Description
A sleepy Windows executable supposedly needs instrumentation to wake up, but its strings already reveal a Base64-encoded flag. Extract the packed archive, inspect the binary, and decode the message.
Fetch the archive and unzip it with the password picoctf to obtain bininst1.exe.
Run strings/binwalk on the binary or its extracted sections to look for human-readable clues.
wget https://challenge-files.picoctf.net/c_verbal_sleep/.../bininst1.zip
unzip bininst1.zip # password: picoctf
strings bininst1.exe | grep -i flag
echo "cGljb0NURnt3NGtlX20zX3VwX3cxdGhfZnIxZGFfZjI3YWNjMzh9" | base64 -d

Solution
- Step 1: Extract the binary
Unzip the provided archive and inspect bininst1.exe. binwalk -e can extract embedded sections if you want to search smaller blobs.
Learn more
Static analysis examines a binary without executing it, and is often the first step in reverse engineering. Tools like strings, file, binwalk, and disassemblers such as Ghidra or IDA Pro extract information from the raw bytes of an executable. Even heavily obfuscated binaries often leak human-readable strings in their data sections.

The strings command scans a file for sequences of printable ASCII (or Unicode) characters of a minimum length (default 4). On Windows PE files this commonly reveals function names, error messages, URLs, registry keys, and - as in this challenge - encoded payloads that were embedded at compile time. Running strings | grep -i flag narrows the output immediately.

binwalk goes further by recognizing known file format signatures embedded within a binary - compressed archives, file systems, certificates, and more. The -e flag automatically extracts everything it recognizes. This is especially useful for firmware analysis and for binaries that self-unpack additional resources at runtime.
- Step 2: Decode the hidden string
strings reveals "Ok, I'm Up! The flag is: <Base64>". Decode that string with base64 -d (or CyberChef) to recover picoCTF{...}.
Learn more
Base64 is an encoding scheme (not encryption) that represents arbitrary binary data using only 64 printable ASCII characters: A–Z, a–z, 0–9, +, and /, with = for padding. Because it is reversible without any key, any data encoded in Base64 is trivially recoverable - it is designed for safe transport, not secrecy.

Developers sometimes Base64-encode strings to avoid special characters breaking parsers, or mistakenly believe it provides obfuscation. In CTF challenges it is one of the most common trivial encodings to recognize and reverse. The giveaway is usually a string that ends with one or two = signs and uses only the Base64 alphabet. Tools like CyberChef can auto-detect and decode Base64 in a single click.

The title "Binary Instrumentation 1" refers to Frida, a dynamic instrumentation toolkit that lets you inject JavaScript into running processes, hook function calls, and modify behavior at runtime. The intended solve path would hook MessageBoxA or similar Windows API calls to capture output. The fact that static analysis also works demonstrates that proper secret storage requires runtime generation, not compile-time embedding.
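The strings scan and the Base64 recognition described in the two steps above, combined in one script as an added example that is not part of the original writeup. It goes slightly beyond the page by also scanning UTF-16LE strings and by confirming candidates through decoding instead of looking for trailing = signs; SAMPLE, SECRET and TOKEN are constructed values, not bytes from bininst1.exe.

```python
import base64
import binascii
import re

# Printable-ASCII runs, as strings finds them (default minimum length 4).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE runs (printable byte + NUL), the wide strings common in PE files.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Runs of Base64-alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in data."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def decode_candidates(strings: list[str]) -> list[tuple[str, str]]:
    """Return (token, text) for tokens that decode to printable ASCII."""
    hits = []
    for s in strings:
        for token in B64_TOKEN.findall(s):
            if len(token) % 4:  # padded Base64 length is a multiple of 4
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except binascii.Error:
                continue
            # API names also fit the alphabet; keep only readable output.
            if raw and all(0x20 <= b <= 0x7E for b in raw):
                hits.append((token, raw.decode("ascii")))
    return hits


# Constructed sample standing in for a PE data section; these are not
# bytes from bininst1.exe, and SECRET is a made-up value.
SECRET = "picoCTF{constructed_sample}"
TOKEN = base64.b64encode(SECRET.encode()).decode()  # 36 chars, no '=' padding
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"UnhandledExceptionFilter\x00\x00"
          + f"Ok, I'm Up! The flag is: {TOKEN}".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for token, text in decode_candidates(extract_strings(SAMPLE)):
        print(f"{token} -> {text}")
```

To scan a real file, pass its contents (read in binary mode) to extract_strings in place of SAMPLE.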
Flag
picoCTF{w4ke_m3_up_w1th_fr1da_f27a...}
Despite the title, no instrumentation is required; plain static inspection suffices.