# Thread Handoff

- Thread: hidden-orbit-5892
- UUID: 83fe4c5b-cce2-4f5b-8d54-34d05968ceb0
- CTF: midnight-sun-ctf-2026-quals
- Challenge: cmachine
- Runtime: codex
- Model: gpt-5.5
- Status: completed

## Transcript

- **Assistant:** I’ll inspect the local challenge files first, then interact with the remote service once I know what kind of protocol or binary we’re dealing with. I’ll keep notes concise and avoid making assumptions until the challenge shape is clear.
- **User:** do not scan. network unstable.
- **Assistant:** Understood. I won’t scan the host or ports; I’ll only make targeted connections to the provided `nc` endpoint when needed. Local files are minimal, so the remote behavior will likely be the main signal.
- **Assistant:** The local challenge is just a placeholder (``), so there’s no bundled binary to reverse. I’m going to do a single targeted connection to the supplied service and capture the initial prompt/output.
- **User:** CTF progress: found that the REPL stores Latin-1 character codepoints directly into VM memory, so valid UTF-8 input can write bytes above 0x7f. Codepoints above 0xff close the session. No flag yet; investigating whether the 512-byte login terminator or binary memory control can be turned into an auth bypass.
- **Assistant:** DNS resolution failed in the sandbox, which looks like the restricted network path rather than a challenge result. I’ll retry the same targeted connection outside the sandbox; no scanning.
- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  ```

- **Assistant:** The service is a REPL named “Complex Machine” and waits at `#>`. I’m going to query its built-in help and then script interactions so we can test hypotheses without relying on a fragile manual session.
- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  Documented commands (type help ):
  ========================================
  EOF  and   functions  load   mem  or       regs   sub
  add  call  help       login  mul  readstr  store  xor
  #>
  ```

- **Assistant:** Help lists VM-like commands: arithmetic/logical ops, memory/register inspection, `readstr`, `store`, `load`, `call`, `functions`, and `login`. I’m going to pull command-specific help next; this should reveal the VM state model and any intended auth path.
- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> show registers.
  #> dump memory
  #> store immediate from register to memory, e.g store x0 0x10
  #> load immediate from memory to register, e.g load x0 0x10
  #> read a string to address
  #> login
  #> list the available functions
  #> perform a function call
  #> add value to register, e.g add x0 1 | add x0 x1.
  #> xor value to register, e.g xor x0 1 | xor x0 x1.
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> x0 = 0x0000 x1 = 0x0000 x2 = 0x0000 x3 = 0x0000 x4 = 0x0000 x5 = 0x0000 x6 = 0x0000 x7 = 0x0000 x8 = 0x0000 x9 = 0x0000
  #>
  00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000000A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000000C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000100: 65 63 68 6F 00 00 00 00 00 00 00 00 00 00 00 00 echo............
  00000110: 73 74 72 72 65 76 65 72 73 65 00 00 00 00 00 00 strreverse......
  00000120: 72 61 6E 64 73 74 72 69 6E 67 00 00 00 00 00 00 randstring......
  00000130: 73 74 72 74 6F 68 65 78 00 00 00 00 00 00 00 00 strtohex........
  00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000001A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000001B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000001C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000001D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000001E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000001F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  #> Available Functions: echo strreverse randstring strtohex
  #>
  ```

- **Assistant:** Memory is 512 bytes. The function table starts at `0x100` with 16-byte names: `echo`, `strreverse`, `randstring`, `strtohex`. That placement matters because a 512-byte string write from low memory can overwrite the function table.
- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> readstr: Invalid Syntax, readstr .
  #> *** Unknown syntax: ABCDEF
  #>
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> Invalid Syntax
  #>
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  #>
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  #> call: Invalid Syntax, call .
  #> call: Invalid Syntax, call .
  #> call: Invalid Syntax, call .
  #> call: Invalid Syntax, call .
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  #>
  #> hello
  #> olleh
  #> 68656c6c6f
  #> lehol
  #>
  #> x0 = 0x0000 x1 = 0x0000 x2 = 0x0000 x3 = 0x0000 x4 = 0x0000 x5 = 0x0000 x6 = 0x0000 x7 = 0x0000 x8 = 0x0000 x9 = 0x0000
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> login: Invalid Syntax, login
  #>
  #> login: Invalid Syntax, login
  #>
  #> login: Invalid Syntax, login
  #>
  ```

- **Assistant:** The REPL confirmed `login ` as syntax, but the last couple of short login probes returned no banner before timeout, which matches the unstable network note. I’ll shift to fewer, higher-value probes and make each one carry useful state checks.
- **Assistant:** Current working model: this is not about finding the password directly. The exposed memory includes the callable-function names, and `readstr` can write arbitrary-ish bytes into that memory using Latin-1/UTF-8 behavior, so the likely exploit surface is corrupting VM metadata or the `login` command’s internal state.
- **Assistant:**

  ```
  Traceback (most recent call last):
    File "", line 1, in
  TimeoutError: timed out
  ```

- **Assistant:** A likely high-value probe, once the endpoint responds again, is to write a fifth function-table entry at `0x140` and call it. If `call` dispatches by table index without a separate bounds check, index 4 may hit a hidden native function or adjacent function pointer.
- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  Documented commands (type help ):
  ========================================
  EOF  and   functions  load   mem  or       regs   sub
  add  call  help       login  mul  readstr  store  xor
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> Out of Bounds Access !
  #> Available Functions: echo strreverse randstring strtohex
  #>
  #>
  ```

- **User:** CTF progress: found that the REPL stores Latin-1 character codepoints directly into VM memory, so valid UTF-8 input can write bytes above 0x7f. Codepoints above 0xff close the session. No flag yet; investigating whether the 512-byte login terminator or binary memory control can be turned into an auth bypass.
- **Assistant:** Confirmed one important bound: `readstr` refuses addresses at and above `256`, so it cannot directly write the function table at `0x100`. Next I’m checking whether `store` has the same bound; if not, registers give two-byte writes into the metadata area.
- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #> Invalid Syntax
  #> Invalid Syntax
  #>
  #> Available Functions: echo strreverse randstring strtohex
  #>
  ```

- **Assistant:**

  ```
  Welcome to the Complex Machine. Type help or ? to list operations.
  #>
  #>
  #>
  #> x0 = 0x0041 x1 = 0x0000 x2 = 0x0000 x3 = 0x0000 x4 = 0x0000 x5 = 0x0000 x6 = 0x0000 x7 = 0x0000 x8 = 0x0000 x9 = 0x0000
  #>
  #> x0 = 0x0041 x1 = 0x0041 x2 = 0x0000 x3 = 0x0000 x4 = 0x0000 x5 = 0x0000 x6 = 0x0000 x7 = 0x0000 x8 = 0x0000 x9 = 0x0000
  #>
  ```

- **Assistant:** `store` works on ordinary memory and writes one byte from the low byte of the register; `load` reads one byte. The previous `store 256` probe didn’t get a usable response, so I’m treating that as network noise until it repeats.
- **Assistant:** #> #> Out of Bounds Access ! #> Available Functions: echo strreverse randstring strtohex #>
- **Assistant:** #> Invalid Address !
#> Available Functions: echo strreverse randstring strtohex #>
- **Assistant:** The `login` echo leaks a formatting quirk: odd-length passwords are printed with an embedded `NUL` before ` !`, even lengths are not. That suggests `login` is packing or terminating the supplied text in two-byte units, so the boundary case around the fixed buffer is worth testing carefully.
- **Assistant:** The writable VM data window is effectively `0x00..0xff`; `readstr` rejects writes that would place its terminator past `0xff`. I’m now checking signed-address behavior, because a missed lower-bound check would be a cleaner path to metadata corruption than the upper boundary.
- **Assistant:** The documented `0x...` examples don’t actually parse; addresses and immediates are decimal only. Since the direct memory operations are bounded, I’m checking the native functions next: they consume `x0` as a pointer, and they may not enforce the same `0..255` user-memory boundary.
- **Assistant:** Native `call` functions accept `x0` up to `0x1ff`, so they can read the metadata half of the 512-byte VM memory even though `readstr/store/load` can’t write it. They reject `x0 = 0x200`, so the leak is confined to the VM memory dump range we already see.
- **Assistant:** Key finding: `login <512 chars>` copies the attempted password into the entire 512-byte VM memory before rejecting it. That overwrites the function table too.
So the path is: use `login` as a 512-byte arbitrary memory write, then invoke VM functions through controlled function-table names.
- **Assistant:** The useful consequence of the 512-byte login write is that we can remove every `NUL` byte from the VM buffer. If a native string function scans for `NUL` without checking the `0x200` end, calling `strtohex` from a pointer after the function-name terminator should leak adjacent memory past the VM buffer.
- **Assistant:** The string functions stop at the `0x200` VM boundary, so the over-read idea is out. I’m testing whether the function table is only a name table for fixed indices, or whether `call` resolves the overwritten names dynamically; if it resolves dynamically, names like `system` or `printflag` become interesting.
- **Assistant:** #> Invalid password: HELLOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsystemprintflaggetflagwinAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ! #> Available Functions: system printflag getflag win #> Unknown Function: system #> Unknown Function: printflag #> Unknown Function: getflag #> FLAG: midnight{700_b1G_f0r_th3_m4ch1ne}
- **Assistant:** Solved. The function table is an allowlist, not just labels for fixed function indices: after `login` overwrites all 512 bytes, replacing the fourth allowed function name with `win` makes `call win` dispatch the hidden flag routine.
- **Assistant:** Solved. Flag:
  ```text
  midnight{700_b1G_f0r_th3_m4ch1ne}
  ```
  The bug is in `login`: a 512-byte password attempt is copied into the full VM memory before rejection. That includes the function allowlist at `0x100`.
  The service normally allows:
  ```text
  echo strreverse randstring strtohex
  ```
  After overwriting the table with a 512-byte `login` payload, I replaced the fourth function entry with:
  ```text
  win
  ```
  Then:
  ```text
  call win
  ```
  printed:
  ```text
  FLAG: midnight{700_b1G_f0r_th3_m4ch1ne}
  ```
- **System:** Thread completed