
# Isaimini.6

May 2026

**Category:** Reverse Engineering / Binary Exploitation
**Difficulty:** Medium – Hard (depending on your familiarity with custom byte‑code interpreters)
**Points:** 425 (CTF‑2024)

## 1. Challenge Overview

The challenge provides a single 64‑bit ELF binary called `isaimini.6` and a small text file named `input.txt` (optional). The binary is an interpreter for a tiny “ISA‑mini” instruction set (the name comes from the challenge author’s earlier “isa‑mini” series).

The program reads a user‑supplied string (up to 256 bytes), parses it as a sequence of ISA‑mini instructions, executes them, and finally prints either `Success!` or `Failure!`.

## The register file

```c
uint64_t regs[16]; // r0 … r15
uint64_t pc;       // program counter (index into insts[])
```

All registers are initialised to 0. The register file is stored in the `.bss` section at a fixed address (e.g., `0x00602000`).

## The instruction set

| Opcode (hex) | Mnemonic | Operands | Description |
|--------------|----------|----------|-------------|
| 0x01 | `MOV Rdst, imm` | dst (4 bits), imm (8 bytes) | `regs[dst] = imm` |
| 0x02 | `ADD Rdst, Rsrc` | dst (4), src (4) | `regs[dst] += regs[src]` |
| 0x03 | `SUB Rdst, Rsrc` | same as ADD | subtraction |
| 0x04 | `LD Rdst, [Rsrc]` | dst (4), src (4) | `regs[dst] = *(uint64_t*)regs[src]` |
| 0x05 | `ST [Rdst], Rsrc` | dst (4), src (4) | `*(uint64_t*)regs[dst] = regs[src]` |
| 0x06 | `JMP imm` | imm (8 bytes) | `pc = imm` |
| 0x07 | `JEQ Rsrc, Rdst, imm` | src (4), dst (4), imm (8) | `if (regs[src] == regs[dst]) pc = imm` |
| 0x08 | `NOP` | – | no‑op |
| 0x09 | `HLT` | – | terminate execution (calls `puts("Success!")` if `regs[0] == 0xdeadbeef`) |

**Note:** in the actual binary each instruction occupies a 1‑byte opcode followed by the required operands (packed tightly). Ghidra’s decompiler shows the exact parsing logic in `parse_input`.

## 4.3. The win Function

At address `0x00401b10`:

```c
if (callback != NULL)
    ((void (*)(void))callback)();
```

`callback` is a global 8‑byte variable at `0x00603010`, initialised to 0. The only way to set it is through the `ST` instruction (store to memory).

## Building the payload

```python
from pwn import p64

win_addr = 0x00401b10  # address of the win function (see above)

# Instead of assembling, we manually encode:
payload  = b"\x01\x01" + p64(win_addr)  # MOV r1, win
payload += b"\x05\x10\x01"              # ST [r16], r1 (write win → callback)
payload += b"\x09"                      # HLT
```
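The opcode table and the note on byte-packed encoding describe the format, and the win/callback section explains why an unchecked `ST` is the instruction that matters. The block below is an added example, not code from the writeup or from the challenge binary: an ISA-mini assembler, disassembler and bounds-checked emulator that an analyst can use to decode and dry-run an input file offline. It assumes the operand layout implied by the manually encoded payload (one byte per register operand, 8-byte little-endian immediates, no padding); the sandbox window `MEM_BASE`/`MEM_SIZE`, the `MAX_STEPS` limit and the function names `assemble`, `disassemble` and `emulate` are my own choices, not anything in the binary.

```python
import struct

# Opcode table transcribed from the writeup. The operand layout is an ASSUMPTION
# inferred from the hand-encoded payload: 1 byte per register, 8-byte LE immediates.
OPS = {
    0x01: ("MOV", ("reg", "imm")),         # regs[dst] = imm
    0x02: ("ADD", ("reg", "reg")),         # regs[dst] += regs[src]
    0x03: ("SUB", ("reg", "reg")),         # regs[dst] -= regs[src]
    0x04: ("LD",  ("reg", "reg")),         # regs[dst] = *(uint64_t*)regs[src]
    0x05: ("ST",  ("reg", "reg")),         # *(uint64_t*)regs[dst] = regs[src]
    0x06: ("JMP", ("imm",)),               # pc = imm
    0x07: ("JEQ", ("reg", "reg", "imm")),  # if regs[src] == regs[dst]: pc = imm
    0x08: ("NOP", ()),
    0x09: ("HLT", ()),                     # stop; Success! iff regs[0] == 0xdeadbeef
}
OPCODE = {name: op for op, (name, _) in OPS.items()}
NREGS, MASK64 = 16, (1 << 64) - 1
# Private memory window for LD/ST (assumed values, not the binary's layout).
MEM_BASE, MEM_SIZE, MAX_STEPS = 0x10000, 0x1000, 10_000

def assemble(program):
    """program: list of (mnemonic, operand, ...) tuples -> raw ISA-mini bytes."""
    out = bytearray()
    for mnem, *args in program:
        op = OPCODE[mnem]
        kinds = OPS[op][1]
        if len(args) != len(kinds):
            raise ValueError(f"{mnem} expects {len(kinds)} operands")
        out.append(op)
        for kind, val in zip(kinds, args):
            if kind == "reg":
                if not 0 <= val < NREGS:
                    raise ValueError(f"register index {val} out of range")
                out.append(val)
            else:
                out += struct.pack("<Q", val & MASK64)
    return bytes(out)

def disassemble(blob):
    """raw bytes -> list of (offset, mnemonic, operands); raises on bad input."""
    insts, i = [], 0
    while i < len(blob):
        op = blob[i]
        if op not in OPS:
            raise ValueError(f"unknown opcode 0x{op:02x} at offset {i}")
        name, kinds = OPS[op]
        j, args = i + 1, []
        for kind in kinds:
            width = 1 if kind == "reg" else 8
            if j + width > len(blob):
                raise ValueError(f"truncated {name} at offset {i}")
            args.append(blob[j] if width == 1 else struct.unpack_from("<Q", blob, j)[0])
            j += width
        insts.append((i, name, tuple(args)))
        i = j
    return insts

def emulate(insts):
    """Run decoded instructions with range-checked registers and a private memory
    window, so an untrusted input can be triaged without touching the host process."""
    regs, mem = [0] * NREGS, bytearray(MEM_SIZE)
    pc = steps = cur = 0

    def reg(i):  # the check the challenge interpreter would need on every operand
        if not 0 <= i < NREGS:
            raise IndexError(f"register index {i} out of range (0..{NREGS - 1})")
        return i

    def off(addr, what):  # LD/ST may only touch the sandbox window, 8 bytes at a time
        if not (MEM_BASE <= addr and addr + 8 <= MEM_BASE + MEM_SIZE):
            raise IndexError(f"{what} at 0x{addr:x} outside sandbox")
        return addr - MEM_BASE

    try:
        while steps < MAX_STEPS:
            cur = pc
            if not 0 <= pc < len(insts):
                raise IndexError(f"pc {pc} outside program")
            _, name, a = insts[pc]
            pc, steps = pc + 1, steps + 1
            if name == "MOV":
                regs[reg(a[0])] = a[1] & MASK64
            elif name in ("ADD", "SUB"):
                d, s = reg(a[0]), reg(a[1])
                regs[d] = (regs[d] + (regs[s] if name == "ADD" else -regs[s])) & MASK64
            elif name == "LD":
                regs[reg(a[0])] = struct.unpack_from("<Q", mem, off(regs[reg(a[1])], "load"))[0]
            elif name == "ST":
                struct.pack_into("<Q", mem, off(regs[reg(a[0])], "store"), regs[reg(a[1])])
            elif name == "JMP":
                pc = a[0]
            elif name == "JEQ" and regs[reg(a[0])] == regs[reg(a[1])]:
                pc = a[2]
            elif name == "HLT":
                verdict = "Success!" if regs[0] == 0xdeadbeef else "Failure!"
                return {"result": verdict, "regs": regs, "violation": None}
        return {"result": "step-limit", "regs": regs, "violation": None}
    except IndexError as e:
        return {"result": "violation", "regs": regs, "violation": f"inst {cur}: {e}"}
```

Fed the writeup's own payload bytes, `disassemble()` recovers `MOV r1, 0x401b10` / `ST [r16], r1` / `HLT`, and `emulate()` stops at instruction 1 with a register-index violation instead of performing the store; a program that stores to `0x00603010` directly is stopped by the sandbox-window check. Those two checks (register index below 16, memory accesses confined to a window the interpreter owns) are the ones whose absence lets a store reach `callback`, and the step limit keeps a `JMP`-to-self input from hanging the triage run.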
