
Question regarding 5th problem, Nitroglycerin

Open ngjuping opened this issue 4 years ago • 0 comments

Hello! I had been looking into solutions for the bufbomb project, and many thanks for your very kind sharing of the answers! However, I am eager to look into the working principles of the solutions in more depth. I think your first 4 solutions are very intuitive, but the 5th problem, Nitroglycerin, has been very difficult for me to understand. I have a few questions, and I wish that you can spend some time to help me and other people who have the same kind of confusion, and possibly make an improvement to your wonderful project.

  1. First, why would you pick 509 as the number of times to duplicate the nop 0x90? The buffer is 512 bytes, and I thought 512 0x90s would be the "intuitive" number? (509 is correct for me!)
  2. What's the logic behind picking the maximum addr in the third part? The part where you run the nitro version of the program once and use info reg to look into $ebp-0x208. Again, your efforts are very much appreciated, and I look forward to your reply!

ngjuping, Apr 12 '20 18:04