Bbbbloat picoCTF 2022 Solution

Published: July 20, 2023

Description

A heavily bloated binary makes static analysis tedious - there are many irrelevant functions. But it boils down to one integer comparison: find the magic value and enter it as input.

Ghidra quickly identifies the magic constant in main() even through all the bloat.

Download the binary and make it executable.

Open in Ghidra (or run in the picoCTF web shell), find main(), and read the integer comparison.

```bash
wget https://artifacts.picoctf.net/c/172/bbbbloat && chmod +x bbbbloat
```
  1. Step 1: Identify the magic constant in Ghidra
    Open the binary in Ghidra, navigate to the main function, and look for where your scanned input is compared to a constant. The comparison is if (input == 0x86187). In decimal that is 549255.
    ```bash
    # Open in Ghidra, run auto-analysis, find main(), read the if-check value
    ```

    The binary uses scanf to read an integer from the user and then compares it against a hardcoded constant. All the surrounding function calls are irrelevant bloat that does not affect the outcome. Ghidra's decompiler folds through constant propagation and shows the comparison plainly once you find main().

    Hex to decimal: 0x86187 = 8*65536 + 6*4096 + 1*256 + 8*16 + 7 = 549255. In Ghidra, right-click the hex constant in the decompiler and pick "Convert to Decimal" to avoid doing the arithmetic by hand.

    Heuristic for spotting bloat in the decompiler: long chains of nested function calls whose return value is discarded; loops with no observable side effect; functions that rebuild data they already have. Skip past those and look at where the input flows: scanf to a variable to a cmp. Trace forward from the input read; ignore everything else.

  2. Step 2: Enter the magic value to get the flag
    Run the binary normally and enter 549255 (0x86187) when prompted. It prints the flag.
    ```bash
    echo '549255' | ./bbbbloat
    ```

    Piping the value directly via echo 'VALUE' | ./binary is a quick way to automate providing input without interactive prompts. The binary reads from stdin, and the pipe connects stdout of echo to stdin of the binary.

    This challenge teaches that code complexity (bloat) is not the same as security. True security requires cryptographic key material or secrets that cannot be recovered from static analysis - not just confusing code structure. A hardcoded comparison value is always recoverable with Ghidra.
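The two points above (the input flows straight from scanf into a single compare against an immediate, and a hardcoded compare value is always recoverable from the image) are illustrated by the following added C example. It is not code from the challenge or from picoCTF: `check_plain` reproduces the challenge's pattern with the page's value 0x86187; `check_hashed` stores only a digest of the secret (FNV-1a 32-bit is used purely to keep the example dependency-free, and the digest constant was precomputed by hand from that function); `contains_le32` is a small defender check that scans an image for the raw little-endian secret, run here against two constructed byte strings (not real bbbbloat bytes) standing in for a plain and a hashed build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The challenge's pattern: the secret itself is an immediate in the binary. */
#define MAGIC 0x86187u /* 549255, the value the page reads out of main() */

int check_plain(int input) {
    return (uint32_t)input == MAGIC;
}

/* FNV-1a 32-bit over a byte buffer. Non-cryptographic; chosen only so the
   example needs no library. Any real build would use a proper KDF/hash. */
static uint32_t fnv1a32(const unsigned char *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Serialize little-endian explicitly so the digest is host-byte-order independent. */
static void put_le32(unsigned char out[4], uint32_t v) {
    out[0] = (unsigned char)(v & 0xFF);
    out[1] = (unsigned char)((v >> 8) & 0xFF);
    out[2] = (unsigned char)((v >> 16) & 0xFF);
    out[3] = (unsigned char)((v >> 24) & 0xFF);
}

static uint32_t hash_u32(uint32_t v) {
    unsigned char b[4];
    put_le32(b, v);
    return fnv1a32(b, 4);
}

/* Hardened pattern: only a digest of the secret is stored.
   Assumed value, precomputed as hash_u32(MAGIC). */
#define MAGIC_DIGEST 0x1D68F9D5u

int check_hashed(int input) {
    return hash_u32((uint32_t)input) == MAGIC_DIGEST;
}

/* Defender check: does an image contain the raw 32-bit secret as a
   little-endian immediate anywhere in its bytes? */
int contains_le32(const unsigned char *img, size_t n, uint32_t v) {
    unsigned char pat[4];
    put_le32(pat, v);
    for (size_t i = 0; i + 4 <= n; i++) {
        if (memcmp(img + i, pat, 4) == 0) return 1;
    }
    return 0;
}

/* Constructed stand-ins for two compiled images (not real bbbbloat bytes).
   "3D 87 61 08 00" is x86 "cmp eax, 0x86187", i.e. the plain comparison;
   the hashed build compares against the digest instead. */
static const unsigned char IMAGE_PLAIN[]  = { 0x55, 0x48, 0x89, 0xE5, 0x3D, 0x87, 0x61, 0x08, 0x00, 0x75, 0x10 };
static const unsigned char IMAGE_HASHED[] = { 0x55, 0x48, 0x89, 0xE5, 0x3D, 0xD5, 0xF9, 0x68, 0x1D, 0x75, 0x10 };

int plain_image_leaks_secret(void)  { return contains_le32(IMAGE_PLAIN,  sizeof IMAGE_PLAIN,  MAGIC); }
int hashed_image_leaks_secret(void) { return contains_le32(IMAGE_HASHED, sizeof IMAGE_HASHED, MAGIC); }

int main(void) {
    printf("check_plain(549255)  = %d\n", check_plain(549255));
    printf("check_hashed(549255) = %d\n", check_hashed(549255));
    printf("plain image contains 0x86187:  %d\n", plain_image_leaks_secret());
    printf("hashed image contains 0x86187: %d\n", hashed_image_leaks_secret());
    return 0;
}
```

The scan shows the structural difference the writeup is making: the plain build carries 549255 verbatim, so a decompiler (or even a byte search) recovers it, while the hashed build carries only the digest. The caveat a practitioner should keep in mind is that hiding a 32-bit integer behind a hash changes nothing in practice, because the whole input space can be enumerated offline in seconds; the digest pattern only helps when the secret is high-entropy key material, or when the check is moved off the client entirely, which is the point the paragraph above makes about bloat not being security.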

Flag

picoCTF{cu7_7h3_bl047_695...}

Ghidra reveals the magic comparison value (549255 / 0x86187). Enter it when prompted and the binary prints the flag.
