Clarify imul usage

qhdwight · Oct 26, 2021 · a1ecb48 · a1ecb48
1 parent 6982c07
commit a1ecb48
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/buckeye-ctf-2021/flattened/README.md b/buckeye-ctf-2021/flattened/README.md
@@ -41,7 +41,14 @@ Qiling: `rcx` = 0
 
 Unrolled: `rcx` = 1 (only `mov` is executed, `loop` is a branching instruction so it was not included in unrolled assembly)
 
-
+Now that we have this building block, what about altering `rax`, `rcx`, and `rdi`, thus changing the syscall? We can use `imul` with `ecx` to our advantage. For example consider:
+```
+mov     rax,58
+imul    rax,rcx
+syscall
+inc     rax
+```
+There are no branching instructions but convince yourself that `rax` will be 59 on the unrolled executable and 1 on the Qiling executable.
 
 ### Final Assembly (shellcode)