The program has two scanf calls that use a pointer incorrectly - they write to whatever address the uninitialized local variable holds. Combined with a printf format string leak, you can overflow name[] to plant an address where passcode1 lives on the stack, then write the address of the login-success block into fflush@GOT. When fflush() is called, execution jumps to your target instead.