Check if that note was freed:
gdb -c core.dump ./bad_memories_v0.9 (gdb) info registers (gdb) x/20gx $rsp Look for a struct: Bad Memories -v0.9- -recreation-
gdb -c core.dump (gdb) dump memory recovered.bin 0x400000 0x401000 # typical .text section But better: use volatility (if full memory dump) or memdump from /proc/pid/maps style. Check if that note was freed: gdb -c core
So a note was freed, then its print_func pointer was overwritten via another allocation (use-after-free write), pointing to the secret function. The core dump captured the program after the exploit but before the flag was printed. We can manually trigger the print: Bad Memories -v0.9- -recreation-