本次 NCTF 2023,我们 Polaris 战队排名第 2。

PWN

checkin

带有沙箱的可见字符 shellcode 题。(注:下面的反编译代码在页面提取时似乎丢失了部分比较运算符,例如 for 循环的条件部分,且在末尾被截断。)

int __fastcall main(int argc, const char **argv, const char **envp){ __int64 v3; // rbx __int64 v4; // rbx __int64 v5; // rbx unsigned __int64 v7; // [rsp+8h] [rbp-28h] char *v8; // [rsp+10h] [rbp-20h] int i; // [rsp+1Ch] [rbp-14h] v8 = (char *)mmap((void *)0x20230000, 0x1000uLL, 7, 34, -1, 0LL); if ( v8 == (char *)-1LL ) { perror("mmap"); exit(1); } write(1, "Give me your shellcode: ", 0x18uLL); v7 = read(0, v8 + 0x30, 0x100uLL); for ( i = 0; i { if ( (v8[i + 48] '`' || v8[i + 48] > 'z') && (v8[i + 48] '@' || v8[i + 48] > 'Z') && (v8[i + 48] '/' || v8[i + 48] > '9') && v8[i + 48] != '/' ) { printf("Invalid character: %c\n", (unsigned int)v8[i]); exit(1); } } v3 = qword_4088; *(_QWORD *)v8 = payload; *((_QWORD *)v8 + 1) = v3; v4 = qword_4098; *((_QWORD *)v8 + 2) = qword_4090; *((_Q
………………………………