mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-22 18:25:58 +00:00
51 lines
1.4 KiB
Plaintext
51 lines
1.4 KiB
Plaintext
|
|
||
|
//[*prev][*next][size:15][final:1]
|
||
|
|
||
|
struct block {
|
||
|
block * prev:16;
|
||
|
block * next:16;
|
||
|
short len :15;
|
||
|
bool end :01;
|
||
|
};
|
||
|
|
||
|
If the username is "usernameusername" + prev + &password + '0001'
|
||
|
then the password can be a fake block w/ a next pointer to an
|
||
|
|
||
|
2408: 0824 1e24 2100 # Block
|
||
|
2408[0] 0824: 2408 == (prev pointer?)
|
||
|
2408[2] 1e24: 241e == next pointer
|
||
|
2408[4] 2100: 0021 == 2 * block_size + 1
|
||
|
2408[6] data[0..bs]
|
||
|
|
||
|
Heap (0 malloc)
|
||
|
2400: 0824 0010 0100 0000 0000 0000 0000 0000 .$..............
|
||
|
Word 1: 2408 == &(heap_start)
|
||
|
Word 2: 1000 == total heap BYTES
|
||
|
Word 3: 0001 == needs_initialize
|
||
|
Word 4: 0000 == ???
|
||
|
|
||
|
|
||
|
Heap (1 malloc)
|
||
|
2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
|
||
|
2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
|
||
|
2420: 0824 c81f 0000 0000 0000 0000 0000 0000 .$..............
|
||
|
|
||
|
2408: 0824 1e24 2100 # Block
|
||
|
2408[0] 0824: 2408 == (prev pointer?)
|
||
|
2408[2] 1e24: 241e == next pointer
|
||
|
2408[4] 2100: 0021 == 2 * block_size + 1
|
||
|
2408[6] data[0..bs]
|
||
|
|
||
|
241e: 0824 0824 c81f # End block
|
||
|
241e[0] 0824: prev pointer
|
||
|
241e[2] 0824: next pointer
|
||
|
241e[4] c81f: 1fc8 == 2*(size of free space)
|
||
|
241e[6] free space
|
||
|
|
||
|
Heap (2 malloc)
|
||
|
2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
|
||
|
2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
|
||
|
2420: 3424 2100 0000 0000 0000 0000 0000 0000 4$!.............
|
||
|
2430: 0000 0000 1e24 0824 9c1f 0000 0000 0000 .....$.$........
|
||
|
|