<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>vmpr0be's blog</title><link>https://vmpr0be.com/</link><description>Recent posts on vmpr0be's blog</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><item><title>HxP 39C3 CTF - Orakel Von HxP</title><link>https://vmpr0be.com/post/hxp_orakel/</link><pubDate>Mon, 29 Dec 2025 00:00:00 +0000</pubDate><guid>https://vmpr0be.com/post/hxp_orakel/</guid><description>Overview orakel-von-hxp challenge banner
As you can see, the challenge author decided to include a hint: The flag is continuously input on UART1, which will be useful later.
This is an embedded device challenge. The microcontroller used is the lm3s6965, which uses an ARM Cortex-M3 CPU (ARM architecture).
Within the downloaded tarball file we find most importantly:
The source code of the firmware located in src/src. Compilation and emulation script at src/start.</description></item><item><title>BuckeyeCTF 2025 - Printful</title><link>https://vmpr0be.com/post/buckeye_printful/</link><pubDate>Mon, 10 Nov 2025 00:00:00 +0000</pubDate><guid>https://vmpr0be.com/post/buckeye_printful/</guid><description>This write-up won the BuckeyeCTF 2025 Write-up contest.
Overview This challenge is essentially a black-box: the remote application&amp;rsquo;s source code and binary are not provided, so I must discover its behavior and find the vulnerability by interacting with it remotely. All we’re given is the IP address and port.
Exploring Discovering the vulnerability My methodology for black-box challenges is to gather as much information about the application as possible. The challenge is called &amp;ldquo;printful&amp;rdquo;, which made me think of the C library function printf, which made me suspect a format string vulnerability.</description></item><item><title>SecurinetsCTF 2025 Quals - Push pull pops</title><link>https://vmpr0be.com/post/securinets_ppp/</link><pubDate>Sun, 05 Oct 2025 00:00:00 +0000</pubDate><guid>https://vmpr0be.com/post/securinets_ppp/</guid><description>Overview We&amp;rsquo;re given a Python script that takes base64 input and decodes it, expecting x86_64 assembly code to execute.
... from capstone import Cs, CS_ARCH_X86, CS_MODE_64 from capstone import CS_OP_REG ... def check(code: bytes): if len(code) &amp;gt; 0x2000: return False md = Cs(CS_ARCH_X86, CS_MODE_64) md.detail = True for insn in md.disasm(code, 0): name = insn.insn_name() if name!=&amp;#34;pop&amp;#34; and name!=&amp;#34;push&amp;#34; : if name==&amp;#34;int3&amp;#34; : continue return False if insn.operands[0].type!=CS_OP_REG: return False return True def run(code: bytes): # Runs the code .</description></item><item><title>SunshineCTF 2025 - Access Code</title><link>https://vmpr0be.com/post/sunshinectf_pegasus_2/</link><pubDate>Mon, 29 Sep 2025 00:00:00 +0000</pubDate><guid>https://vmpr0be.com/post/sunshinectf_pegasus_2/</guid><description>Overview We are given 6 files:
runpeg: an interpreter and debugger for the Pegasus bytecode. libear.so/libeardbg.so: libraries used by runpeg. AccessCode.peg: the executable to be interpreted in Pegasus format. EAR_EAR_v3.md/PEGASUS.md: documentation for the bytecode and the Pegasus format. To start interpreting the AccessCode.peg executable, run:
runpeg &amp;lt;file.peg&amp;gt; [--debug] [--verbose] [--trace] Reversing We&amp;rsquo;ll run the executable to gather information about its behavior.
./runpeg AccessCode.peg Input security access code: &amp;gt; supersecret Invalid access code, please try again.</description></item><item><title>CrewCTF 2025 - SMM &amp; IPI 1</title><link>https://vmpr0be.com/post/crewctf_smm1/</link><pubDate>Sun, 21 Sep 2025 00:00:00 +0000</pubDate><guid>https://vmpr0be.com/post/crewctf_smm1/</guid><description>Vocabulary SMM: System Management Mode, a highly privileged CPU mode. SMRAM: A special region of memory that is only accessible from SMM. SMI: An interrupt that halts current execution and switches the CPU to SMM. SMBASE: The base of the memory region used for SMM components (e.g., the SMI handler and saved execution state). The default SMBASE is 0x30000. Overview &amp;quot; You know what else OVMF does with SMM? CPU hotplugging.</description></item></channel></rss>