Description
Unlike the earlier Picker challenges, Picker IV is a compiled binary. It prompts for an address and calls it directly, so supplying the address of win() prints the flag.
Setup
Binary analysis
Download picker-IV artifacts
Fetch both picker-IV and picker-IV.c so you can review the logic or compile locally.
Use objdump or Ghidra to locate the address of win().
wget https://artifacts.picoctf.net/c/529/picker-IV.c
wget https://artifacts.picoctf.net/c/529/picker-IV
objdump -D picker-IV | less
Solution
- Step 1: Resolve win()
  Disassembling the binary shows win at 0x40129e. Because the service jumps to whatever address you supply, without checking it, that value is all you need.
- Step 2: Send the address remotely
  Connect to the provided host and enter 40129e at the prompt. The program asks for the address in hex without the 0x prefix, parses the input as a hex number and calls it as a function pointer, so execution lands in win().
  printf "40129e\n" | nc saturn.picoctf.net 56193
- Step 3: Copy the flag
  win() prints the picoCTF flag directly, so no further decoding is needed.
Flag
picoCTF{n3v3r_jump_t0_u53r_5uppl13d_4ddr355...1af4}
Because there is no validation on the destination address, pointing execution at win() is trivial. It helps that the binary is not position independent: win() sits at the fixed address 0x40129e, so no leak of a load base is needed before the jump.