Tokyohot N0541 !exclusive! May 2026

gcc -no-pie

$ ./n0541 1) Register > 1 Name: AAAAA... Password: BBBBB... [debug] pwd ptr = 0x603090 The global logged_in lives at 0x603200 . The distance is: tokyohot n0541

user_t users[10]; int logged_in = 0;

void show_secret(void) if (logged_in) system("/bin/cat /home/ctf/flag.txt"); else puts("You must be logged in first!"); gcc -no-pie $

The interesting functions are register_user , login , and show_secret . void register_user() char *name = malloc(0x80); char *pwd = malloc(0x80); printf("Name: "); gets(name); // <--- vulnerable printf("Password: "); gets(pwd); // store pointers in a global struct (userlist) int logged_in = 0