0x555555603260:0x00007ff7dc0a42 0x00007ff7ff7dcdca0 The above is the value confirmed by heap after entering data B in Chunk. Why is the fd value 0x00007ff7dc0a42 instead of 0x00007ff7dcdc42??

Since main_arena is in __malloc_hook +0x10, I found information that libc_base = main_arena + 88 - libc.symbols ['__malloc_hook'] - 0x10 can also be obtained, so wouldn't it be necessary to do a library rig first?

When solving the problem, I solved it by using the fact that unsorted bin is related to a specific address in libc. How can I find out the details? Is there a place where these concepts are detailed?

I made a mistake while doing an exchange and ended up writing the sendafter (b': ', data) part as sendlineafter (b':', data). However, in this case, it didn't work. The same was true even though I added 0a, which means LINE FEED, just in case. What's the difference between these two functions, so they only work with sendafter?

In the lecture on this question, the custom_func function allocates chunks with a size of 0x100 bytes or more, and since chunks with a size of 0x410 or less are inserted into the tcache first, a chunk larger than this is inserted into the tcache first, and when the value is read by releasing a chunk larger than this, and then reallocating it to read the value, libc can calculate the mapped address.

If you just change the process part to remote in the code in the previous lesson, the problem will be solved... When I used a binary file in the previous lesson, I had to put the one_gadget I got myself instead of 0x10a41c in the og = lb + 0x10a41c section. However, you can't put the one_gadget you got yourself here. If so, 0x10a

! [image.png] (https://dreamhack-media.s3.amazonaws.com/attachments/a815c873ae97a5f4379ae5b221b4133e9ad0bec57177120e3ea70beafac19331.png) If I hit a command in an infinite loop like this, it will play an infinite loop, but what should I do...

Below is the code I wrote myself. At first, I wrote the code to get the shell, but since I didn't think I was able to get the library address, I only wrote the code to get the library address. I'll explain the code as shown in the picture below, but I'd appreciate it if you could explain where it went wrong or why the strange value appears. from pwn import* #p = remote ('hos

If all of the corresponding libc gadgets don't work for this type of problem, how can it be exploited?

Below is the code from the lecture... how do you get an address when there is no place to get the data by entering free idx in front of the part that receives the address in FD or BK? Also, after entering data, I designed additional code to receive that data when the data comes out, but I think I get the wrong value.. Please help From pwn imp