notes.md: Add book notes for Montevideo through Lagos

2025-10-29 10:39:14 +00:00 · 2023-03-15 20:13:34 -05:00
parent 5e23a963ec
commit 95e7776c8a
10 changed files with 368 additions and 0 deletions
--- a/14-Algiers/notes.md
+++ b/14-Algiers/notes.md
@@ -0,0 +1,31 @@
+`Taken verbatim from my notebook`
+# Page 1
+```
+Algiers     d.01
+    "LockIT Pro Account Manager"
+    Tentative TODO:
+        Authorizer? How to auth user
+    Interfaces with HSM1
+
+    I can overflow heap objects
+    uname&pass 0x30 long
+              >0x10 overflows
+    Can I craft a fake heap object?
+        username -> overwrite pass blk header?
+        password -> ???
+
+    Hypothesis: arb write in free()
+    Username
+        passwordpassword[addr]
+                        "d E "?
+    4398:
+      0000 4044 0000 ....   Unguarded
+    in free:                free() is arb
+      r15 = &this_block     write~!
+      r14 = &prev_block
+      r13 = {size:15,final:1}
+      r12 = {prev_size:5,final:1}
+      if prev is final:
+        skip last-block steps
+      else last-block steps
+```