App - System

This program print the address of check variable, but I must pass on the format string by argv[1] before I can see the address, and I have been stuck in the challenge for about 5 hours. Can someone please give me some hints about how to solve this challenge?

The ASLR is closed, so I can know the address of check, but my payload dosen’t work. Could someone give me hints that what is wrong with it?
./ch14 `python -c "print ’\x48\xfa\xff\xbf%3735928555c%9$n’"`