Rating:
When decompiling the binary in `ghidra`, and exporting it, getting past all the flashy ASCII art banner code and whatnot, we have the first line of logic; which is important.
```c
param3 = getppid();
snprintf(local_58,0x14,"/proc/%d/comm",param3);
__stream = fopen(local_58,"r");
fgets(local_38,0x20,__stream); //get 0x20 bytes (more than enough)
local_8c = 0;
```
What is happening here is, when the program first runs, it checks /proc/[PID]/comm and gets the value located within it. The thing with the *comm* value in `procfs` is that it is essentially what binary is actually executing. So, for instance, if you were to run `python3 test.py` with PID 1337, the value in `/proc/1337/comm` would be `python3`.
In later portions of the code, we realize that in order for us to advance toward the flag, our *comm* value would have to be `tidbits`.
```c
iVar1 = strncmp("tidbits",local_38,7);
if (iVar1 == 0) {
puts("\nUpon seeing the tidbits, the dolphins begin their performance.");
puts(
"\nAs you give them the signal, you are amazed by the dolphins\' uncanny ability to\nperform a double-backwards-somersault through a hoop whilst whistling \"The Star\nSpangled Banner.\" You can\'t help but wonder if there\'s some hidden meaning behind\ntheir actions."
);
//we want tricks() to return 0
//if it does, JIT code will execute
uVar2 = tricks();
if ((int)uVar2 == 0) {
FUN_00121960();
}
}
```
(Incase you want to know, `FUN_00121960()` is something which isn't going to be reverse engineered statically, because it looks like this and it's just not worth reverse engineering once we pass all the checks accordingly.)
![abomination function](https://i.imgur.com/UeOmO0l.png)
In order to spoof the comm value, we can simply perform `ln -s /bin/ltrace /usr/bin/tidbits` (which will create a symbolic link named "tidbits" in `${PATH}` to /bin/ltrace), and then run that with the argument of our given target binary. This will make it so the PID comm value is set to `tidbits`, which will allow our code to continue on to the `tricks()` function (which must return a 0 in order for our target function to run).
![/usr/bin/tidbits example](https://i.imgur.com/qtUaJvm.png)
As we can see, it works, and we've advanced into the `tricks` function.
Now that we are running inside the tricks function, we can see that some other stuff is going on. To keep everything brief and short, we want to get to this `goto` statement, which can only happen if `i` is less than 6 but greater than 4 (meaning it has to be 5). *i* is higher when more results are outputted from `/bin/grep tidbits /proc/*/comm` (which essentially checks for *any other process* that *also* has `tidbits` as it's *comm* value.)
![tricks()](https://i.imgur.com/rxOgxKD.png)
So, what we essentially need to do is just...open more processes with this `tidbits` value in their *comm*. This was relatively easy on my part, I just did the same method I did with getting the target binary running with `tidbits` as it's *comm*, only except for the other processes I used `/bin/sleep` with a high value (so it doesn't terminate). When adjusting this to be *juuust* right, I managed to get *i* to it's appropriate value, and thus, have it get to the target function....which conveniently prints out the flag (phew).
![finale](https://i.imgur.com/mk7jIxP.png)
`shctf{0k_but_h4v3_y0u_s33n_th3_m1c3}`