
Commit 6871f4d

typo
1 parent a13ee2a commit 6871f4d

File tree

1 file changed

+1
-1
lines changed


content/sec/defcon-quals-2025/index.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ Since the binary is statically linked, and since it had strings referencing `GCC
2828

2929
Then, we spent a couple of hours reversing the main program, since it had a lot of C++ indirection going on and we thought some important behavior could be hidden there. However, it turns out the program simply called 0x4E8440 (which we named `fill_func_arr`) to load a big array of functions, then asked the user which of these functions they wanted to call, and finally asked for some base64 encoded data to pass as an argument to the chosen function. Lesson learned: start thinking simple; only if that does not work, carry out a deep analysis.
3030

31-
We noticed the first two functions of the array (0x404450 and 0x404780) did the same thing, only dimensions of the buffers where different. They copied the provided string into a grid (9x8 or 7x5, respectively) called `arr` in boustrophedonic order (i.e. consecutive rows alternated between left-to-right and right-to-left). In the stack, just after `arr`, there was a small buffer called `target`. After copying the provided string to `arr`, the function checked if `target` contained some `wanted` string.
31+
We noticed the first two functions of the array (0x404450 and 0x404780) did the same thing, only dimensions of the buffers were different. They copied the provided string into a grid (9x8 or 7x5, respectively) called `arr` in boustrophedonic order (i.e. consecutive rows alternated between left-to-right and right-to-left). In the stack, just after `arr`, there was a small buffer called `target`. After copying the provided string to `arr`, the function checked if `target` contained some `wanted` string.
3232

3333
In short, we needed to find which function had `arr` dimensions shorter than the grid size. Then, it would be possible to overflow `arr` and overwrite `target` with the desired string.
3434
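Review bot: the one-word fix on line 31 ("where" to "were") is correct, but the clause it sits in still reads awkwardly; "only dimensions of the buffers were different" would be clearer as "only the dimensions of the buffers were different". Since the same sentence is already being touched, it would also help the reader to say explicitly that the copy into `arr` is not bounded by the grid size, because the following paragraph's conclusion that a longer input can overflow `arr` and reach `target` relies on that, and the current wording only implies it.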
