Toggle search
Toggle menu
15
844
8
5,564
LCD wiki
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

Isaimini.6 Here

FUN_00401000 entry point (main) FUN_00401200 parse_input FUN_00401430 execute FUN_00401780 op_add FUN_00401810 op_sub FUN_004018c0 op_load FUN_00401950 op_store FUN_00401b10 win int main(void) char buf[256]; read(0, buf, 256); parse_input(buf); execute(); puts("Failure!"); return 0;

# Send payload p = process(binary) p.send(payload) print(p.recvall().decode()) Running this script prints the flag (or “Success!”). | Technique | Why it mattered | |-----------|-----------------| | Static analysis of a stripped binary | Ghidra’s decompiler can

uint64_t regs[16]; // r0 … r15 uint64_t pc; // program counter (index into insts[]) All registers are initialised to 0 . The register file is stored in the .bss section at a fixed address (e.g., 0x00602000 ). | Opcode (hex) | Mnemonic | Operands | Description | |--------------|----------|----------|-------------| | 0x01 | MOV Rdst, imm | dst (4 bits) , imm (8 bytes) | regs[dst] = imm | | 0x02 | ADD Rdst, Rsrc | dst (4) , src (4) | regs[dst] += regs[src] | | 0x03 | SUB Rdst, Rsrc | same as ADD | subtraction | | 0x04 | LD Rdst, [Rsrc] | dst (4) , src (4) | regs[dst] = *(uint64_t*)regs[src] | | 0x05 | ST [Rdst], Rsrc | dst (4) , src (4) | *(uint64_t*)regs[dst] = regs[src] | | 0x06 | JMP imm | imm (8 bytes) | pc = imm | | 0x07 | JEQ Rsrc, Rdst, imm | src (4) , dst (4) , imm (8) | if(regs[src]==regs[dst]) pc = imm | | 0x08 | NOP | – | no‑op | | 0x09 | HLT | – | terminate execution (calls puts("Success!") if regs[0]==0xdeadbeef ) | isaimini.6

payload=$(printf '\x01\x01\x10\x1b\x40\x00\x00\x00\x00\x00\x05\x10\x01\x09') # Make the binary executable chmod +x isaimini.6

Putting it together (little‑endian encoding for the immediate): | Opcode (hex) | Mnemonic | Operands |

The program reads a user‑supplied string (up to 256 bytes) from , parses it as a sequence of ISA‑mini instructions, executes them, and finally prints either Success! or Failure! .

Category : Reverse Engineering / Binary Exploitation Difficulty : Medium – Hard (depending on your familiarity with custom byte‑code interpreters) Points : 425 (CTF‑2024) 1. Challenge Overview The challenge provides a single 64‑bit ELF binary called isaimini.6 and a small text file named input.txt (optional). The binary is an interpreter for a tiny “ISA‑mini” instruction set (the name comes from the challenge author’s earlier “isa‑mini” series). imm | dst (4 bits)

The goal is to craft an input that makes the interpreter print . The binary contains a hidden “secret” flag, but the only way to retrieve it is to cause the interpreter to call the function win() that prints the flag. 2. Files | File | Description | |------|-------------| | isaimini.6 | 64‑bit ELF executable (stripped, no debug symbols). | | input.txt | Empty starter file – you may ignore it and pipe your own payload to the binary. |