Description
What can you do with a file that has been WebAssembly compiled? Find the flag on the website.
Setup
Open the challenge URL in your browser.
Solution
- Step 1: Find and download the WASM binary
  Open the browser's Network tab (DevTools > Network) and reload the page. Look for a request returning a binary file or base64 blob with a .wasm extension or a Content-Type of application/wasm. Download it.
Learn more
WebAssembly (WASM) is a binary instruction format designed for execution in web browsers alongside JavaScript. It compiles from languages like C, C++, or Rust and runs at near-native speed. WASM modules are fetched over HTTP just like JavaScript files -- they appear in the Network tab as requests with Content-Type application/wasm.
- Step 2: Decompile the WASM to WAT text format
  Use wasm2wat (from the WebAssembly Binary Toolkit, WABT) to convert the binary WASM file to its human-readable WAT (WebAssembly Text Format) equivalent. Search the output for the picoCTF string.
    wasm2wat xSAR1.wasm -o xSAR1.wat
    grep -i pico xSAR1.wat
Learn more
WAT (WebAssembly Text Format) is the textual representation of WASM bytecode. It uses S-expression syntax (like Lisp) and is fully reversible from WASM -- no information is lost in decompilation. String literals from the original source code are embedded as data segments in the WASM binary and appear verbatim in the WAT output.
This is a fundamental property of compiled languages: string constants survive compilation. Strings like flag values, error messages, and format strings are stored in the data section of the binary and can be extracted with tools like strings, wasm2wat, or a hex editor. Always search compiled binaries for string literals before attempting deeper reverse engineering.
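To show where those strings sit in the binary, here is an added example (not part of the original write-up) that walks a module's sections, reads the data section (id 11) and searches each segment for the flag pattern. The function names and the SAMPLE module are constructed for illustration; SAMPLE is not the challenge binary.

```python
import re

def read_leb(buf, pos):
    """Decode one LEB128 integer as unsigned; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def data_segments(module):
    """Yield (memory_offset_or_None, bytes) for each data segment (section id 11)."""
    if module[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a WebAssembly version 1 module")
    pos = 8
    while pos < len(module):
        section_id = module[pos]
        size, pos = read_leb(module, pos + 1)
        end = pos + size
        if section_id == 11:
            count, pos = read_leb(module, pos)
            for _ in range(count):
                kind, pos = read_leb(module, pos)   # 0/2 = active, 1 = passive
                offset = None
                if kind == 2:                       # explicit memory index
                    _, pos = read_leb(module, pos)
                if kind in (0, 2):                  # offset expression, then `end`
                    opcode = module[pos]
                    operand, pos = read_leb(module, pos + 1)
                    if opcode not in (0x41, 0x23) or module[pos] != 0x0B:
                        raise ValueError("unsupported offset expression")
                    pos += 1
                    if opcode == 0x41:              # i32.const; global.get stays None
                        offset = operand
                length, pos = read_leb(module, pos)
                yield offset, module[pos:pos + length]
                pos += length
        pos = end

def find_flags(module, pattern=rb"picoCTF\{[^}]*\}"):
    """Return (memory_address, text) for each pattern match in the data segments."""
    return [(None if off is None else off + m.start(), m.group().decode())
            for off, data in data_segments(module)
            for m in re.finditer(pattern, data)]

# Constructed sample (not the challenge binary): one memory, one segment at 1024.
TEXT = b"picoCTF{constructed_example}\x00"
SAMPLE = (b"\x00asm\x01\x00\x00\x00" + b"\x05\x03\x01\x00\x01"
          + bytes([11, 7 + len(TEXT), 1, 0, 0x41, 0x80, 0x08, 0x0B, len(TEXT)]) + TEXT)
print(find_flags(SAMPLE))
```

To run it against a downloaded module, pass the file's bytes, for example find_flags(open("xSAR1.wasm", "rb").read()).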
Flag
picoCTF{...}
WebAssembly binaries compile to a readable WAT text format -- string constants in the original source survive compilation and are visible in decompiled output.