Checkpass picoCTF 2021 Solution

Published: April 2, 2026

Description

Can you figure out the password to this program? Provide the correct input to have the binary print the flag.

Download the binary and make it executable.

bash
wget https://mercury.picoctf.net/static/.../checkpass
bash
chmod +x checkpass
  1. Step 1: Try ltrace to intercept library calls
    Run the binary under ltrace to intercept all dynamic library calls, especially strcmp and strncmp. The password being compared against will appear in the ltrace output.
    bash
    ltrace ./checkpass AAAA 2>&1
    bash
    ltrace ./checkpass 'picoCTF{test}' 2>&1

    ltrace intercepts dynamic library calls made by a program (similar to strace for system calls). Every call to a C library function like strcmp, printf, malloc, or strcpy is printed with its arguments and return value. For password checking programs that use strcmp(user_input, correct_password), ltrace reveals the correct password in plaintext without any reverse engineering of the binary.

    What success looks like. A real ltrace line for the password compare looks like this:

    strcmp("AAAA", "picoCTF{s3cur3_p4ss}")  = -1
            ^       ^
            |       the answer (second arg of strcmp)
            your guess

    The non-zero return value (-1 or 1) is strcmp telling you the strings differ; the second argument is the answer in plaintext.

    Limitation: ltrace only works for dynamically linked binaries. If the binary is statically linked or uses inline comparison code, ltrace will not show the strcmp call. In that case, fall back to GDB. For the broader landscape of CLI tools that crack open dynamic-binary behavior, see Linux CLI for CTF.

  2. Step 2: Verify with the discovered password
    Run the binary with the password found in the ltrace output. The binary should print the flag.
    bash
    ./checkpass 'picoCTF{...}'

    strace is the companion to ltrace: it traces system calls (kernel interactions like open, read, write, execve) rather than library calls. For programs that read the expected password from a file, strace shows the open and read calls, revealing the filename. For programs that check a password character by character in hand-written code (no library calls), neither ltrace nor strace helps - use GDB or Ghidra.
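
The limitation noted in Step 1 can be checked before reaching for ltrace. The following is an added example, not part of the original writeup: it reads the ELF program headers and reports whether the binary requests a dynamic loader (PT_INTERP), plus a rough hint on whether strcmp is named in its string tables. The function names `elf_linkage`, `ltrace_can_show` and `sample_elf64` are hypothetical, and the sample ELF bytes are constructed for illustration.

```python
import struct
import sys

PT_INTERP = 3  # program header type: path of the dynamic loader

def elf_linkage(data: bytes) -> str:
    """Classify file contents as 'dynamic', 'static' or 'not-elf'."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    if data[4] == 2:                        # EI_CLASS: 2 = ELF64
        if len(data) < 0x40:
            return "not-elf"
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                   # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                           # truncated program header table
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "dynamic"
    # No loader requested: static or static-PIE, so there are no PLT calls to hook.
    return "static"

def ltrace_can_show(data: bytes, func: bytes = b"strcmp") -> bool:
    """Heuristic: dynamic ELF whose string tables contain the function name."""
    return elf_linkage(data) == "dynamic" and b"\0" + func + b"\0" in data

def sample_elf64(p_types, extra=b""):
    """Constructed test input: minimal little-endian ELF64 header + program headers."""
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types) + extra

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print(elf_linkage(blob), "| strcmp visible to ltrace:", ltrace_can_show(blob))
```

A "static" result, or a dynamic binary with no strcmp name, is the signal to go straight to GDB or Ghidra as described above.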

Flag

picoCTF{...}

ltrace intercepts dynamic library calls including strcmp - the correct password appears in plaintext in the ltrace output without any disassembly required.
