1. Leak the `PIE` address
2. Overwrite `pie_addr + 0x2a55a3` with the address of `main`
3. The program ends: `exit` is called after `main` returns, and it calls the `__libc_csu_fini` function.
4. `__libc_csu_fini` calls `QWORD [pie_addr + 0x2a55a3]`, so we jump to the `main` function again.
5. Leak the `Stack` address
6. Write a `ropchain` into the `bss`
7. Jump to the `ropchain`
8. Get a shell

:P

Author : MyriaBreak

[Korean writeup](https://xerxes-break.tistory.com/401)

[English writeup](https://go-madhat.github.io/onewrite-writeup/)
