PicoGym FACTCHECK (5/30/25)
- Erickson Prenatt
- May 31
Walkthrough of challenge "FactCheck" from the picoCTF picoGym.
The first thing I did was run the file through PEstudio to give me some idea of what I was working with. Some things to note:
1) PEstudio shows 142 strings, so the file is most likely not packed.
2) What may be half of the flag is visible: "picoCTF{wELF_d0N3_mate_"
3) It is an ELF file.
Since it is not a packed file, we should be able to put this in Ghidra.
The first thing I like to do in Ghidra is find the main() function. This is the start of the code and a good place to find info about what the code is doing. When we decompile the code, we can see it was written in C++. The code starts off by declaring some strings, 2 chars, and a long.
Below the initial creation of variables, there are 2 sections of code. One section adds values of the strings it just initialized. The other section uses logic to check the value of a string, then adds a value to the half flag string if the logic returns true and adds nothing if it returns false. The variable local_248 contains our half flag.
We know it is adding to the string local_248 because of the "+=" operation. For example, this code snippet:
pcVar2 = (char *)std::__cxx11::string::operator[]((ulong)local_208);
if (*pcVar2 < 'B') {
  std::__cxx11::string::operator+=(local_248,local_c8);
}
This would add the data in local_c8 to the string local_248 if the character read from local_208 is less than the value of "B". The value of local_208 is 5, which is set in the first section of the code. To get the numeric value of B we can use an ASCII symbol-to-decimal chart: https://www.ascii-code.com/
To solve the challenge, follow this logic and you will get the flag!
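The same evaluation as a script, added here as an example and not part of the original walkthrough: it parses Ghidra-style text in the shape of the snippet above and replays each guarded append by ASCII value. Every variable name and value other than local_208 = "5" and the target local_248 is a constructed placeholder, and reading index 0 in operator[] is an assumption because the decompiler output does not show the index.

```python
import operator
import re

OPS = {"<": operator.lt, ">": operator.gt, "==": operator.eq,
       "!=": operator.ne, "<=": operator.le, ">=": operator.ge}
INDEX = re.compile(r"operator\[\]\(\(ulong\)(\w+)\)")
COND = re.compile(r"if \(\*\w+ (<=|>=|==|!=|<|>) '(.)'\)")
APPEND = re.compile(r"operator\+=\((\w+),(\w+)\)")

# Constructed values standing in for the initialisation section. Only
# local_208 = "5" is from the walkthrough; the rest are placeholders.
STRINGS = {"local_208": "5", "local_c8": "X", "local_1e8": "a",
           "local_a8": "Y", "local_e8": "Z"}

# Constructed decompiler text in the same shape as the snippet above.
DECOMPILED = """
pcVar2 = (char *)std::__cxx11::string::operator[]((ulong)local_208);
if (*pcVar2 < 'B') {
  std::__cxx11::string::operator+=(local_248,local_c8);
}
pcVar2 = (char *)std::__cxx11::string::operator[]((ulong)local_1e8);
if (*pcVar2 != 'a') {
  std::__cxx11::string::operator+=(local_248,local_a8);
}
std::__cxx11::string::operator+=(local_248,local_e8);
"""

def evaluate(decompiled, strings, target, prefix):
    """Replay the appends to `target`, skipping those whose guard is false."""
    out, cur, taken, in_if = prefix, None, True, False
    for line in map(str.strip, decompiled.splitlines()):
        if m := INDEX.search(line):
            cur = strings[m.group(1)][0]  # assumption: index 0 is read
        elif m := COND.search(line):
            # C++ compares chars by numeric (ASCII) value, e.g. '5'=53 < 'B'=66
            taken = OPS[m.group(1)](ord(cur), ord(m.group(2)))
            in_if = True
        elif m := APPEND.search(line):
            if m.group(1) == target and (taken or not in_if):
                out += strings[m.group(2)]
        elif line == "}":
            in_if, taken = False, True
    return out

if __name__ == "__main__":
    # "prefix_" is a placeholder for the partial flag held in local_248
    print(evaluate(DECOMPILED, STRINGS, "local_248", "prefix_"))
```

Replace STRINGS and DECOMPILED with the values and text copied from your own Ghidra session to reproduce the result by hand-checkable steps.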