Blog

Security research, reverse engineering, CTF writeups, and open-source tools.

rtl8723bs — WiFi Heap Overflow in the Linux Kernel

Heap overflow in OnAuthClient(), exploitable by any rogue AP within radio range: no authentication required, and any device running the driver can be reached via the auth algorithm toggle. Three patch series covering eight functions across the driver, including a separate one-byte WPA IE overflow reachable via nl80211. The driver has been in staging since 2015.

VLC — Three Bugs in One Audit

Three bugs found in a single audit of VLC 4.0-dev: a tautological guard in the Smooth Streaming parser that dereferences chunks.end(), a uint32_t overflow that freezes VLC permanently on a crafted ID3 tag, and a uint16_t underflow in the AMT IPv6 handler that moves a buffer pointer ~64 KB before its allocation.

libmspack — Salvage Mode Use-After-Free in Cabinet Parser

A crafted .cab file produces a circular singly-linked list in salvage mode when the second cabd_read_files() call fails without updating the file list pointer, giving an ASAN-confirmed heap-use-after-free in cabd_close(). Fixed in commit c8336f2.

file/libmagic — OOB Read in ELF Core Note Parser

Missing bounds check in do_core_note()'s FreeBSD NT_PRPSINFO path: process name read at doff + argoff without verifying the offset is within the buffer. Fixed in commit 6bb1b445 by Christos Zoulas.

DWMShield — Kernel-Mode Window Capture Exclusion on Windows

Kernel driver that calls win32kfull!GreProtectSpriteContent directly to mark any window as excluded from screen capture, making it invisible to every user-mode recording API without touching SetWindowDisplayAffinity. Confirms that WDA_EXCLUDEFROMCAPTURE is enforced entirely in the kernel, on DWM's compositor path.

CourierDrop (OSC Regional 2026) — 4-Stage Android RE

Courier logistics app with four chained secrets: obfuscated dispatch code, JNI callback hiding the attestation, anti-debug bypass to unlock encrypted notes, and a local HMAC verifier for the final flag.

KernelBackdoor (UNBR Finals 2026) — Android + Hidden Kernel Module

An Android APK shipping a .ko in assets/. Load the module manually, reverse the XOR token from libnative.so, and hit ioctl(0x1337) on /dev/ctf to get the flag back.

RAM Vault Beacon (UNBR Quals 2026) — Linux Malware Forensics

Linux malware forking into an anti-analysis tree, storing encrypted flag bytes in an anonymous mmap region. Combine PCAP, memory dump, and disk image to reconstruct the SHA256 key chain and decrypt.

In Search of the Lost Note (ROCSC Quals 2026) — SQLite WAL Forensics

Flag hidden in an uncommitted WAL frame that normal SQLite won't show. Raw WAL parsing, native reverse engineering for the PBKDF2 pepper, then AES-GCM + MessagePack to pull it out.
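The raw WAL parsing step, as an added example that is not the writeup's own code: it walks every frame of a WAL image and classifies each one the way SQLite's recovery does (salt must match the header, the cumulative checksum chain must hold, and only frames up to the last commit frame are replayed), so frames that SQLite would silently drop are still read out. The WAL image, salts and the flag string are constructed inline for the example; the field layout is SQLite's documented WAL format.

```python
import struct

WAL_MAGIC = 0x377F0682        # low bit set => checksum words are big-endian
WAL_HDR_SIZE = 32
FRAME_HDR_SIZE = 24


def wal_checksum(data, seed, big_endian):
    """SQLite's cumulative WAL checksum over 32-bit word pairs with wrapping adds."""
    s0, s1 = seed
    fmt = ">II" if big_endian else "<II"
    for off in range(0, len(data), 8):
        x0, x1 = struct.unpack_from(fmt, data, off)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(wal):
    """Return one dict per frame; 'visible' is True only for frames SQLite would replay."""
    if len(wal) < WAL_HDR_SIZE:
        raise ValueError("short WAL header")
    magic, _ver, page_size, _ckpt, salt1, salt2, h0, h1 = struct.unpack_from(">8I", wal, 0)
    if magic & 0xFFFFFFFE != WAL_MAGIC:
        raise ValueError("bad WAL magic 0x%08x" % magic)
    big_endian = bool(magic & 1)
    # Header checksum covers the first 24 header bytes and seeds the frame chain.
    running = wal_checksum(wal[:24], (0, 0), big_endian)
    chain_ok = running == (h0, h1)
    frames, off, last_commit = [], WAL_HDR_SIZE, -1
    while off + FRAME_HDR_SIZE + page_size <= len(wal):
        pgno, db_size, fsalt1, fsalt2, c0, c1 = struct.unpack_from(">6I", wal, off)
        page = wal[off + FRAME_HDR_SIZE: off + FRAME_HDR_SIZE + page_size]
        salt_ok = (fsalt1, fsalt2) == (salt1, salt2)   # stale generations fail here
        cksum_ok = False
        if chain_ok and salt_ok and pgno != 0:
            # The chain covers pgno + db_size (8 bytes) followed by the page image.
            nxt = wal_checksum(wal[off:off + 8] + page, running, big_endian)
            cksum_ok = nxt == (c0, c1)
            if cksum_ok:
                running = nxt
        if not cksum_ok:
            chain_ok = False          # SQLite stops recovery at the first bad frame
        elif db_size != 0:
            last_commit = len(frames)  # db_size != 0 marks a commit frame
        frames.append({"pgno": pgno, "db_size": db_size, "salt_ok": salt_ok,
                       "cksum_ok": cksum_ok, "commit": db_size != 0, "page": page})
        off += FRAME_HDR_SIZE + page_size
    for i, fr in enumerate(frames):
        fr["visible"] = fr["cksum_ok"] and i <= last_commit
    return frames


def hidden_frames(wal):
    """Frames a normal SQLite open would never show, with their trailing padding stripped."""
    return [(i, f["pgno"], f["page"].rstrip(b"\x00"))
            for i, f in enumerate(parse_wal(wal)) if not f["visible"]]


def build_wal(page_size, salt, frames, big_endian=False):
    """Construct a WAL image for the example; frames = [(pgno, db_size, page, frame_salt)]."""
    hdr = struct.pack(">6I", WAL_MAGIC | int(big_endian), 3007000, page_size, 0, *salt)
    running = wal_checksum(hdr, (0, 0), big_endian)
    out = bytearray(hdr + struct.pack(">2I", *running))
    for pgno, db_size, page, fsalt in frames:
        page = page.ljust(page_size, b"\x00")
        head = struct.pack(">2I", pgno, db_size)
        if fsalt == salt:
            running = wal_checksum(head + page, running, big_endian)
            cksum = running
        else:
            cksum = (0xDEADBEEF, 0xDEADBEEF)   # leftover frame from an old generation
        out += head + struct.pack(">4I", fsalt[0], fsalt[1], *cksum) + page
    return bytes(out)


# Constructed sample: one committed frame, one written but never committed frame holding
# a placeholder flag, and one stale frame left over from before a checkpoint restart.
SALT = (0x11223344, 0x55667788)
OLD_SALT = (0x11223343, 0x0BADF00D)
SAMPLE_WAL = build_wal(512, SALT, [
    (1, 1, b"SQLite format 3\x00", SALT),
    (2, 0, b"note: flag{constructed_example}", SALT),
    (2, 2, b"leftover row from before checkpoint", OLD_SALT),
])

if __name__ == "__main__":
    for idx, pgno, data in hidden_frames(SAMPLE_WAL):
        print("frame %d page %d hidden: %r" % (idx, pgno, data))
```

Frame 1 passes the salt and checksum checks but has no commit frame after it, so SQLite's recovery truncates the WAL before it; frame 2 fails the salt check because it belongs to the previous WAL generation. Both are readable from disk, and both are where a forensic parse should look first.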

git-secret-scanner — Three-Layer Secret Detection in Git History

Three-layer scanner for leaked credentials in git commit history: regex catches known formats (AWS keys, GitHub PATs, database connection strings, private keys), Shannon entropy scores each match, and an LLM verifies with full commit context — commit message, file path, surrounding diff lines — to filter out test data and placeholders.

Angry Birds (VianuCTF 2025) — Android HMAC Score Forgery

xdelta-patched Angry Birds APK with a hidden score-submission server. Decompile with JADX, find the hardcoded HMAC-SHA256 secret in GoogleConnectService, forge a 109 score, and get the flag.

llm-decompile-cleaner — Decompiler Output Cleanup with llm4decompile-22b-v2

Post-processor for Ghidra, IDA, and Binary Ninja C dumps that splits the output by function and pipes each one through llm4decompile-22b-v2 — a model trained specifically on decompiler output rather than general source code — then deduplicates prototype declarations and normalizes whitespace.

Arno (HackTheBox) — Android Unity IL2CPP

Unity IL2CPP APK, libil2cpp.so + global-metadata.dat, Il2CppDumper, then AES-CBC decrypt in Python to recover the flag.