Description
WASM with more complex obfuscation. Multiple layers of transformation are applied to your input before the comparison. Reverse all layers to find the flag.
Setup
Open the challenge URL with DevTools, download the WASM file from the Network tab.
wasm2wat xSAR4.wasm -o xSAR4.watSolution
Walk me through it- Step 1Static analysis: decompile and locate the comparisonTry static analysis first - it is often faster and tells you exactly what the WASM is doing. Decompile to WAT, then search for the comparison instruction the validator uses. If after 10 minutes the transformation pipeline is still opaque, escalate to dynamic analysis (next step).bash
wasm2wat xSAR4.wasm -o xSAR4.watbashwc -l xSAR4.watbash# Find the comparison: memcmp, byte-wise eq/ne, or strcmpbashgrep -nE 'call \$memcmp|i32\.eq|i32\.ne|call \$strcmp' xSAR4.watLearn more
Some Assembly Required 4 typically combines XOR encoding, character permutation, and possibly additional arithmetic transformations. The static-first approach is: decompile the WASM, trace the transformation pipeline in order, then apply the inverse transformations in reverse order to the expected output value. The grep above pulls every plausible comparison primitive in one pass; the validation function is almost always one of those.
- Step 2Dynamic: dump expected bytes via the debuggerOpen Chrome DevTools > Sources > find the WASM module. Set a breakpoint at the comparison instruction located in the previous step. Submit any input; when the breakpoint hits, read the comparison buffer out of WASM linear memory using the DevTools console.js
// In the DevTools console while paused at the breakpoint:js// 'instance' is exposed by the page (or look in window.* / Module).jsconst mem = new Uint8Array(instance.exports.memory.buffer, OFFSET, LENGTH);js// Replace OFFSET and LENGTH with the values you saw on the operand stackjs// at the cmp instruction.jsconsole.log(Array.from(mem));Learn more
Browser WASM debugging is extremely powerful for reverse engineering. Chrome and Firefox both support stepping through WASM instructions, setting breakpoints, and inspecting linear memory. When the WASM comparison function runs, the expected bytes are loaded into memory and compared to your transformed input - at that moment, reading the memory at the comparison address reveals the target value directly.
Accessing memory. The console expression is
new Uint8Array(instance.exports.memory.buffer, offset, length). The handle to the WASMinstancedepends on how the page loads it: some pages bind it towindow, others to a global calledModule, and Emscripten output usesModule._memory. Inspectwindowin the console to find the right handle.Workflow split. Run dynamic analysis only to dump the raw expected-comparison bytes. Then leave the browser, decode in Python (apply any remaining inverse transformations identified statically), and submit the recovered string in the browser. This separates "observe one value" (browser) from "compute the inverse" (Python script) and is much faster than trying to do everything inside DevTools.
- Step 3Reconstruct the flag from memory inspectionFrom the breakpoint, read the bytes at the expected-value memory address. This gives you the final transformed value. If needed, apply inverse transformations using Python. Otherwise the memory may already contain the flag in plaintext.bash
# In browser console after hitting breakpoint: # Read WASM linear memory as a Uint8Array # and decode the bytes at the expected addresspythonpython3 - <<'EOF' # If additional decoding is needed after extracting bytes from WASM memory: raw_bytes = bytes([...]) # bytes from WASM memory # Apply inverse transformations identified from static analysis # ... print(raw_bytes.decode('ascii', errors='replace')) EOFLearn more
WASM linear memory is a flat array of bytes (a
WebAssembly.Memoryobject backed by anArrayBuffer). You can read it directly from JavaScript in the browser console using the memory export. In the DevTools console, after pausing at a breakpoint:new Uint8Array(wasmModule.instance.exports.memory.buffer, offset, length)readslengthbytes starting atoffset.
Flag
picoCTF{...}
Dynamic analysis via the browser's WASM debugger reveals the expected comparison value at runtime - bypassing even complex multi-layer static obfuscation without needing to reverse it mathematically.