Description
The executable was designed to write the flag but it seems like a few things went wrong. Can you find a way to get it to work? Download the binary bin-ins3.zip (password: picoctf).
Download and extract bin-ins3.zip using the password 'picoctf'.
Inspect the binary to understand what it's supposed to do.
```
unzip -P picoctf bin-ins3.zip
chmod +x bin-ins3
file bin-ins3
```
Solution
- Step 1: Run the binary and observe nothing is written
  The binary calls WriteFile() to output the flag, but the nNumberOfBytesToWrite parameter is set to zero, so no bytes are written. The flag exists in memory but is never output. Frida will let you intercept and fix this call at runtime.
  ```
  unzip -P picoctf bin-ins3.zip
  ./bin-ins3
  # No output -- WriteFile called with 0 bytes
  ```
- Step 2: Hook WriteFile() with Frida to fix the byte count
  Write a Frida script that intercepts the Windows WriteFile() API call and overrides the nNumberOfBytesToWrite argument (the 3rd parameter) with the actual length of the flag buffer.
  ```
  pip install frida-tools
  cat > fix.js << 'EOF'
  // Frida script: hook WriteFile and fix nNumberOfBytesToWrite
  const WriteFile = Module.getExportByName("kernel32.dll", "WriteFile");
  Interceptor.attach(WriteFile, {
    onEnter(args) {
      // args[2] = nNumberOfBytesToWrite (currently 0)
      const bufPtr = args[1];
      // Read until null terminator to find actual length
      const content = bufPtr.readUtf8String();
      if (content && content.length > 0) {
        args[2] = ptr(content.length);
        console.log("Fixed WriteFile byte count to:", content.length);
        console.log("Content:", content);
      }
    }
  });
  EOF
  frida -l fix.js ./bin-ins3
  ```
- Step 3: Read the flag from the output
  With the byte count fixed, WriteFile outputs the flag to stdout or the target file. Read it from the Frida console output.
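A variant of the Step 2 hook, added here as an example and not part of the original write-up: it patches only calls whose byte count is zero, measures the buffer in bytes rather than JavaScript string length, and bounds the read. `MAX_SCAN` and the helper names are assumptions chosen for illustration; the length logic is kept in plain functions so it can be checked outside Frida.

```javascript
// Added example, not the write-up's script. MAX_SCAN, cStringByteLength
// and fixedByteCount are hypothetical names used for illustration.
const MAX_SCAN = 256; // upper bound on bytes inspected per WriteFile call

// Byte length of the NUL-terminated string at the start of `bytes`
// (a Uint8Array). Returns 0 when no terminator lies inside the view,
// so an unterminated buffer is never written past the scanned window.
function cStringByteLength(bytes) {
  const end = bytes.indexOf(0);
  return end === -1 ? 0 : end;
}

// Value to place in nNumberOfBytesToWrite: calls that already request
// data are left alone; zero-length calls get the measured byte length.
function fixedByteCount(requested, bytes) {
  if (requested !== 0) return requested;
  return cStringByteLength(bytes);
}

// The hook itself only runs inside Frida, where Interceptor exists.
if (typeof Interceptor !== "undefined") {
  const WriteFile = Module.getExportByName("kernel32.dll", "WriteFile");
  Interceptor.attach(WriteFile, {
    onEnter(args) {
      const requested = args[2].toInt32();
      if (requested !== 0) return; // not the broken call, do not touch it
      let raw;
      try {
        raw = args[1].readByteArray(MAX_SCAN); // ArrayBuffer copy of lpBuffer
      } catch (e) {
        return; // buffer not readable for MAX_SCAN bytes, leave the call as is
      }
      const count = fixedByteCount(requested, new Uint8Array(raw));
      if (count > 0) {
        args[2] = ptr(count);
        console.log("WriteFile: patched byte count 0 ->", count);
      }
    }
  });
}
```
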
Flag
picoCTF{b1n_1nstrum3nt4t10n_3_...}
The binary calls WriteFile() with nNumberOfBytesToWrite = 0, preventing any output. A Frida script intercepting WriteFile() and overriding the byte count argument with the real flag length causes the flag to be written.