1. I first `file` the file, since `.exe` is quite scary. We can see that it's an `ELF 64-bit`, so I then use Ghidra to examine it. ```shell= ┌──(kali㉿kali)-[~/code] └─$ file svchost.exe svchost.exe: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c083b0f6ecaeb1517082fb6ed0cd9e3f295ec2cc, stripped ``` 2. Go through all the function, and there's a `FUN_0010298a` that contains lots of other functions 3. If going into the functions, we'll see that the function will lead us to the letters in flag 4. We have to assemble those letters. A faster(?) way of doing this is to create a snapshot (the camera icon on the top right corner)So when we can explore another function without needing to go back to find the `FUN_0010298a` again, like this:  ~~4. After finding one letter, when we want to jump to the next function, we can create a snapshot again (so that we won't lose the `FUN_0010298a` window)(you can see at the bottom right, there are two snapshot windows)~~ ▲ This won't work, seems like the copied decomplier works different from the regular one... 4. Copy the function from the snapshot window(`FUN_0010298a`),`Ctrl+shift+E` to search it in the `listing` window`Dismiss` search, double click the new function, then will able to see another element of the flag 5. Repeat step 4 until finish finding `}` => flag: `picoCTF{d15a5m_ftw_eab78e4}` <hr> In [this tutorial](https://www.youtube.com/watch?v=IA2_9Pk9QTw), he mentioned that we need to `sudo apt-get install gnat` to run the file, but I guessed the current version of `gnat` is no longer the same? So I have no choice but to assemble the flag elements manually... ```shell= ┌──(kali㉿kali)-[~/code] └─$ ./svchost.exe ./svchost.exe: error while loading shared libraries: libgnat-7.so.1: cannot open shared object file: No such file or directory ```