Merge pull request #131 from dothidden/114-fix-typos-again-in-unr24
refactor: fix typos in UBR24 writeups
Costinteo authored May 11, 2024
2 parents cee54ac + 45b8921 commit 91bde28
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion content/unbreakable_2024/harder-assembly.md
@@ -83,7 +83,7 @@ Usually, when you're limited in your "moves" in pwn challenges, the first step y
004012b2 0f 05 SYSCALL
```
We can see that the only functions called after our shellcode are *munmap* and *__stack_chk_fail*. We can't trigger the stack fail, as there is not buffer overflow, so we choose to overwrite *munmap* with the address for *main*. And ta-da, we have infinite[^inf] 15 bytes shellcodes to run by returning to main in a closed loop. We overwrite munmap like so:
We can see that the only functions called after our shellcode are *munmap* and *__stack_chk_fail*. We can't trigger the stack fail, as there is no buffer overflow, so we choose to overwrite *munmap* with the address for *main*. And ta-da, we have infinite[^inf] 15 bytes shellcodes to run by returning to main in a closed loop. We overwrite munmap like so:
```asm
mov edi, 0x00404038 ; move the GOT location for munmap in rdi
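Review bot: the fixed line still carries one grammatical slip, "infinite 15 bytes shellcodes"; while this sentence is being touched it would read better as "infinitely many 15-byte shellcodes", and "trigger the stack fail" would be clearer as "trigger __stack_chk_fail", since that is the function named just before. Separately, the comment on `mov edi, 0x00404038` says the address is moved "in rdi", but the operand is edi; "move the GOT address of munmap into edi (zero-extended into rdi)" would match the instruction as written.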
2 changes: 1 addition & 1 deletion content/unbreakable_2024/not-allowed.md
@@ -40,7 +40,7 @@ Since the stack is NX, our remaining option is to ROP. Sadly we don't have a lot
0x00000000004011cc : syscall
```
We have control over RAX, RDI and we also have a syscall gadget. Sadly however, the imported libc functions do not let us print anythign! So we cannot leak libc and jump to *system* or *execve*. We can, however, do SROP! We can craft a signal return frame on the stack and then trigger it using a sigreturn syscall. But how do we get an address for ``/bin/sh``? The *wish* function has everything prepared for us:
We have control over RAX, RDI and we also have a syscall gadget. Sadly however, the imported libc functions do not let us print anything! So we cannot leak libc and jump to *system* or *execve*. We can, however, do SROP! We can craft a signal return frame on the stack and then trigger it using a sigreturn syscall. But how do we get an address for ``/bin/sh``? The *wish* function has everything prepared for us:
```c
void wish(void)
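Review bot: with "anythign" corrected, the opening of the fixed line is still a run-on: "We have control over RAX, RDI and we also have a syscall gadget" reads better as "We control RAX and RDI, and we also have a syscall gadget". The rest of the change is fine; "do SROP!" could be spelled out once on first use, "do SROP (sigreturn-oriented programming)", since the sentence that follows relies on the reader knowing what a signal return frame is.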
2 changes: 1 addition & 1 deletion content/unbreakable_2024/sat1sf1.md
@@ -49,7 +49,7 @@ brute-forcing the crib's position enables us to recover the flag.
On a closer inspection, we notice that we're dealing with a logical formula
where the unknown terms are the characters of the flag. If it's satisfiable,
the model for this formula should be unique, and should correspond to our flag.
After an upsolvig session and some discord hints, we came up with a simpler
After an upsolving session and some discord hints, we came up with a simpler
solution based on the Z3 SMT solver [^z3]. We build the formula in the z3
format and then find a model for it. A partial solution can be checked out
below.
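Review bot: "discord" on the fixed line is the platform's name and should be capitalised, "some Discord hints"; the same paragraph also alternates between "Z3 SMT solver" and "the z3 format", so one spelling should be used throughout (the solver is Z3). Since this commit is specifically a typo pass, both are worth folding into this hunk.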