tl;dr

• Implemented two SEH and two VEH Exception Handlers
• Two stage malware challenge with process injection technique
• CPP binary where logic is wrapped in classes and their member functions

tl;dr

• Giving custom array size of NaN, passes checks while allowing OOB r/w
• Use OOB r/w to get libc, stack (environ) addresses
• Craft fake chunk on array and overwrite fastbin fd
• Reset machine to allocate register context on fake chunk
• Overwrite VM sp with real stack
• Push ropchain onto stack and halt VM to execute ropchain

tl;dr

• Giving size > 48 causes heap OOB r/w of 16 bytes
• Use OOB r/w get leaks and overwrite objects for rip control

tl;dr

• Simple typer bug, range of BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
• Use range assumptions to create unchecked integer underflow.
• Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
• Use double & object array overlap to create addrOf & fakeObj primitives.
• Create overlapping fake array using StructureID leak to obtain arbitrary R/W.