Tokyohot N0541 — Fix
    $ ./n0541
    1) Register
    > 1
    Name: AAAAA...
    Password: BBBBB...
    [debug] pwd ptr = 0x603090

The global logged_in lives at 0x603200. The distance is:
To confirm this, I printed the address of user->pwd after registration:
The challenge is a 64-bit ELF binary that runs locally on the provided Docker image. It listens on a TCP port (or can be run interactively) and offers a simple menu-driven interface. The goal is to gain a remote shell (or read the flag) by exploiting a vulnerability in the program.

    $ ./n0541
    1) Register
    >
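    # menu() and recvuntil() are helper functions that are not shown on this page.
    def get_flag(s):
        menu(s)                      # wait for the menu prompt
        s.sendall(b'3\n')            # select menu option 3
        flag = recvuntil(s, b'\n')   # read one line of the reply
        print(flag.decode())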
    user_t users[10];
    int logged_in = 0;