MicroCorruption/14-Algiers/notes.md

`Taken verbatim from my notebook`
# Page 1
```
Algiers     d.01
    "LockIT Pro Account Manager"
    Tentative TODO:
        Authorizer? How to auth user
    Interfaces with HSM1

    I can overflow heap objects
    uname&pass 0x30 long
              >0x10 overflows
    Can I craft a fake heap object?
        username -> overwrite pass blk header?
        password -> ???

    Hypothesis: arb write in free()
    Username
        passwordpassword[addr]
                        "d E "?
    4398:
      0000 4044 0000 ....   Unguarded
    in free:                free() is arb
      r15 = &this_block     write~!
      r14 = &prev_block
      r13 = {size:15,final:1}
      r12 = {prev_size:5,final:1}
      if prev is final:
        skip last-block steps
      else last-block steps
```
notes.md: Add book notes for Montevideo through Lagos 2023-03-16 01:13:34 +00:00			`Taken verbatim from my notebook`
			`# Page 1`
			```
			`Algiers d.01`
			`"LockIT Pro Account Manager"`
			`Tentative TODO:`
			`Authorizer? How to auth user`
			`Interfaces with HSM1`

			`I can overflow heap objects`
			`uname&pass 0x30 long`
			`>0x10 overflows`
			`Can I craft a fake heap object?`
			`username -> overwrite pass blk header?`
			`password -> ???`

			`Hypothesis: arb write in free()`
			`Username`
			`passwordpassword[addr]`
			`"d E "?`
			`4398:`
			`0000 4044 0000 .... Unguarded`
			`in free: free() is arb`
			`r15 = &this_block write~!`
			`r14 = &prev_block`
			`r13 = {size:15,final:1}`
			`r12 = {prev_size:5,final:1}`
			`if prev is final:`
			`skip last-block steps`
			`else last-block steps`
			```