From 5f149b34cecb3a891df98a6156c7b93604ed420b Mon Sep 17 00:00:00 2001 From: Felix Martin Date: Sat, 21 Jan 2023 14:54:00 -0500 Subject: [PATCH] Document Addis Ababa --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index c6c7d1b..742d17b 100644 --- a/README.md +++ b/README.md @@ -286,6 +286,25 @@ And then we use the following passowrd. ## Addis Ababa +This is the first exercise that uses printf to print the password back to the +user. The printf-function provides a couple of conversion specifiers like `%s`, +`%x`, `%c` and `%n`. + +In this exercise, the value at 0x3a60 must not be zero to unlock the door. + +We can use a bug in printf that uses the printf string as the output address of +`%n` to set 0x3a60 to a non-zero value. If we use `%n` twice, the second `%n` +will then write `3` (number of characters to this point) into that address. + ``` + add + / +---- 603a256e61256e + ---------- + \ %na%n + ``` + +## Novosibirsk +
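Review bot: The `%n` paragraph in the new "Addis Ababa" section does not say why two `%n` specifiers are needed or where the first one writes; it only states that the second one writes `3` to the target. Spell out which argument each `%n` consumes, and list the three characters counted "to this point" (from the diagram these look like the bytes `60`, `3a` and `a`), so the reader can check the value against the input. The diagram also needs a pass: the label `add` reads as truncated, and nothing says that `603a256e61256e` is hex-encoded input or that its leading bytes `60 3a` are 0x3a60 in little-endian order, if that is what is meant. Separately, the hunk adds an empty `## Novosibirsk` heading that the subject "Document Addis Ababa" does not cover; drop it here or add it together with its content in its own commit.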