Rating:

* Swap `atoi` , `printf` to leak `stack`.
* Swap( a , &a ) -> *a = a.
* Swap( `0x601526` , `&0x601526` ).
* Swap( `0x601526 - 6` , `printf GOT - 6` ).
* `printf -> 0x56510` , `one gadget -> 0x45526`.
* Overwrite `printf GOT` last two byte to `0x1526`, gues it add with carry.
* With probability approx 1/16.
* [exploit.py](https://github.com/ssspeedgit00/CTF/tree/master/2018/TokyoWesterns/swap_returns)

Original writeup (https://github.com/ssspeedgit00/CTF/tree/master/2018/TokyoWesterns/swap_returns).