Description
A challenge about Windows internals. Analyze the Windows executable to find the flag.
Setup
Download the executable.
```bash
wget <url>/B1ll_Gat35.exe
```
Solution
Walk me through it
Step 1: Examine the PE binary
Run file and strings on the .exe file. Identify the executable type (32-bit vs 64-bit, .NET or native). Native PE files can be analyzed in Ghidra or Radare2.
```bash
file B1ll_Gat35.exe
strings B1ll_Gat35.exe | head -50
strings B1ll_Gat35.exe | grep -i pico
```
PE (Portable Executable) is Windows' binary format, analogous to ELF on Linux. A PE file has a DOS header (starts with MZ), a PE header, section headers, and sections including .text (code), .data (initialized data), .rdata (read-only data, where strings live), and .rsrc (resources).
If it is a .NET assembly, use dnSpy or dotPeek for decompilation. If it is a native binary, use Ghidra, x64dbg, or IDA.
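As an added example (not part of the original write-up), here is the header walk from step 1 in Python: it follows the DOS header to the PE signature, reads the COFF and optional headers to decide PE32 vs PE32+ and native vs .NET (a nonzero CLR runtime header data directory marks a managed image), lists the section table, and pulls printable strings out of .rdata, which is what `file` and `strings | grep -i pico` report. The sample images it parses are constructed in memory so it runs offline, and the flag-shaped string inside them is a placeholder, not the challenge's flag; the script name `pe_triage.py` is assumed. Run it on a real file with `python pe_triage.py B1ll_Gat35.exe`.

```python
"""Header-level triage of a Windows PE file: bitness, native vs .NET, sections, strings.

Added example, not part of the original write-up. Sample images are constructed
in memory; the flag value inside them is a placeholder.
Usage on a real file:  python pe_triage.py B1ll_Gat35.exe
"""
import re
import struct
import sys

MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:    # PE32: 32-bit, data directories begin at optional-header offset 96
        bits, dd_offset = 32, 96
    elif magic == 0x20B:  # PE32+: 64-bit, data directories begin at offset 112
        bits, dd_offset = 64, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes sits just before the directory table; guard the CLR lookup with it.
    (num_dirs,) = struct.unpack_from("<I", data, opt + dd_offset - 4)
    clr_rva = clr_size = 0
    if num_dirs > CLR_DIRECTORY_INDEX and opt_size >= dd_offset + 8 * (CLR_DIRECTORY_INDEX + 1):
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dd_offset + 8 * CLR_DIRECTORY_INDEX)
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"bits": bits, "machine": MACHINES.get(machine, "0x%x" % machine),
            "managed": clr_rva != 0 and clr_size != 0, "sections": sections}


def describe(info):
    """One-line summary in the spirit of `file`."""
    return "PE32%s executable (%s), %s" % ("+" if info["bits"] == 64 else "", info["machine"],
                                            ".NET/CLR" if info["managed"] else "native")


def extract_strings(blob, min_len=4):
    """Same idea as `strings`: runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def section_strings(data, info, name=".rdata"):
    """Strings from one section only (.rdata is where compilers place string literals)."""
    for sec in info["sections"]:
        if sec["name"] == name:
            return extract_strings(data[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]])
    return []


def find_flag_candidates(strings, prefix="picoCTF{"):
    """Equivalent of `strings ... | grep -i pico`, narrowed to the flag format."""
    return [s for s in strings if prefix.lower() in s.lower()]


# --- constructed sample data so the script is self-contained ---------------------------
SAMPLE_RDATA = (b"KERNEL32.dll\0lstrcmpA\0Enter password: \0"
                b"picoCTF{constructed_sample_flag}\0\x01\x02\x03abc\0")


def build_sample_pe(bits, managed, rdata):
    """Build a minimal, header-consistent PE with one .rdata section (constructed, not a real binary)."""
    dd_offset = 96 if bits == 32 else 112
    opt_size = dd_offset + 16 * 8
    dirs = [(0, 0)] * 16
    if managed:
        dirs[CLR_DIRECTORY_INDEX] = (0x2008, 0x48)  # any nonzero RVA/size marks a CLR image
    opt = struct.pack("<H", 0x10B if bits == 32 else 0x20B)
    opt += b"\0" * (dd_offset - 4 - len(opt)) + struct.pack("<I", 16)  # NumberOfRvaAndSizes = 16
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C if bits == 32 else 0x8664, 1, 0, 0, 0, opt_size, 0x0002)
    raw_ptr = 0x200  # file offset of the section's raw bytes
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata),
                          raw_ptr, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    image = dos + b"PE\0\0" + coff + opt + section
    return image + b"\0" * (raw_ptr - len(image)) + rdata


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(64, False, SAMPLE_RDATA)
    info = parse_pe(data)
    print(describe(info))
    for sec in info["sections"]:
        print("  %-8s rva=0x%x raw=0x%x size=0x%x" % (sec["name"], sec["rva"], sec["raw_ptr"], sec["raw_size"]))
    for s in find_flag_candidates(section_strings(data, info)):
        print("candidate:", s)
```

The CLR-directory check is the reliable way to tell a .NET assembly from a native binary: a managed image still carries a native PE stub, so `file` alone can be ambiguous, while the runtime header directory is only populated for CLR images. That is the decision point for choosing dnSpy/dotPeek over Ghidra.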
Step 2: Load in Ghidra or run in Wine
On Linux, use Ghidra for static analysis. If you need dynamic analysis, run the executable under Wine. On Windows, use x64dbg for dynamic debugging.
```bash
ghidra B1ll_Gat35.exe &
# Or with Wine:
wine B1ll_Gat35.exe
```
Ghidra handles PE files natively on any OS. After auto-analysis, navigate to the main function (search for the entry point in the Symbol Tree). The Windows API calls (MessageBox, CreateFile, etc.) provide context for understanding what the program does.
Step 3: Find the password check and extract the flag
Look for string comparison functions (lstrcmpA, strcmp, etc.) or conditional jumps after an input read. Trace the expected password or flag value.
Windows API functions for string comparison: lstrcmpA (ANSI) and lstrcmpW (Unicode/wide). In Ghidra, these appear as function calls with two pointer arguments. Both arguments are usually visible in the decompilation: one is the user input and the other is the expected value.
Flag
picoCTF{...}
Analyze the Windows PE executable in Ghidra to find the password check logic and extract the hardcoded flag.