Writeup written in Chinese.

Steps:

  1. Leak memcpy_got.
  2. Write printf_plt to memcpy_got to create a format string bug (FSB).
  3. Use the FSB to craft a leak function.
  4. Use DynELF to leak the address of system.
  5. Write the system address to memcpy_got.
  6. Trigger memcpy_got again to get a shell.

Exp: https://gist.github.com/cubarco/9bfafbc77dd2c0330e3c0ef87013c6fa#file-bank-exp-py

Original writeup (https://cubarco.org/blog/2018/07/writeup-ctfzone/#mobile-bank).