Hi there, I’m ihuomtia ᕙ(⇀‸↼‶)ᕗ, this is my blog, I got some interesting writeups around here, enjoy your time.
Analysis of a Base64-encoded ELF execution service, bypassing restrictions, and reverse-engineering AMD microcode to recover the flag (unintended solution).
Exploiting Python object internals to hijack the __repr__ function pointer, redirecting execution to system("/bin/sh") for a shell, with adjustments for version-specific memory layouts.
Extracting data from a CAT24C64B EEPROM via custom ATmega328P I2C firmware, dumping its contents, discovering it’s a SWF file, and analyzing it to reveal the hidden flag.
Extracting and defeating a self-referential Python flag checker that uses version-specific marshal bytecode and anti-tampering keys by building a custom Python 3.10.12 interpreter with added debug prints to reveal the decrypted flag.
A stripped binary hides a flag behind complex modular arithmetic, requiring the discovery of six precise nine-digit integers to unlock it.
A seccomp-restricted binary forces the use of only safe syscalls—openat, preadv2, dup2, and writev—to craft shellcode that reads flag.txt and prints its contents despite strict syscall filtering.
Used a side channel attack to deduce the flag byte-by-byte.
Reverse a 64-bit ELF that reads a 10-char password from a tar.gz, then exploit a 0.5s-per-correct-char delay (timing side-channel) with a pwntools solver to recover the flag.
Exploitation of a Rust-based Wi-Fi management service by cracking a hardcoded MD5 password and leveraging an unrestricted command injection vulnerability to retrieve the flag through remote shell access and TCP redirection.
Exploited a 64-bit ELF with full RELRO, stack canary, and PIE protections.
Exploited a timing side-channel to leak libc base address and executed ROP to retrieve the flag.
Reverse-engineered a precision R-2R DAC; extracted the flag via analog-to-digital conversion and bitwise analysis.
Reverse engineering a custom ELF binary with a unique memory leak mechanism. The challenge involved identifying and exploiting a subtle memory leak to retrieve the flag.
Reverse-engineered a 64-bit ELF with no stack or LIBC leaks, bypassed seccomp, and exfiltrated the flag.
Analyzed a 64-bit stripped ELF, used Ghidra to dissect its dual-stage password checks (first_check, second_check), and unravelled the complex byte-wise logic checks to pass the “Congratulations!” gate.
Unpacked an Electron-based app’s app.asar from a .zip, extracted and decompiled the main.js, discovered an AES-256-CBC openssl-based flag decryption command gated on macOS—flag revealed.
A 64-bit Linux ELF with no canary or PIE—use heap allocations, overflow the code buffer pointer, and trigger a ret2win to call win() and retrieve the flag.
Reverse-engineer a Makeself self-extracting archive using binwalk to uncover the hidden tar data.
Decoded a 16-byte flag from RAM using a custom Python script that emulates a Logisim XOR circuit, bypassing brute-force limitations.
Exploiting a 64-bit Linux binary with seccomp restrictions using the ORW (Open, Read, Write) technique. The challenge involves leaking addresses encoded as double-precision floats and constructing ROP chains to bypass security measures and retrieve the flag.
Exploit a hidden menu via stamina and weight tweaks, use format string overflow and ROP to leak canary, ELF base, write '/bin/sh', then execve shell to grab the flag.
A heap overflow in a 64-bit ELF (partial RELRO, canary, NX, no PIE) lets you corrupt chunk metadata and force malloc to return a chunk containing “Ez W”, which triggers the flag leak.
Reverse-engineering the Krusty Krab’s “free-delivery” APK: decompiled an Android app (patched by Plankton) with jadx, identified suspicious network traffic and shell command behavior.
Leveraged heap vulnerabilities like Use-After-Free and tcache poisoning to leak libc and stack addresses, then exploited arbitrary write to execute system('/bin/sh').
Leverage a format string vulnerability and buffer overflow to leak libc addresses, then use ROP and a second payload to read the flag from a file.