Dream Diary: Chapter 3

@WhurbinAranore Feel free to PM me if you are still stuck on that stage.

Just finished it, great challenge! If anyone would be interested in discussing solutions, please send me a PM.

Beautiful challenge, I learned a lot about both heap and shellcoding. After pwning it, I came here and saw that getting a shell was possible, while I got the flag with a bit of “dancing”. If someone could explain to me how to get a shell, I would be grateful.

In my case, I needed to rebase the heap base address by 0x410. Looking at the heap in my local environment, just running the challenge, there is a freed chunk of size 0x410 with the message: "Welcome to Dream Diary: Chapter 3! The return of a Dream Diary with modern protections!". I guess that the remote instance does not store this string on the heap, and that’s why all heap addresses must be rebased by 0x410 bytes. Does it make sense?

Anyways, thanks for the challenge!!