# ret2text

## Theory

This attack is also called **ret2win**. Basically we just control `$rip` and then jump to some "hidden" function in the binary. If PIE is turned off, the address of this function will be fixed. Read this writeup to learn more:

{% embed url="<https://www.ctfwriteup.com/pwn/rop-emporium/ret2win>" %}
ROP Emporium ret2win - ctfwriteup.com
{% endembed %}

## Template:&#x20;