Rating:

Writeup writen in Chinese.

Steps:
1. leak memcpy_got
2. write printf_plt to memcpy_got and make up a Format String bug
3. use FSB to craft a leak function
4. use DynELF to leak system address
5. write system address to memcpy_got
6. trigger memcpy_got again and get shell.

Exp: [https://gist.github.com/cubarco/9bfafbc77dd2c0330e3c0ef87013c6fa#file-bank-exp-py](https://gist.github.com/cubarco/9bfafbc77dd2c0330e3c0ef87013c6fa#file-bank-exp-py)

Original writeup (https://cubarco.org/blog/2018/07/writeup-ctfzone/#mobile-bank).