Description
The SafeOpener Java program stores an encoded password. Decode it, then wrap the plaintext inside picoCTF{…} to submit.
Open the Java source: `openSafe()` defines the Base64-encoded password (`encodedkey`).
Extract the string, decode it, and either run the program with that password or directly wrap it with picoCTF{...}.
```bash
cat SafeOpener.java | grep encodedkey | sed -n '5p' | cut -d '"' -f2 | base64 -d
java SafeOpener.java # optional sanity check
```
Solution
- Step 1: Read the source. The main method simply compares the user input (Base64-encoded) against the constant stored in `encodedkey`. No reversing needed; just decode.
- Step 2: Format the flag. Take the decoded password, prepend `picoCTF{` and append `}` to produce the final submission.
Flag
picoCTF{pl3as3_l3t_m3_1nt0_th...}
The challenge reinforces that storing secrets in client-side code (even encoded) offers no real protection.
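A review-time check for the pattern this challenge illustrates, as an added example that is not part of the original write-up: it scans Java source for string literals that are valid Base64 and decode to printable text, which is all the "protection" an encoded constant provides. The sample source, the password `constructed_example_pw` and the function names are constructed for illustration.

```python
import base64
import re

# Constructed stand-in for the challenge source; the password is made up here
# and is not the real challenge value.
ENCODED = base64.b64encode(b"constructed_example_pw").decode()
SAMPLE_JAVA = '''
public class SafeOpener {
    public static boolean openSafe(String password) {
        String encodedkey = "@KEY@";
        String prompt = "Enter password for the safe: ";
        return password.equals(encodedkey);
    }
}
'''.replace("@KEY@", ENCODED)

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_if_base64(literal, min_len=16):
    """Return the decoded text if literal is strict Base64 of printable ASCII, else None."""
    if len(literal) < min_len or len(literal) % 4 or not BASE64_SHAPE.fullmatch(literal):
        return None
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def find_encoded_literals(source):
    """Return (line_number, literal, decoded) for each Base64-looking string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            decoded = decode_if_base64(match.group(1))
            if decoded is not None:
                findings.append((lineno, match.group(1), decoded))
    return findings


if __name__ == "__main__":
    for lineno, literal, decoded in find_encoded_literals(SAMPLE_JAVA):
        print(f"line {lineno}: {literal!r} decodes to {decoded!r}")
```

Unlike a fixed line offset, this keys on the shape of the literal, so it still finds the constant if the source is reordered; the minimum length and printable-ASCII filter keep ordinary strings such as prompts out of the findings.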