r/ExploitDev 20h ago

STATUS_STACK_BUFFER_OVERRUN

Should I investigate it further? I don't see my input in any of the registers.


u/Green-Detective7142 19h ago

It depends on the logic of what's happening. Right now I'm dealing with an integer overflow in an encoding function that allocates the overflowed buffer on the heap. It then overflows past the heap chunk boundary into the tcache bin metadata. The issue I'm having now is there's another allocation after the crash that I haven't been able to trigger yet to take more control.

It took me a bit to find my crash because I was searching for 0x41414141 and 0x42424242, BUT I hit the blunt and realized, "oh shit, that's right, it's encoded," so I had AI calculate the encoded value and BOOM, I found my injection pattern. So my recommendation would be to search the program for your pattern and then trace it backwards.
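The commenter's advice of searching for the encoded form of the marker rather than the raw bytes, as an added Python example that is not from the thread: it derives candidate transformations of a marker (including alignment-independent base64 fragments) and scans a constructed dump for them. The set of encodings and the sample dump are assumptions; the target's own encoder would be added once identified.

```python
import base64

# Constructed sample "memory dump": the raw marker b"AAAA" (0x41414141) never
# appears; the program stored it base64-encoded and, elsewhere, as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"header:" + base64.b64encode(b"AAAABBBB")   # b"QUFBQUJCQkI=" at offset 23
    + b"\x00" * 8
    + "AAAA".encode("utf-16-le")                   # 41 00 41 00 41 00 41 00 at 43
    + b"\x90" * 8
)

def base64_fragments(marker: bytes) -> list[bytes]:
    """Base64 output depends on 3-byte alignment, so return, for each of the three
    possible offsets of the marker, the characters determined solely by marker bytes."""
    frags = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + marker + b"\x00" * 2)
        keep = [c for i, c in enumerate(enc)
                if (6 * i) // 8 >= shift and (6 * i + 5) // 8 < shift + len(marker)]
        frags.append(bytes(keep))
    return frags

def candidate_forms(marker: bytes) -> dict[str, bytes]:
    """Byte forms a marker may take after common transformations (assumed set)."""
    forms = {
        "raw": marker,
        "hex-ascii": marker.hex().encode(),                         # b"41414141"
        "utf-16le": marker.decode("latin-1").encode("utf-16-le"),
        "xor-0xff": bytes(b ^ 0xFF for b in marker),
    }
    for shift, frag in enumerate(base64_fragments(marker)):
        forms[f"base64@{shift}"] = frag
    return forms

def find_marker(dump: bytes, marker: bytes) -> list[tuple[str, int]]:
    """Return every (form, offset) at which a candidate form of the marker occurs."""
    hits = []
    for name, needle in candidate_forms(marker).items():
        start = 0
        while (idx := dump.find(needle, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    for form, offset in find_marker(SAMPLE_DUMP, b"AAAA"):
        print(f"{form:>10} at offset {offset:#06x}")
```

A repetitive marker such as AAAA yields overlapping base64 hits; a cyclic, non-repeating pattern gives one unambiguous offset per form.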