Binary Instrumentation 2

Published: April 2, 2025 | Updated: December 9, 2025

Description

This follow-up Windows binary is meant to write the flag to disk, and the intended solve hooks the file-writing API calls to capture it. In practice the executable still carries the flag, Base64-encoded, among its printable strings, so no instrumentation is needed.

Unzip bininst2.zip (password: picoctf) to obtain bininst2.exe.

Run strings over the executable (or carve it first with binwalk -e if the flag were hidden inside an embedded file) and look for a Base64 token beginning with cGljb0NUR, which is what "picoCTF{" encodes to.

wget https://challenge-files.picoctf.net/.../bininst2.zip
unzip bininst2.zip # password: picoctf
strings bininst2.exe | grep -o 'cGljb0NUR[A-Za-z0-9+/=]*' | base64 -d   # -o keeps only the Base64 token, so stray text on the same line does not break the decode

Solution

  1. Step 1: Hunt for the payload
    Even without Frida, running strings (optionally against extracted sections) reveals `cGljb0NURntmcjFkYV9mMHJf...`. That Base64 string encodes the flag. If the ASCII scan comes up empty on a Windows binary, rerun with `strings -e l` to pick up UTF-16LE strings, which the default scan skips.
  2. Step 2: Decode to finish
    Pipe only the Base64 token into base64 -d (or CyberChef) to retrieve picoCTF{fr1da_f0r_b1n_in5trum3nt4tion!...}.
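The same hunt written out in Python, as an added example that is not part of the original writeup: it emulates strings for both ASCII and UTF-16LE runs, anchors on the Base64 of the flag prefix rather than on a whole line, and decodes only tokens that actually yield picoCTF{. The byte blob and both flag texts are constructed for the example (not the real bininst2.exe or its flag); to use it on the real file, pass open("bininst2.exe", "rb").read() to find_encoded_flags.

```python
import base64
import binascii
import re

# Constructed sample: a fake "binary" with a Base64 flag among its strings.
# This is NOT bininst2.exe, and the flag text is made up for the example.
SAMPLE_FLAG = b"picoCTF{constructed_example_flag_not_the_real_one}"
SAMPLE_WIDE_FLAG = b"picoCTF{constructed_wide_string_variant}"
SAMPLE_BIN = (
    b"MZ\x90\x00"                                          # fake DOS header
    + bytes(range(256))                                    # binary noise
    + b"kernel32.dll\x00CreateFileW\x00WriteFile\x00"      # typical import names
    + b"flag=" + base64.b64encode(SAMPLE_FLAG) + b"\x00"   # ASCII, with junk before it
    + "a wide string".encode("utf-16-le") + b"\x00\x00"
    + base64.b64encode(SAMPLE_WIDE_FLAG).decode().encode("utf-16-le")  # UTF-16LE copy
    + b"\x00\x00"
)

FLAG_PREFIX = b"picoCTF{"


def b64_prefix(prefix: bytes) -> bytes:
    """Base64 symbols fully determined by `prefix`: each symbol carries 6 bits,
    so only floor(8*len/6) leading symbols are fixed whatever follows."""
    fixed = len(prefix) * 8 // 6
    return base64.b64encode(prefix + b"\x00\x00")[:fixed]


def printable_runs(blob: bytes, min_len: int = 8):
    """Emulate `strings` (ASCII) and `strings -e l` (UTF-16LE) on a byte blob."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    wide_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, blob):
        yield m.group()
    for m in re.finditer(wide_run, blob):
        yield m.group()[::2]  # drop the interleaved NUL bytes


def decode_base64_token(token: bytes):
    """Decode a Base64 token, repairing missing '=' padding; None if invalid."""
    token = token.rstrip(b"=")
    token += b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_encoded_flags(blob: bytes, prefix: bytes = FLAG_PREFIX) -> list:
    """Return every Base64-encoded flag found among the blob's printable strings.

    Unlike `grep cGljb0NUR | base64 -d`, this anchors on the encoded prefix
    inside the string (junk before it is ignored), stops at the first byte
    outside the Base64 alphabet, and truncates at the closing brace."""
    pattern = re.compile(re.escape(b64_prefix(prefix)) + rb"[A-Za-z0-9+/]*={0,2}")
    found = []
    for run in printable_runs(blob):
        for token in pattern.findall(run):
            decoded = decode_base64_token(token)
            if decoded is None or not decoded.startswith(prefix):
                continue
            end = decoded.find(b"}", len(prefix))
            found.append(decoded if end == -1 else decoded[: end + 1])
    return found


if __name__ == "__main__":
    for flag in find_encoded_flags(SAMPLE_BIN):
        print(flag.decode())
```

The prefix anchoring matters more than it looks: Base64 has no alignment marker, so a token that does not start exactly at the encoded "picoCTF{" decodes to garbage, and the shell one-liner on the page only works because the token happens to sit alone on its line.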

Flag

picoCTF{fr1da_f0r_b1n_in5trum3nt4tion!_b21a...}

The intended path was to instrument CreateFile/WriteFile via Frida and read the flag as it is written, but static decoding of the embedded string works just as well.