At the end of the assembler dump, you would notice a `memcpy`, to which the `code` address is passed.

```
0x000055555555527c <+263>: mov rax,QWORD PTR [rbp-0x18]
0x0000555555555280 <+267>: lea rsi,[rip+0x2dd9] # 0x555555558060
0x0000555555555287 <+274>: mov rdi,rax
0x000055555555528a <+277>: call 0x555555555050 <memcpy@plt>
0x000055555555528f <+282>: mov rax,QWORD PTR [rbp-0x18]
0x0000555555555293 <+286>: mov QWORD PTR [rbp-0x20],rax
0x0000555555555297 <+290>: mov rdx,QWORD PTR [rbp-0x20]
0x000055555555529b <+294>: mov eax,0x0
0x00005555555552a0 <+299>: call rdx
0x00005555555552a2 <+301>: mov eax,0x0
0x00005555555552a7 <+306>: leave
0x00005555555552a8 <+307>: ret
```

Set a breakpoint at the `memcpy` call and run the program. Then read the `code` variable.

```
b *0x000055555555528a
r
x/s 0x555555558060
0x555555558060 : "H\203\354dH\211\341I\270DUCTF{adI\271v4ncedEnI\272crypt3dSI\273hellCodeI\274}Can u fI\275ind the I\276flag? A\277\n"
```

You'd see a part of the flag in the string: `DUCTF{adI\271v4ncedEnI\272crypt3dSI\273hellCodeI\274}`

Now, we can clean this up a bit.

```py
>>> x = 'DUCTF{adI\271v4ncedEnI\272crypt3dSI\273hellCodeI\274}'
>>> print(''.join([i for i in x if i.isalpha() or i in ['{', '}']]))
DUCTF{adIvncedEnIºcryptdSIhellCodeI}
```

You can just read the flag from here. `DUCTF{advancedEncryptedShellCode}`
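The `I\270` to `I\274` pairs in the dump are the opcode bytes `49 b8` to `49 bc` (`movabs r8..r12, imm64`), so the string is stored as 8-byte immediates. As an added example (not part of the original writeup), this sketch scans the dumped bytes for those moves and joins their operands, keeping the digits that the `isalpha` filter drops; it is a narrow pattern match on this one encoding, not a disassembler.

```python
import re

# Constructed from the x/s output above: gdb's octal escapes are valid Python
# bytes escapes. x/s stops at the first NUL, so the tail of the dump is cut off
# and only the leading immediates are relied on.
CODE = (b"H\203\354dH\211\341I\270DUCTF{adI\271v4ncedEnI\272crypt3dS"
        b"I\273hellCodeI\274}Can u fI\275ind the I\276flag? A\277\n")

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def mov_immediates(code: bytes):
    """Return (offset, register, immediate) for each REX-prefixed B8+r move."""
    found, i = [], 0
    while i + 1 < len(code):
        rex, op = code[i], code[i + 1]
        if rex & 0xF0 == 0x40 and 0xB8 <= op <= 0xBF:
            width = 8 if rex & 0x08 else 4      # REX.W selects a 64-bit immediate
            reg = REGS[(op - 0xB8) + (8 if rex & 0x01 else 0)]  # REX.B: r8..r15
            found.append((i, reg, code[i + 2:i + 2 + width]))
            i += 2 + width                      # skip the operand bytes
        else:
            i += 1                              # any other byte: keep scanning
    return found


def recover_flag(code: bytes) -> str:
    """Join the immediates in program order and pull out the DUCTF{...} token."""
    data = b"".join(imm for _, _, imm in mov_immediates(code))
    match = re.search(rb"DUCTF\{[^}]*\}", data)
    return match.group().decode("ascii") if match else ""


if __name__ == "__main__":
    for off, reg, imm in mov_immediates(CODE):
        print(f"+{off:#04x}  mov {reg}, {imm!r}")
    print(recover_flag(CODE))
```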