MicroCorruption/14-Algiers/Algiers notes


//[*prev][*next][size:15][final:1]  -- 6-byte header, data follows at +6
struct block {
    struct block *prev;       // 16-bit pointer on MSP430
    struct block *next;       // 16-bit pointer on MSP430
    unsigned short len : 15;  // data size in bytes; the word is stored as (size << 1) | end
    unsigned short end : 1;   // low bit of that word: 1 = in use, 0 = free
};
If the username is "usernameusername" + prev + &password + '0001'
then the password can be a fake block w/ a next pointer to an
2408: 0824 1e24 2100 # Block
2408[0] 0824: 2408 == (prev pointer?)
2408[2] 1e24: 241e == next pointer
2408[4] 2100: 0021 == 2 * block_size + 1 == (16 << 1) | 1, i.e. size 16, in use
2408[6] data[0..bs]
Heap (0 malloc)
2400: 0824 0010 0100 0000 0000 0000 0000 0000 .$..............
Word 1: 2408 == &(heap_start)
Word 2: 1000 == total heap BYTES
Word 3: 0001 == needs_initialize
Word 4: 0000 == ???
Heap (1 malloc)
2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
2420: 0824 c81f 0000 0000 0000 0000 0000 0000 .$..............
2408: 0824 1e24 2100 # Block
2408[0] 0824: 2408 == (prev pointer?)
2408[2] 1e24: 241e == next pointer
2408[4] 2100: 0021 == 2 * block_size + 1 == (16 << 1) | 1 (AKA {size:15 = 16, status:1 = in use})
2408[6] data[0..bs]
241e: 0824 0824 c81f # End block
241e[0] 0824: prev pointer
241e[2] 0824: next pointer
241e[4] c81f: 1fc8 == 2*(size of free space) == 0xfe4 << 1, low bit 0 == free (0x2424 + 0xfe4 == 0x3408 == heap end)
241e[6] free space
Heap (2 malloc)
2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
2420: 3424 2100 0000 0000 0000 0000 0000 0000 4$!.............
2430: 0000 0000 1e24 0824 9c1f 0000 0000 0000 .....$.$........
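Added example, not code from the level or from these notes: a small Python parser that reads hex dumps in the format above, decodes each block header as prev / next / (size << 1 | in_use), walks the chain from the first block, and checks the invariants the dumps above obey (next block == addr + 6 + size, the next block's prev points back, and the last block ends exactly at first_block + total_bytes). The meaning of the heap header words (word 0 = first block, word 1 = total bytes counted from the first block) and the constructed corrupted dump are assumptions of the example; the two good dumps are copied from the notes.

```python
"""Parse MicroCorruption-style hex dumps of the Algiers heap and check the
block chain for consistency.  Added example, not the level's own code."""

HEAP_HDR = 0x2400   # heap header location from the notes
HDR_SIZE = 6        # prev, next, {size:15, in_use:1}: three 16-bit words

# Copied from the "Heap (1 malloc)" dump in the notes.
DUMP_1_MALLOC = """
2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
2420: 0824 c81f 0000 0000 0000 0000 0000 0000 .$..............
"""

# Copied from the "Heap (2 malloc)" dump in the notes.
DUMP_2_MALLOC = """
2400: 0824 0010 0000 0000 0824 1e24 2100 0000 .$.......$.$!...
2410: 0000 0000 0000 0000 0000 0000 0000 0824 ...............$
2420: 3424 2100 0000 0000 0000 0000 0000 0000 4$!.............
2430: 0000 0000 1e24 0824 9c1f 0000 0000 0000 .....$.$........
"""

# Constructed (assumption): the 1-malloc heap with the first block's length
# word changed from 0x0021 to 0x0041, so its size no longer matches the chain.
DUMP_CORRUPT = DUMP_1_MALLOC.replace("0824 1e24 2100", "0824 1e24 4100")


def parse_dump(text):
    """'addr: w0 .. w7 <ascii>' lines -> {address: byte}.  Each 4-hex-digit
    word is shown in memory order, so '0824' is bytes 0x08, 0x24 (LE 0x2408)."""
    mem = {}
    for line in text.strip().splitlines():
        addr_s, rest = line.split(":", 1)
        base = int(addr_s, 16)
        for i, w in enumerate(rest.split()[:8]):   # drop the ASCII column
            mem[base + 2 * i] = int(w[0:2], 16)
            mem[base + 2 * i + 1] = int(w[2:4], 16)
    return mem


def word(mem, addr):
    """Little-endian 16-bit read."""
    return mem[addr] | (mem[addr + 1] << 8)


def walk_blocks(mem):
    """Follow next pointers from the first block until the chain wraps or
    leaves the dumped memory."""
    first = word(mem, HEAP_HDR)
    blocks, addr, seen = [], first, set()
    while addr not in seen and all(a in mem for a in range(addr, addr + HDR_SIZE)):
        seen.add(addr)
        lenw = word(mem, addr + 4)
        blocks.append({
            "addr": addr,
            "prev": word(mem, addr),
            "next": word(mem, addr + 2),
            "size": lenw >> 1,          # upper 15 bits: data size in bytes
            "in_use": bool(lenw & 1),   # low bit: 1 = allocated, 0 = free
        })
        addr = blocks[-1]["next"]
    return blocks


def check_heap(mem):
    """Return a list of invariant violations; empty means the chain is consistent.
    Assumption: the total-bytes header word counts from the first block address."""
    first = word(mem, HEAP_HDR)
    heap_end = first + word(mem, HEAP_HDR + 2)
    blocks = walk_blocks(mem)
    problems = []
    for i, b in enumerate(blocks):
        expected_next = b["addr"] + HDR_SIZE + b["size"]
        if not (first <= b["addr"] < heap_end):
            problems.append(f"block {b['addr']:#06x}: outside heap")
        if i == len(blocks) - 1:
            if expected_next != heap_end:
                problems.append(f"block {b['addr']:#06x}: chain ends at "
                                f"{expected_next:#06x}, heap ends at {heap_end:#06x}")
            if b["next"] != first:
                problems.append(f"block {b['addr']:#06x}: last block does not "
                                f"link back to {first:#06x}")
        else:
            nb = blocks[i + 1]
            if nb["addr"] != expected_next:
                problems.append(f"block {b['addr']:#06x}: next {nb['addr']:#06x} "
                                f"!= addr+6+size {expected_next:#06x}")
            if nb["prev"] != b["addr"]:
                problems.append(f"block {nb['addr']:#06x}: prev {nb['prev']:#06x} "
                                f"does not point back to {b['addr']:#06x}")
    return problems


if __name__ == "__main__":
    for name, dump in [("1 malloc", DUMP_1_MALLOC), ("2 malloc", DUMP_2_MALLOC),
                       ("corrupt", DUMP_CORRUPT)]:
        mem = parse_dump(dump)
        for b in walk_blocks(mem):
            print(f"{name}: {b['addr']:#06x} size={b['size']:#x} "
                  f"{'used' if b['in_use'] else 'free'}")
        print(f"{name}: problems = {check_heap(mem)}")
```

On the two dumps from the notes the walk yields 0x2408 (16 bytes, in use) then the free end block, and the chain closes exactly at 0x3408; only the constructed dump, whose length word no longer agrees with where the next block actually sits, produces a finding. The same check is what a heap implementation could run on free() to refuse a header that does not fit the chain.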