# Cache Me Outside

### Part 1 - The intials

We start by looking at the things we can see easily. 

![image.png](attachment:8f3e1d5b-969c-4804-9dc4-b19fa2018ac0.png)

Alright so allegedly we are allowed to edit one byte in the program, and we can pass it an address and value. So this is where we are at

> #### What we know
> * can provide at least 2 inputs to the program
    * one is allegedly an address
    * one is allegedly a value that gets placed at that address?
>
> #### What we mostly dont know
> * what is being done with the 2 inputs
    * assuming the inputs correspond to an address and value, how are they being translated/used 
    

Lets also look at the Makefile
```markdown
all:
	gcc -Xlinker -rpath=./ -Wall -m64 -pedantic -no-pie --std=gnu99 -o heapedit heapedit.c

clean:
	rm heapedit
```
soo not a lot going on here, but lets break down some of the flags that are used here

* -Xlinker -rpath=./ -- from reading https://flameeyes.blog/2010/06/20/the-why-and-how-of-rpath/ quickly and knowing the files that were provided for this challenge, it looks like this flag was introduced to allow symbols to be resolved to `libc.so.6`. 
* [-m64][1] -- 64 bit environment
* [-no-pie][2] -- Don't produce a dynamically linked position independent executable
    
[1]: https://linux.die.net/man/1/gcc
[2]: https://man7.org/linux/man-pages/man1/gcc.1.html


So update our list
> #### What we know
> * can provide at least 2 inputs to the program
>    * one is allegedly an address
>    * one is allegedly a value that gets placed at that address?
> * running on 64 bit system (probably)
> * because PIE is a precondition for ASLR, we know that the addresses should stay the same throughout executions of the program. this also makes sense within what is reasonable for this challenge 
> 
> #### What we mostly dont know
> * what is being done with the 2 inputs
>    * assuming the inputs correspond to an address and value, how are they being translated/used 


At this point, we have a few options that we can go with
1) try and throw random junk at the program. we know that we may be able to edit a byte, so eventually we might get back something
2) start looking into the `heapedit` or `libc.so.6` binaries that we were given

We are going to start off by looking at `heapedit` because it is the program that is running, and presumably `libc.so.6` contains the implementation for some function that `heapedit` is using. So we are going to look first at the main function in ghidra 

![image.png](attachment:316c0d23-4985-4976-91fd-65c99d8bedb2.png)![image.png](attachment:2083f6a8-560e-4215-abc1-a82716c9488d.png)![image.png](attachment:64ca77bb-7717-4129-a39e-887ddeec9597.png)

So of this code, my eye first looks to our input opportunites, which include `__isoc99_scanf(&DAT_00400b48,&local_a8);` and `__isoc99_scanf(&DAT_00400b53,&local_a9);`, which represent the inputs to the "Address" and "Value" arguments that the program asks us for. 

![image.png](attachment:58805567-dfb1-4584-b32c-be3de8862caa.png)

The first `scanf`'s format type is a `%d`, and the second's is a `%c`. So the first thing we pass to the program will be interpreted as a signed int, and the second as a character. then in `*(undefined *)((long)local_a8 + (long)local_a0) = local_a9;` the argument passed to the `%d` input will occupy `local_a8`, and the combination of that integer and some `local_a0` will be interpreted as a memory address and dereferenced, and the character we passed will be placed in that dereferenced location. 


### Remembering the objective
So as to not forget why we are here, we remember that the goal is to get some flag from the program. 

![image.png](attachment:4b35b249-7ea3-4239-b619-484fd5552b29.png)

Our objective can be seen here, where it looks like the flag is read from a `flag.txt` file and placed in variable `local_58`. 

We know that what we want is to get the contents of the variable `local_58`. Because the program doesn't just give us the flag we want, we have to figure out how to manipulate the program (via some form of interaction/input) to make it give us the contents of `local_58`. 

> A note on assumptions: So far, we have passumed that functions like `__isoc99_scanf` do what we expect them to do from reading standard C documentation (such as is defined https://man7.org/linux/man-pages/man3/scanf.3.html). However these expectations may be incorrect as the implementation is not explicit in the code we are reading through. We can have a high degree of certainty that code lines that perform operations such as variable assignments do what we expect them to do

For now, lets assume that everything works the way we expect (at a high level, that scanf just puts the user input into our variable location). 


So we are going to focus on our knowledge of 2 things right now

1. The program isnt giving us what we want by default
2. We can provide some input to the program


Lets say that at the point in which our program gives us an opportunity for input, we are are some state $S_{0}$. We then have an opportunity for input at `__isoc99_scanf(&DAT_00400b48,&local_a8);`, followed by `printf("Value: ");`, and then another opporunity for input `__isoc99_scanf(&DAT_00400b53,&local_a9);`.

We can envision that `__isoc99_scanf` is a function that transitions the state from $S_{0}$ to some new state $S_{1}$. So from a state perspective, we can look at `__isoc99_scanf(&DAT_00400b48,&local_a8);` as some transition between states $S_{0}$ and $S_{1}$. Practically speaking, we know that the state transition is going to take us from some pre-state to the state in which the contents of `local_a8` contains an integer that we provided, but speaking more generally it can be any random integer. 

> Note that `__isoc99_scanf(&DAT_00400b48,&local_a8);` also contains implied state. the `&DAT_00400b48` and `&local_a8` aguments passed to `__isoc99_scanf` are actually definitions of state that are done prior to the function `__isoc99_scanf`. Put another way, because of how arguments are passed to functions, the arguments are first put in a place (state is defined), and then a routine (function) is called to do some well defined "thing" on the state that existed at the time of the function's invocation. 

We can further refine our expectations of the state transition brought about by `__isoc99_scanf(&DAT_00400b48,&local_a8);` as a transition to the state in which `local_a8` will contain some (random) integer

$$ __isoc99_scanf(&DAT_00400b48,&local_a8): S_{0} -> S_{0} \bigcup $$

 
 
 **ASSUMING** that printf just prints a value and does not alter program state in a way we are about,
 

Knowing that `*(undefined *)((long)local_a8 + (long)local_a0) = local_a9;` is late in the program leads us to 

In [1]:
from pwn import *

In [2]:
io = remote("mercury.picoctf.net", 10097)

[x] Opening connection to mercury.picoctf.net on port 10097
[x] Opening connection to mercury.picoctf.net on port 10097: Trying 18.189.209.142
[+] Opening connection to mercury.picoctf.net on port 10097: Done


[*] Switching to interactive mode


Exception in thread Thread-8:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/home/bork/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 867, in recv_thread
    stdout.write(cur)
  File "/home/bork/.local/lib/python3.8/site-packages/ipykernel/iostream.py", line 511, in write
    raise TypeError(
TypeError: write() argument must be str, not <class 'bytes'>


$\hat{Y}$

$S_{0}$