<feed xmlns="http://www.w3.org/2005/Atom">
  <id>/</id>
  <title>brew's writeups</title>
  <subtitle></subtitle>
  <updated>2026-03-09T05:54:31+00:00</updated>
  <author>
    <name>bytebrew</name>
    <uri>/</uri>
  </author>
  <link rel="self" type="application/atom+xml" href="/feed.xml"/>
  <link rel="alternate" type="text/html" hreflang="en" href="/"/>
  <generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator>
  <rights> © 2026 bytebrew </rights>
  <icon>/assets/img/favicons/favicon.ico</icon>
  <logo>/assets/img/favicons/favicon-96x96.png</logo>
  <entry>
    <title>Easy Shellcoding</title>
    <link href="/posts/Easy-Shellcoding/" rel="alternate" type="text/html" title="Easy Shellcoding" />
    <published>2025-11-18T00:00:00+00:00</published>
    <updated>2025-11-20T01:02:44+00:00</updated>
    <id>/posts/Easy-Shellcoding/</id>
    <content type="text/html" src="/posts/Easy-Shellcoding/" />
    <author>
      <name>bytebrew</name>
    </author>
    <category term="Amateurs-2025" />
    <summary>Overview The challenge itself is pretty small: #!/usr/bin/python3 from capstone import * from capstone.x86 import X86Op, X86_OP_IMM import os ALLOWED_MNEMONICS = ["jmp", "add", "mov", "sub", "inc", "dec", "cmp", "push", "pop", "int3"] shellcode = b"\xbc\x00\x70\x76\x06" + bytes.fromhex(input("shellcode: ")) + b"\xcc" if len(shellcode) &amp;gt; 0x1000: exit("too long") cs = Cs(CS_ARCH_X86, C...</summary>
  </entry>
  <entry>
    <title>ELF Capsule</title>
    <link href="/posts/ELF-Capsule/" rel="alternate" type="text/html" title="ELF Capsule" />
    <published>2025-07-28T00:00:00+00:00</published>
    <updated>2025-08-01T05:25:22+00:00</updated>
    <id>/posts/ELF-Capsule/</id>
    <content type="text/html" src="/posts/ELF-Capsule/" />
    <author>
      <name>bytebrew</name>
    </author>
    <category term="UIUCTF-2025" />
    <summary>In this writeup I analyze a riscv64 kernel that contains a VM and a process executed in userland. This process utilizes invalid reads/writes in order to trigger the VM. I construct a disassembler and instruction logger, disassemble the userland program’s VM calls, decompile the checks to python, and transcribe them into z3 constraints. Kernel Analysis This is a riscv64 kernel that executes a...</summary>
  </entry>
  <entry>
    <title>Better Packet Filter</title>
    <link href="/posts/Better-Packet-Filter/" rel="alternate" type="text/html" title="Better Packet Filter" />
    <published>2025-06-10T00:00:00+00:00</published>
    <updated>2025-08-01T05:50:02+00:00</updated>
    <id>/posts/Better-Packet-Filter/</id>
    <content type="text/html" src="/posts/Better-Packet-Filter/" />
    <author>
      <name>bytebrew</name>
    </author>
    <category term="USCG-2025" />
    <summary>Better Packet Filter is an arm64 kernel module that runs a custom VM with a user-supplied program to filter “packets” that are placed in a file. In this writeup, I analyze the VM and construct a program that leaks bits from /flag.txt. Overview We are tasked with reverse engineering a kernel module and leaking the flag (placed at /flag.txt). We are given shell access to an Alpine image as a u...</summary>
  </entry>
  <entry>
    <title>Is it data or data?</title>
    <link href="/posts/Is-it-data-or-data/" rel="alternate" type="text/html" title="Is it data or data?" />
    <published>2025-05-10T00:00:00+00:00</published>
    <updated>2025-08-01T05:22:11+00:00</updated>
    <id>/posts/Is-it-data-or-data/</id>
    <content type="text/html" src="/posts/Is-it-data-or-data/" />
    <author>
      <name>bytebrew</name>
    </author>
    <category term="DamCTF-2025" />
    <summary>This challenge requires a sequence of instructions that produces a target output. Initial Analysis This is an x86-64 ELF coded in C++. The main function contains a loop that prints the flag once the loop is broken. { char i; do { if (!set_7th_char_to_g()) { char j; do j = input_and_mut...</summary>
  </entry>
  <entry>
    <title>Sheriff Says</title>
    <link href="/posts/Sheriff-Says/" rel="alternate" type="text/html" title="Sheriff Says" />
    <published>2025-04-05T00:00:00+00:00</published>
    <updated>2025-08-01T05:27:45+00:00</updated>
    <id>/posts/Sheriff-Says/</id>
    <content type="text/html" src="/posts/Sheriff-Says/" />
    <author>
      <name>bytebrew</name>
    </author>
    <category term="PlaidCTF-2025" />
    <summary>This is a Golang LSP server that we have to reverse engineer in order to find commands that allow us to read the flag. Due to protections the flag can not be directly read, but a race condition can be used as a bypass. Overview The README.md says: Use Neovim `nvim -u ./init.lua &amp;lt;file.go&amp;gt;` After launching the binary and opening a file with nvim -u ./init.lua &amp;lt;file.go&amp;gt;, the serve...</summary>
  </entry>
</feed>
