opus stream decoding


Step 1: Install opus-tools.

Step 2: Extract the Opus file from the pcap file.

Step 3: Convert the Opus file to a .wav file. Now you can enjoy the reconstructed audio ^_^

Note: the opusrtp tool may need some modification to work normally.


[1] http://www.giacomovacca.com/2017/01/analysing-opus-media-from-network-traces.html


[0ctf 2017] uploadcenter knote pwnable write-up

Categories CTF

0ctf has been over for a week. We (NeSE) finished 6th out of 908. During the game, I looked at two pwnable challenges, knote and uploadcenter; I spent more than 16 hours on uploadcenter and 14 hours on knote. I found the info leak and race condition in knote, and the info leak and the mismatch in mmap/munmap size in uploadcenter, but I did not come up with the thread stack UAF exploit. So I wrote this article to write down what I thought were the most fun parts of these challenges.

[NJCTF 2017] syscallhelper(pwn 600) write-up


This is the most valuable challenge in NJCTF (worth 600 points). It is also good practice for writing shellcode; pwntools provides handy APIs for writing shellcode.

The child process is chroot-jailed. To get the flag outside of the jail, we have to use “ptrace” to attach to and modify the parent process to escape the jail.

There are many ways to exploit the vulnerability, and we chose the following one:


  1. Add a syscall with a negative number of registers and hijack the vtable to a stack position.
  2. Input shellcode using the leave notes function.
  3. Call the hijacked function pointer.

[UCSB iCTF 2017] pokemon(type: pwn) write-ups

Categories CTF

This is an interesting challenge from UCSB iCTF 2017, and we had a lot of fun. But when we finished the exploit, the game server, including the scoreboard, went down before the end.

This write-up contains only a local exploit. One of my teammates improved it to achieve arbitrary file read to get the flag. It’s a pity we could not actually get a real flag in the game.

ISCC 2016 mobile 500 GREEN

Categories CTF



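  1. Android .so debugging [reference]
  2. Android's broadcast mechanism
  3. Anti-emulator checks and how to bypass them
  4. Simple anti-debugging
  5. Identifying the LZO compression algorithm
  6. Identifying the CRC32 checksum algorithm
  7. Extracting the coefficients of a system of equations from code that has been turned into loops
  8. Solving a system of linear equations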