Description
Can you look at the data in this binary? Download static and ltdis.sh.
Setup
Download both static and ltdis.sh from the challenge page.
Confirm the binary type before running tools that assume a specific format.
wget <url>/staticwget <url>/ltdis.shfile staticSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Run ltdis.sh on the binaryObservationThe challenge provided two downloads, a binary called static and a shell script called ltdis.sh, which suggested the script was specifically designed to extract readable data from that binary and was the intended first step.ltdis.sh runsstrings -o static(or similar) on the binary and saves output to a.strings.txtfile alongside it. Run it, then list the generated text files to find the output filename.bashbash ltdis.sh staticbashls *.txtExpected output
picoCTF{d15a5m_t34s3r_...}What didn't work first
Tried: Run strings directly on the binary without ltdis.sh and print to the terminal.
Running
strings staticprints thousands of lines to stdout with no output file created. You can still grep the terminal output with a pipe, but ltdis.sh is specifically provided to save the output to static.ltdis.strings.txt for persistent inspection. Skipping the script means missing the expected file and potentially the intended workflow for finding the flag offset.Tried: Run bash ltdis.sh without making it executable first.
If you try
./ltdis.sh staticinstead ofbash ltdis.sh static, the shell returns a permission denied error because the downloaded script does not have the execute bit set. The fix is eitherbash ltdis.sh static(which invokes bash directly) orchmod +x ltdis.sh && ./ltdis.sh static. The challenge download does not preserve the executable bit.Learn more
The
stringsutility scans any binary file and extracts sequences of printable ASCII characters above a minimum length (default 4). This works because compiled programs often contain embedded text: error messages, URLs, version strings, author credits, and - in CTFs - flags. Even without source code,stringsis one of the first tools any reverse engineer runs on an unknown binary.Shell scripts as wrappers:
ltdis.shis a bash script that wrapsstringswith specific options and redirects output to a predictably named file. Writing wrapper scripts around existing tools is a common Unix practice - it standardizes arguments, captures output for later analysis, and makes workflows repeatable. The name "ltdis" likely stands for "light disassembly" or similar.Static vs. dynamic analysis: The challenge title "Static Ain't Always Noise" plays on two meanings of "static." In reverse engineering, static analysis means examining a binary without executing it - reading its bytes, running
strings, disassembling withobjdump, or decompiling with Ghidra. Dynamic analysis means running the program and observing its behavior. Both are complementary and important skills.Step 2
Search for the flagObservationI noticed that ltdis.sh saves the extracted strings to a text file named static.ltdis.strings.txt, which contains thousands of lines, so grepping for the picoCTF{ prefix was the fastest way to isolate the flag from all the surrounding binary metadata.Grep the output file for the picoCTF prefix. If nothing matches, lower the strings minimum length (default is 4) - the flag may be a short word in a longer transformation. Filter to lines starting withpicoCTF{if multiple matches appear.bashgrep '^picoCTF{' static.ltdis.strings.txtbash# If no matches, re-run strings with a smaller minimum length:bashstrings -n 3 static | grep -i picoWhat didn't work first
Tried: Grep the binary file directly instead of the generated text file.
Running
grep 'picoCTF' staticon the raw binary produces garbled output because grep processes binary data byte-by-byte without the length-filtering and offset alignment that strings provides. The flag bytes are present in the file but surrounded by null bytes and non-printable characters, so the match either does not display cleanly or triggers grep's 'binary file matches' message with no text shown. Always grep the strings output file, not the binary itself.Tried: Search for 'pico' case-sensitively and miss the flag.
The flag prefix 'picoCTF{' contains a capital C and T, so
grep 'pico' static.ltdis.strings.txtmatches correctly - butgrep 'PICO'orgrep 'PicoCTF'would not. More commonly, solvers anchor with^picoand miss the flag because the strings output includes an offset column at the start of each line (e.g.1234 picoCTF{...}), so the line does not start with 'pico'. Usegrep 'picoCTF'without the caret anchor, or strip the offset column first.Learn more
grep(Global Regular Expression Print) searches text for lines matching a pattern. It's an indispensable Unix tool for filtering large outputs. In CTF work, grepping for known patterns likepicoCTF,flag, orFLAGquickly filters thousands of lines of binary output down to the one line you care about.A compiled binary can easily contain thousands of strings - library function names, debug symbols, format strings, linker metadata, and more. Without
grep, manually scanningstatic.ltdis.strings.txtwould take minutes. With it, the search takes milliseconds. Usefulgrepflags for CTF work:-i- case-insensitive search (matchespicoctf,PICOCTF, etc.)-n- show line numbers so you can find context in the file-A 2 -B 2- show 2 lines of context around each match-r- recurse into directories (useful when output is split across files)
Why flags appear in binaries: Flag-checking programs typically compare user input against a stored value. The simplest approach stores the flag as a literal string, making it trivially extractable with
strings. More sophisticated challenges encode, encrypt, or generate the flag at runtime to prevent this - but even then, static analysis often reveals key clues.
Interactive tools
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
- File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
Flag
Reveal flag
picoCTF{d15a5m_t34s3r_...}
ltdis.sh runs strings on the binary and saves output; the flag is embedded as a plaintext string.