GDB Usage

Check memory layout

To check the memory layout of a binary in GDB, you can use different commands depending on whether the program is currently running or whether you are only inspecting the static binary file.

1. If the Program is Running

The best command to see the virtual memory mappings (including the heap, stack, and loaded libraries) is:

info proc mappings

What it shows:

Start/End Addr: The virtual address range.
Size: The size of the mapped region.
Offset: Offset into the file (if file-backed).
Objfile: The specific…
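What the rows of info proc mappings actually are: on a native Linux target GDB builds that table from /proc/PID/maps, so the same parsing lets you pull a library base or the stack bounds out of a pasted mapping list. The following is an added example, not code from the original post; the mapping lines embedded in it are constructed for the demo rather than captured from a real process, and the helper names (parse_maps_line, find_base, find_region) are this example's own.

```c
/* Added example: parse /proc/PID/maps-format lines (the data behind GDB's
 * "info proc mappings") and recover a library base and a region's bounds.
 * SAMPLE_MAPS below is constructed for the demo, not a real capture. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned long start, end, offset;   /* Start/End Addr and file Offset */
    char perms[5];                      /* e.g. "r-xp" */
    char path[256];                     /* Objfile, or [heap]/[stack]/empty */
} mapping_t;

/* One line looks like: start-end perms offset dev inode [path].
 * Returns 1 on success, 0 if the line does not match that format. */
int parse_maps_line(const char *line, mapping_t *m) {
    char dev[32];
    unsigned long inode;
    int consumed = 0;
    m->path[0] = '\0';
    int got = sscanf(line, "%lx-%lx %4s %lx %31s %lu %n",
                     &m->start, &m->end, m->perms, &m->offset, dev, &inode, &consumed);
    if (got < 6) return 0;
    /* Everything after the inode is the path; anonymous maps have none. */
    if (consumed > 0 && line[consumed] != '\0') {
        strncpy(m->path, line + consumed, sizeof m->path - 1);
        m->path[sizeof m->path - 1] = '\0';
        m->path[strcspn(m->path, "\n")] = '\0';
    }
    return 1;
}

/* Constructed sample, PIE binary plus libc on x86_64 (not a real capture). */
static const char *SAMPLE_MAPS[] = {
    "555555554000-555555555000 r--p 00000000 08:01 1234 /tmp/demo\n",
    "555555555000-555555556000 r-xp 00001000 08:01 1234 /tmp/demo\n",
    "555555559000-55555557a000 rw-p 00000000 00:00 0 [heap]\n",
    "7ffff7d80000-7ffff7da8000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n",
    "7ffff7da8000-7ffff7f3d000 r-xp 00028000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n",
    "7ffff7ff9000-7ffff7ffb000 r--p 00000000 00:00 0 [vdso]\n",
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n",
};
#define SAMPLE_COUNT (sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0])

/* Base of an object = lowest-addressed mapping of it with file offset 0.
 * Returns 0 when no mapping's path contains `needle`. */
unsigned long find_base(const char *const *lines, size_t n, const char *needle) {
    unsigned long base = 0;
    for (size_t i = 0; i < n; i++) {
        mapping_t m;
        if (!parse_maps_line(lines[i], &m)) continue;
        if (strstr(m.path, needle) && m.offset == 0 && (base == 0 || m.start < base))
            base = m.start;
    }
    return base;
}

/* First mapping whose path contains `needle` (e.g. "[stack]"). */
int find_region(const char *const *lines, size_t n, const char *needle, mapping_t *out) {
    for (size_t i = 0; i < n; i++) {
        mapping_t m;
        if (parse_maps_line(lines[i], &m) && strstr(m.path, needle)) { *out = m; return 1; }
    }
    return 0;
}

unsigned long sample_libc_base(void) { return find_base(SAMPLE_MAPS, SAMPLE_COUNT, "libc.so"); }

unsigned long sample_stack_size(void) {
    mapping_t m;
    if (!find_region(SAMPLE_MAPS, SAMPLE_COUNT, "[stack]", &m)) return 0;
    return m.end - m.start;
}

int sample_parse_count(void) {
    int ok = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) { mapping_t m; ok += parse_maps_line(SAMPLE_MAPS[i], &m); }
    return ok;
}

int parse_rejects_garbage(void) { mapping_t m; return !parse_maps_line("not a maps line", &m); }

int main(void) {
    /* Same columns GDB prints: Start Addr, End Addr, Size, Offset, Objfile. */
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        mapping_t m;
        if (parse_maps_line(SAMPLE_MAPS[i], &m))
            printf("%#14lx %#14lx %#8lx %#8lx %s %s\n", m.start, m.end,
                   m.end - m.start, m.offset, m.perms, m.path);
    }
    printf("libc base: %#lx, stack size: %#lx\n", sample_libc_base(), sample_stack_size());
    return 0;
}
```

The base-address rule (lowest mapping with offset 0) is what you want when computing libc gadget addresses by hand; the r-xp segment of libc in the sample starts at file offset 0x28000, so taking its start address as the base would be off by that much.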

The difference of overflow and underflow

In computer science, and specifically in fuzzing and exploitation, the terms Overflow and Underflow mean different things depending on whether you are talking about Numbers (Arithmetic) or Memory (Buffers). Here is the breakdown of the differences.

1. Arithmetic (Integer) Context

This refers to the value of a number going beyond what the variable type can hold.

Integer Overflow (Too Big)

Occurs when you try to store a value larger than the maximum limit. The value "wraps around" to the minimum (this wrap is guaranteed only for unsigned types; signed overflow is undefined behaviour in C and C++, even though it usually wraps in practice).

Analogy: A car odometer at 999,999 rolling over to 000,000.…
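The two meanings side by side, as an added example that is not part of the original post: unsigned arithmetic wrapping in both directions, the allocation-size check that stops an arithmetic overflow from turning into a heap overflow, and a bounds check that reports a buffer underflow (negative index) and overflow (index past the end) separately. The buffer size, the helper names and the "length from input" scenario are this example's own assumptions.

```c
/* Added example: arithmetic vs. memory overflow/underflow, with the checks a
 * reviewer expects. Only unsigned values are wrapped here on purpose, since
 * signed overflow is undefined behaviour in C. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Arithmetic overflow: UINT32_MAX + 1 wraps to 0. */
uint32_t u32_wrap_inc(uint32_t a) { return a + 1; }

/* Arithmetic underflow: 0 - 1 wraps to UINT32_MAX. This is why "len - 1"
 * loops run for four billion iterations when len == 0. */
uint32_t u32_wrap_dec(uint32_t a) { return a - 1; }

/* count * elem_size must not wrap, or malloc() gets a small number and the
 * following copy writes past the allocation (a heap overflow).
 * Returns the size, or 0 to refuse (overflow or a zero-size request). */
size_t checked_alloc_size(size_t count, size_t elem_size) {
    size_t total;
    if (__builtin_mul_overflow(count, elem_size, &total)) return 0;
    return total;
}

/* Memory overflow/underflow: a fixed buffer (size assumed for the demo) and a
 * write whose index is signed so that a negative value is visible. */
#define BUF_LEN 16
static unsigned char buf[BUF_LEN];

int bounded_write(long idx, unsigned char v) {
    if (idx < 0) return -1;                 /* buffer underflow: before start */
    if ((size_t)idx >= BUF_LEN) return -2;  /* buffer overflow: past the end  */
    buf[idx] = v;
    return 0;
}

unsigned char buf_at(size_t i) { return i < BUF_LEN ? buf[i] : 0; }

/* Where the two meet: a length taken from input is decremented without a zero
 * check and then used as a bound. True if the resulting loop would leave the
 * buffer. */
bool length_loop_is_unsafe(uint32_t len_from_input) {
    uint32_t last = len_from_input - 1;     /* arithmetic underflow when 0 */
    return last >= BUF_LEN;                 /* becomes a memory overflow   */
}

int main(void) {
    printf("UINT32_MAX + 1 = %u\n", u32_wrap_inc(UINT32_MAX));
    printf("0 - 1          = %u\n", u32_wrap_dec(0));
    printf("100 * 8        = %zu\n", checked_alloc_size(100, 8));
    printf("SIZE_MAX/2+1*2 = %zu (0 means refused)\n", checked_alloc_size(SIZE_MAX / 2 + 1, 2));
    printf("write idx -1   = %d, idx 16 = %d, idx 15 = %d\n",
           bounded_write(-1, 1), bounded_write(16, 1), bounded_write(15, 0x41));
    printf("len 0 unsafe   = %d, len 8 unsafe = %d\n",
           length_loop_is_unsafe(0), length_loop_is_unsafe(8));
    return 0;
}
```

__builtin_mul_overflow is the GCC/Clang builtin; the same check in portable C is `count != 0 && elem_size > SIZE_MAX / count`.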

Memory Layout (global data, code, stack, heap, etc.) with TLS

On AArch64 (ARM64), the memory layout for Thread Local Storage (TLS) follows TLS Variant 1. This is distinct from x86_64 (which uses Variant 2). The key difference is the location of the TLS data relative to the thread pointer: in Variant 1 the TLS blocks sit above the thread pointer (tpidr_el0), after a small thread control block; in Variant 2 they sit below it (the fs base on x86_64).

1. The High-Level View (Process Memory)

For a standard Linux process on AArch64, the memory is laid out as follows (drawn with the highest address at the top):

+----------------------+ <-- High Address (e.g., 0x0000ffff...)
|        Stack         | (Main Thread Stack, grows DOWN)
+----------------------+
|         ...          |
|    Memory Mapping    | <--…
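The variant difference can be measured from inside a process: read the thread pointer, take the address of a __thread variable, and look at the sign of the distance. The program below is an added example, not code from the original post. It assumes a GCC or Clang toolchain on Linux with glibc, reads the thread pointer with the architecture's own instruction (tpidr_el0 on AArch64, the TCB self-pointer at %fs:0 on x86_64), and reports "unsupported" on any other architecture; it also prints the other regions of the layout so the order stack > mappings > heap > data > code can be seen.

```c
/* Added example: probe TLS Variant 1 vs. Variant 2 from a running process.
 * Assumes Linux + glibc and a GCC/Clang toolchain. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static __thread int tls_counter = 1;      /* lives in this thread's TLS block */
static int global_data = 2;               /* lives in .data */

/* Thread pointer: tpidr_el0 on AArch64; on x86_64 glibc keeps a pointer to
 * the TCB at %fs:0, which is the thread pointer value. 0 = unsupported arch. */
static uintptr_t read_thread_pointer(void) {
    uintptr_t tp = 0;
#if defined(__aarch64__)
    __asm__ volatile("mrs %0, tpidr_el0" : "=r"(tp));
#elif defined(__x86_64__)
    __asm__ volatile("mov %%fs:0, %0" : "=r"(tp));
#endif
    return tp;
}

/* Signed distance from the thread pointer to the TLS variable. */
intptr_t tls_offset_from_tp(void) {
    uintptr_t tp = read_thread_pointer();
    if (tp == 0) return 0;
    return (intptr_t)((uintptr_t)&tls_counter - tp);
}

/* 1 = layout matches the variant the text assigns to this architecture,
 * 0 = it does not, -1 = architecture not handled by this probe. */
int tls_layout_matches_variant(void) {
    intptr_t off = tls_offset_from_tp();
#if defined(__aarch64__)
    return off > 0 ? 1 : 0;   /* Variant 1: TLS block above TP (TP + 16 + ...) */
#elif defined(__x86_64__)
    return off < 0 ? 1 : 0;   /* Variant 2: TLS block below TP (negative offsets) */
#else
    (void)off;
    return -1;
#endif
}

/* The coarse layout claim: the main-thread stack is above the brk heap. */
int stack_above_heap(void) {
    int local = 0;
    void *heap = malloc(32);
    int result = heap != NULL && (uintptr_t)&local > (uintptr_t)heap;
    free(heap);
    return result;
}

int main(void) {
    int local = 0;
    void *heap = malloc(32);
    printf("code  (main)       %p\n", (void *)(uintptr_t)main);
    printf("data  (global)     %p\n", (void *)&global_data);
    printf("heap  (malloc)     %p\n", heap);
    printf("tls   (__thread)   %p\n", (void *)&tls_counter);
    printf("tp    (thread ptr) %p\n", (void *)read_thread_pointer());
    printf("stack (local)      %p\n", (void *)&local);
    int verdict = tls_layout_matches_variant();
    printf("TLS var is %ld bytes from TP: %s\n", (long)tls_offset_from_tp(),
           verdict == 1 ? "matches this arch's variant" :
           verdict == 0 ? "does NOT match" : "arch not probed");
    free(heap);
    return 0;
}
```

On AArch64 the printed offset is small and positive (the 16-byte TCB plus alignment); on x86_64 it is small and negative. That sign is exactly what an exploit writer needs when a primitive gives a thread-pointer-relative read or write (for example, the stack canary in the TCB on x86_64 lives at fs:0x28, above the TLS variables).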

AFL Coverage Instrumentation Callback

0000000000000bc0 <bbCallback>:
 bc0:   90000102    adrp    x2, 20000 <_exit@GLIBC_2.17>
 bc4:   f9404c43    ldr     x3, [x2, #152]
 bc8:   b4000263    cbz     x3, c14 <bbCallback+0x54>
 bcc:   d53bd042    mrs     x2, tpidr_el0
 bd0:   a9bf7bfd    stp     x29, x30, [sp, #-16]!
 bd4:   12003c01    and     w1, w0, #0xffff
 bd8:   910003fd    mov     x29, sp
 bdc:   90000100    adrp    x0, 20000 <_exit@GLIBC_2.17>
 be0:   f9403404    ldr     x4, [x0, #104]
 be4:   9101a000    add     x0, x0, #0x68
 be8:   d63f0080    blr     x4
 bec:   78606844    ldrh    w4, [x2, x0]
 bf0:   53017c25    lsr     w5, w1, #1
 bf4:   78206845    strh    w5, [x2, x0]
 bf8:   4a040021    eor     w1, w1,…
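The listing is the compiled form of AFL's edge-coverage update: bail out if the shared map pointer is NULL (cbz), read the per-thread previous location from TLS (mrs tpidr_el0, the TLS-descriptor call via blr x4, ldrh), mask the current block id to the map size (and #0xffff), store prev_loc = cur_loc >> 1 (lsr, strh), and XOR the two to index the map (eor). The C below is an added example that re-implements that logic, not AFL's own source or the code this disassembly was produced from; the 65536-entry map, the static array standing in for the shared-memory region, and the sample trace are assumptions for the demo.

```c
/* Added example: the AFL edge-coverage update that bbCallback implements,
 * written out in C. MAP_SIZE and the static map are demo assumptions; in a
 * real target the map is the shared memory attached by the fuzzer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 65536

static uint8_t afl_map[MAP_SIZE];
static uint8_t *afl_area_ptr = afl_map;        /* NULL until "attached" in real AFL */
static __thread uint32_t afl_prev_loc;          /* per-thread, hence the TLS read  */

/* Called at the start of every basic block with that block's random id.
 * Returns the map index it bumped (UINT32_MAX if no map is attached). */
uint32_t bb_callback(uint32_t cur_loc) {
    if (!afl_area_ptr) return UINT32_MAX;       /* cbz x3, ...              */
    cur_loc &= MAP_SIZE - 1;                    /* and w1, w0, #0xffff      */
    uint32_t idx = cur_loc ^ afl_prev_loc;      /* eor w1, w1, w4 (prev)    */
    afl_area_ptr[idx]++;                        /* load/increment/store map */
    afl_prev_loc = cur_loc >> 1;                /* lsr w5, w1, #1 ; strh    */
    return idx;
}

void coverage_reset(void) {
    memset(afl_map, 0, sizeof afl_map);
    afl_prev_loc = 0;
}

uint8_t coverage_hits(uint32_t idx) { return afl_map[idx & (MAP_SIZE - 1)]; }

/* Why prev_loc is shifted: without ">> 1", A->B and B->A would XOR to the
 * same slot and A->A would always land on slot 0. Returns 1 when the two
 * directions of an edge map to different slots. */
int edge_direction_is_distinct(uint32_t a, uint32_t b) {
    coverage_reset();
    bb_callback(a);
    uint32_t a_then_b = bb_callback(b);
    coverage_reset();
    bb_callback(b);
    uint32_t b_then_a = bb_callback(a);
    return a_then_b != b_then_a;
}

/* Replay a sequence of block ids; returns the number of distinct edges hit. */
size_t run_trace(const uint32_t *blocks, size_t n) {
    coverage_reset();
    for (size_t i = 0; i < n; i++) bb_callback(blocks[i]);
    size_t edges = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) edges += afl_map[i] != 0;
    return edges;
}

/* Constructed trace: blocks 0x10 -> 0x20 -> 0x30 -> 0x20 -> 0x30. */
static const uint32_t SAMPLE_TRACE[] = { 0x10, 0x20, 0x30, 0x20, 0x30 };

size_t sample_trace_edges(void) {
    return run_trace(SAMPLE_TRACE, sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0]);
}

int main(void) {
    printf("distinct edges in sample trace: %zu\n", sample_trace_edges());
    printf("slot 0x20 (edge 0x20->0x30) hit %u times\n", coverage_hits(0x20));
    printf("A->B and B->A distinguishable: %d\n", edge_direction_is_distinct(0x1234, 0xabcd));
    return 0;
}
```

The shift also explains the strh/ldrh pair in the listing: prev_loc is stored as a 16-bit value because after masking to 0xffff and shifting right it always fits.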

Executable Startup And Initialization

CRT (C Runtime) "glue code" refers to a set of pre-compiled object files (typically crt1.o, crti.o, crtn.o, crtbegin.o, and crtend.o) that are automatically linked with your program. They "glue" the operating system's process loader to your main() function by handling low-level setup (stack, environment) and high-level initialization (global constructors).

Execution Order Summary:

1. _start (Entry Point)
2. __libc_start_main (Standard C Library setup)
3. __libc_csu_init / _init (Generic initialization hooks; on glibc 2.34 and later __libc_start_main runs these itself and __libc_csu_init no longer exists)
4. .init_array (Global constructors/C++ initializers)
5. main() (Your code)

Detailed Explanation

1. What is CRT Glue Code?

The "glue" consists of startup files provided…
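The order described above can be observed from a normal program by logging from each hook before main() runs. The following is an added example, not code from the original post: it registers constructors with and without a priority, adds one .init_array entry by hand to show that the attribute is only a front-end for the same section, and exposes the log so main() (or any later caller) can read it back. It assumes a GCC or Clang toolchain on Linux with glibc; the tags and helper names are this example's own.

```c
/* Added example: watch the CRT initialization order from inside a program.
 * Assumes GCC/Clang on Linux with glibc. */
#include <stdio.h>
#include <string.h>

#define LOG_MAX 8
static const char *startup_log[LOG_MAX];
static int startup_log_len;

static void log_event(const char *tag) {
    if (startup_log_len < LOG_MAX) startup_log[startup_log_len++] = tag;
}

/* Prioritized constructors go to .init_array.NNNNN sections, which the
 * linker sorts ahead of plain .init_array; 101 is the lowest user value. */
__attribute__((constructor(101))) static void early_ctor(void) { log_event("ctor-101"); }
__attribute__((constructor))      static void default_ctor(void) { log_event("ctor-default"); }

/* A raw .init_array entry: exactly what the constructor attribute emits.
 * The order among unprioritized entries is left to compiler and linker. */
static void raw_init_array_fn(void) { log_event("init_array-raw"); }
static void (*raw_init_entry)(void) __attribute__((section(".init_array"), used)) = raw_init_array_fn;

/* Runs after main() returns (or exit()), via .fini_array. */
__attribute__((destructor)) static void dtor(void) {
    fputs("destructor: runs after main returns\n", stderr);
}

int startup_event_count(void) { return startup_log_len; }

const char *startup_event(int i) {
    return (i >= 0 && i < startup_log_len) ? startup_log[i] : "";
}

int startup_log_contains(const char *tag) {
    for (int i = 0; i < startup_log_len; i++)
        if (strcmp(startup_log[i], tag) == 0) return 1;
    return 0;
}

/* True when all three hooks have already run and the prioritized one came
 * first; called from main(), that is "before main" from the hooks' view. */
int constructors_ran_before_main(void) {
    return startup_log_len == 3 && strcmp(startup_event(0), "ctor-101") == 0;
}

int main(void) {
    printf("main: %d hooks ran before me\n", startup_event_count());
    for (int i = 0; i < startup_event_count(); i++)
        printf("  %d: %s\n", i + 1, startup_event(i));
    printf("order as described: %s\n", constructors_ran_before_main() ? "yes" : "no");
    return 0;
}
```

Anything that must run before main() and before other constructors (a seccomp filter, a sanitizer runtime, an anti-debugging check in a sample you are analysing) is found in exactly these sections, so `objdump -s -j .init_array` on a stripped binary is often the fastest way to find "hidden" startup code.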

The difference between soundness and completeness

In logic and computer science, soundness and completeness are two fundamental properties of a formal system (a set of rules for proving things). They describe the relationship between Provability (can the system prove it?) and Truth (is it actually true?). Here is the simple breakdown:

1. Soundness: "Everything you prove is true."

A system is sound if it never lies to you. If the system produces a proof for a statement, that statement must be valid.

The Direction: Proof $\rightarrow$ Truth.
The Fear: You don't want False Positives.…
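The distinction shows up concretely in static analysis: an analyzer that abstracts values to their sign can prove some divisions safe (a proof that is always true, so the checker is sound) but cannot prove every safe division (so it is incomplete, and the unprovable-but-safe cases come back as false alarms). The code below is an added example, not part of the original post; the expression shape, the sign domain and the bounded concrete check it compares against are constructed for the demo.

```c
/* Added example: a sound but incomplete divide-by-zero checker over the
 * sign domain. "Proved safe" => really safe (soundness); some really safe
 * expressions are not proved (incompleteness). */
#include <stdio.h>

typedef enum { NEG, ZERO, POS, TOP } sign_t;   /* TOP = "could be anything" */

sign_t sign_of(long v) { return v < 0 ? NEG : v == 0 ? ZERO : POS; }

sign_t sign_add(sign_t a, sign_t b) {
    if (a == ZERO) return b;
    if (b == ZERO) return a;
    if (a == b && a != TOP) return a;         /* pos+pos, neg+neg keep their sign */
    return TOP;                                /* pos+neg (or TOP) could be any sign */
}

sign_t sign_mul(sign_t a, sign_t b) {
    if (a == ZERO || b == ZERO) return ZERO;
    if (a == TOP || b == TOP) return TOP;
    return a == b ? POS : NEG;
}

/* Expression under analysis: (x*k1 + k2) / (x*k3 + k4) for unknown input x. */
typedef struct { long k1, k2, k3, k4; } expr_t;

/* Abstract check. 1 = "proved: divisor never zero", 0 = "may divide by zero". */
int abstract_proves_safe(expr_t e, sign_t x_sign) {
    sign_t d = sign_add(sign_mul(x_sign, sign_of(e.k3)), sign_of(e.k4));
    return d == POS || d == NEG;
}

/* Concrete evaluation: 0 if the divisor is zero for this x. */
int concrete_eval(expr_t e, long x, long *out) {
    long d = x * e.k3 + e.k4;
    if (d == 0) return 0;
    *out = (x * e.k1 + e.k2) / d;
    return 1;
}

/* Ground truth over a bounded input range: 1 = no x divides by zero. */
int concrete_is_safe(expr_t e, long lo, long hi) {
    for (long x = lo; x <= hi; x++) {
        long r;
        if (!concrete_eval(e, x, &r)) return 0;
    }
    return 1;
}

/* Soundness, checked exhaustively for small coefficients: whenever the
 * abstract checker says "safe", the concrete run must agree. Returns 1 if
 * no proof was ever wrong. */
int soundness_holds(void) {
    for (long k3 = -3; k3 <= 3; k3++)
        for (long k4 = -3; k4 <= 3; k4++) {
            expr_t e = { 1, 0, k3, k4 };
            if (abstract_proves_safe(e, POS) && !concrete_is_safe(e, 1, 50))   return 0;
            if (abstract_proves_safe(e, NEG) && !concrete_is_safe(e, -50, -1)) return 0;
            if (abstract_proves_safe(e, TOP) && !concrete_is_safe(e, -50, 50)) return 0;
        }
    return 1;
}

/* Incompleteness: (x + 1) / (2x - 1) never divides by zero for integer x > 0,
 * but POS*POS + NEG is TOP in the sign domain, so the checker cannot prove
 * it and reports a false alarm. Returns 1 when that is what happens. */
int false_alarm_example(void) {
    expr_t e = { 1, 1, 2, -1 };
    return !abstract_proves_safe(e, POS) && concrete_is_safe(e, 1, 1000);
}

int main(void) {
    expr_t safe = { 1, 0, 1, 1 };    /* x / (x + 1), x > 0: provably safe  */
    expr_t buggy = { 1, 0, 1, -5 };  /* x / (x - 5): x == 5 divides by zero */
    printf("x/(x+1)   proved safe: %d\n", abstract_proves_safe(safe, POS));
    printf("x/(x-5)   proved safe: %d (correctly refused)\n", abstract_proves_safe(buggy, POS));
    printf("sound over small coefficients: %d\n", soundness_holds());
    printf("false alarm on (x+1)/(2x-1):   %d\n", false_alarm_example());
    return 0;
}
```

The trade-off is the usual one in tooling: a fuzzer is the mirror image (every crash it reports is real, but it proves nothing about inputs it never generated), which is why analyzers that are sound by construction and fuzzers that are precise by construction are used together.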