# candl: inclass1 lab instruction
First, fetch the inclass1 to your home directory.
```bash
$ fetch inclass1
```
## Writing and building shellcode
We prepared a shellcode template (`shellcode.S.tmpl`) and a build script (`Makefile`) under `shellcode-template`.
```bash=
inclass1/shellcode-template $ ls -trl
total 0
lrwxrwxrwx 1 kjee kjee 55 Feb 10 12:22 shellcode.S.tmpl -> /home/labs/inclass1/shellcode-template/shellcode.S.tmpl
lrwxrwxrwx 1 kjee kjee 47 Feb 10 12:22 Makefile -> /home/labs/inclass1/shellcode-template/Makefile
```
* Let's make a copy of `shellcode.S.tmpl` and add an instruction.
```bash=
inclass1/shellcode-template $ cp shellcode.S.tmpl shellcode.S
inclass1/shellcode-template $ echo "mov 0x1, %eax" >> shellcode.S
```
* You can build either 32-bit or 64-bit shellcode by specifying the target for the `make` command.
```bash=
inclass1/shellcode-template $ make 32
gcc -m32 -c -o shellcode.o shellcode.S
gcc -o shellcode shellcode.o -m32
objcopy -S -O binary -j .text shellcode.o shellcode.bin
inclass1/shellcode-template $ make 64
gcc -m64 -c -o shellcode.o shellcode.S
gcc -o shellcode shellcode.o -m64
objcopy -S -O binary -j .text shellcode.o shellcode.bin
```
The build script (Makefile) takes the assembly file (shellcode.S) as input and first produces an object file (*shellcode.o*). You can see the contents of the object file by running the `objdump` command.
```bash=
inclass1/shellcode-template $ objdump -d shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <main>:
0: a1 01 00 00 00 mov 0x1,%eax
```
Then it runs the `objcopy` command to extract the raw shellcode bytes (*shellcode.bin*). You can check the hex representation of the shellcode with `xxd`.
```bash=
inclass1/shellcode-template $ xxd shellcode.bin
00000000: a101 0000 00
```
Or get help from *pwntools* to disassemble it. Please note that *pwntools* only supports Intel syntax, so don't be confused by the different notation.
```python=
from pwn import *
import sys

# Pick the architecture matching the build target:
# 'amd64' for `make 64`, 'i386' for `make 32`.
context.arch = 'amd64'  # or 'i386'

# The path to shellcode.bin is passed as the first argument.
sc = sys.argv[1]
with open(sc, "rb") as f:
    print(disasm(f.read()))
```
Then, you will get
```bash
0: a1 01 00 00 00 mov eax, ds:0x1
```
## shellcode challenges
While you can use the provided shellcode template and build script to solve the challenges, each inclass challenge also contains the code that loads the shellcode together with its filtering rules. For instance, you will find `short-shellcode.c` under `inclass1/short-shellcode-32`.
```c
...
// Filter rule: abort if the shellcode contains any zero byte.
void check_non_zero(char *ptr, size_t size) {
    for (int i = 0; i < size; ++i) {
        if (ptr[i] == '\0') {
            printf("You have a zero character at position %d, char %d\n",
                   i, ptr[i] & 0xff);
            exit(-1);
        }
    }
}

int main() {
...
    // s_read bytes of shellcode were read into ptr: run the filter, then jump to it.
    check_non_zero(ptr, s_read);
    ((void(*)())ptr)();
```
For each challenge, you need to extend the template shellcode to pass the filter rules and get a privileged shell.
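To see why the template's `mov 0x1, %eax` would fail this loader, here is an added pre-flight checker (not part of the lab files) that applies the same condition as `check_non_zero()` to a `shellcode.bin` before you submit it; it also generalizes to other forbidden byte values, since later challenges carry their own filtering rules. The only assumption is that the file to check is given as the first argument; without one it checks the five bytes shown above.

```python
import sys

def find_forbidden_bytes(blob: bytes, forbidden=(0x00,)):
    """Return (offset, value) for every byte the filter would reject.

    With the default single value 0x00 this is exactly the condition tested
    by check_non_zero() in short-shellcode.c: ptr[i] == '\\0'.
    """
    bad = set(forbidden)
    return [(i, b) for i, b in enumerate(blob) if b in bad]

def format_report(blob: bytes, forbidden=(0x00,)) -> str:
    """Build a human-readable report, one line per rejected byte."""
    hits = find_forbidden_bytes(blob, forbidden)
    if not hits:
        return "OK: %d bytes, no forbidden bytes" % len(blob)
    lines = ["FAIL: %d forbidden byte(s) in %d bytes" % (len(hits), len(blob))]
    for offset, value in hits:
        # Same position/value information the loader prints before exit(-1).
        lines.append("forbidden byte 0x%02x at position %d" % (value, offset))
    return "\n".join(lines)

# Constructed sample: the bytes objcopy produced from `mov 0x1, %eax` above
# (a1 01 00 00 00). The 32-bit absolute address embeds three zero bytes,
# which is precisely what the challenge filter rejects.
SAMPLE_BIN = bytes.fromhex("a101000000")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_BIN
    print(format_report(data))
```

Run it as `python3 check.py shellcode.bin` after `make 32` or `make 64`; a clean run prints the `OK:` line.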
Have fun!
###### tags: `candl`,`assembly`,`inclass`