Last weekend RITSEC hosted its annual CTF. I had the privilege of being the “Challenges Lead” for the event this year, so while I wasn’t directly in charge, I had broad authority over certain parts of the event, some ability to influence administrative decisions, and personally authored about a third of the 36 challenges we had.

Several weeks before our CTF, I played DiceGang’s 2026 qualifier, and the prevailing opinion among much of the CTF community, nearly unanimous among my friends, was that the capabilities of LLMs to autonomously solve challenges had reached something of a breaking point, to the extent that it was impossible to place well at the event if you weren’t “slopping” to at least some degree, which ruins the fun for human players who play because they like to challenge themselves and learn.

Last weekend my team and I competed in UofTCTF 2025, where we placed 9th overall. I found one of the reversing challenges really interesting, and I was proud of my solution and solve process, so I made a writeup for it.

Bloatware

For this challenge we’re given a flag checker program, chal.js. Upon opening it I quickly saw that it was obfuscated with obfuscator.io and then minified. Here’s a small snippet of the code in question.