Isaimini.6

There is to win from the interpreter – it is only reachable via a function pointer stored in the global variable callback . The pointer is used after the instruction loop finishes:

*(uint64_t*)regs[dst] = regs[src]; regs[dst] is taken directly from a user‑controlled register index. The interpreter that dst is within 0‑15 . If we use a register index of 0x10 (16) , regs[16] points past the allocated register array, landing in the .bss area where the global variable callback lives: isaimini.6

Note : The actual binary uses a – each instruction occupies 1‑byte opcode followed by the required operands (packed tightly). Ghidra’s decompiler shows the exact parsing logic in parse_input . 4.3. The win Function At address 0x00401b10 : There is to win from the interpreter –

Success! If the real binary prints the flag, you will see it after Success! . (gdb) file isaimini.6 (gdb) set disassembly-flavor intel (gdb) break *0x00401430 # break at start of execute() (gdb) run (gdb) x/4gx $rsp # view saved RIP after HLT (gdb) x/gx 0x00603010 # examine callback after ST (gdb) continue You should see that after the ST instruction the memory at 0x00603010 holds 0x401b10 . When the interpreter reaches the final if(callback) check, it jumps to that address and prints the success message. 8. Full Exploit Script (Python / pwntools) #!/usr/bin/env python3 from pwn import * If we use a register index of 0x10

regs[0] -> 0x00602000 regs[1] -> 0x00602008 ... regs[15] -> 0x00602078 regs[16] -> 0x00602080 <-- this is exactly the address of `callback` Therefore, a overwrites callback with the address of win .