Abstract -->

so like I've been working on an exploit for this program I found in the wild.. I give you the program(s) -->

Examples -->

Program 1:
---------

1: print "Hi\n";
2: if (user_input == 2) goto 5
3: print "Loop\n";
4: goto 3;
5: segfault

anyway.. it took me some hours looking at this, but I still can't figure it out (spaghetti, don't you think?). Simple as I am, I figure that I would try to guess some things: what's happening and how to exploit it (i.e., execute instruction 5).

Background -->

I don't really follow programs top-down since this program is too big for me to follow, so I go bottom-up and figure the segfault class is a nice place to start to look at.

1) I find my potential segfault.
2) I construct the flow graph of the program --> looks like this (I think)

1   *
    |
2   *---+
    |   |
3 +>*   |
  | |   |
4 +-*   |
        |
5   *<--+

hmm.. if I was to try to use some graph thingy, I could probably say that the only way I can connect this directed beast from 1 to 5 is by going through 2. (it's just a guess though).

2: if (user_input == 2) goto 5

that looks like a conditional jump or something.. I wonder what makes this condition true? user_input == 2, I guess.

anyway.. I tried putting in 2 for the user input, and I got a segfault. Thought it was pretty cool when that happened.

Program 2:
---------

1: print "Hi\n";
2: var = user_input;
3: foo = 1;
4: var += 2;
5: if (var == 2) goto 8;
6: print "Loop\n";
7: goto 6;
8: segfault

man.. this one is tough.. I don't yet have any algorithms for this stuff though, so I figure I'll try guessing some things again. I'm gonna skip step 1), cause I'm psychic and all that.

1   *
    |
2   *
    |
3   *
    |
4   *
    |
5   *---+
    |   |
6 +>*   |
  | |   |
7 +-*   |
        |
8   *<--+

man.. I gotta go through instructions 1-4, 7 for this to be exploitable, I reckon.. anyway.. instruction 5 is a conditional jump:

5: if (var == 2) goto 8

1) for the condition to be true, var == 2
2) instruction 4 does var += 2; for var == 2 as output, the input of var must be 0.
3) instruction 3 does not affect the data flow of interest, so I'll ignore it.
4) instruction 2 does var = user_input; for var == 0 as output, user_input must be 0.

anyway.. I run my program again with user_input as 0, and I get a segfault. Think that was pretty cool.

man.. the only thing we need at this point is an algorithm to brute force user_input!

I love top-down approaches to this stuff.. cause when people give you like big programs to audit, the first thing I do is look for main() and follow the program flow until I hit an exploit. I never look for classes of exploits or work backwards from things like strcpy's etc. to see if it's exploitable.. hmm.. anyway, I digress at this.

On the other hand, I know I personally don't have an implementation of this approach, but maybe like your big bro has one?

man.. I heard the other day that some like disassembly product (I dunno which one, cause like, there isn't an industry standard for this stuff) had some like architecture independence or something, but apparently like, they removed this functionality at some random version (I didn't see any documentation in either case though).. it was weird.. like, I dunno who asked them to do this.

anyway.. any input in response to this output is welcome. otherwise I'll ignore it (it will save my time).

-- Silvio
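The procedure the post walks through by hand, written out as a small tool: build the flow graph, find the cycle-free paths from the entry to the segfault (the "you can only get to 5 through 2" step), then walk each path backwards pushing the branch condition it needs through the assignments until only a constraint on user_input is left, and finally run the program with that value to confirm it crashes. This is an added example, not Silvio's code or anything from the post; the token-based parser, the function names (parse_program, find_paths, backward_solve, run, find_crashing_input) and the constraint representation are my own assumptions, and the two programs are embedded verbatim from the post as constructed input. It goes one step beyond the post in two ways: it also handles the not-taken side of a conditional (recorded as a "!=" constraint), and it checks the answer by concrete execution instead of trusting the backward reasoning.

```python
# Added example (not Silvio's code): the post's flow-graph + backward data-flow
# reasoning as a tiny tool for the toy language of the two programs in the post.
PROGRAM_1 = r'''1: print "Hi\n";
2: if (user_input == 2) goto 5
3: print "Loop\n";
4: goto 3;
5: segfault'''                               # constructed input, copied from the post
PROGRAM_2 = r'''1: print "Hi\n";
2: var = user_input;
3: foo = 1;
4: var += 2;
5: if (var == 2) goto 8;
6: print "Loop\n";
7: goto 6;
8: segfault'''

def parse_program(text):                      # line number -> token list, e.g. ['var', '+=', '2']
    prog = {}
    for raw in text.strip().splitlines():
        num, body = raw.split(":", 1)
        prog[int(num)] = body.replace("(", " ").replace(")", " ").replace(";", " ").split()
    return prog

def successors(prog, n):                      # flow-graph edges out of line n
    t = prog[n]
    if t[0] in ("segfault", "goto"):
        return [int(t[1])] if t[0] == "goto" else []
    return [n + 1] + ([int(t[5])] if t[0] == "if" else [])

def find_paths(prog, start, target):          # every cycle-free path start -> target
    paths = []
    def dfs(node, path):
        if node == target:
            paths.append(path)
        elif node in prog:
            for s in successors(prog, node):
                if s not in path:             # do not re-enter the print/goto loops
                    dfs(s, path + [s])
    dfs(start, [start])
    return paths

def _merge(cons, var, op, k):                 # record 'var op k'; False on a contradiction
    cur = cons.get(var)
    if cur is None:
        cons[var] = ("==", k) if op == "==" else ("!=", {k})
    elif cur[0] == "==":
        return (cur[1] == k) == (op == "==")
    elif op == "==" and k in cur[1]:
        return False
    else:
        cons[var] = ("==", k) if op == "==" else ("!=", cur[1] | {k})
    return True

def backward_solve(prog, path):
    """Walk the path backwards until only a constraint on user_input is left; None if infeasible."""
    cons = {}                                 # var -> ("==", k) or ("!=", {k, ...})
    for i in range(len(path) - 1, -1, -1):
        t = prog[path[i]]
        if t[0] == "if":                      # if (var == k) goto tgt
            taken = i + 1 < len(path) and path[i + 1] == int(t[5])
            if not _merge(cons, t[1], "==" if taken else "!=", int(t[3])):
                return None
        elif len(t) == 3 and t[1] in ("=", "+=") and t[0] in cons:
            var, rhs, (cop, cv) = t[0], t[2], cons.pop(t[0])
            if t[1] == "+=":                  # var += k: the constraint shifts by -k
                k = int(rhs)
                cons[var] = ("==", cv - k) if cop == "==" else ("!=", {v - k for v in cv})
            elif rhs == "user_input":         # var = user_input: it moves onto the input
                for v in ([cv] if cop == "==" else cv):
                    if not _merge(cons, "user_input", cop, v):
                        return None
            elif (cop == "==" and cv != int(rhs)) or (cop == "!=" and int(rhs) in cv):
                return None                   # var = k: must satisfy it; the constraint dies here
    c = cons.get("user_input")                # print, goto, segfault and foo = 1 never touched it
    if c is None:
        return 0                              # unconstrained: any input reaches the target
    return c[1] if c[0] == "==" else next(v for v in range(len(c[1]) + 1) if v not in c[1])

def run(prog, user_input, max_steps=100):     # concrete execution: 'segfault', 'exit' or 'loop'
    env, pc = {"user_input": user_input}, min(prog)
    for _ in range(max_steps):
        if pc not in prog:
            return "exit"
        t = prog[pc]
        if t[0] == "segfault":
            return "segfault"
        if t[0] == "goto" or (t[0] == "if" and env.get(t[1]) == int(t[3])):
            pc = int(t[-1])
            continue
        if len(t) == 3 and t[1] in ("=", "+="):
            val = user_input if t[2] == "user_input" else int(t[2])
            env[t[0]] = val if t[1] == "=" else env.get(t[0], 0) + val
        pc += 1
    return "loop"

def find_crashing_input(text):                # the whole procedure; each answer is confirmed by running it
    prog = parse_program(text)
    target = next(n for n, t in prog.items() if t[0] == "segfault")
    for path in find_paths(prog, min(prog), target):
        guess = backward_solve(prog, path)
        if guess is not None and run(prog, guess) == "segfault":
            return path, guess
    return None
```

find_crashing_input(PROGRAM_1) gives the path [1, 2, 5] with user_input 2, and find_crashing_input(PROGRAM_2) gives [1, 2, 3, 4, 5, 8] with user_input 0, the same answers the post arrives at by hand. The cycle pruning in find_paths is what throws away the print/goto loops, which is why the loop bodies never show up in the constraint; and because the solver only knows "==" and "!=" on integers, anything fancier than var = k, var += k and var = user_input would need a real constraint solver rather than this hand-rolled propagation.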