notes (1127B)
1attack load state file functionality (use invalid state for unintended behavior) 2 3see Gearboy/src/GearboyCore.cpp GearBoy::LoadState: 4- control memory, process, video, input, audio 5 6- OOP on Memory::GetWRAM1 using m_iCurrentWRAMBank 7 8- try negative offset binary search until it doesnt crash 9 => should give start of program code (test with docker upload & gui for testing) 10 11- overwrite pointer in got to free with one gadget for libc 12 13- can overwrite pointer in opcode CPG function table from Processor class 14 15... lots of time spent trying to find way of leaking both base and libc ... 16 17- we can try calling emu_save_ram on the wrapper python script location! 18 19... because of heavy optimization and headless patch those functions cant be called ... 20 21- if the arguments are still loaded in the right registers we could just jump 22there anyways! 23 24.. nope, only control rdi and we need the memory read from to still be correct ... 25 26.. first run in docker has same behavior, can abuse for heap offsets ! .. 27 28.. remember that tagged images dont refresh, so pull them to be up-to-date 29with remote or even better try to match tags ..