id
type
5 (blog/news article)
status
21 (imported old-v2, waiting for another import)
review version
0
cleanup version
0
pending deletion
0 (-)
created at
2025-12-29 02:48:47
updated at
2025-12-29 02:48:47
pol page id
pol status
0
pol hosts ticketing
pol hosts ecommerce
pol hosts finance
pol hosts crypto
pol hosts leak
pol hosts devel
github.com
pol hosts ugc
pol hosts klim
pol hosts builders
pol hosts self subdomains
pol hosts other subdomains
pol hosts other domains
md5hashing.net
pol updated
1768056660
url
https://sec.vnpt.vn/2024/11/flareon-11-writeup-part-3/
url length
54
url crc
2100
url crc32
3386968116
location type
1 (url matches target location, page_location is empty)
canonical status
30 (canonical url is different, page_canonical_page_id points to it)
canonical page id
domain id
domain tld
704
domain parts
3
originating warc id
-
originating url
https://data.commoncrawl.org/crawl-data/CC-MAIN-2025-33/segments/1754151279656.25/warc/CC-MAIN-20250803103346-20250803133346-00184.warc.gz
source type
11 (CommonCrawl)
server ip
Publication date
2025-08-03 10:44:12
Fetch attempts
0
Original html size
591908
Normalized and saved size
45219
title
Flareon 11 Writeup Part 3
excerpt
content
Challenge 9 - serpentine. We are given an x64 executable. Running it shows that it is absolutely a flag checker. In the main function, it first registers an ExceptionFilter, but the handler does nothing except print a simple error message and exit. The key is copied to a hardcoded address and then passed to the shellcode at lpAddress, which is called. Looking for references to lpAddress shows that it is used in a TLS_Callback, which uses VirtualAlloc to allocate a memory range of 0x800000 bytes with RXW permission, then copies the same number of bytes from 0x140097AF0 to that address. Jumping to where the shellcode is located, it looks kind of weird. The first instruction is "hlt", which is a privileged instruction that can only run in kernel mode. If run in user space, it generates an EXCEPTION_PRIV_INSTRUCTION. As analyzed before, the handler in the main function just prints an error message and exits, so there has to be another mechanism to handle the exception, and it may be enabled even before the main function is called. IDA supports finding the EntryPoint; after the TLS_Callback, the main entry point will be called. At s...
author
VNPT Cyber Immunity
updated
1768056660
block type
0
extracted fields
109
extracted bits
featured image
article author
title
full content
content was extracted heuristically
detected location
0
detected language
1 (English)
category id
-
index version
1
paywall score
0
spam phrases
0
text nonlatin
2
text cyrillic
0
text characters
14200
text words
3038
text unique words
840
text lines
1
text sentences
59
text paragraphs
1
text words per sentence
51
text matched phrases
0
text matched dictionaries
0
links self subdomains
0
links other subdomains
0
links other domains
1
links spam adult
0
links spam random
0
links spam expired
0
links ext activities
0
links ext ecommerce
0
links ext finance
0
links ext crypto
0
links ext booking
0
links ext news
0
links ext leaks
0
links ext ugc
2
links ext klim
0
links ext generic
0
image author
featured image