Heapify implements a priority queue (min-heap) manager with create_cmd (insert) and exec_cmd (extract-min) operations. The binary never directly outputs addresses, and Full RELRO prevents GOT overwrites. Exploitation requires three novel techniques chained together: a binary search oracle to leak heap and libc pointers without any output primitive, an out-of-bounds index vulnerability in the heap's sift-down operation to create overlapping chunks, and finally the same ld.so dso_find_for_object resolver hijack used in Blinded -- reached here through tcache poisoning rather than single-byte writes.

The binary search leak technique is particularly noteworthy: by using the priority queue's ordering semantics as a comparison oracle, the exploit recovers full 52-bit pointers in ~52 iterations per pointer, without any format string or read primitive.

The binary maintains an array-based min-heap where each element has a size, priority, and data pointer. The create_cmd function allocates a heap chunk of the given size, writes user data into it, and inserts the element into the priority queue with the given priority. The exec_cmd function extracts the minimum-priority element, prints its data, and frees the chunk.

The vulnerability lies in the sift-down (downheap) operation during exec_cmd. When extracting the minimum, the last element is moved to the root and sifted down. The array bounds check on the child indices is insufficient -- when the heap contains entries with carefully chosen priorities that map to large integer values, the sift-down can write heap array entries beyond the allocated array bounds, corrupting adjacent memory.

By inserting entries with a priority set to a heap address (a large integer), the sift-down operation's index calculation overflows the array bounds, allowing controlled writes to memory adjacent to the priority queue array. This is exploited to create a fake 0x41-sized chunk at a controlled heap offset.

The key innovation is the leak technique. When a chunk is freed into tcache, its first 8 bytes become the fd pointer (XOR-encrypted with safe-linking). If we then allocate a new chunk of the same size and write "flag" into it, the priority queue will compare the priority of this new entry against others during insertion.

The trick: insert a chunk with data "flag" at a guessed priority mid, then allocate and free chunks to place the tcache fd pointer as data in a competing entry. When exec_cmd extracts the minimum: