index.html

<!DOCTYPE HTML>
<html lang="en" class="sidebar-visible no-js navy">
    <head>
        <!-- Book generated using mdBook -->
        <meta charset="UTF-8">
        <title>Nightmare - Nightmare</title>
        
        


        <!-- Custom HTML head -->
        


        <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
        <meta name="description" content="Nightmare: an intro to binary exploitation / reverse engineering course based around CTF challenges.">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="theme-color" content="#ffffff" />

        
        <link rel="icon" href="favicon.svg">
        
        
        <link rel="shortcut icon" href="favicon.png">
        
        <link rel="stylesheet" href="css/variables.css">
        <link rel="stylesheet" href="css/general.css">
        <link rel="stylesheet" href="css/chrome.css">
        <link rel="stylesheet" href="css/print.css" media="print">

        <!-- Fonts -->
        <link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
        
        <link rel="stylesheet" href="fonts/fonts.css">
        

        <!-- Highlight.js Stylesheets -->
        <link rel="stylesheet" href="highlight.css">
        <link rel="stylesheet" href="tomorrow-night.css">
        <link rel="stylesheet" href="ayu-highlight.css">

        <!-- Custom theme stylesheets -->
        

        
    </head>
    <body>
        <!-- Provide site root to javascript -->
        <script type="text/javascript">
            var path_to_root = "";
            var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "navy";
        </script>

        <!-- Work around some values being stored in localStorage wrapped in quotes -->
        <script type="text/javascript">
            try {
                var theme = localStorage.getItem('mdbook-theme');
                var sidebar = localStorage.getItem('mdbook-sidebar');

                if (theme.startsWith('"') && theme.endsWith('"')) {
                    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
                }

                if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
                    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
                }
            } catch (e) { }
        </script>

        <!-- Set the theme before any content is loaded, prevents flash -->
        <script type="text/javascript">
            var theme;
            try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
            if (theme === null || theme === undefined) { theme = default_theme; }
            var html = document.querySelector('html');
            html.classList.remove('no-js')
            html.classList.remove('navy')
            html.classList.add(theme);
            html.classList.add('js');
        </script>

        <!-- Hide / unhide sidebar before it is displayed -->
        <script type="text/javascript">
            var html = document.querySelector('html');
            var sidebar = 'hidden';
            if (document.body.clientWidth >= 1080) {
                try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
                sidebar = sidebar || 'visible';
            }
            html.classList.remove('sidebar-visible');
            html.classList.add("sidebar-" + sidebar);
        </script>

        <nav id="sidebar" class="sidebar" aria-label="Table of contents">
            <div class="sidebar-scrollbox">
                <ol class="chapter"><li class="chapter-item expanded affix "><a href="../index.html">Nightmare</a></li><li class="chapter-item expanded "><a href="00-intro/index.html"><strong aria-hidden="true">1.</strong> Introduction</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="01-intro_assembly/assembly/index.html"><strong aria-hidden="true">1.1.</strong> Assembly</a></li><li class="chapter-item expanded "><a href="01-intro_assembly/reversing_assembly/index.html"><strong aria-hidden="true">1.2.</strong> Reversing Assembly</a></li><li class="chapter-item expanded "><a href="02-intro_tooling/ghidra/index.html"><strong aria-hidden="true">1.3.</strong> Reversing with GHIDRA</a></li><li class="chapter-item expanded "><a href="02-intro_tooling/gdb-gef/index.html"><strong aria-hidden="true">1.4.</strong> Debugging with GDB</a></li><li class="chapter-item expanded "><a href="02-intro_tooling/pwntools/index.html"><strong aria-hidden="true">1.5.</strong> Scripting with Python pwntools</a></li><li class="chapter-item expanded "><a href="03-beginner_re/csaw18_x86tour_pt1/index.html"><strong aria-hidden="true">1.6.</strong> Beginner Reversing</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="03-beginner_re/pico18_strings/index.html"><strong aria-hidden="true">1.6.1.</strong> Pico'18: Strings</a></li><li class="chapter-item expanded "><a href="03-beginner_re/helithumper_re/index.html"><strong aria-hidden="true">1.6.2.</strong> Helithumper RE</a></li><li class="chapter-item expanded "><a href="03-beginner_re/csaw19_beleaf/index.html"><strong aria-hidden="true">1.6.3.</strong> CSAW'19: Beleaf</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="04-bof_variable/csaw18_boi/index.html"><strong aria-hidden="true">2.</strong> Stack Buffer Overflows</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="04-bof_variable/tamu19_pwn1/index.html"><strong aria-hidden="true">2.1.</strong> TAMU'19: Pwn1</a></li><li class="chapter-item expanded "><a href="04-bof_variable/tw17_justdoit/index.html"><strong aria-hidden="true">2.2.</strong> TokyoWesterns'17: JustDoIt</a></li><li class="chapter-item expanded "><a href="05-bof_callfunction/csaw16_warmup/index.html"><strong aria-hidden="true">2.3.</strong> CSAW'16: Warmup</a></li><li class="chapter-item expanded "><a href="05-bof_callfunction/csaw18_getit/index.html"><strong aria-hidden="true">2.4.</strong> CSAW'18: Getit</a></li><li class="chapter-item expanded "><a href="05-bof_callfunction/tu17_vulnchat/index.html"><strong aria-hidden="true">2.5.</strong> TU'17: Vulnchat</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="5.1-mitigation_aslr_pie/index.html"><strong aria-hidden="true">2.5.1.</strong> ASLR/PIE</a></li></ol></li><li class="chapter-item expanded "><a href="06-bof_shellcode/csaw17_pilot/index.html"><strong aria-hidden="true">2.6.</strong> CSAW'17: Pilot</a></li><li class="chapter-item expanded "><a href="06-bof_shellcode/tamu19_pwn3/index.html"><strong aria-hidden="true">2.7.</strong> TAMU'19: Pwn3</a></li><li class="chapter-item expanded "><a href="06-bof_shellcode/tu18_shellaeasy/index.html"><strong aria-hidden="true">2.8.</strong> TU'18: Shellaeasy</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="6.1-mitigation_nx/index.html"><strong aria-hidden="true">2.8.1.</strong> NX/XN/DEP</a></li></ol></li><li class="chapter-item expanded "><a href="07-bof_static/bkp16_simplecalc/index.html"><strong aria-hidden="true">2.9.</strong> BKP'16: SimpleCalc</a></li><li class="chapter-item expanded "><a href="07-bof_static/dcquals19_speedrun1/index.html"><strong aria-hidden="true">2.10.</strong> DCQuals'19: Speedrun1</a></li><li class="chapter-item expanded "><a href="07-bof_static/dcquals16_feedme/index.html"><strong aria-hidden="true">2.11.</strong> DCQuals'16: Feedme</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="7.1-mitigation_canary/index.html"><strong aria-hidden="true">2.11.1.</strong> Canaries/Cookies</a></li><li class="chapter-item expanded "><a href="7.2-mitigation_relro/index.html"><strong aria-hidden="true">2.11.2.</strong> RELRO</a></li></ol></li><li class="chapter-item expanded "><a href="08-bof_dynamic/csaw19_babyboi/index.html"><strong aria-hidden="true">2.12.</strong> CSAW'19: Babyboi</a></li><li class="chapter-item expanded "><a href="08-bof_dynamic/csawquals17_svc/index.html"><strong aria-hidden="true">2.13.</strong> CSAW Quals'17: SVC</a></li><li class="chapter-item expanded "><a href="08-bof_dynamic/fb19_overfloat/index.html"><strong aria-hidden="true">2.14.</strong> FB'19: Overfloat</a></li><li class="chapter-item expanded "><a href="08-bof_dynamic/hs19_storytime/index.html"><strong aria-hidden="true">2.15.</strong> HS'19: Storytime</a></li></ol></li><li class="chapter-item expanded "><a href="fmt.html"><strong aria-hidden="true">3.</strong> Format Strings</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="10-fmt_strings/backdoor17_bbpwn/index.html"><strong aria-hidden="true">3.1.</strong> Backdoor'17: bbpwn</a></li><li class="chapter-item expanded "><a href="10-fmt_strings/pico18_echo/index.html"><strong aria-hidden="true">3.2.</strong> PicoCTF'18: echo</a></li><li class="chapter-item expanded "><a href="10-fmt_strings/tw16_greeting/index.html"><strong aria-hidden="true">3.3.</strong> TokyoWesterns'16: Greeting</a></li></ol></li><li class="chapter-item expanded "><a href="indexing.html"><strong aria-hidden="true">4.</strong> Array Indexing</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="11-index/csaw18_doubletrouble/index.html"><strong aria-hidden="true">4.1.</strong> CSAW'18: DoubleTrouble</a></li><li class="chapter-item expanded "><a href="11-index/dcq16_xkcd/index.html"><strong aria-hidden="true">4.2.</strong> DCQ'16: XKCD</a></li><li class="chapter-item expanded "><a href="11-index/sunshinectf2017_alternatesolution/index.html"><strong aria-hidden="true">4.3.</strong> SunshineCTF'17: Alt. Solution</a></li><li class="chapter-item expanded "><a href="11-index/swampctf19_dreamheaps/index.html"><strong aria-hidden="true">4.4.</strong> SwampCTF'19: Dreamheaps</a></li></ol></li><li class="chapter-item expanded "><a href="randomness.html"><strong aria-hidden="true">5.</strong> Bad Seed</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="09-bad_seed/h3_time/index.html"><strong aria-hidden="true">5.1.</strong> H3: Time</a></li><li class="chapter-item expanded "><a href="09-bad_seed/hsctf19_tuxtalkshow/reamde.html"><strong aria-hidden="true">5.2.</strong> HSCTF'19: Tuxtalkshow</a></li><li class="chapter-item expanded "><a href="09-bad_seed/sunshinectf17_prepared/index.html"><strong aria-hidden="true">5.3.</strong> SunshineCTF'17: Prepared</a></li></ol></li><li class="chapter-item expanded "><a href="z3_angr.html"><strong aria-hidden="true">6.</strong> Z3 &amp; Symbolic Execution (angr)</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="12-z3/hs19_abyte/index.html"><strong aria-hidden="true">6.1.</strong> HS'19: abyte</a></li><li class="chapter-item expanded "><a href="12-z3/tokyowesterns17_revrevrev/index.html"><strong aria-hidden="true">6.2.</strong> TokyoWesterns'17: revrevrev</a></li><li class="chapter-item expanded "><a href="12-z3/tuctf_future/index.html"><strong aria-hidden="true">6.3.</strong> TUCTF: Future</a></li><li class="chapter-item expanded "><a href="13-angr/defcamp_r100/index.html"><strong aria-hidden="true">6.4.</strong> DEFCamp: r100</a></li><li class="chapter-item expanded "><a href="13-angr/plaid19_icancount/index.html"><strong aria-hidden="true">6.5.</strong> PlaidCTF'19: icancount</a></li><li class="chapter-item expanded "><a href="13-angr/securityfest_fairlight/index.html"><strong aria-hidden="true">6.6.</strong> SecurityFest Fairlight</a></li></ol></li><li class="chapter-item expanded "><a href="rop.html"><strong aria-hidden="true">7.</strong> Return Oriented Programming (ROP)</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="15-partial_overwrite/index.html"><strong aria-hidden="true">7.1.</strong> Partial Overwrite</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="15-partial_overwrite/hacklu15_stackstuff/index.html"><strong aria-hidden="true">7.1.1.</strong> Hack.lu'15: stackstuff</a></li><li class="chapter-item expanded "><a href="15-partial_overwrite/tamu19_pwn2/index.html"><strong aria-hidden="true">7.1.2.</strong> TAMU'19: pwn2</a></li><li class="chapter-item expanded "><a href="15-partial_overwrite/tuctf17_vulnchat2/index.html"><strong aria-hidden="true">7.1.3.</strong> TUCTF'17: vulnchat2</a></li></ol></li><li class="chapter-item expanded "><a href="17-stack_pivot/index.html"><strong aria-hidden="true">7.2.</strong> Stack Pivoting</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="17-stack_pivot/dcquals19_speedrun4/index.html"><strong aria-hidden="true">7.2.1.</strong> DCQuals'19: speedrun4</a></li><li class="chapter-item expanded "><a href="17-stack_pivot/insomnihack18_onewrite/index.html"><strong aria-hidden="true">7.2.2.</strong> Insomnihack'18: onewrite</a></li><li class="chapter-item expanded "><a href="17-stack_pivot/seccon19_sum/index.html"><strong aria-hidden="true">7.2.3.</strong> SECCON'19: sum</a></li><li class="chapter-item expanded "><a href="17-stack_pivot/xctf16_b0verflow/index.html"><strong aria-hidden="true">7.2.4.</strong> XCTF'16: b0verflow</a></li></ol></li><li class="chapter-item expanded "><a href="16-srop/index.html"><strong aria-hidden="true">7.3.</strong> SIGROP (SROP)</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="16-srop/backdoor_funsignals/index.html"><strong aria-hidden="true">7.3.1.</strong> BackdoorCTF: funsigals</a></li><li class="chapter-item expanded "><a href="16-srop/csaw19_smallboi/index.html"><strong aria-hidden="true">7.3.2.</strong> CSAW'19: smallboi</a></li><li class="chapter-item expanded "><a href="16-srop/inctf17_stupidrop/index.html"><strong aria-hidden="true">7.3.3.</strong> InCTF'17: stupidrop</a></li><li class="chapter-item expanded "><a href="16-srop/swamp19_syscaller/index.html"><strong aria-hidden="true">7.3.4.</strong> SwampCTF'19: syscaller</a></li></ol></li><li class="chapter-item expanded "><a href="18-ret2_csu_dl/index.html"><strong aria-hidden="true">7.4.</strong> ret2csu</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="18-ret2_csu_dl/0ctf18_babystack/index.html"><strong aria-hidden="true">7.4.1.</strong> 0CTF'18: babystack</a></li><li class="chapter-item expanded "><a href="18-ret2_csu_dl/ropemporium_ret2csu/index.html"><strong aria-hidden="true">7.4.2.</strong> ROPEmporium</a></li></ol></li><li class="chapter-item expanded "><a href="14-ret_2_system/index.html"><strong aria-hidden="true">7.5.</strong> ret2system</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="14-ret_2_system/asis17_marymorton/index.html"><strong aria-hidden="true">7.5.1.</strong> ASIS'17: marymorton</a></li><li class="chapter-item expanded "><a href="14-ret_2_system/hxp18_poorCanary/index.html"><strong aria-hidden="true">7.5.2.</strong> HXP'18: poorCanary</a></li><li class="chapter-item expanded "><a href="14-ret_2_system/tu_guestbook/index.html"><strong aria-hidden="true">7.5.3.</strong> TUCTF: guestbook</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="25-heap/index.html"><strong aria-hidden="true">8.</strong> Heap Exploitation</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="27-edit_free_chunk/double_free_explanation/index.html"><strong aria-hidden="true">8.1.</strong> Double Frees</a></li><li class="chapter-item expanded "><a href="27-edit_free_chunk/heap_consolidation_explanation/index.html"><strong aria-hidden="true">8.2.</strong> Heap Consolidation</a></li><li class="chapter-item expanded "><a href="27-edit_free_chunk/uaf_explanation/index.html"><strong aria-hidden="true">8.3.</strong> Use-after-Frees</a></li><li class="chapter-item expanded "><a href="24-heap_overflow/protostar_heap0/index.html"><strong aria-hidden="true">8.4.</strong> Protostar: heap0</a></li><li class="chapter-item expanded "><a href="24-heap_overflow/protostar_heap1/index.html"><strong aria-hidden="true">8.5.</strong> Protostar: heap1</a></li><li class="chapter-item expanded "><a href="24-heap_overflow/protostar_heap2/reamdme.html"><strong aria-hidden="true">8.6.</strong> Protostar: heap2</a></li><li class="chapter-item expanded "><a href="30-unlink/unlink_explanation/index.html"><strong aria-hidden="true">8.7.</strong> unlink() Exploitation</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="30-unlink/hitcon14_stkof/index.html"><strong aria-hidden="true">8.7.1.</strong> HITCON'14: stkof</a></li><li class="chapter-item expanded "><a href="30-unlink/zctf16_note2/index.html"><strong aria-hidden="true">8.7.2.</strong> ZCTF'16: note2</a></li></ol></li><li class="chapter-item expanded "><a href="26-heap_grooming/explanation_heap_grooming/index.html"><strong aria-hidden="true">8.8.</strong> Heap Grooming</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="26-heap_grooming/pico_areyouroot/index.html"><strong aria-hidden="true">8.8.1.</strong> PicoCTF: areyouroot</a></li><li class="chapter-item expanded "><a href="26-heap_grooming/swamp19_heapgolf/index.html"><strong aria-hidden="true">8.8.2.</strong> SwampCTF'19: Heap Golf</a></li></ol></li><li class="chapter-item expanded "><a href="28-fastbin_attack/explanation_fastbinAttack/index.html"><strong aria-hidden="true">8.9.</strong> Fastbin Attack</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="28-fastbin_attack/0ctf_babyheap/index.html"><strong aria-hidden="true">8.9.1.</strong> 0CTF: babyheap</a></li><li class="chapter-item expanded "><a href="28-fastbin_attack/csaw17_auir/index.html"><strong aria-hidden="true">8.9.2.</strong> CSAW'17: Auir</a></li></ol></li><li class="chapter-item expanded "><a href="31-unsortedbin_attack/unsorted_explanation/index.html"><strong aria-hidden="true">8.10.</strong> Unsortedbin Attack</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="31-unsortedbin_attack/0ctf16_zerostorage/index.html"><strong aria-hidden="true">8.10.1.</strong> 0CTF'16: zerostorage</a></li><li class="chapter-item expanded "><a href="31-unsortedbin_attack/hitcon_magicheap/index.html"><strong aria-hidden="true">8.10.2.</strong> HITCON: magicheap</a></li></ol></li><li class="chapter-item expanded "><a href="32-largebin_attack/largebin_explanation0/index.html"><strong aria-hidden="true">8.11.</strong> Largebin Attack (part 1)</a></li><li class="chapter-item expanded "><a href="32-largebin_attack/largebin_explanation1/index.html"><strong aria-hidden="true">8.12.</strong> Largebin Attack (part 2)</a></li><li class="chapter-item expanded "><a href="29-tcache/tcache_explanation/index.html"><strong aria-hidden="true">8.13.</strong> GLibc Tcache</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="29-tcache/dcquals19_babyheap/index.html"><strong aria-hidden="true">8.13.1.</strong> DCQuals'19: babyheap</a></li><li class="chapter-item expanded "><a href="29-tcache/plaid19_cpp/index.html"><strong aria-hidden="true">8.13.2.</strong> PlaidCTF'19: cpp</a></li><li class="chapter-item expanded "><a href="44-more_tcache/csaw19_popping_caps0/index.html"><strong aria-hidden="true">8.13.3.</strong> CSAW'19: Popping Caps 1</a></li><li class="chapter-item expanded "><a href="44-more_tcache/csaw19_popping_caps1/index.html"><strong aria-hidden="true">8.13.4.</strong> CSAW'19: Popping Caps 2</a></li></ol></li><li class="chapter-item expanded "><a href="39-house_of_spirit/house_spirit_exp/index.html"><strong aria-hidden="true">8.14.</strong> House of Spirit</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="39-house_of_spirit/hacklu14_oreo/index.html"><strong aria-hidden="true">8.14.1.</strong> Hack.lu'14: Oreo</a></li></ol></li><li class="chapter-item expanded "><a href="40-house_of_lore/house_lore_exp/index.html"><strong aria-hidden="true">8.15.</strong> House of Lore</a></li><li class="chapter-item expanded "><a href="41-house_of_force/house_force_exp/index.html"><strong aria-hidden="true">8.16.</strong> House of Force</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="41-house_of_force/bkp16_cookbook/index.html"><strong aria-hidden="true">8.16.1.</strong> BKP'16: Cookbook</a></li></ol></li><li class="chapter-item expanded "><a href="42-house_of_einherjar/house_einherjar_exp/index.html"><strong aria-hidden="true">8.17.</strong> House of Einherjar</a></li><li class="chapter-item expanded "><a href="43-house_of_orange/house_orange_exp/index.html"><strong aria-hidden="true">8.18.</strong> House of Orange</a></li><li class="chapter-item expanded "><a href="33-custom_misc_heap/index.html"><strong aria-hidden="true">8.19.</strong> Miscellaneous</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="33-custom_misc_heap/csaw17_minesweeper/index.html"><strong aria-hidden="true">8.19.1.</strong> CSAW'17: Minesweeper</a></li><li class="chapter-item expanded "><a href="33-custom_misc_heap/csaw18_alienVSsamurai/index.html"><strong aria-hidden="true">8.19.2.</strong> CSAW'18: alienVSsamurai</a></li><li class="chapter-item expanded "><a href="33-custom_misc_heap/csaw19_traveller/index.html"><strong aria-hidden="true">8.19.3.</strong> CSAW'19: Traveller</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="35-integer_exploitation/index.html"><strong aria-hidden="true">9.</strong> Integer Overflows</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="35-integer_exploitation/int_overflow_post/index.html"><strong aria-hidden="true">9.1.</strong> sploitFUN: vuln</a></li><li class="chapter-item expanded "><a href="35-integer_exploitation/puzzle/index.html"><strong aria-hidden="true">9.2.</strong> Puzzle</a></li><li class="chapter-item expanded "><a href="35-integer_exploitation/signed_unsigned/index.html"><strong aria-hidden="true">9.3.</strong> Signed vs. Unsigned</a></li></ol></li><li class="chapter-item expanded "><a href="37-fs_exploitation/index.html"><strong aria-hidden="true">10.</strong> FILE Exploitation</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="37-fs_exploitation/swamp19_badfile/index.html"><strong aria-hidden="true">10.1.</strong> SwampCTF'19: Bad File</a></li></ol></li><li class="chapter-item expanded "><a href="grabbag.html"><strong aria-hidden="true">11.</strong> Grab Bag</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="19-shellcoding_pt1/index.html"><strong aria-hidden="true">11.1.</strong> Shellcoding</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="19-shellcoding_pt1/csaw18_shellpointcode/index.html"><strong aria-hidden="true">11.1.1.</strong> CSAW'18: Shellpointcode</a></li><li class="chapter-item expanded "><a href="19-shellcoding_pt1/defconquals19_s3/index.html"><strong aria-hidden="true">11.1.2.</strong> DCQuals'19: S3</a></li><li class="chapter-item expanded "><a href="19-shellcoding_pt1/defconquals19_s6/index.html"><strong aria-hidden="true">11.1.3.</strong> DCQuals'19: S6</a></li></ol></li><li class="chapter-item expanded "><a href="20-patching_and_jumping/index.html"><strong aria-hidden="true">11.2.</strong> Patching</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="20-patching_and_jumping/csawquals16_gametime/index.html"><strong aria-hidden="true">11.2.1.</strong> CSAW Quals'16: gametime</a></li><li class="chapter-item expanded "><a href="20-patching_and_jumping/dcquals18_elfcrumble/index.html"><strong aria-hidden="true">11.2.2.</strong> DCQuals'18: ELFCrumble</a></li><li class="chapter-item expanded "><a href="20-patching_and_jumping/plaid19_ppp/index.html"><strong aria-hidden="true">11.2.3.</strong> Plaid'19: PPP</a></li></ol></li><li class="chapter-item expanded "><a href="21-dot_net/index.html"><strong aria-hidden="true">11.3.</strong> .NET</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="21-dot_net/bikinibonanza/index.html"><strong aria-hidden="true">11.3.1.</strong> Bikinibonanza</a></li><li class="chapter-item expanded "><a href="21-dot_net/dot_net/index.html"><strong aria-hidden="true">11.3.2.</strong> CSAW'13: DotNetReversing</a></li><li class="chapter-item expanded "><a href="21-dot_net/whitehat18_re06/index.html"><strong aria-hidden="true">11.3.3.</strong> Whitehat'18: re06</a></li></ol></li><li class="chapter-item expanded "><a href="36-obfuscated_reversing/index.html"><strong aria-hidden="true">11.4.</strong> Obfuscation</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="36-obfuscated_reversing/bkp16_unholy/index.html"><strong aria-hidden="true">11.4.1.</strong> BKP'16: Unholy</a></li><li class="chapter-item expanded "><a href="36-obfuscated_reversing/csaw15_wyvern/index.html"><strong aria-hidden="true">11.4.2.</strong> CSAW'15: Wyvern</a></li><li class="chapter-item expanded "><a href="36-obfuscated_reversing/csaw17_prophecy/index.html"><strong aria-hidden="true">11.4.3.</strong> CSAW'17: Prophecy</a></li><li class="chapter-item expanded "><a href="22-movfuscation/index.html"><strong aria-hidden="true">11.4.4.</strong> MOVfuscation</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="22-movfuscation/asis18_babyc/index.html"><strong aria-hidden="true">11.4.4.1.</strong> ASIS'18: babyc</a></li><li class="chapter-item expanded "><a href="22-movfuscation/recon_movfuscated/index.html"><strong aria-hidden="true">11.4.4.2.</strong> RECON: movfuscated</a></li><li class="chapter-item expanded "><a href="22-movfuscation/swamp19_future/index.html"><strong aria-hidden="true">11.4.4.3.</strong> SwampCTF'19: Future Fun</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="23-custom_architecture/index.html"><strong aria-hidden="true">11.5.</strong> Custom Architecture</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="23-custom_architecture/h3_h3machine0/index.html"><strong aria-hidden="true">11.5.1.</strong> H3Machine (part 1)</a></li><li class="chapter-item expanded "><a href="23-custom_architecture/h3_h3machine1/index.html"><strong aria-hidden="true">11.5.2.</strong> H3Machine (part 2)</a></li><li class="chapter-item expanded "><a href="23-custom_architecture/h3_h3machine2/index.html"><strong aria-hidden="true">11.5.3.</strong> H3Machine (part 3)</a></li><li class="chapter-item expanded "><a href="23-custom_architecture/h3_h3machine3/index.html"><strong aria-hidden="true">11.5.4.</strong> H3Machine (part 4)</a></li></ol></li><li class="chapter-item expanded "><a href="34-emulated_targets/index.html"><strong aria-hidden="true">11.6.</strong> Emulation</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="34-emulated_targets/csaw15_hackingtime/index.html"><strong aria-hidden="true">11.6.1.</strong> CSAW'15: Hackingtime</a></li><li class="chapter-item expanded "><a href="34-emulated_targets/csaw17_realism/index.html"><strong aria-hidden="true">11.6.2.</strong> CSAW'17: Realism</a></li><li class="chapter-item expanded "><a href="34-emulated_targets/csaw18_x86_pt2/index.html"><strong aria-hidden="true">11.6.3.</strong> CSAW'18: x86 Pt.2</a></li></ol></li><li class="chapter-item expanded "><a href="38-grab_bad/uninit_vars/index.html"><strong aria-hidden="true">11.7.</strong> Uninitialized Variables</a></li><li class="chapter-item expanded "><a href="38-grab_bad/csaw18_doubletrouble/index.html"><strong aria-hidden="true">11.8.</strong> CSAW'18: Doubletrouble</a></li><li class="chapter-item expanded "><a href="38-grab_bad/csaw19_gibberishCheck/index.html"><strong aria-hidden="true">11.9.</strong> CSAW'19: Gibberishcheck</a></li><li class="chapter-item expanded "><a href="38-grab_bad/hackim19_shop/index.html"><strong aria-hidden="true">11.10.</strong> HackIM'19: Shop</a></li></ol></li><li class="chapter-item expanded "><a href="45-automatic_exploit_generation/index.html">Auto Pwning</a></li><li class="chapter-item expanded affix "><a href="next/index.html">What's Next</a></li><li class="chapter-item expanded affix "><a href="references/index.html">References</a></li></ol>
            </div>
            <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
        </nav>

        <div id="page-wrapper" class="page-wrapper">

            <div class="page">
                
                <div id="menu-bar-hover-placeholder"></div>
                <div id="menu-bar" class="menu-bar sticky bordered">
                    <div class="left-buttons">
                        <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
                            <i class="fa fa-bars"></i>
                        </button>
                        <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
                            <i class="fa fa-paint-brush"></i>
                        </button>
                        <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
                            <li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="navy">Navy (default)</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
                        </ul>
                        
                        <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
                            <i class="fa fa-search"></i>
                        </button>
                        
                    </div>

                    <h1 class="menu-title">Nightmare</h1>

                    <div class="right-buttons">
                        <a href="print.html" title="Print this book" aria-label="Print this book">
                            <i id="print-button" class="fa fa-print"></i>
                        </a>
                        
                        <a href="https://github.com/guyinatuxedo/nightmare/" title="Git repository" aria-label="Git repository">
                            <i id="git-repository-button" class="fa fa-github"></i>
                        </a>
                        
                    </div>
                </div>

                
                <div id="search-wrapper" class="hidden">
                    <form id="searchbar-outer" class="searchbar-outer">
                        <input type="search" name="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
                    </form>
                    <div id="searchresults-outer" class="searchresults-outer hidden">
                        <div id="searchresults-header" class="searchresults-header"></div>
                        <ul id="searchresults">
                        </ul>
                    </div>
                </div>
                

                <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
                <script type="text/javascript">
                    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
                    document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
                    Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
                        link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
                    });
                </script>

                <div id="content" class="content">
                    <main>
                        <h1><a class="header" href="#nightmare" id="nightmare">Nightmare</a></h1>
<p>Nightmare is an intro to binary exploitation / reverse engineering course based around ctf challenges. I call it that because it's a lot of people's nightmare to get hit by weaponized 0 days, which these skills directly translate into doing that type of work (plus it's a really cool song).</p>
<h2><a class="header" href="#what-makes-nightmare-different" id="what-makes-nightmare-different">What makes Nightmare different?</a></h2>
<p>It's true there are a lot of resources out there to learn binary exploitation / reverse engineering skills, so what makes this different?</p>
<pre><code>*    Amount of Content             -    There is a large amount of content in this course (currently over 90 challenges), laid out in a linear fashion.

*    Well Documented Write Ups         -    Each challenge comes with a well documented writeup explaining how to go from being handed the binary to doing the exploit dev.

*    Multiple Problems per Topic     -    Most modules have multiple different challenges. This way you can use one to learn how the attack works, and then apply it to the others. Also different iterations of the problem will have knowledge needed to solve it.

*    Using all open source tools     -    All the tools used here are free and open sourced. No IDA torrent needed.

*    A Place to Ask Questions         -    So if you have a problem that you've been working for days and can't get anywhere (and google isn't helping).
</code></pre>
<p>I have found that resources that have many of these things to be few and far between. As a result it can make learning these skills difficult since you don't really know what to learn, or how to learn it. This is essentially my attempt to help fix some of those problems.</p>
<h2><a class="header" href="#static-site" id="static-site">Static Site</a></h2>
<p>If you want, there is a static github pages site which people say looks better: https://guyinatuxedo.github.io/</p>
<p>If you want to manually build the site, I just used mdbook. After installing rust and cargo, just install mdbook with <code>sudo cargo install mdbook</code>. Then just run <code>mdbook build</code>.</p>
<h2><a class="header" href="#github" id="github">Github</a></h2>
<p>A copy of all of the challenges listed, can be found on the github: https://github.com/guyinatuxedo/nightmare</p>
<h2><a class="header" href="#special-thanks" id="special-thanks">Special Thanks</a></h2>
<p>Special thanks to these people:</p>
<pre><code>noopnoop     -    For dealing with me
digitalcold  -    For showing me how good nightmare could look with mdbook
you nerds     -    For looking at this
</code></pre>
<h2><a class="header" href="#discord" id="discord">Discord</a></h2>
<p>If you get stuck on something for hours on end and google can't answer your question, try asking in the discord (or if you just feel like talking about cool security things). Here is a link to it <code>https://discord.gg/p5E3VZF</code></p>
<p>Also if you notice any typos or mistakes, feel free to mention it in the Discord. With how much content is here, there is bound to be at least one.</p>
<h1><a class="header" href="#index" id="index">Index</a></h1>
<p>Here is the index for all of the content in this course. Feel free to go through the whole thing, or only parts of it (don't let me tell you how to live your life). For the order that you do the challenges in a module, I would recommend starting with the first.</p>
<h2><a class="header" href="#intro-departure" id="intro-departure">Intro Departure</a></h2>
<h4><a class="header" href="#0-intro-to-the-project" id="0-intro-to-the-project">0.) Intro to the Project</a></h4>
<h4><a class="header" href="#1-intro-to-assembly" id="1-intro-to-assembly">1.) Intro to Assembly</a></h4>
<ul>
<li>Intro to assembly</li>
<li>Sample assembly reverse challs</li>
</ul>
<h4><a class="header" href="#2-intro-to-tooling" id="2-intro-to-tooling">2.) Intro to Tooling</a></h4>
<ul>
<li>gdb-gef</li>
<li>pwntools</li>
<li>ghidra</li>
</ul>
<h4><a class="header" href="#3-beginner-re" id="3-beginner-re">3.) Beginner RE</a></h4>
<ul>
<li>pico18_strings</li>
<li>helithumper_re</li>
<li>csaw18_tourofx86pt1</li>
<li>csaw19_beleaf</li>
</ul>
<h2><a class="header" href="#stack-pt-0-stack-tendencies" id="stack-pt-0-stack-tendencies">Stack pt 0 Stack Tendencies</a></h2>
<h4><a class="header" href="#4-buffer-overflow-of-variables" id="4-buffer-overflow-of-variables">4.) Buffer Overflow of Variables</a></h4>
<ul>
<li>Csaw18/boi</li>
<li>TokyoWesterns17/just_do_it</li>
<li>Tamu19_pwn1</li>
</ul>
<h4><a class="header" href="#5-buffer-overflow-call-function" id="5-buffer-overflow-call-function">5.) Buffer Overflow Call Function</a></h4>
<ul>
<li>Csaw18_getit</li>
<li>Tu17_vulnchat</li>
<li>Csaw16_warmup</li>
</ul>
<h4><a class="header" href="#51-aslrpie-intro" id="51-aslrpie-intro">5.1) aslr/pie intro</a></h4>
<ul>
<li>quick aslr/pie explanation</li>
</ul>
<h4><a class="header" href="#6-buffer-overflow-call-shellcode" id="6-buffer-overflow-call-shellcode">6.) Buffer Overflow Call Shellcode</a></h4>
<ul>
<li>Tamu19_pwn3</li>
<li>Csaw17_pilot</li>
<li>Tu18_shelleasy</li>
</ul>
<h4><a class="header" href="#61-nx-intro" id="61-nx-intro">6.1) nx intro</a></h4>
<ul>
<li>nx explanation</li>
</ul>
<h4><a class="header" href="#7-rop-chain-statically-compiled" id="7-rop-chain-statically-compiled">7.) ROP Chain Statically compiled</a></h4>
<ul>
<li>dcquals19_speedrun1</li>
<li>bkp16_simplecalc</li>
<li>dcquals16_feedme</li>
</ul>
<h4><a class="header" href="#71-stack-canary-intro" id="71-stack-canary-intro">7.1) stack canary intro</a></h4>
<ul>
<li>stack canary introduction</li>
</ul>
<h4><a class="header" href="#72-relro-intro" id="72-relro-intro">7.2) relro intro</a></h4>
<ul>
<li>relro introduction</li>
</ul>
<h4><a class="header" href="#8-rop-dynamically-compiled" id="8-rop-dynamically-compiled">8.) ROP Dynamically Compiled</a></h4>
<ul>
<li>csaw17_svc</li>
<li>fb19_overfloat</li>
<li>hs19_storytime</li>
<li>csaw19_babyboi</li>
<li>utc19_shellme</li>
</ul>
<h2><a class="header" href="#general-pt-0-stardust-challenges" id="general-pt-0-stardust-challenges">General pt 0 Stardust Challenges</a></h2>
<h4><a class="header" href="#9-bad-seed" id="9-bad-seed">9.) Bad Seed</a></h4>
<ul>
<li>h3_time</li>
<li>hsctf19_tuxtalkshow</li>
<li>sunshinectf17_prepared</li>
</ul>
<h4><a class="header" href="#10-format-strings" id="10-format-strings">10.) Format strings</a></h4>
<ul>
<li>backdoor17_bbpwn</li>
<li>twesterns16_greeting</li>
<li>pico_echo</li>
<li>watevr19_betstar</li>
</ul>
<h4><a class="header" href="#11-index-array" id="11-index-array">11.) Index Array</a></h4>
<ul>
<li>dcquals16_xkcd</li>
<li>sawmpctf19_dreamheaps</li>
<li>sunshinectf2017_alternativesolution</li>
</ul>
<h4><a class="header" href="#12-z3" id="12-z3">12.) Z3</a></h4>
<ul>
<li>tokyowesterns17_revrevrev</li>
<li>tuctf_future</li>
<li>hsctf19_abyte</li>
</ul>
<h4><a class="header" href="#13-angr" id="13-angr">13.) Angr</a></h4>
<ul>
<li>securityfest_fairlight</li>
<li>plaid19_icancount</li>
<li>defcamp15_r100</li>
</ul>
<h2><a class="header" href="#stack-pt-1-return-to-stack-truly-a-perfect-game" id="stack-pt-1-return-to-stack-truly-a-perfect-game">Stack pt 1 Return to Stack, truly a perfect game</a></h2>
<h4><a class="header" href="#14-ret2system" id="14-ret2system">14.) Ret2system</a></h4>
<ul>
<li>asis17_marymorton</li>
<li>hxp18_poorcanary</li>
<li>tu_guestbook</li>
</ul>
<h4><a class="header" href="#15-partial-overwrite" id="15-partial-overwrite">15.) Partial Overwrite</a></h4>
<ul>
<li>Tu17_vulnchat2</li>
<li>Tamu19_pwn2</li>
<li>hacklu15_stackstuff</li>
</ul>
<h4><a class="header" href="#16-srop" id="16-srop">16.) SROP</a></h4>
<ul>
<li>backdoorctf_funsignals</li>
<li>inctf17_stupiddrop</li>
<li>swamp19_syscaller</li>
<li>csaw19_smallboi</li>
</ul>
<h4><a class="header" href="#17-stack-pivot--partial-overwrite" id="17-stack-pivot--partial-overwrite">17.) Stack Pivot / Partial Overwrite</a></h4>
<ul>
<li>defconquals19_speedrun4</li>
<li>insomnihack18_onewrite</li>
<li>xctf16_b0verfl0w</li>
</ul>
<h4><a class="header" href="#18-ret2csu--ret2dl" id="18-ret2csu--ret2dl">18.) Ret2Csu / Ret2dl</a></h4>
<ul>
<li>ropemporium_ret2csu</li>
<li>0ctf 2018 babystack</li>
</ul>
<h2><a class="header" href="#general-pt-1-armstrong-challenges" id="general-pt-1-armstrong-challenges">General pt 1 Armstrong challenges</a></h2>
<h4><a class="header" href="#19-shellcoding-pt-1" id="19-shellcoding-pt-1">19.) Shellcoding pt 1</a></h4>
<ul>
<li>defconquals19_s3</li>
<li>Csaw18_shellpointcode</li>
<li>defconquals19_s6</li>
</ul>
<h4><a class="header" href="#20-patchingjumping" id="20-patchingjumping">20.) Patching/Jumping</a></h4>
<ul>
<li>dcquals18_elfcrumble</li>
<li>plaid19_plaid_part_planning_III</li>
<li>csaw16_gametime</li>
</ul>
<h4><a class="header" href="#21-net-reversing" id="21-net-reversing">21.) .NET Reversing</a></h4>
<ul>
<li>csaw13_dotnet</li>
<li>csaw13_bikinibonanza</li>
<li>whitehat18_re06</li>
</ul>
<h4><a class="header" href="#22-movfuscation" id="22-movfuscation">22.) Movfuscation</a></h4>
<ul>
<li>sawmpctf19_future</li>
<li>asis18quals_babyc</li>
<li>other_movfuscated</li>
</ul>
<h4><a class="header" href="#23-custom-architectures" id="23-custom-architectures">23.) Custom Architectures</a></h4>
<ul>
<li>h3_challenge0</li>
<li>h3_challenge1</li>
<li>h3_challenge2</li>
<li>h3_challenge3</li>
</ul>
<h2><a class="header" href="#heap-pt-0-rip-angel-beats" id="heap-pt-0-rip-angel-beats">Heap Pt 0 rip Angel Beats</a></h2>
<h4><a class="header" href="#24-basic-heap-overflow" id="24-basic-heap-overflow">24.) Basic Heap overflow</a></h4>
<ul>
<li>protostar_heap1</li>
<li>protostar_heap0</li>
<li>protostar_heap2</li>
</ul>
<h4><a class="header" href="#25-intro-to-heap-exploitation--binning" id="25-intro-to-heap-exploitation--binning">25.) Intro to heap exploitation / binning</a></h4>
<ul>
<li>explanation</li>
</ul>
<h4><a class="header" href="#26-heap-grooming" id="26-heap-grooming">26.) Heap Grooming</a></h4>
<ul>
<li>explanation</li>
<li>swamp19_heapgolf</li>
<li>pico_areyouroot</li>
</ul>
<h4><a class="header" href="#27-edit-freed-chunk-pure-explanation" id="27-edit-freed-chunk-pure-explanation">27.) Edit Freed Chunk (pure explanation)</a></h4>
<ul>
<li>Use After Free</li>
<li>Double Free</li>
<li>Null Byte Heap Consolidation</li>
</ul>
<h4><a class="header" href="#28-fastbin-attack" id="28-fastbin-attack">28.) Fastbin Attack</a></h4>
<ul>
<li>explanation</li>
<li>0ctf18_babyheap</li>
<li>csaw17_auir</li>
</ul>
<h4><a class="header" href="#29-tcache" id="29-tcache">29.) tcache</a></h4>
<ul>
<li>explanation</li>
<li>dcquals19_babyheap</li>
<li>plaid19_cpp</li>
</ul>
<h4><a class="header" href="#30-unlink" id="30-unlink">30.) unlink</a></h4>
<ul>
<li>explanation</li>
<li>hitcon14_stkof</li>
<li>zctf16_note</li>
</ul>
<h4><a class="header" href="#31-unsorted-bin-attack" id="31-unsorted-bin-attack">31.) Unsorted Bin Attack</a></h4>
<ul>
<li>explanation</li>
<li>hitcon_magicheap</li>
<li>0ctf16_zer0storage</li>
</ul>
<h4><a class="header" href="#32-large-bin-attack" id="32-large-bin-attack">32.) Large Bin Attack</a></h4>
<ul>
<li>largebin0_explanation</li>
<li>largebin1_explanation</li>
</ul>
<h4><a class="header" href="#33-custom-malloc" id="33-custom-malloc">33.) Custom Malloc</a></h4>
<ul>
<li>csawquals17_minesweeper</li>
<li>csawquals18_AliensVSSamurai</li>
<li>csawquals19_traveller</li>
</ul>
<h2><a class="header" href="#general-pt-2-generic-isekai-367" id="general-pt-2-generic-isekai-367">General Pt 2 Generic Isekai #367</a></h2>
<h4><a class="header" href="#34-qemu--emulated-targets" id="34-qemu--emulated-targets">34.) Qemu / Emulated Targets</a></h4>
<ul>
<li>csaw18_tour_of_x86_pt_2</li>
<li>csaw15_hackingtime</li>
<li>csaw17_realism</li>
</ul>
<h4><a class="header" href="#35-integer-exploitation" id="35-integer-exploitation">35.) Integer Exploitation</a></h4>
<ul>
<li>puzzle</li>
<li>int_overflow_post</li>
<li>signed_unsigned_int_expl</li>
</ul>
<h4><a class="header" href="#36-obfuscated-reversing" id="36-obfuscated-reversing">36.) Obfuscated Reversing</a></h4>
<ul>
<li>csaw15_wyvern</li>
<li>csaw17_prophecy</li>
<li>bkp16_unholy</li>
</ul>
<h4><a class="header" href="#37-fs-exploitation" id="37-fs-exploitation">37.) FS Exploitation</a></h4>
<ul>
<li>swamp19_badfile</li>
</ul>
<h4><a class="header" href="#38-grab-bag" id="38-grab-bag">38.) Grab Bag</a></h4>
<ul>
<li>csaw18_doubletrouble</li>
<li>hackim19_shop</li>
<li>unit_vars_expl</li>
<li>csaw19_gibberish</li>
</ul>
<h2><a class="header" href="#heap-pt-1-heap-x-heap" id="heap-pt-1-heap-x-heap">Heap pt 1 heap x heap</a></h2>
<h4><a class="header" href="#39-house-of-spirit" id="39-house-of-spirit">39.) House of Spirit</a></h4>
<ul>
<li>explanation</li>
<li>hacklu14_oreo</li>
</ul>
<h4><a class="header" href="#40-house-of-lore" id="40-house-of-lore">40.) House of Lore</a></h4>
<ul>
<li>explanation</li>
</ul>
<h4><a class="header" href="#41-house-of-force" id="41-house-of-force">41.) House of Force</a></h4>
<ul>
<li>explanation</li>
<li>bkp16_cookbook</li>
</ul>
<h4><a class="header" href="#42-house-of-einherjar" id="42-house-of-einherjar">42.) House of Einherjar</a></h4>
<ul>
<li>explanation</li>
</ul>
<h4><a class="header" href="#43-house-of-orange" id="43-house-of-orange">43.) House of Orange</a></h4>
<ul>
<li>explanation</li>
</ul>
<h4><a class="header" href="#44-more-tcache" id="44-more-tcache">44.) More tcache</a></h4>
<ul>
<li>csaw19_poppingCaps0</li>
<li>csaw19_poppingCaps1</li>
</ul>
<h4><a class="header" href="#45-automatic-exploit-generation" id="45-automatic-exploit-generation">45.) Automatic Exploit Generation</a></h4>
<ul>
<li>csaw20_rop</li>
</ul>
<h4><a class="header" href="#ending-documentation" id="ending-documentation">Ending Documentation</a></h4>
<ul>
<li>References</li>
<li>What's next</li>
</ul>

                    </main>

                    <nav class="nav-wrapper" aria-label="Page navigation">
                        <!-- Mobile navigation buttons -->
                        

                        
                            <a rel="next" href="00-intro/index.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                                <i class="fa fa-angle-right"></i>
                            </a>
                        

                        <div style="clear: both"></div>
                    </nav>
                </div>
            </div>

            <nav class="nav-wide-wrapper" aria-label="Page navigation">
                

                
                    <a rel="next" href="00-intro/index.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                        <i class="fa fa-angle-right"></i>
                    </a>
                
            </nav>

        </div>

        

        

        

        
        <script type="text/javascript">
            window.playground_copyable = true;
        </script>
        

        

        
        <script src="elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
        <script src="mark.min.js" type="text/javascript" charset="utf-8"></script>
        <script src="searcher.js" type="text/javascript" charset="utf-8"></script>
        

        <script src="clipboard.min.js" type="text/javascript" charset="utf-8"></script>
        <script src="highlight.js" type="text/javascript" charset="utf-8"></script>
        <script src="book.js" type="text/javascript" charset="utf-8"></script>

        <!-- Custom JS scripts -->
        

        

    </body>
</html>