Tags: pwn heap
Rating:
* Free the weapon heap chunk
* Malloc a chunk with the same size of the the weapon chunk freed and fill it with chars until the pointer you want to leak.
* Show the weapons and leak pie base.
* Free again the weapon chunk and write the last 8 bytes with the ret2win function.
* When you call show again it get executed. From Ghidra: (**(code **)(storage + 0x48))();
