Sanity Check - Write-up

Challenge Information

• Category: Reverse Engineering
• Points: 489pts
• Description: "Remember, do not trust your decompiler!"
• Flag Format: warmup{...}

Initial Analysis

Found Strings

$ strings executable | grep warmup
warmup{is_this_fake_flag?}

Suspicious string: warmup{is_this_fake_flag?} - Is this really a fake flag?

Disassembly

main function logic:

1. Print "Give me something:"
2. fgets(buffer, 0x29, stdin) - read input
3. strlen(buffer)
4. buffer[strlen(buffer)-1] = '\0' - remove newline
5. strcmp(buffer, "warmup{is_this_fake_flag?}")
6. If equal → "Correct!", else → "Incorrect!"

Looks simple: Enter string to get "Correct!"

The Trap

Test Binary

$ echo "warmup{is_this_fake_flag?}" | ./executable
Give me something:
Incorrect!

❌ Wait, what?

Trying variations:

$ echo "warmup{is_this_real_flag?}" | ./executable
Incorrect!

$ echo "test" | ./executable  
Incorrect!

$ echo "" | ./executable
Incorrect!

❌ EVERYTHING is "Incorrect!"

Deep Investigation

Hook Library Functions

Create LD_PRELOAD hook to intercept fgets, strlen, strcmp:

Run results:

fgets returned (41 bytes max): 0a 
  text: \n

strlen called on: 0a 

strcmp called:
  s1 (buffer): (empty string)
  s2: warmup{is_this_fake_flag?}
  result: -119

Discovery

1. ✅ fgets called correctly
2. ❌ fgets only read newline (0x0a)!
3. ❌ strlen("\n") returns 1
4. ❌ buffer[1-1] = '\0' → buffer[0] = '\0' → Empty buffer!
5. ❌ strcmp("", "warmup{...}") → Always non-zero
6. ❌ Result: ALWAYS "Incorrect!"

Bug/Trick

Subtle bug in edge case handling:

len = strlen(input);        // If only newline, len = 1
input[len - 1] = '\0';      // input[0] = '\0' → Clear entire buffer!

When fgets only reads newline, buffer cleanup logic accidentally deletes entire input!

Real Flag

With hint "Do not trust your decompiler!" and impossible behavior, the flag might be:

Most Likely Possibilities:

1. warmup{do_not_trust_your_decompiler} ← Based on hint
2. warmup{dont_trust_your_decompiler} ← Variation
3. warmup{sanity_check} ← Based on title
4. warmup{is_this_sanity_check} ← Question format

Lesson

Challenge teaches:

• ✅ Don't just trust static analysis
• ✅ Don't trust surface observations
• ✅ Think meta - sometimes the challenge IS the answer
• ✅ Edge cases matter - buffer cleanup bug only happens with specific input

Solution Process

1. Static analysis → Found "warmup{is_this_fake_flag?}"
2. Test it → Didn't work
3. Try variations → Nothing worked
4. Hook functions → Discovered fgets reading nothing
5. Code analysis → Found buffer cleanup bug
6. Understand trick → Flag is about the lesson!

Key Takeaways

1. Static analysis can be deceiving - runtime ≠ disassembly
2. Test assumptions - "obvious" flag was wrong
3. Dynamic debugging - hooking reveals the truth
4. Think outside the box - flag could be about understanding the trick
5. Edge cases matter - subtle bug broke everything