We can use a format string exploit to leak values from the stack. The leaked values reveal the base address. We can then look up the function's offset from the base address by inspecting where the function lies within the code segment: objdump -d | grep WIN gives 0x9ec
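The leak described above works because untrusted text reaches printf as the format argument. The following is an added example, not code from the original writeup or the challenge binary: it shows the hardened call and a check that flags conversion directives in untrusted input. The names count_conversions and render_safe and the sample input are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: count printf conversion specifications in s.
 * "%%" is a literal percent sign and is not counted. A non-zero result on
 * untrusted input means printf(s) would read arguments that were never
 * passed, which is how stack values (and so the base address) leak. */
int count_conversions(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s++ != '%')
            continue;
        if (*s == '%') {            /* escaped percent sign */
            s++;
            continue;
        }
        /* skip positional index, flags, width, precision, length modifiers */
        s += strspn(s, "0123456789$#-+ '*.hlLqjzt");
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
            n++;
            s++;
        }
    }
    return n;
}

/* Vulnerable form (shown as a comment only):  printf(untrusted);
 * Hardened form: untrusted text is passed as an argument, never as the
 * format, so its directives are copied out literally. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

int main(void)
{
    const char *input = "%7$p %p %p";   /* constructed sample input */
    char buf[64];

    render_safe(buf, sizeof buf, input);
    printf("directives found: %d, rendered safely as: %s\n",
           count_conversions(input), buf);
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn about the vulnerable form at compile time.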