perplexed picoCTF 2025 Solution

Description

1. Step 1Analyze the check routine
   Decompiling check reveals a 0x17-byte array local_58 and two nested loops that compare each bit of the user input to each bit of local_58. The function also requires an exact 27-byte password (strlen(input) == 0x1b).
   Learn more

   Static reverse engineering is the process of analyzing a compiled binary without executing it. Tools like Ghidra (free, NSA-developed), IDA Pro (industry standard), and Binary Ninja disassemble machine code and use heuristics to reconstruct higher-level pseudocode. The decompiler output isn't perfect C, but it reveals the structure of loops, conditionals, and data accesses well enough to understand the algorithm.

   Ghidra names stack variables by offset from the saved frame pointer. The slots in check map cleanly: local_58 is the 23-byte hardcoded array, local_20 is the bit counter (0..7) inside the inner loop, local_2c is the byte accumulator that gets emitted every 8 bits, and local_30 / local_34 are the per-iteration bit masks computed from the bit index. When you read an unfamiliar decompilation, lining up these stack slots with their roles is what turns "wall of pseudocode" into "I can replay this".

   The byte-array literals print with signed values like (char)-0x1f because Ghidra renders signed char; that is the two's-complement of the raw byte. -0x1f equals 0xe1 at the byte level, and Python lines them up via value & 0xff when you need an unsigned reading. When a binary is stripped (compiled without debug symbols), function names like check are replaced with addresses; Ghidra still finds boundaries via prologue/epilogue heuristics, but you rename as you go. Symbols can sometimes be recovered by matching code against known library versions, a technique called FLIRT (Fast Library Identification and Recognition Technology) in IDA.

2. Step 2Recreate the bit logic in Python
   Right-click the local_58 array in Ghidra and copy the 23 literal values (some appear as signed bytes - keep them as the negative ints Ghidra prints, since Python signs map cleanly via & 0xff if needed). Reproduce the nested loops: for every set bit in local_58, set the matching bit in an accumulator and emit a character every 8 bits.
   python

   python3 - <<'PY'
   local_58 = [-0x1f, -0x59, 0x1e, -8, ord('u'), ord('#'), ord('{'), ord('a'), -0x47, -99, -4, ord('Z'), ord('['), -0x21, ord('i'), 0xd2, -2, 0x1b, -0x13, -0xc, -0x13, ord('g'), -0xc]
   flag = []
   local_20 = 0
   local_2c = 0
   for value in local_58:
       for bit in range(8):
           if local_20 == 0:
               local_20 = 1
           local_30 = 1 << (7 - bit)
           local_34 = 1 << (7 - local_20)
           if value & local_30:
               local_2c |= local_34
           local_20 += 1
           if local_20 == 8:
               flag.append(chr(local_2c))
               local_20 = 0
               local_2c = 0
   print(''.join(flag))
   PY

   Copied!
   Learn more

   Bit manipulation is a favourite obfuscation technique in CTF reverse engineering challenges. By operating on individual bits rather than whole bytes or characters, the author makes it harder to immediately recognize the algorithm from the decompiled output. Common bit operations include XOR masking, bit rotation (ROL/ROR), interleaving bit fields from two values, and permuting individual bit positions.

   The key insight for this challenge is that the check function is deterministic - given the same local_58 array (which is hardcoded in the binary), it always accepts exactly one password. Rather than guessing the password, you replay the same logic in Python to compute what the password must be. This "emulate the validator" approach works whenever the comparison function has no randomness and the key material is embedded in the binary.

   Python is ideal for this kind of reconstruction because its integers are arbitrary precision (no overflow surprises), it handles signed/unsigned values transparently when you use & 0xFF or ctypes.c_int8, and list comprehensions make bit manipulation loops compact. Alternatively, tools like angr (a symbolic execution engine) can automatically find inputs that satisfy a binary's constraints without manual analysis - useful for more complex validation logic.

3. Step 3Submit the recovered password
   Running the script prints the picoCTF flag in plaintext. The first 8 bytes of the buffer should already read picoCTF{ after the bit loop completes - if they don't, your bit indexing is wrong (most often an off-by-one in the inner mask). Paste the string back into the program to see "Correct!! :D" and submit the same string as the challenge answer.
   Learn more

   This final step validates your understanding of the algorithm. If the script's output triggers "Correct!! :D" when fed to the binary, you've successfully reversed the bit permutation. If not, the most common errors are off-by-one mistakes in the bit indexing, incorrect handling of signed vs. unsigned bytes from the Ghidra decompilation, or mis-transcribed constants from the local_58 array.

   A useful debugging technique is to run the binary under GDB and set a breakpoint inside check to observe what value the loop is building on each iteration, then compare that to your Python output at each step. The pwndbg and GEF GDB plugins add rich visualization of registers, stack frames, and memory - making dynamic analysis much more comfortable than vanilla GDB.

   For competitive CTF play, the "reversed algorithm" technique generalizes broadly: if you can understand what transformations a binary applies to your input before comparing it to a target, you can invert those transformations on the target to recover the expected input. This works for XOR ciphers, custom hash functions, encoding schemes, and many other challenge types.

Alternate Solution

Flag

The 23 encoded bytes in `local_58` already contain the password, so no bruteforce is required once you mirror the bit loop in a higher-level language. Running the script prints the flag directly.