A whole lot of the work is already set up to point in a particular direction. Where eax is set to 4, executing an int 0x80 will result in a sys_write. Where ebx is set to 1, it then holds the file descriptor to standard output. What's left is to set ecx to the flag's pointer in edi, and change the size in edx to be something much greater than 5.

Starting off with getting the flag pointer out of edi and into ecx, I simply swapped them with xchg ecx, edi, followed by the syscall. That worked out, but only printed a few bytes of a much larger flag. I spent a little time thinking of what safe value I could load in there that wasn't so large I'd cause a segfault, but could still fit in the two remaining bytes I had.

The cs register just so happened to have a consistently usable value for me in local debugging, so I just moved it into edx by doing push cs; pop edx.

Original writeup (https://ntropy-unc.github.io/jekyll/update/post/square/ctf/shellcoding/2017/10/14/Square-Writeup.html#6yte).