Tags: lamport-signature crypto reverse

Rating: 5.0

[https://sectt.github.io/writeups/Hacklu19/crypto_lamport/README](https://sectt.github.io/writeups/Hacklu19/crypto_lamport/README)

The binary was compiled without address randomization, so the buffer and the data placed after it sit at fixed, predictable addresses.

1 Write a string of 32 bytes with \xc0 as the last byte. The input routine then accepts one extra byte, which overflows the buffer.

2 Brute-force all 256 values of that extra byte. It overwrites the least significant byte of flag_addr, the pointer to the flag that is stored in memory directly after the buffer we write to. The oracle answers "correct" when the overwritten pointer equals the buffer's own address, because the program is then comparing the buffer with itself. This also tells us the buffer's address.

3 The program hands us the signature of whatever memory flag_addr points to. So we fill the buffer with zero bytes and point flag_addr at the buffer (its address is known from step 2), which gives us a signature over a message of our choosing.
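Step 3 turns the overflow into a chosen-message signing oracle, and for a Lamport scheme that is fatal: every signature hands out half of the one-time private key. The example below is added here and is not the challenge's own code; it assumes a textbook Lamport scheme over a 32-byte message whose 256 bits are signed directly (the usual construction hashes the message first, which changes nothing about the leak), with SHA-256 as the one-way function. It shows what a signature of the all-zero buffer reveals, why that alone forges nothing else, and how a second chosen-message signature (all 0xff bytes) reveals the entire private key.

```python
import hashlib
import os

MSG_BYTES = 32
MSG_BITS = MSG_BYTES * 8


def keygen(rng=os.urandom):
    """Lamport key pair: 256 pairs of random secrets, public key is their hashes."""
    sk = [[rng(32), rng(32)] for _ in range(MSG_BITS)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def msg_bits(message):
    """Bits of a 32-byte block, MSB first. (Assumption: the block is signed
    as-is, without pre-hashing; the leak below is identical either way.)"""
    assert len(message) == MSG_BYTES
    return [(message[i // 8] >> (7 - i % 8)) & 1 for i in range(MSG_BITS)]


def sign(sk, message):
    """Signature = for each bit i of the message, the secret sk[i][bit]."""
    return [sk[i][b] for i, b in enumerate(msg_bits(message))]


def verify(pk, message, sig):
    """Each revealed secret must hash to the public-key entry for that bit."""
    return len(sig) == MSG_BITS and all(
        hashlib.sha256(s).digest() == pk[i][b]
        for i, (s, b) in enumerate(zip(sig, msg_bits(message)))
    )


def leaked_preimages(signed):
    """What an attacker learns from a list of (message, signature) pairs:
    the secret for bit value b at position i, if any signed message had b there."""
    known = [[None, None] for _ in range(MSG_BITS)]
    for message, sig in signed:
        for i, b in enumerate(msg_bits(message)):
            known[i][b] = sig[i]
    return known


def forgeable_count(known):
    """Number of distinct messages the attacker can now sign."""
    n = 1
    for k0, k1 in known:
        have = (k0 is not None) + (k1 is not None)
        if have == 0:
            return 0
        n *= have
    return n


def forge(known, target):
    """Assemble a signature for target from leaked secrets, or None if a
    needed secret was never revealed."""
    sig = []
    for i, b in enumerate(msg_bits(target)):
        if known[i][b] is None:
            return None
        sig.append(known[i][b])
    return sig


if __name__ == "__main__":
    sk, pk = keygen()
    zeros, ones = bytes(MSG_BYTES), b"\xff" * MSG_BYTES

    # One chosen-message signature (the all-zero buffer from step 3):
    # reveals sk[i][0] for every i, but nothing with a 1 bit is forgeable yet.
    known = leaked_preimages([(zeros, sign(sk, zeros))])
    print("after signing zeros:", forgeable_count(known), "forgeable message(s)")

    # A second chosen message with every bit flipped reveals the whole key.
    known = leaked_preimages([(zeros, sign(sk, zeros)), (ones, sign(sk, ones))])
    target = hashlib.sha256(b"any message the attacker wants").digest()
    forged = forge(known, target)
    print("after signing zeros and ones:", verify(pk, target, forged))
```

The two oracle queries are the minimum: each position needs both secrets revealed before an arbitrary message can be signed, and `zeros` and `ones` cover both values at every position. If the oracle pre-hashes the message, the attacker instead needs enough signatures that the hashes jointly cover both bit values at all 256 positions, typically a handful of random messages.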

Original writeup (https://sectt.github.io/writeups/Hacklu19/crypto_lamport/README).