
Questions on GLIBC Heap Exploitation (House of Force)

Çağlar Arlı      -    11 Views


This is with reference to Max Kamper's video on GLIBC heap exploitation and these articles I read.

I have a few questions about the video and articles.

  • Why is the formula for calculating the wrap around address the following?
def diff(x, y):
    return (0xffffffffffffffff - x) + y

Why subtract x from 0xffffffffffffffff and then add y? How does this give us the difference in distance? Why use 0xffffffffffffffff?

  • When using __malloc_hook to execute the system function, how does the binary know where the argument for the function call is? The pointer to the argument is located at malloc((heap + 0x30), "") but how does the function know that it's there, and why heap + 0x30?
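As an added example (not part of the original question, the video, or the articles it refers to), the following C program models the two mechanics the question asks about: the wrap-around distance formula and how the size passed to malloc becomes the first argument of whatever __malloc_hook points at. It does not touch the real allocator and is not an exploit: the arena is a struct of plain integers, the hook is an ordinary function pointer with the signature glibc used before 2.34, and the addresses (heap base 0x555555559000, a 16-byte-aligned __malloc_hook at 0x7ffff7dcdc30, a string at heap + 0x30) are assumed values chosen for illustration. The -0x20 in the distance request mirrors the delta(top, target - 0x20) usage described for the video; the comments trace how request2size() rounding turns it into a top pointer at target - 0x10.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* glibc malloc.c constants on x86-64. */
#define SIZE_SZ            8ULL
#define MALLOC_ALIGN_MASK  15ULL
#define MINSIZE            32ULL

/* Chunk size glibc carves for a request of `req` bytes (request2size). */
static uint64_t request2size(uint64_t req) {
    uint64_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* The delta() from the question in 64-bit unsigned arithmetic.
 * 0xffffffffffffffff is 2^64 - 1, so the result is (y - x - 1) mod 2^64:
 * how far the top pointer must advance, wrapping through 2^64 when y < x. */
static uint64_t delta(uint64_t x, uint64_t y) {
    return (0xffffffffffffffffULL - x) + y;
}

/* Model of the allocator state House of Force relies on. Not a real arena:
 * the top pointer and its size field are plain integers (flag bits ignored). */
struct model_arena {
    uint64_t top;       /* address of the top chunk header */
    uint64_t top_size;  /* size field of the top chunk */
    void *(*malloc_hook)(size_t bytes, const void *caller); /* stands in for __malloc_hook */
};

static size_t g_hook_bytes; /* what the hook received as its first argument */

/* Records its first argument. With system() installed in the real hook,
 * this same value arrives in rdi and is treated as the command string. */
static void *recording_hook(size_t bytes, const void *caller) {
    (void)caller;
    g_hook_bytes = bytes;
    return NULL;
}

/* Models glibc (before 2.34) malloc(): if __malloc_hook is set it is called as
 * hook(bytes, caller) and its return value is handed back to the caller, so
 * the requested size IS the hook's first argument. Otherwise the request is
 * split off the front of the top chunk. */
static uint64_t model_malloc(struct model_arena *a, uint64_t req) {
    if (a->malloc_hook != NULL)
        return (uint64_t)(uintptr_t)a->malloc_hook((size_t)req, NULL);

    uint64_t nb = request2size(req);
    if (nb > a->top_size)
        return 0;               /* real glibc would extend the heap here */
    uint64_t chunk = a->top;
    a->top += nb;               /* unsigned add: wraps mod 2^64 like the real pointer math */
    a->top_size -= nb;
    return chunk + 2 * SIZE_SZ; /* user pointer = chunk header + 0x10 */
}

/* Runs the House of Force sequence against the model and returns the user
 * pointer of the final allocation, which lands exactly on `target`.
 * `heap` is the assumed heap base with one 0x20-byte chunk already in use;
 * `target` must be 16-byte aligned, as __malloc_hook is in glibc builds. */
static uint64_t house_of_force(uint64_t heap, uint64_t target) {
    struct model_arena a = { .top = heap + 0x20, .top_size = 0x20fe0, .malloc_hook = NULL };

    /* 1. The overflow: the top chunk size field becomes 0xffffffffffffffff,
     *    so the "request fits in top" check can never fail. */
    a.top_size = 0xffffffffffffffffULL;

    /* 2. The distance request, computed against target - 0x20 as in the video.
     *    delta() yields target - top - 0x21; request2size() rounds that up to
     *    target - top - 0x10, so top ends up at target - 0x10. */
    uint64_t distance = delta(a.top, target - 0x20);
    model_malloc(&a, distance);

    /* 3. Any small request is now carved at target - 0x10 and its user
     *    pointer is target: whatever is written there overwrites the hook. */
    return model_malloc(&a, 24);
}

/* After the hook holds system, malloc(string_addr) runs system(string_addr):
 * returns the value the hook saw as its first argument. */
static size_t hook_argument(uint64_t string_addr) {
    struct model_arena a = { .top = 0, .top_size = 0, .malloc_hook = recording_hook };
    model_malloc(&a, string_addr);
    return g_hook_bytes;
}

int main(void) {
    uint64_t heap = 0x555555559000ULL;   /* assumed heap base */
    uint64_t hook = 0x7ffff7dcdc30ULL;   /* assumed address of __malloc_hook */
    printf("delta(top, hook-0x20) = %#" PRIx64 "\n", delta(heap + 0x20, hook - 0x20));
    printf("second malloc returns = %#" PRIx64 "\n", house_of_force(heap, hook));
    printf("hook sees as rdi      = %#zx\n", hook_argument(heap + 0x30));
    return 0;
}
```

The two questions reduce to two facts visible in the model: the delta formula is just (y - x - 1) mod 2^64, written with the all-ones constant so the Python result stays a positive 64-bit value even when the target (libc) lies below the heap; and the hook is invoked with malloc's size argument in rdi, so passing the address of the string as the "size" is what hands it to system. The heap + 0x30 in the question is simply wherever that string was written earlier; here it is an assumed offset.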