Tokyohot N0541
stack (login):
0x7fffffffe5c0  buf[0x40]

The login function does not allocate any heap memory; it uses the stack buffer buf. However, after the call to login, the program returns to menu, which later accesses the users array in the global BSS. The overflow in login does not directly touch the global variable; it only corrupts the stack.
heap:
0x603010 -> name buffer (0x80)
0x603090 -> pwd buffer (0x80)
struct user users[10];   // global, zero-initialized
int logged_in = 0;       // global

When register_user is called:
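# menu() and recvuntil() are helpers assumed to be defined elsewhere in the script;
# s is a connected socket.
def get_flag(s):
    menu(s)                      # wait for the menu prompt
    s.sendall(b'3\n')            # send choice 3
    flag = recvuntil(s, b'\n')   # read the reply up to the newline
    print(flag.decode())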