Description
A stripped 64-bit ELF asks for a password and only prints “Wrong :(” when you guess incorrectly. Reverse the bitwise `check` function to reconstruct the expected bytes and feed them back to the program.
Setup
Grab the binary, mark it executable, and run it once to see the password prompt.
Load the executable into Ghidra (or IDA/Hopper) and inspect `main`, which forwards user input to `check`.
```bash
wget https://challenge-files.picoctf.net/c_verbal_sleep/2326718ce11c5c89056a46fce49a5e46ab80e02d551d87744306ae43a4767e06/perplexed
chmod +x perplexed && ./perplexed
```
Solution
- Step 1: Analyze the check routine. Decompiling `check` reveals a 0x17-byte array `local_58` and two nested loops that compare each bit of the user input to each bit of `local_58`. The function also requires an exact 27-byte password (`strlen(input) == 0x1b`).
- Step 2: Recreate the bit logic in Python. Copy the literal values from `local_58` into a Python list and reproduce the nested loops: for every bit that is set in `local_58`, set the corresponding bit in an accumulator byte, and append the byte whenever the bit counter reaches eight. Because the counter restarts at 1, each output character is built from seven bits. This mirrors what `check` does internally, except you build the string yourself.

  ```bash
  python3 - <<'PY'
  # Values copied from the decompiler; Ghidra shows bytes >= 0x80 as negative
  # chars. Python's & on a negative int behaves like two's complement, so the
  # bit tests below still see the right byte pattern.
  local_58 = [-0x1f, -0x59, 0x1e, -8, ord('u'), ord('#'), ord('{'), ord('a'),
              -0x47, -99, -4, ord('Z'), ord('['), -0x21, ord('i'), 0xd2,
              -2, 0x1b, -0x13, -0xc, -0x13, ord('g'), -0xc]
  flag = []
  local_20 = 0   # bit position inside the current output character
  local_2c = 0   # accumulator for the current output character
  for value in local_58:
      for bit in range(8):
          # Skip bit 7 of every output character: positions run 1..7 only.
          if local_20 == 0:
              local_20 = 1
          local_30 = 1 << (7 - bit)        # mask into the encoded byte
          local_34 = 1 << (7 - local_20)   # mask into the output character
          if value & local_30:
              local_2c |= local_34
          local_20 += 1
          if local_20 == 8:
              # Seven bits collected: emit the character and start over.
              flag.append(chr(local_2c))
              local_20 = 0
              local_2c = 0
  print(''.join(flag))
  PY
  ```
- Step 3: Submit the recovered password. Running the script prints the picoCTF flag in plaintext. Paste it back into the program to see “Correct!! :D” and submit the same string as the challenge answer.
Flag
picoCTF{0n3_bi7_4t_a_...}
The encoded bytes in `local_58` already contain the flag, so no brute force is required once you mirror the loop in a higher-level language.
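The loop in Step 2 is one instance of a general scheme: 7-bit ASCII packed MSB-first into a byte stream. The following added example (not part of the original write-up or the challenge binary) implements both directions so the decoding can be checked by round trip; `to_unsigned`, `unpack7` and `pack7` are hypothetical helper names, and only the first seven values of `local_58` are reused as a known-prefix check.

```python
def to_unsigned(values):
    """Fold the signed char values a decompiler prints into bytes (0..255)."""
    return bytes(v & 0xFF for v in values)


def unpack7(data):
    """Treat data as one MSB-first bit stream and read 7 bits per character.

    Trailing bits that do not fill a 7-bit group are ignored.
    """
    stream = int.from_bytes(data, "big")
    nbits = len(data) * 8
    chars = []
    for i in range(nbits // 7):
        shift = nbits - 7 * (i + 1)
        chars.append(chr((stream >> shift) & 0x7F))
    return "".join(chars)


def pack7(text):
    """Inverse of unpack7: pack 7-bit characters, zero-padding the last byte."""
    acc, nbits = 0, 0
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError(f"{ch!r} does not fit in 7 bits")
        acc = (acc << 7) | code
        nbits += 7
    pad = -nbits % 8
    return (acc << pad).to_bytes((nbits + pad) // 8, "big")


# First seven entries of local_58 from Step 2 (56 bits = eight characters).
PREFIX_VALUES = [-0x1f, -0x59, 0x1e, -8, ord('u'), ord('#'), ord('{')]

if __name__ == "__main__":
    print(unpack7(to_unsigned(PREFIX_VALUES)))
    sample = "CTF{constructed_sample}"   # constructed test string, not the flag
    packed = pack7(sample)
    # When len(text) % 8 == 7 the padding is a full 7-bit group and decodes
    # as a trailing NUL, so strip it before comparing.
    print(packed.hex(), unpack7(packed).rstrip("\x00") == sample)
```

Passing the full `local_58` list through `to_unsigned` and `unpack7` yields the same string as the Step 2 script.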