Thanks for the video. Can't believe I didn't even think about abusing the name! Instead I found a pointer to a writable area at 0x3fe410 and played with negative message numbers etc... overthought this again :-D Really enjoyed this box btw
Bro (In your writeup for Overgraph), How did you perform the csrf attack with XMLHttpRequest as it is cross-domain and there is no CORS misconfiguration present