Question: This problem concerns the following C code, for which you are to design a buffer overflow attack such that when it is run the program will print "You've defused me!"
#include <stdio.h>

int read_string(){
    char buf[5];                 /* 5-byte buffer; scanf("%s") places no bound on the write (the overflow the problem is built around) */
    scanf("%s", buf);
    return 351;
}

int main(){
    int val=read_string();
    val>>=2;                     /* 351 >> 2 == 87, so the unmodified control flow always reaches "Boom!" */
    if (val!=351)
        printf("Boom!");
    else
        printf("You've defused me!");   /* was print(...); the C library function is printf */
    return 0;
}
Here is the x86-64 assembly code for the functions above:
0000000000400598 <read_string>:
  400598: sub    $0x18,%rsp
  40059c: mov    %rsp,%rsi          # buf starts at %rsp
  40059f: mov    $0x4006dc,%edi
  4005a4: mov    $0x0,%eax
  4005a9: callq  400418             # scanf("%s", buf)
  4005ae: mov    $0x15f,%eax        # return 351
  4005b3: add    $0x18,%rsp
  4005b7: retq
00000000004005b8 <main>:
  4005b8: sub    $0x8,%rsp
  4005bc: callq  400598             # read_string()
  4005c1: sar    $0x2,%eax          # val >>= 2
  4005c4: cmp    $0x15f,%eax
  4005c9: je     4005df
  4005cb: mov    $0x4006df,%edi
  4005d0: callq  4003f8             # printf("Boom!")
  4005d5: mov    $0x0,%eax
  4005da: add    $0x8,%rsp
  4005de: retq
  4005df: mov    $0x4006e5,%edi
  4005e4: callq  4003f8             # printf("You've defused me!")
  4005e9: jmp    4005d5

After the callq instruction in read_string returns, where is the return address to main found in memory, expressed as a decimal offset from %rsp?

What input would defuse this bomb? Give your answer as a series of 2-digit hex values (leave out 0x prefixes).
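For contrast with the problem's read_string, here is a hardened version added as an example (not part of the problem or its solution): it copies the token with an explicit bound instead of scanf("%s"), and a small helper captures the frame arithmetic from the listing (frame size 0x18 from the sub instruction, buf at %rsp). read_token_bounded, read_string_safe and input_reaches_return_address are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 5   /* same 5-byte buffer as the problem's read_string() */

/* Copy one whitespace-delimited token from src into dst (capacity cap), the way
 * scanf("%4s") would, but report an oversized token instead of silently truncating.
 * Returns the number of bytes stored, or -1 if the token plus its NUL does not fit.
 * Hypothetical helper written for this example. */
int read_token_bounded(const char *src, char *dst, size_t cap) {
    size_t i = 0;
    if (cap == 0) return -1;
    while (*src == ' ' || *src == '\t' || *src == '\n') src++;   /* scanf skips leading blanks */
    while (src[i] != '\0' && src[i] != ' ' && src[i] != '\t' && src[i] != '\n') {
        if (i + 1 >= cap) return -1;   /* no room for this byte plus the terminator */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* Hardened read_string(): same buffer and same 351 result for input that fits,
 * -1 for input that would have run past buf. Takes the line as a parameter so it
 * can be exercised without stdin. */
int read_string_safe(const char *line) {
    char buf[BUF_SIZE];
    if (read_token_bounded(line, buf, sizeof buf) < 0)
        return -1;
    return 351;
}

/* Frame arithmetic from the listing: read_string lowers %rsp by frame_size (0x18)
 * and buf starts at %rsp, so the saved return address sits at %rsp + frame_size.
 * scanf stores input_len bytes plus a NUL; that run reaches the return address
 * once input_len + 1 > frame_size. */
int input_reaches_return_address(size_t frame_size, size_t input_len) {
    return input_len + 1 > frame_size;
}

int main(void) {
    char line[64];
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    line[strcspn(line, "\n")] = '\0';
    int r = read_string_safe(line);
    if (r < 0) printf("rejected: token does not fit in %d bytes\n", BUF_SIZE);
    else       printf("read_string_safe returned %d\n", r);
    printf("a %zu-byte input %s the saved return address\n", strlen(line),
           input_reaches_return_address(0x18, strlen(line)) ? "reaches" : "stays below");
    return 0;
}
```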