notes.md: Add book notes for Tutorial through Whitehorse

2024-11-23 14:25:58 +00:00 · 2023-03-15 20:44:18 -05:00 · 2023-03-15 20:44:18 -05:00 · a0d9829a4c
commit a0d9829a4c
parent 95e7776c8a
7 changed files with 109 additions and 0 deletions
--- a/1-Tutorial/notes.md
+++ b/1-Tutorial/notes.md
@ -0,0 +1,6 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 ```
 Editor's note: no notes today
--- a/2-Norleans/notes.md
+++ b/2-Norleans/notes.md
@ -0,0 +1,6 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 Norleans
    7d 2b 68 74 65 68 47 10
 ```
--- a/3-Sydney/notes.md
+++ b/3-Sydney/notes.md
@ -0,0 +1,12 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 Sydney  ✓
    get_password: 0x64 ->
    6e504a742a5c2222  22222a5c4a746e50?
    n P J t * \ " "
    ENDIANNESS!
    506e744a5c2a2222
    P n t J * \ " "
 ```
--- a/4-Hanoi/notes.md
+++ b/4-Hanoi/notes.md
@ -0,0 +1,10 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 Hanoi   ✓
    Passwords 8-16 char
     -> 2400(r15)
    A5 compared to 2410
    Buffer overrun
 ```
--- a/5-Cusco/notes.md
+++ b/5-Cusco/notes.md
@ -0,0 +1,12 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 Cusco   ✓
    Gets 0x30 chars?
        Buffer on stack
        Return addr on stack
    "FD": unlock_door
    "Hello world!HARFD"
                    ^^
    Fun with return address on stack
 ```
--- a/6-Reykjafik/notes.md
+++ b/6-Reykjafik/notes.md
@ -0,0 +1,34 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 Reykjavik   ✓
    4520(" E") looks interesting
        + int @ main
        => "What's the password?"
    Creates XOR keystream
    Decrypts block at
    decrypted function:
        Sets up new stack at 43da
          Note: 4482: jmp #436c
                110 away (ouch)
                4536: jmp #43fc
                -34 away (ouch)
        2420: ~~puts(char*)~~?
                function that takes input
            password[24] -> 466d
            36 char password?
            466d
            F m
        call 2464
        The password is Fm
                lol
    A program which might seem intimidating
    may become easier if you rake it
    one step at a time
    Security by obscurity is dogshit
    "Military grade" doesn't mean _shit_
 ```
--- a/7-Whitehorse/notes.md
+++ b/7-Whitehorse/notes.md
@ -0,0 +1,29 @@
 `Taken verbatim from my notebook`
 # Page 1
 ```
 Whitehorse
    Password 8-16 chars
        it takes 0x30 chars
    Jumps to chars 18..20 as addr
        ROP chains?
    Goal: Set sp to 7f
          Call INT
    ['A';16]32457f
        push    r14
        push    r15
        push    #7f
        call    INT
            mov sp+2, r14 <- prep for call
    [INT]00007f
    sp   sp
    Lesson:
    Control of the stack means
    control of params passed on
    the stack
 ```