@pzread
pzread / package.md
Last active August 29, 2015 14:05
Judge Sketch

Compress

The package is compressed in tar.xz format without top directory.

meta.json

{
  pkgid string      //Add by add_pkg API
  apiid string      //Add by add_pkg API, owner id

when int64 //Add by add_pkg API

$.ajax({
'url':'/judge/api/' + api_key + '/add_pkg',
'type':'POST',
'data':pkg,
'cache':false,
'processData':false,
'contentType':false,
'xhr':function(){
var xhr = new XMLHttpRequest();
xhr.upload.addEventListener('progress',function(e){

#include<stdio.h>
#include<stdlib.h>
int loop(int x){
unsigned long a;
unsigned long *ptr;
ptr = &a;
if(x == 0){
return 0;

import re
import requests
from bs4 import BeautifulSoup
def to_bom_utf8(name):
data = open(name, 'rb').read().decode('utf-8')
open(name, 'wb').write(data.encode('utf-8-sig'))

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
int main() {
char str[100];
char ans[100];
FILE *ansf = fdopen(2, "r");
while(fgets(str, sizeof(str), stdin) != NULL) {
if(fgets(ans, sizeof(ans), ansf) == NULL) {

@pzread
pzread / userscript.js
Last active April 21, 2017 17:39
Mastodon Blocked Contents Loader
// ==UserScript==
// @name Mastodon Blocked Contents Loader
// @namespace http://tampermonkey.net/
// @version 0.1
// @description shows how to use babel compiler
// @author PZ Read
// @require https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/6.18.2/babel.js
// @require https://cdnjs.cloudflare.com/ajax/libs/babel-polyfill/6.16.0/polyfill.js
// @match https://*/*
// ==/UserScript==

var objs = [];
var bases = [];
let oris = [];
let payloads = [];
for (let i = 0; i < 2; i++) {
objs.push([0x00010000]);
bases.push([0, 1]);
oris.push([100, 100, 100]);
payloads.push([0]);

use std::collections::HashMap;
use std::mem;
struct Link {
pub value: String,
next: *const Link,
}
impl Link {
fn new(value: String, next: *const Self) -> Self {

set ai
set backspace=2
set cin
set et
set hidden
set mouse=
set nocompatible
set nu
set shiftwidth=2
set softtabstop=2

Google CTF 2022 Pwn d8 Author's Write-up

This year I made the pwn challenge "d8" in Google CTF 2022. d8 allows you to upload and run a piece of v8 code cache. The goal is to craft the code cache to achieve arbitrary code execution.

The v8 code cache is a format for serializing the v8 heap, and it can be deserialized back into the v8 heap. This improves the JS loading time when the same piece of code is reused.

The format of the v8 code cache is quite interesting. It doesn't directly serialize the v8 objects in the heap, but uses a bytecode to describe how to reconstruct those v8 objects. There is a series of blog posts by PT SWARM about how it works, and it's definitely worth reading.

When studying the v8 code cache, I realized there is neither a boundary check in the deserializer nor a validator to verify that the constructed v8 objects are legal, which