
Junior.Crypt 2026 Pwn + Reverse Writeup: 4 Challenges Solved (Cookie-Encoded Function Pointers, UAF Type Confusion, Heap Overflow with Reclassify, TCC-Injected VM)
Junior.Crypt 2026 (grodno flag prefix) shipped a pwn track with three challenges that each turn a small logic mistake into a controlled indirect call: Clockwork Vault gates its “hidden” slots behind a bounds check that forgets to reject negative indexes, and encodes function pointers with a per-process cookie that leaks through the same primitive; House of Mirage recycles expired session chunks into a sink freelist but leaves the session-table pointer dangling, creating a type-confusion window where a mirror import session profile write rebuilds a live sink’s vtable pointer against a fake vtable planted inside the object; Museum of Echoes reclassifies a small 0x50-byte “whisper” as a large 0xb0-byte “chorus” without reallocating, so the “chorus”-shaped rewrite handler writes 0x5f bytes past the end and stomps the next exhibit’s routine pointer. The reverse challenge, Write The “Кодэ”, ships a statically-linked modified TCC compiler that silently injects a hidden 5884-byte C source containing a 512-byte encrypted vm_blob and a relocation_key() function that derives its decryption key from the compiled binary’s ELF .rela.* entries; recovering the VM and inverting its per-byte state machine yields the flag. ...