ELF Capsule
In this writeup I analyze a riscv64 kernel that contains a VM and a process executed in userland. This process utilizes invalid reads/writes in order to trigger the VM. I construct a disassembler a...
Better Packet Filter is an arm64 kernel module that runs a custom VM with a user-supplied program to filter “packets” that are placed in a file. In this writeup, I analyze the VM and construct a pr...
This challenge requires a sequence of instructions that produces a target output. Initial Analysis This is an x86-64 ELF coded in C++. The main function contains a loop that prints the flag once...
This is a Golang LSP server that we have to reverse engineer in order to find commands that allow us to read the flag. Due to protections the flag cannot be directly read, but a race condition can...
This challenge is a classic VM with an anti-debug feature. In this writeup I manually disassemble bytecode and analyze it. Initial Overview VM exe coded in C, takes an arg which is a 32 bit inte...
Gateway is a binary with complex obfuscation, including Heaven’s Gate for Linux. Real analysis is avoided by utilizing a side channel. Initial Analysis C (most likely), 32 bit, elf, no known pac...
This challenge is a simple return to stack challenge with ASLR but no PIE. The input size is very restrictive, so a relative jump is required to jump to a larger user controlled buffer. Initial ...
In this challenge, I analyze a custom compiler/interpreter coded in Golang with a hidden instruction that is used to obtain the flag under specific conditions. Triage The binary is stripped, but...
In this challenge, there is a SQL injection via raw md5 hashes; using the leaked keys, our ticket is forged and the flag is obtained. First looks When pressing the “I’m a Passenger” button, we g...
In this writeup I analyze an ELF with modifications at runtime. The key is derived through a combination of static and dynamic analysis. Background SquirelCTF challenge, called “bin fun”. Stati...