# Problem.
This problem is about the buffer overflow vulnerability.
# How To Solve.
First of all, download bof ( http://pwnable.kr/bin/bof ) and bof.c ( http://pwnable.kr/bin/bof.c ).
Then I looked at bof.c. It looks as follows.

First, looking at the main function, I noticed that main calls func() with 0xdeadbeef as its argument. Then, looking at func(), I noticed that if key == 0xcafebabe, system("/bin/sh") is executed.
To change the key value to 0xcafebabe, I analyzed bof using gdb.

Then I disassembled <func>. It looks as follows.

From <+29> to <+40>, it can be seen that the distance from the buffer to ret is 52 bytes. So I can change the key value by writing 52 bytes of dummy data followed by 0xcafebabe.
Here is the payload and flag.
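
The overwrite described above can be reproduced safely in a small model. The following is an added example, not the code from bof.c: the struct `frame`, the 32-byte buffer size, and the function names are assumptions. Only the 52-byte offset and the two key values come from the write-up. It shows the unbounded copy next to a length-checked one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_OFFSET 52u   /* from the write-up: 52 bytes of filler reach key */
#define BUF_SIZE   32u   /* assumed buffer size, not taken from the page */

/* Constructed stand-in for func()'s stack: buffer, a gap, then key. */
struct frame {
    char     buffer[BUF_SIZE];
    char     gap[KEY_OFFSET - BUF_SIZE];
    uint32_t key;
};

/* Vulnerable pattern: the copy length comes from the input, not the buffer.
   (Capped at the model's size only so the demo itself stays in bounds.) */
uint32_t read_unbounded(const unsigned char *in, size_t n) {
    struct frame f = { .key = 0xdeadbeef };
    if (n > sizeof f) n = sizeof f;
    memcpy((char *)&f, in, n);
    return f.key;
}

/* Hardened pattern: the copy length is limited by the destination size. */
uint32_t read_bounded(const unsigned char *in, size_t n) {
    struct frame f = { .key = 0xdeadbeef };
    if (n > sizeof f.buffer - 1) n = sizeof f.buffer - 1;
    memcpy(f.buffer, in, n);
    f.buffer[n] = '\0';
    return f.key;
}

/* Constructed sample input: 52 filler bytes followed by 0xcafebabe. */
size_t build_input(unsigned char *out) {
    uint32_t v = 0xcafebabe;
    memset(out, 'A', KEY_OFFSET);
    memcpy(out + KEY_OFFSET, &v, sizeof v);
    return KEY_OFFSET + sizeof v;
}

int main(void) {
    unsigned char in[64];
    size_t n = build_input(in);
    printf("unbounded: key = 0x%08x\n", (unsigned)read_unbounded(in, n));
    printf("bounded:   key = 0x%08x\n", (unsigned)read_bounded(in, n));
    return 0;
}
```

With the length check in place the same input is truncated inside the buffer and key keeps the value main passed in.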
