Blog

Security research, reverse engineering, CTF writeups, and open-source tools.

VEILGATE (ROCSC Bootcamp 2026) — Android Native RE with Control Flow Flattening

NorthStar License Verifier — three layers of protection used in real commercial apps. RegisterNatives hides the JNI binding (no exported symbol), OLLVM-style control flow flattening turns the verification function into a 124-node state machine, and the AES-128-CBC key is split across two XOR'd arrays in .rodata. Deobfuscate with angr/deflat.py, extract the key material from Ghidra, and decrypt the embedded license.

iSCSI CHAP: Heap Buffer Overflow in the Linux Kernel

Heap buffer overflow in the iSCSI target CHAP authentication code, reachable before password validation. The BASE64 branch of chap_server_compute_hash() passes up to 127 attacker-controlled characters to chap_base64_decode() without a length check, writing up to 95 decoded bytes into a 16- or 32-byte heap object. The attacker needs only the CHAP username. Confirmed with KASAN on linux-next; patch submitted to Martin K. Petersen with Fixes: 1e5733883421.

mac80211 EPCS: OOB Array Access in the Linux Kernel WiFi Stack

Out-of-bounds array access in ieee80211_ml_epcs() in the mainline mac80211 WiFi stack. A 4-bit link_id field extracted from a PRIO_ACCESS ML element can be 0–15, but sdata->link[] has only 15 entries. Index 15 reads into activate_links_work, bypasses the NULL check, and crashes the kernel via ieee80211_sta_wmm_params(). Triggerable by any rogue WiFi 7 AP. Accepted by Johannes Berg, backported to stable.

WRAITHSTEP (ROCSC Finals 2026) — Linux Implant Forensics

Three-stage Linux forensics challenge: trace a fileless dropper running from a memfd_create file descriptor back to a udev /dev/random persistence rule, reverse the RC4-obfuscated PAM backdoor that replaced pam_pkcs11.so, and decode base32-encoded credentials tunneled over DNS.
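The DNS tunnel stage above comes down to two details that trip up a naive decoder: resolvers fold case, so base32 arrives lowercased, and '=' is not legal in a DNS label, so padding is stripped. The decoder below is an added example, not the challenge's or the author's code; the zone name exfil.example.net, the chunking scheme and the captured query list are all constructed here for illustration.

```python
import base64

# Hypothetical exfiltration zone used by the constructed sample.
EXFIL_ZONE = "exfil.example.net"


def _chunk_for_dns(secret, label_len=20):
    """Build the constructed sample the way an implant would: base32, strip padding,
    lowercase (resolvers fold case anyway), split into labels of label_len chars."""
    enc = base64.b32encode(secret).decode().rstrip("=").lower()
    return [enc[i:i + label_len] for i in range(0, len(enc), label_len)]


# Constructed capture: queries in the order they appeared, with an unrelated
# lookup mixed in as noise, as a tshark/dns field dump would list them.
SAMPLE_QUERIES = [f"{lbl}.{EXFIL_ZONE}" for lbl in _chunk_for_dns(b"svc_backup:Winter2026!")]
SAMPLE_QUERIES.insert(1, "www.example.com")


def extract_labels(qname, zone):
    """Return the payload labels of qname (dots removed) if it is under zone, else None."""
    q = qname.rstrip(".").lower()
    suffix = "." + zone.lower()
    if not q.endswith(suffix):
        return None
    return q[: -len(suffix)].replace(".", "")


def decode_base32_tunnel(queries, zone=EXFIL_ZONE):
    """Reassemble base32 text split across DNS labels and decode it.

    b32decode requires the uppercase RFC 4648 alphabet and full '=' padding,
    neither of which survives transport through DNS, so both are restored here.
    """
    parts = (extract_labels(q, zone) for q in queries)
    payload = "".join(p for p in parts if p).upper()
    payload += "=" * (-len(payload) % 8)
    return base64.b32decode(payload)


if __name__ == "__main__":
    print(decode_base32_tunnel(SAMPLE_QUERIES))
```

Queries are consumed in capture order; a real tunnel that embeds a sequence number in the first label would need a sort step before the join.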

WINSENSOR (ROCSC Finals 2026) — Hidden IOCTL in a Windows Kernel Driver

Stripped x64 kernel driver with three IOCTL handlers — two documented, one hidden. The undocumented handler writes directly to the driver's auth variable with no privilege check. Find function code 0x8800001C, recover ADMIN_TOKEN = 0xC0FFEE1337DEAD01, and exploit the same diagnostic backdoor pattern behind real BYOVD attacks.

rtl8723bs — WiFi Heap Overflow in the Linux Kernel

Heap overflow in OnAuthClient(), exploitable by any rogue AP within radio range: no authentication required, and any device running the driver is affected, reached via the auth algorithm toggle. Three patch series covering eight functions across the driver, including a separate one-byte WPA IE overflow reachable via nl80211. The driver has been in staging since 2017.

VLC — Three Bugs in One Audit

Three bugs found in a single audit of VLC 4.0-dev: a tautological guard in the Smooth Streaming parser that dereferences chunks.end(), a uint32_t overflow that freezes VLC permanently on a crafted ID3 tag, and a uint16_t underflow in the AMT IPv6 handler that moves a buffer pointer ~64 KB before its allocation.

libmspack — Salvage Mode Use-After-Free in Cabinet Parser

Crafted .cab file causes a circular singly-linked list in salvage mode when the second cabd_read_files() call fails without updating the file list pointer. ASAN-confirmed heap-use-after-free in cabd_close(). Fixed in commit c8336f2.

file/libmagic — OOB Read in ELF Core Note Parser

Missing bounds check in do_core_note()'s FreeBSD NT_PRPSINFO path: process name read at doff + argoff without verifying the offset is within the buffer. Fixed in commit 6bb1b445 by Christos Zoulas.

DWMShield — Kernel-Mode Window Capture Exclusion on Windows

Kernel driver that calls win32kfull!GreProtectSpriteContent directly to mark any window as excluded from screen capture — making it invisible to every user-mode recording API without touching SetWindowDisplayAffinity. Confirms that WDA_EXCLUDEFROMCAPTURE is enforced entirely inside the kernel, inside DWM's compositor path.

CourierDrop (OSC Regional 2026) — 4-Stage Android RE

Courier logistics app with four chained secrets: obfuscated dispatch code, JNI callback hiding the attestation, anti-debug bypass to unlock encrypted notes, and a local HMAC verifier for the final flag.

KernelBackdoor (UNBR Finals 2026) — Android + Hidden Kernel Module

An Android APK shipping a .ko in assets/. Load the module manually, reverse the XOR token from libnative.so, and hit ioctl(0x1337) on /dev/ctf to get the flag back.

RAM Vault Beacon (UNBR Quals 2026) — Linux Malware Forensics

Linux malware forking into an anti-analysis tree, storing encrypted flag bytes in an anonymous mmap region. Combine PCAP, memory dump, and disk image to reconstruct the SHA256 key chain and decrypt.

In Search of the Lost Note (ROCSC Quals 2026) — SQLite WAL Forensics

Flag hidden in an uncommitted WAL frame that normal SQLite won't show. Raw WAL parsing, native reverse engineering for the PBKDF2 pepper, then AES-GCM + MessagePack to pull it out.
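Why "normal SQLite won't show" the frame: on open, SQLite replays WAL frames only up to the last frame whose commit field (database size in pages) is non-zero; frames after that belong to a transaction that never committed and are simply ignored. The parser below is an added example, not the challenge's or the author's code: it walks every frame that passes the salt and cumulative-checksum checks, tags each as committed or not, and pulls printable strings out of the ignored ones. The WAL image it runs on is constructed in-line by build_wal(); the salts, page size and note text are made up for the example.

```python
import re
import struct

WAL_HEADER_SIZE = 32
FRAME_HEADER_SIZE = 24
WAL_MAGIC = 0x377F0682  # low bit selects checksum word order: 0 little-endian, 1 big-endian


def wal_checksum(data, s0=0, s1=0, big_endian=False):
    """SQLite WAL cumulative checksum over 32-bit word pairs: s0 += x0 + s1; s1 += x1 + s0."""
    fmt = ">II" if big_endian else "<II"
    for off in range(0, len(data) - len(data) % 8, 8):
        x0, x1 = struct.unpack_from(fmt, data, off)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1


def parse_wal(buf):
    """Return every valid frame in a WAL image, including those after the last commit."""
    magic, _version, page_size, _ckpt, salt1, salt2, c0, c1 = struct.unpack_from(">8I", buf, 0)
    if magic & ~1 != WAL_MAGIC:
        raise ValueError("not a WAL file")
    big_endian = bool(magic & 1)
    if wal_checksum(buf[:24], 0, 0, big_endian) != (c0, c1):
        raise ValueError("WAL header checksum mismatch")
    frames, s0, s1, off = [], c0, c1, WAL_HEADER_SIZE
    while off + FRAME_HEADER_SIZE + page_size <= len(buf):
        pgno, db_size, fsalt1, fsalt2, fc0, fc1 = struct.unpack_from(">6I", buf, off)
        page = buf[off + FRAME_HEADER_SIZE: off + FRAME_HEADER_SIZE + page_size]
        if (fsalt1, fsalt2) != (salt1, salt2):
            break  # stale frame left over from before the last checkpoint reset
        s0, s1 = wal_checksum(buf[off:off + 8], s0, s1, big_endian)
        s0, s1 = wal_checksum(page, s0, s1, big_endian)
        if (s0, s1) != (fc0, fc1):
            break  # torn or corrupted frame: SQLite stops here, so do we
        frames.append({"pgno": pgno, "commit": db_size != 0, "data": page})
        off += FRAME_HEADER_SIZE + page_size
    last_commit = max((i for i, f in enumerate(frames) if f["commit"]), default=-1)
    for i, f in enumerate(frames):
        f["committed"] = i <= last_commit  # what a normal open would replay
    return frames


def uncommitted_strings(frames, min_len=6):
    """Printable ASCII runs from frames SQLite ignores (after the last commit frame)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode() for f in frames if not f["committed"]
            for m in re.findall(pattern, f["data"])]


def build_wal(page_size, frames, salt=(0x5A17B00C, 0x0DDBA115)):
    """Constructed WAL image for the example; frames is a list of (pgno, db_size, page_bytes).
    db_size == 0 marks a non-commit frame, exactly as SQLite writes them mid-transaction."""
    hdr = struct.pack(">6I", WAL_MAGIC, 3007000, page_size, 0, *salt)
    s0, s1 = wal_checksum(hdr)
    out = bytearray(hdr + struct.pack(">2I", s0, s1))
    for pgno, db_size, page in frames:
        page = page.ljust(page_size, b"\0")
        head = struct.pack(">2I", pgno, db_size)
        s0, s1 = wal_checksum(head, s0, s1)
        s0, s1 = wal_checksum(page, s0, s1)
        out += head + struct.pack(">4I", *salt, s0, s1) + page
    return bytes(out)


PAGE_SIZE = 512
SAMPLE_WAL = build_wal(PAGE_SIZE, [
    (2, 2, b"note: grocery list"),            # commit frame: database is 2 pages afterwards
    (2, 0, b"note: FLAG{lost_note_in_wal}"),  # same page, rewritten by a transaction that never committed
])

if __name__ == "__main__":
    for f in parse_wal(SAMPLE_WAL):
        print(f["pgno"], "committed" if f["committed"] else "UNCOMMITTED")
    print(uncommitted_strings(parse_wal(SAMPLE_WAL)))
```

Stopping at the first checksum failure matches SQLite's own recovery rule; a forensic pass that wants to look past a torn frame can drop that check, but anything it finds beyond that point has no integrity guarantee.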

git-secret-scanner — Three-Layer Secret Detection in Git History

Three-layer scanner for leaked credentials in git commit history: regex catches known formats (AWS keys, GitHub PATs, database connection strings, private keys), Shannon entropy scores each match, and an LLM verifies with full commit context — commit message, file path, surrounding diff lines — to filter out test data and placeholders.
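The first two layers, and the context packet the third one would consume, look roughly like this. The code is an added example, not git-secret-scanner's own implementation: the pattern set, the 3.0 bits/char entropy cut-off, the commit dictionary shape and the sample diff are all constructed here. The LLM call itself is left out; scan_commit() returns the commit message, path and surrounding diff lines that would be handed to it.

```python
import math
import re

# Layer 1: known credential formats (constructed subset; real scanners carry far more).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # group 1 captures the password so entropy is scored on the secret, not the URL
    "db_connection_string": re.compile(r"\b(?:postgres|mysql|mongodb)://[^:\s]+:([^@\s]+)@"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ENTROPY_THRESHOLD = 3.0  # bits/char; assumed cut-off, tune it on your own history


def shannon_entropy(s):
    """Bits per character over the token's own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_commit(commit, context_lines=2):
    """Layers 1 and 2 over one commit's added lines.

    commit = {"sha", "message", "path", "diff": [lines with their +/-/space prefix]}
    Each finding carries the context layer 3 (an LLM or a human) needs to decide
    whether it is a real credential or a fixture.
    """
    findings = []
    diff = commit["diff"]
    for i, line in enumerate(diff):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines introduce a leak; removed lines are history
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                h = shannon_entropy(token)
                # Layer 2: a PEM header is a fixed string, so skip the entropy gate for it;
                # everything else must look random enough to be a real secret.
                if kind != "private_key" and h < ENTROPY_THRESHOLD:
                    continue
                findings.append({
                    "kind": kind, "token": token, "entropy": round(h, 2),
                    "sha": commit["sha"], "path": commit["path"], "message": commit["message"],
                    "context": diff[max(0, i - context_lines): i + context_lines + 1],
                })
    return findings


# Constructed sample commit: one real-looking key, one repetitive placeholder the
# entropy layer should drop, one connection string with an embedded password.
SAMPLE_COMMIT = {
    "sha": "0123abcd",
    "message": "add deploy script",
    "path": "scripts/deploy.sh",
    "diff": [
        " set -eu",
        "+export AWS_ACCESS_KEY_ID=AKIAQ7RX2PL9MB4NWT6C",
        "+export AWS_ACCESS_KEY_PLACEHOLDER=" + "AKIA" + "A" * 16,
        "+export DB_URL=postgres://app:Tr0ub4dor_3_xyz@db.internal/app",
        "+# see the deployment docs for real values",
        "-export AWS_ACCESS_KEY_ID=CHANGE_ME",
    ],
}

if __name__ == "__main__":
    for f in scan_commit(SAMPLE_COMMIT):
        print(f["kind"], f["token"], f["entropy"], f["path"])
```

Entropy alone does not catch well-known documentation keys (Amazon's published example key scores about as high as a real one), which is exactly the gap the commit-context layer exists to close.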

Angry Birds (VianuCTF 2025) — Android HMAC Score Forgery

xdelta-patched Angry Birds APK with a hidden score-submission server. Decompile with JADX, find the hardcoded HMAC-SHA256 secret in GoogleConnectService, forge a 109 score, and get the flag.

llm-decompile-cleaner — Decompiler Output Cleanup with llm4decompile-22b-v2

Post-processor for Ghidra, IDA, and Binary Ninja C dumps that splits the output by function and pipes each one through llm4decompile-22b-v2 — a model trained specifically on decompiler output rather than general source code — then deduplicates prototype declarations and normalizes whitespace.

Arno (HackTheBox) — Android Unity IL2CPP

Unity IL2CPP APK: dump libil2cpp.so and global-metadata.dat with Il2CppDumper to recover the method names and constants, then AES-CBC decrypt in Python to recover the flag.