Cherry referring to my last name Forward and Reverse Engineering

Capture the Flag

I play and organize Capture the Flag competitions with hxp. Find my writeups on our blog.

hxp CTF 2022


Recover flag from captured encrypted network stream of successful remote exploitation of CVE-2022-3602 and CVE-2022-3786. [writeups 1 2]

hxp CTF 2021


Circumvent cheating protection to beat Arkanoid clone written for Nintendo 3DS to get the flag. [challenge] [writeup]


Circumvent Linux Address Space Layout Randomization by placing at most 10 single-byte writes relative to a calloc’d memory chunk. [challenge] [writeup]

caBalS puking

Extract flag from backup file taken from Signal messenger for Android without knowing the backup key. [challenge] [writeup]

hxp CTF 2020


Shellcoding exercise as a sequel to the noemoji challenge by borysp from Dragon CTF 2020 with slight modifications. [challenge]


(cf. 比べる to make a comparison): Recover license information for a file comparison tool written in Delphi/Pascal for Windows. [challenge]


Recover flag from branch-free checker algorithm compiled for x86-64 Linux. Inspired by Redford’s DeobfuscateMe challenge from CONFidence CTF Finals 2015. [challenge]

hxp CTF 2019


Recover preimage of a special triple MD5 implementation for x86-64 Linux. [challenge] [writeup]

hxp CTF 2018

cheatquest of hxpschr 1–4

Multiple challenges about reverse enginnering the Action Replay / Gameshark cheating device for Nintendo Gameboy Advance. The device modifies Pokemon Emerald to hide flags inside the game. [ challenge 1 2 3 4 ] [writeup 1 2 3 4 ]

pandora's box

Write an automated key extraction tool that recovers the keys from on-the-fly generated AES whitebox implementations. [challenge]


Write shellcode that extracts one byte of the flag at a time without requiring more than 9 bytes of space. [challenge]


Warmup challenge to be solved with angr symbolic execution engine. [challenge]

hxp CTF 2017


Flag checker written in Fortran 90 compiled for x86-64/Linux. [challenge]


Same idea as Zwiebel challenge from CTF in 2016 but harder. [challenge]


Exploit CVE-2017-13089 in wget to get code execution in wget client launched from a web frontend. [challenge]


Tiny pwnable that allows for arbitrary many writes relative to a calloc’d pointer in x86-64 Linux without an information leak. [challenge]

TUM CTF 2016


(cf. Zwiebel German word for onion): Extract the key from a multi-layered executable that checks one input bit in each layer and then proceeds to unpack the next layer. [challenge] [[LifeOverflow video 1 video 2 ]]


Find preimages for a home-brewn hash function. [challenge]


Run-forever-to-get-flag challenge that computes a (very large) combinatoric number. Find a shortcut by figuring out the math behind the permutation. [challenge]


Beat Kelloggs Mission Nutrition DOS game, or extract the flag from the game map files. [challenge [writeup]


Beat every level of Kelloggs Mission Nutrition DOS game, or extract the flag from the game meta data files. [challenge]

TUM CTF Teaser 2015


Extract flag from program self-patching and execve‘ing itself multiple times. [challenge]

whitebox crypto

Extract key from whitebox XTEA implementation for x86-64 Linux. [challenge]


Get flag from DOS program painting patterns on the screen. [challenge]