How to properly overflow 2D coordinates on an overflowing/circular map?

I made a simple Snake game designed for trying Snake bots. I thought the base map functions work, but now I found there is an error. What I need is to properly translate any coordinates outside the actual map to coordinates within it.

For example, if you’re at the right edge of a 10×10 map and you go to (zero-indexed) [10, 5], you’d expect to pop out at [0, 5]. That works in my implementation, but not the negative overflow. I tried a lot of formulas in the dev console and just can’t figure it out. Consider this code:

    /**
     * Normalizes overflow of a point so that it is within the map
     * @param {number|Vector2} x
     * @param {number} y
     * @returns {Vector2}
     */
    normalizePoint(x, y) {
        if (x instanceof Vector2) {
            y = x.y;
            x = x.x;
        }

        // auto overflow
        if (x >= this.size) {
            x = (x % this.size);
        }
        else if (x < 0) {
            // ???
        }
        if (y >= this.size) {
            y = (y % this.size);
        }
        else if (y < 0) {
            // one of the formulae I tried, does not work for all values
            y = this.size + (y-1) % this.size;
        }
        return new Vector2(x, y);
    }

Vector2 is a simple object with properties x and y. this.size represents the map size. For negative coordinates, I am not getting the correct results. I want overflowing X and Y coords to resolve to the same numbers. For example for a 5×5 map, all rows should be equal X coords after normalizing:

Real map coord X: 0 1 2 3 4
Negative alternatives: -5 -4 -3 -2 -1
Negative alternatives: -10 -9 -8 -7 -6

I would prefer it to be an O(1) formula, rather than some weird loop. With a loop, I solved it like this:

    if (x < 0) {
        while (x < 0) {
            x += this.size;
        }
    }
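
An O(1) way to do the wrap asked about above, as an added example that is not part of the original post. `Vector2` and `GameMap` are minimal stand-ins for the asker's classes, and `wrap` and `rowsMatch` are hypothetical helper names.

```javascript
// Added example; Vector2 and GameMap are minimal stand-ins for the asker's classes.
class Vector2 {
    constructor(x, y) { this.x = x; this.y = y; }
}

// JavaScript's % is a remainder that keeps the sign of the dividend
// (-1 % 5 === -1, and -5 % 5 === -0), so a single % cannot wrap negatives.
// Adding the size and reducing again maps every integer into [0, size).
function wrap(value, size) {
    return ((value % size) + size) % size;
}

class GameMap {
    constructor(size) { this.size = size; }

    normalizePoint(x, y) {
        if (x instanceof Vector2) {
            y = x.y;
            x = x.x;
        }
        return new Vector2(wrap(x, this.size), wrap(y, this.size));
    }
}

// Checks the rows from the question: for a map of the given size, the
// coordinates i, i - size, i - 2*size and i + size must all normalize to i.
function rowsMatch(size) {
    const map = new GameMap(size);
    for (const offset of [0, -size, -2 * size, size]) {
        for (let i = 0; i < size; i++) {
            const p = map.normalizePoint(i + offset, i + offset);
            if (p.x !== i || p.y !== i) return false;
        }
    }
    return true;
}

console.log(rowsMatch(5), new GameMap(10).normalizePoint(-1, -11));
```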

body overflow hidden but keep browser’s native scrollbar

I’m using the locomotive scroll library for smooth scrolling. The JS file of this library creates a custom scrollbar on the body, and there is even an option to disable it.

See the demo of the locomotive library: CodePen demo here

The CSS part of this library makes the native scrollbar hidden.

    html.has-scroll-smooth {
      overflow: hidden;
    }

I need the browser’s native scrollbar to be there, and for that I set overflow: auto.

    html.has-scroll-smooth {
      overflow: auto;
    }

But it creates extra whitespace. Is there any way to keep the browser’s native scrollbar?

The tweaks I’ve made: CodePen demo here

Buffer overflow Mona modules all show Rebase SafeSEH ASLR True

Almost every beginner (noob-friendly) tutorial written for stack-based buffer overflows explains that, when using a mona module to locate a safe, reliable memory address for our EIP to JMP to our shellcode, the module should have Rebase, SafeSEH and ASLR disabled.

However in a recent stack based buffer overflow challenge, all the modules mona provided showed they were protected except for the executable itself.

I used a module (DLL) that had those protections shown by mona to JMP to my shellcode and successfully execute my shellcode which really confused me.

If the executable itself is not protected, does that mean we can use any DLL to JMP to our shellcode? If not, what is the proper way to handle this situation?

Bypass ASLR in buffer overflow

I am new to buffer overflows and I have some questions:

0- Are all DLL files in Windows loaded into memory, or only some of them? If only some of them, who tells Windows to load this one and leave that one?

1- How does an .exe program know a DLL’s functions’ memory locations after it (the program) has become an exe file (0,1), while ASLR is enabled and the location changes every time Windows reboots?

2- Why don’t we use its method to find a (call/jmp esp)’s location in a buffer overflow when ASLR is enabled?

3- I want resources to study the basics of how an OS works and the reverse engineering that I need as a pentester, not as a malware analyst or reverse engineer.

Any exploit details regarding CVE-2019-3846 : Linux Kernel ‘marvell/mwifiex/scan.c’ Heap Buffer Overflow Vulnerability

How to get this exploit working or any method for this.

I have seen and read a lot about this issue at various references

It is seen that various Linux versions < 8 are vulnerable to this issue

Linux Kernel ‘marvell/mwifiex/scan.c’ Heap Buffer Overflow Vulnerability

Issue Description: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.

Can you share exploit details regarding this?

https://vulners.com/cve/CVE-2019-3846 https://www.securityfocus.com/bid/69867/exploit : NO exploit there

Any tips on how to exploit this.

Procedure for finding if Overflow occurs on addition

I have two 4-bit 2’s complement numbers a,b, and their sum in s (Also a 4-bit 2’s complement number). Using only the basic logical operations, I need to write a procedure to find if an overflow occurs. If there is an overflow, the output needs to be 1000 otherwise it is 0000.

The inputs in this procedure are a, b, s, and the output is 1000 or 0000 depending on the inputs. I am allowed to use the AND, OR and NOT operators.

I know that there is an overflow if a and b have the same most significant bit and c has a different most significant bit but can’t seem to figure out what the expression should be except that whatever the result is, needs to be ANDed with 1000 for the final result. How do I solve this?
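
One expression that meets the constraints in the question above, checked against every pair of 4-bit inputs. This is an added example, not part of the original post; the function names are hypothetical, and `a`, `b`, `s` are assumed to hold the 4-bit values in the low four bits of an integer.

```javascript
// Added example. Only AND (&), OR (|) and NOT (~) appear in the detector.
// Bit 3 (mask 1000) is the sign bit of a 4-bit two's complement number.
function overflowFlag(a, b, s) {
    const bothNegativeResultPositive = a & b & ~s;   // 1xxx + 1xxx -> 0xxx
    const bothPositiveResultNegative = ~a & ~b & s;  // 0xxx + 0xxx -> 1xxx
    // ~ flips all 32 bits in JavaScript; the final mask keeps only bit 3.
    return (bothNegativeResultPositive | bothPositiveResultNegative) & 0b1000;
}

// Reference model used only for checking: interpret 4 bits as -8..7.
function toSigned4(v) {
    v &= 0b1111;
    return (v & 0b1000) ? v - 16 : v;
}

// Exhaustively compares the bitwise detector with exact integer arithmetic
// for all 256 (a, b) pairs; s is what a 4-bit adder would output.
function countMismatches() {
    let mismatches = 0;
    for (let a = 0; a < 16; a++) {
        for (let b = 0; b < 16; b++) {
            const s = (a + b) & 0b1111;
            const exact = toSigned4(a) + toSigned4(b);
            const expected = (exact < -8 || exact > 7) ? 0b1000 : 0b0000;
            if (overflowFlag(a, b, s) !== expected) mismatches++;
        }
    }
    return mismatches;
}

console.log(countMismatches());
```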

What is this “prepare” variable used for in this SEH based buffer overflow payload?

I am trying to understand how a SEH based buffer overflow is working and I have to write a paper about how an exploit works. I took this PoC for my paper.

    junk = "\x41" * 4091

    nseh = "\x61\x62"
    seh  = "\x57\x42"           # Overwrite Seh # 0x00420057 : {pivot 8}

    prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05"
    prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3"
    prepare += "\x41" * 107;
    ...

I don’t really understand how it’s jumping over the next SEH.

  • What is \x61\x62 used for in the nseh variable?
  • What is the prepare variable used for?
  • How is it jumping to the shellcode?

I already understand that the \x57\x42 is used as a pointer to target a pop pop ret to trigger a second error but I am stuck after that…

Understanding why this buffer overflow attack isn’t working

I’m doing a buffer overflow challenge, and I can’t understand what exactly I’m doing wrong. Through debugging, I managed to figure out what my input should look like such that I can force the program to return to a function. From gdb I figured if I entered “aaaaaaaaaaaaaaaaaaaaaaaaaaaacdefbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb” I can get the program to return to cdef of 0x66656463. Here’s a sc just in case: enter image description here As you can see, the program managed to go to 0x66656463. Now I got the function’s address through gdb and I tried placing this in cdef’s spot in little endian order using pwntools:

    payload = "a" * 28 + "\x56\x85\x04\x08" + "b"*47
    msg = "-1\n" + payload

    io.sendline(msg)

The reason for the “-1\n” is because the program asks for input twice: the first time I just enter -1 and then the second input I try the exploit. So far, I’m just getting a segfault and the address I want to jump to should be starting a shell for me to exploit. I’m not sure what exactly I’m doing wrong, and any help would be appreciated. If I had to guess it’s that I’m somehow dealing with the two inputs incorrectly (they’re being read via fgets() in C if that matters.)

EDIT: I have the source binary and I tried running it locally. I created the following txt file

    -1
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaV\x85\x04\x08bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

and I redirect it in gdb via

    run < <(cat input.txt)

This works the same but whenever I add an escaped hex in place of the cdef, I get a different seg fault at a different address: enter image description here

It looks like if I replace any of the cdef with an escaped hex, I get a segfault at 0x08048726. Is something wrong with passing in the bytes?