Guess The Number — Stack Overflow + Integer Overflow

Overflow the name buffer to corrupt the internal number variable, then feed back the overflowed value as a decimal integer to satisfy the equality check.

January 1, 2024 · 2 min · giordii

Guess the Number 2 — ROP Chain GOT Overwrite via gets

Build a ROP chain that calls gets twice to plant arbitrary data in the GOT, redirect strcspn to a shellcode stub, then trigger the win print path.

January 1, 2024 · 2 min · giordii

More Private Club — Simple ret2win Buffer Overflow

Overflow a stack buffer to overwrite the return address with a known win function address, then trigger it.

January 1, 2024 · 1 min · giordii

readdle — Two-Stage Shellcode via Stub Read Gadget

Inject a 4-byte stub shellcode that calls read to pull a full shell payload into the same buffer, then jump to it — bypassing the initial 4-byte size constraint on the first write.

January 1, 2024 · 2 min · giordii

Secret Vault — Heap Address Leak + Shellcode via Stack Overflow

Trigger a heap allocation that the binary prints, compute the shellcode landing address at heap+96, then overflow the stack with that return address followed by shellcode to get a shell.

January 1, 2024 · 2 min · giordii

Super Market — Integer Underflow Price Manipulation

Pass a negative quantity to an unsigned arithmetic check, causing integer underflow that bypasses a balance validation and grants access to a premium item.

January 1, 2024 · 1 min · giordii

Terminator — Canary Leak + Full ret2libc

Overwrite the canary's null byte to leak the full 8-byte cookie over printf, simultaneously leak a saved RBP to base the stack, then use puts@got to find the libc base and call system('/bin/sh') — all in two trips through the same vulnerable function.

January 1, 2024 · 3 min · giordii