changes

paper.tex

@@ -123,11 +123,14 @@ \subsection{Phases of developing the attack}
   \item Generate desired list of instructions and arguments (abstract payload/rop chain)
   \item Extract gadgets using tools, e.g. ROPgadget~\cref{par:ropgadget}
   \item Search gadgets for instructions
+  \item Determine how many bytes are needed to override the base pointer \Verb+ebp+
+  \item Determine position of a writable data segment
   \item Generate payload using the gadgets according to the the abstract payload while making sure gadgets dont interfere with our desired program state. This step can be done using Python which we will show in a later section~\cref{howtopack}
-  \item Insert payload into target
+  \item Insert payload into target using a vulnerability
 \end{enumerate}
 \paragraph{Goal and abstract payload}
-After specifying the goal and possibly simplifying it we have to write a list of instructions and arguments that achieve the goal, for this its favorable to directly use the format of the final payload except for using instructions instead of addresses as this will then allow to simply insert the found gadgets into this abstract payload.
+After specifying the goal and possibly simplifying it we have to write a list of instructions and arguments that achieve the goal, for this its favorable to directly use the format of the final payload except for using instructions instead of addresses as this will then allow to simply insert the found gadgets into this abstract payload. For the example in this paper we want to open a shell, for that the simplest way is to execute an execve system call. The following program state has to be achieved so the interrupt \bltInlineVerb{int 0x80} causes a shell to be opened.
+
 \paragraph{Extract and search gadgets}
 After extracting the gadgets using one of the above mentioned methods we can search for gadgets
 \paragraph{struct.pack}