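//[*prev][*next][size:15][final:1]
//
// Heap block header as seen in the dumps below: a 6-byte header (two 16-bit
// link words and one 16-bit size/status word) followed by the block's data.
// The original notes declared the links as pointer bit-fields, which is not
// valid C (bit-fields must have integer type) and also named an undeclared
// type `block`; on this 16-bit target an address fits in a uint16_t, so the
// links are kept as raw 16-bit addresses and the struct now compiles.
//
// NOTE(review): bit-field allocation order is implementation-defined. The
// dumps show the size/status word as 0x0021 == 2 * block_size + 1, i.e. the
// status bit is the LSB and the size occupies the upper 15 bits; a compiler
// that allocates bit-fields starting at the LSB (e.g. GCC on little-endian)
// would need `end` declared before `len` to reproduce that word exactly —
// confirm before relying on the in-memory layout of this struct.
struct block {
    uint16_t prev;      // link to the previous block (the notes mark this as "(prev pointer?)")
    uint16_t next;      // link to the next block
    uint16_t len : 15;  // block size; the raw word in the dumps is 2 * block_size + 1
    uint16_t end : 1;   // status / final flag (the low bit of the raw word)
};

/*
 * If the username is "usernameusername" + prev + &password + '0001' then the
 * password can be a fake block w/ a next pointer to an
 *
 * 2408: 0824 1e24 2100                 # Block
 *   2408[0]  0824: 2408 == (prev pointer?)
 *   2408[2]  1e24: 241e == next pointer
 *   2408[4]  2100: 0021 == 2 * block_size + 1
 *   2408[6]  data[0..bs]
 *
 * Heap (0 malloc)
 * 2400: 0824 0010 0100 0000 0000 0000 0000 0000  .$..............
 *   Word 1: 2408 == &(heap_start)
 *   Word 2: 1000 == total heap BYTES
 *   Word 3: 0001 == needs_initialize
 *   Word 4: 0000 == ???
 *
 * Heap (1 malloc)
 * 2400: 0824 0010 0000 0000 0824 1e24 2100 0000  .$.......$.$!...
 * 2410: 0000 0000 0000 0000 0000 0000 0000 0824  ...............$
 * 2420: 0824 c81f 0000 0000 0000 0000 0000 0000  .$..............
 *
 * 2408: 0824 1e24 2100                 # Block
 *   2408[0]  0824: 2408 == (prev pointer?)
 *   2408[2]  1e24: 241e == next pointer
 *   2408[4]  2100: 0021 == 2 * block_size + 1 (AKA {size:15,status:1})
 *   2408[6]  data[0..bs]
 *
 * 241e: 0824 0824 c81f                 # End block
 *   241e[0]  0824: prev pointer
 *   241e[2]  0824: next pointer
 *   241e[4]  c81f: 1fc8 == 2*(size of free space)
 *   241e[6]  free space
 *
 * Heap (2 malloc)
 * 2400: 0824 0010 0000 0000 0824 1e24 2100 0000  .$.......$.$!...
 * 2410: 0000 0000 0000 0000 0000 0000 0000 0824  ...............$
 * 2420: 3424 2100 0000 0000 0000 0000 0000 0000  4$!.............
 * 2430: 0000 0000 1e24 0824 9c1f 0000 0000 0000  .....$.$........
 */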