kirschju.re - Forward and Reverse Engineering

Capture the Flag

I play and organize Capture the Flag competitions with hxp. Find my writeups on our blog.

hxp CTF 2022

secure_flag_dispenser

Recover flag from captured encrypted network stream of successful remote exploitation of CVE-2022-3602 and CVE-2022-3786. [writeups 1 2]

hxp CTF 2021

hxp3drm

Circumvent cheating protection to beat Arkanoid clone written for Nintendo 3DS to get the flag. [challenge] [writeup]

zehn

Circumvent Linux Address Space Layout Randomization by placing at most 10 single-byte writes relative to a calloc’d memory chunk. [challenge] [writeup]

caBalS puking

Extract flag from backup file taken from Signal messenger for Android without knowing the backup key. [challenge] [writeup]

hxp CTF 2020

nemoji

Shellcoding exercise as a sequel to the noemoji challenge by borysp from Dragon CTF 2020 with slight modifications. [challenge]

kuraberu

(cf. 比べる, "to make a comparison"): Recover license information for a file comparison tool written in Delphi/Pascal for Windows. [challenge]

nobranch7e4

Recover flag from branch-free checker algorithm compiled for x86-64 Linux. Inspired by Redford’s DeobfuscateMe challenge from CONFidence CTF Finals 2015. [challenge]

hxp CTF 2019

md15

Recover preimage of a special triple MD5 implementation for x86-64 Linux. [challenge] [writeup]

hxp CTF 2018

cheatquest of hxpschr 1–4

Multiple challenges about reverse engineering the Action Replay / GameShark cheating device for the Nintendo Game Boy Advance. The device modifies Pokémon Emerald to hide flags inside the game. [challenge 1 2 3 4] [writeup 1 2 3 4]

pandora's box

Write an automated key extraction tool that recovers the keys from on-the-fly generated AES whitebox implementations. [challenge]

yunospace

Write shellcode that extracts one byte of the flag at a time without requiring more than 9 bytes of space. [challenge]

angrme

Warmup challenge to be solved with angr symbolic execution engine. [challenge]

hxp CTF 2017

4TRUN

Flag checker written in Fortran 90 compiled for x86-64/Linux. [challenge]

revenge_of_the_zwiebel

Same idea as the zwiebel challenge from TUM CTF 2016, but harder. [challenge]

oldcurlyfries

Exploit CVE-2017-13089 in wget to get code execution in wget client launched from a web frontend. [challenge]

impossible

Tiny pwnable that allows arbitrarily many writes relative to a calloc’d pointer on x86-64 Linux without an information leak. [challenge]

TUM CTF 2016

zwiebel

(cf. Zwiebel, German for onion): Extract the key from a multi-layered executable that checks one input bit in each layer and then proceeds to unpack the next layer. [challenge] [LiveOverflow video 1, video 2]

hxphash

Find preimages for a home-brewed hash function. [challenge]

prmeuttiaon

Run-forever-to-get-flag challenge that computes a (very large) combinatorial number. Find a shortcut by figuring out the math behind the permutation. [challenge]

hack_or_play

Beat the Kellogg's Mission Nutrition DOS game, or extract the flag from the game map files. [challenge] [writeup]

hack_or_hack

Beat every level of the Kellogg's Mission Nutrition DOS game, or extract the flag from the game metadata files. [challenge]

TUM CTF Teaser 2015

quine

Extract the flag from a program that self-patches and execve's itself multiple times. [challenge]

whitebox crypto

Extract key from whitebox XTEA implementation for x86-64 Linux. [challenge]

b0rked_screens4ver

Get the flag from a DOS program painting patterns on the screen. [challenge]