Cody Richard · @ssstrickys

write-ups — memory regions // 0x00003000 permissions read execute

Mapped regions

0x1000–0x1fff r-x reversing · hard

rev_sysprobe — Five-Layer Packer to a Bit-Encoded Flag (HTB Operation Nightfall)

A 33 KB x86-64 ELF posing as a benign diagnostics tool, hiding its flag behind five sequenced layers: a hidden RWX PT_LOAD, a self-decompressing loader, a section-stripped inner ELF, an index-keyed-XOR bytecode interpreter, and a 2-bits-per-slot .rodata table — reduced to an end-to-end recovery in two commands.

reversing · packer · elf · htb

0x2000–0x2fff r-x reversing · very easy

rev_shadow_ledger — Flag-in-Plaintext, with Theatre (HTB Operation Nightfall)

A 26 KB stripped ELF posing as a “verification node” that demands an 8-digit hex auth key. The 32-bit key check is genuine — but solving it buys nothing: the flag lives in plaintext in .rodata and prints on every path, including the failure path. The test is psychological, not technical.

reversing · elf · rodata · htb

0x3000–0x3fff r-x reversing · insane

Enthiran — Neural-Network-Backed Binary (HTB Operation Nightfall)

A stripped ELF64 hiding a 16-32-8-1 MLP whose dead-code path emits the flag. Conventional reversing finds nothing — solved by reasoning about L2 activations quantized to exact n/256 values and snapping FP rounding back to the build-time input.

reversing · neural-net · elf64 · htb

0x4000–0x4fff r-x reversing · medium

rev_dudsat — Doppler-Indexed Permutation Leak (HTB Operation Nightfall)

A satellite Link Budget Processor ELF hiding its flag in a dead store. Three layers: an .init_array LCG Fisher-Yates shuffle, Doppler-themed FP arithmetic as a table index, and a stack value the printed output never reads.

reversing · lcg · dead-store · htb

0x5000–0x5fff r-x reversing · vm

Ghost — Custom VM Bytecode Interpreter (SDG)

A stripped ELF64 running a 99-opcode custom virtual machine against a 666-byte bytecode. Recovered the full ISA, disassembled the flag-check routine, and extracted the passphrase via symbolic execution of the KV-store logic.

reversing · vm · isa-recovery · sdg

0x6000–0x6fff r-- crypto · coppersmith

Patient Zero 2 — RSA e=3 Coppersmith / LLL Attack (SDG)

RSA with e=3 and a predictably structured plaintext. Expressed the message as a linear polynomial in the unknown flag, made it monic via substitution, exploited the SDG{} format to shrink the unknown to 256 bits, and recovered the flag with SageMath small_roots() in ~10 seconds.

crypto · rsa · coppersmith · lll · sdg