Question: This problem concerns the following code, for which you are to design a buffer overflow attack such that when it is run the program will print "You've defused me!".

```c
#include <stdio.h>

int read_string()
{
    char buf[5];
    scanf("%s", buf);
    return 351;
}

int main()
{
    int val = read_string();
    val >>= 2;
    if (val != 351)
        printf("Boom!");
    else
        printf("You've defused me!");
    return 0;
}
```

Note that scanf("%s", buf) reads an input string from stdin and stores it at address buf (including the terminating '\0' character). It does not check the size of the destination buffer.

Here's the x86-64 assembly code for the functions above:

```
0000000000400598 <read_string>:
  400598: sub    $0x18,%rsp
  40059c: mov    %rsp,%rsi
  40059f: mov    $0x4006dc,%edi
  4005a4: mov    $0x0,%eax
  4005a9: callq  400418
  4005ae: mov    $0x15f,%eax
  4005b3: add    $0x18,%rsp
  4005b7: retq

00000000004005b8 <main>:
  4005b8: sub    $0x8,%rsp
  4005bc: callq  400598
  4005c1: sar    $0x2,%eax
  4005c4: cmp    $0x15f,%eax
  4005c9: je     4005df
  4005cb: mov    $0x4006df,%edi
  4005d0: callq
  4005d5: mov    $0x0,%eax
  4005da: add    $0x8,%rsp
  4005de: retq
  4005df: mov    $0x4006e5,%edi
  4005e4: callq  4003f8
  4005e9: jmp    4005d5
```

After the call instruction in read_string returns, where is the return address to main found in memory, expressed as a decimal offset from $rsp?

%rsp + ____

What input would defuse this bomb? Give your answer as a series of 2-digit hex values (leave out the "0x" prefixes), as you would have passed to the "hex2raw" utility in the attack lab.

Input: ____
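The note in the question says scanf("%s", buf) does not check the size of the destination buffer. As an added example (not part of the original question), here is the same read with a field width, so a token longer than the 5-byte buffer is rejected instead of being written past it. The names `read_string_bounded` and `demo`, the guard bytes and the sample inputs are hypothetical and constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHARS 4                 /* buf[5] in the question = 4 chars + '\0' */
#define STR_(x) #x
#define STR(x) STR_(x)
/* Bounded replacement for scanf("%s", buf). Returns 0 on success, -1 if no
 * token was read, -2 if the token was too long (the excess is dropped). */
int read_string_bounded(FILE *in, char buf[MAX_CHARS + 1])
{
    /* The field width counts characters only; scanf appends the '\0'. */
    if (fscanf(in, "%" STR(MAX_CHARS) "s", buf) != 1)
        return -1;
    int c = fgetc(in);
    if (c == EOF || isspace(c)) {
        if (c != EOF) ungetc(c, in);
        return 0;
    }
    while ((c = fgetc(in)) != EOF && !isspace(c))
        ;                           /* discard the rest of the oversized token */
    return -2;
}

/* Hypothetical harness: feeds constructed input through a temporary stream
 * standing in for stdin and checks guard bytes placed right after buf. */
int demo(const char *input, char out[MAX_CHARS + 1])
{
    struct { char buf[MAX_CHARS + 1]; unsigned char guard[8]; } frame;
    memset(frame.guard, 0xA5, sizeof frame.guard);
    out[0] = '\0';
    FILE *in = tmpfile();
    if (!in) return -1;
    fputs(input, in);
    rewind(in);
    int rc = read_string_bounded(in, frame.buf);
    fclose(in);
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0xA5) return -3;   /* a write escaped buf */
    if (rc != -1) strcpy(out, frame.buf);
    return rc;
}

int main(void)
{
    char out[MAX_CHARS + 1];
    printf("%d\n", demo("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", out));
    return 0;
}
```

Compiler-side mitigations such as stack protectors are a separate layer; the width in the format string is what keeps the write inside the buffer in the first place.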
