crackme-py

Published: April 2, 2026

Description

Download the Python script crackme.py and find how to get the flag from the bezos_cc_secret variable.

Download crackme.py.

wget <url>/crackme.py

Solution

  1. Step 1: Read the source and identify the decode function
    Open crackme.py and read it. You will find two variables: bezos_cc_secret (the encoded flag) and a decode_secret function that reverses the encoding. The script normally prompts for input and checks it, but the decode function is exposed and callable directly.
    cat crackme.py

    The script uses a ROT47-variant Caesar cipher. ROT47 shifts printable ASCII characters (code points 33–126) by 47 positions cyclically. Like ROT13, applying it twice returns the original -- making it self-inverse. The decode_secret function implements this shift on the encoded string stored in bezos_cc_secret.

    The key insight in reverse engineering is recognizing when a program already contains its own decryption routine. Rather than reimplementing the algorithm, you can simply call the existing function with the right input. This is a common pattern in crackme challenges and real malware analysis.

  2. Step 2: Call decode_secret directly on the hardcoded value
    Use exec() to load the script into the current Python session, which defines all its functions and variables. Then call decode_secret(bezos_cc_secret) directly to decode the flag without needing to know the password.
    python3 -c "exec(open('crackme.py').read()); print(decode_secret(bezos_cc_secret))"

    exec(open('crackme.py').read()) evaluates the entire script as Python code in the current namespace. This defines all functions and variables from crackme.py -- including decode_secret and bezos_cc_secret -- without triggering the if __name__ == '__main__' block that would prompt for a password.

    This technique works because the encoding key is implicit in the decode function itself -- the function does not require a separate secret key argument. Any encoding scheme that embeds its own decryption logic alongside the ciphertext provides no real security; the attacker just needs to locate and call that logic.
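As an added illustration (not the challenge's own crackme.py, whose decode_secret may order its alphabet differently from textbook ROT47), the following implements the ROT47 shift over printable ASCII 33–126 described in Step 1, checks the self-inverse property, and mirrors the point from Step 2: a decode routine that carries its own fixed shift needs no password, so calling it on the stored ciphertext is enough. The bezos_cc_secret value here is constructed from a placeholder flag, not the real one.

```python
# Added example: textbook ROT47 as the writeup describes it, not the
# challenge's own crackme.py. The "secret" below is constructed from a
# placeholder flag.

PRINTABLE_LO, PRINTABLE_HI, SHIFT = 33, 126, 47
SPAN = PRINTABLE_HI - PRINTABLE_LO + 1  # 94 printable ASCII characters


def rot47(text: str) -> str:
    """Shift each printable ASCII character by 47 positions, wrapping
    within 33..126. Characters outside that range (space, newline) are
    passed through unchanged."""
    out = []
    for ch in text:
        cp = ord(ch)
        if PRINTABLE_LO <= cp <= PRINTABLE_HI:
            out.append(chr(PRINTABLE_LO + (cp - PRINTABLE_LO + SHIFT) % SPAN))
        else:
            out.append(ch)
    return "".join(out)


def is_self_inverse(text: str) -> bool:
    """47 is half of 94, so applying the shift twice is the identity."""
    return rot47(rot47(text)) == text


def decode_secret(secret: str) -> str:
    """A decoder with its key baked in, like the challenge's: no password
    argument, so anyone holding the script can call it directly."""
    return rot47(secret)


# Constructed stand-in for the hardcoded variable in crackme.py.
PLACEHOLDER_FLAG = "picoCTF{not_the_real_flag}"
bezos_cc_secret = rot47(PLACEHOLDER_FLAG)


def recover_flag() -> str:
    """What the one-liner in Step 2 does: call the exposed decoder on the
    stored ciphertext, never touching the password prompt."""
    return decode_secret(bezos_cc_secret)


if __name__ == "__main__":
    print("encoded      :", bezos_cc_secret)
    print("decoded      :", recover_flag())
    print("self-inverse :", is_self_inverse(PLACEHOLDER_FLAG))
```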

Flag

picoCTF{...}

The script verifies input but also exposes the decode function -- just call it on the hardcoded encoded value to extract the flag directly.
