NCTF 2023 Writeup --Polaris战队

本次 NCTF 2023，我们Polaris战队排名第2。PWNcheckin带有沙箱的可见字符shellcode。int __fastcall main(int argc, const char **argv, const char **envp){  __int64 v3; // rbx  __int64 v4; // rbx  __int64 v5; // rbx  unsigned __int64 v7; // [rsp+8h] [rbp-28h]  char *v8; // [rsp+10h] [rbp-20h]  int i; // [rsp+1Ch] [rbp-14h]  v8 = (char *)mmap((void *)0x20230000, 0x1000uLL, 7, 34, -1, 0LL);  if ( v8 == (char *)-1LL )  {    perror("mmap");    exit(1);  }  write(1, "Give me your shellcode: ", 0x18uLL);  v7 = read(0, v8 + 0x30, 0x100uLL);  for ( i = 0; i  {    if ( (v8[i + 48] '`' || v8[i + 48] > 'z')      && (v8[i + 48] '@' || v8[i + 48] > 'Z')      && (v8[i + 48] '/' || v8[i + 48] > '9')      && v8[i + 48] != '/' )    {      printf("Invalid character: %c\n", (unsigned int)v8[i]);      exit(1);    }  }  v3 = qword_4088;  *(_QWORD *)v8 = payload;  *((_QWORD *)v8 + 1) = v3;  v4 = qword_4098;  *((_QWORD *)v8 + 2) = qword_4090;  *((_Q ………………………………