"`

## strncmp

- **RDI** = s1
- **RSI** = s2
- **RDX** = size

## scanf

- **RDI** = ptr(format)
- **RSI** = position

## printf

- **RDI** = ptr(format)
- **RSI** = vararg

### Format string

- RSI = 0xa

## read

### x64

- **RDI** : fd (0)
- **RSI** : write position
- **RDX** : length

### x86

- **ESP+0** : fd (0)
- **ESP+4** : write position
- **ESP+8** : length

## gets

### x64

- **RDI** : write position

### x86

- **$ESP + 0** : write position
- **$ESP + 4** : length
- **$ESP + 8** : stdin
- **$ESP + 12** : IDK

## system

### x64

- **RDI** : ptr(PATH)
    - usually ptr('/bin/sh\x00')

### x86

- **ESP + 0** : 0 (return address)
- **ESP + 4** : ptr(PATH)

## libc version

- https://libc.blukat.me/
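As an added example (not part of the original note), a small Python triage helper that scans raw shellcode bytes for the `int 0x80` / `syscall` trap, recovers the syscall number loaded into AL/EAX just before it and maps it through the register tables above; the syscall lookup table and the x64 sample bytes are constructed for this example, the x86 bytes are the shellcode quoted in the int 0x80 section.

```python
# Heuristic shellcode triage: locate the trap instruction, recover the
# syscall number loaded into AL/EAX before it, map it via the tables above.

# Subset of syscall numbers from this note (constructed lookup, not complete)
SYSCALLS = {
    "int 0x80": {0x0b: "execve", 0x03: "read", 0x04: "write"},
    "syscall": {0x3b: "execve", 0x00: "read", 0x01: "write"},
}
TRAPS = {b"\xcd\x80": "int 0x80", b"\x0f\x05": "syscall"}

# The x86 execve shellcode quoted in this note
PAGE_SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
                  b"\x50\x53\x89\xe1\xb0\x0b\xb2\x00\xcd\x80")
# Constructed x64 fragment: mov eax, 0x3b ; syscall
X64_SAMPLE = b"\xb8\x3b\x00\x00\x00\x0f\x05"

def last_eax_immediate(code, end, lookback=16):
    """Immediate of the last `mov al, imm8` (B0 xx) or `mov eax, imm32`
    (B8 xx xx xx xx) in code[end-lookback:end], or None. Heuristic only:
    a B0/B8 byte inside another instruction's operands can mislead it."""
    window = code[max(0, end - lookback):end]
    found, i = None, 0
    while i < len(window):
        if window[i] == 0xB0 and i + 1 < len(window):
            found, i = window[i + 1], i + 2
        elif window[i] == 0xB8 and i + 4 < len(window):
            found, i = int.from_bytes(window[i + 1:i + 5], "little"), i + 5
        else:
            i += 1
    return found

def triage(code):
    """List each trap instruction with the syscall it most likely invokes."""
    hits = []
    for pattern, trap in TRAPS.items():
        start = 0
        while (pos := code.find(pattern, start)) != -1:
            num = last_eax_immediate(code, pos)
            name = SYSCALLS[trap].get(num, "unknown")
            hits.append({"offset": pos, "trap": trap, "number": num, "syscall": name})
            start = pos + len(pattern)
    return sorted(hits, key=lambda h: h["offset"])

def has_shell_path(code):
    """True when the '/bin' and '//sh' fragments pushed above are both present."""
    return b"/bin" in code and (b"//sh" in code or b"/sh" in code)

if __name__ == "__main__":
    for hit in triage(PAGE_SHELLCODE):
        print(hit, "shell path:", has_shell_path(PAGE_SHELLCODE))
```

For the page's shellcode it reports one `int 0x80` at offset 23 with syscall number 0xb (execve) and confirms the `/bin//sh` string; for the constructed x64 fragment it maps 0x3b to execve.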