Tags: pwn heap 


* Free the weapon heap chunk
* Malloc a chunk with the same size of the the weapon chunk freed and fill it with chars until the pointer you want to leak.
* Show the weapons and leak pie base.
* Free again the weapon chunk and write the last 8 bytes with the ret2win function.
* When you call show again it get executed. From Ghidra: (**(code **)(storage + 0x48))();

Original writeup (https://github.com/GonTanaka/CTF-Writeups/tree/main/Cyber_Apocalypse2022/pwn/Trick_or_Deal).