Labs
Weekly hands-on lab. RE walkthroughs, exploits, original CTFs. Done in a sandbox.
`passcode`: the login check you never reach, because `scanf` already owns the GOT
— one missing ampersand, one captured flag
Same Source, Two ABIs: A Format-String Warm-Up Where the Stack Offset Is the Whole Story
— two ABIs, one printf, four bytes written
Buffer Overflow 1, the long way round: when `gets()` hands you RIP but NX and an empty toolbox push you into a syscall
— empty cupboard, so I built a syscall
Ret2win the long way: rebuilding picoCTF "buffer overflow 2" when the sandbox won't give you 32 bits
— two magic dwords, one ROP chain
`numb3r3_4r3nt_s4f3`: how `imul eax,eax,0x3e8` buys you a flag you can't afford
— the store paid me to shop
selfkey: the password that XORs to itself
— the key that keys itself
Evolving SBox: reversing 0xJam3z's 14 KB keyed hash, one Fisher-Yates shuffle at a time
— eight rounds, one faithful model
CybersecGateway: the password is the binary of the XOR of your uppercased name, then base64 of that
— six stages, two real operations, twelve bytes
The 38 op-codes of choose-your-own-adventure: a ptrace-as-bytecode VM in 18 KB
— forked, traced, and well-behaved at last
The %n that wasn't there: a printf format-string warmup with glibc 2.42 in the way
— writable formats, irritable libc
Twenty-five bytes of /bin/sh: picoCTF 2019 "Handy Shellcode" the long way
— twenty-five bytes is plenty
FlipVM: a tiny ISA that pretends to forget everything between instructions
— machine forgets, we remember
Shake It, Baby — An Encoding That Isn't
— hex is not a disguise