Binary exploitation and reverse engineering challenges from the COlicyber practice track.
ASMR — Static XOR Reverse Engineering
Reverse a static XOR encryption: subtract flag bytes from key bytes position-by-position to recover the plaintext.
Model a cyclic windowed hash as a system of linear equations over integer variables and solve it with Z3 to recover the flag.
Each flag character satisfies an independent quadratic equation in integer form; Z3 solves all 20 simultaneously to recover the flag.
The IBAN input field copies 28 bytes into a buffer with room for 49. Appending the control byte 0x03 after the valid IBAN data overflows into an adjacent flag variable and unlocks the ransomware payment path.
Overflow the IBAN field to leak the binary’s own password via puts, then re-login as ADMIN using the leaked credential and repeat the overflow to reach the flag path.
Write /bin/sh into a known writable address, then build a ROP chain that sets rax=59, rdi=/bin/sh, rsi=0, rdx=0 using dedicated pop gadgets and a syscall instruction to get a shell.
Use a format string %n write to overwrite a target variable at a known address and unlock the flag path.
The binary leaks a runtime stack address disguised as a ‘random number’. Add 6 to land inside the shellcode region, then spray that address 800 times to cover the return target and get a shell.
Overflow the name buffer to corrupt the internal number variable, then feed back the overflowed value as a decimal integer to satisfy the equality check.
Build a ROP chain that calls gets twice to plant arbitrary data in the GOT, redirect strcspn to a shellcode stub, then trigger the win print path.