Isaimini.6 May 2026

void win(void) puts("Success!"); // In the real challenge this prints the flag, e.g. // system("/bin/cat flag.txt");

if (callback != NULL) ((void (*)(void))callback)(); callback is a global 8‑byte variable at 0x00603010 , initialised to 0 . The only way to set it is through the ST instruction (store to memory). isaimini.6

The program reads a user‑supplied string (up to 256 bytes) from , parses it as a sequence of ISA‑mini instructions, executes them, and finally prints either Success! or Failure! . void win(void) puts("Success

Putting it together (little‑endian encoding for the immediate): The program reads a user‑supplied string (up to

*(uint64_t*)regs[dst] = regs[src]; regs[dst] is taken directly from a user‑controlled register index. The interpreter that dst is within 0‑15 . If we use a register index of 0x10 (16) , regs[16] points past the allocated register array, landing in the .bss area where the global variable callback lives: