Description
In the function doStuff with parent and child processes, what does the child process return?
Setup
Download the binary.
wget <url>/Forky
chmod +x Forky
Solution
Walk me through it
- Step 1: Run the binary and observe output
Execute Forky. It uses fork() to create child processes. The parent and child take different code paths. Observe what each process outputs.
./Forky
Learn more
fork() creates an exact copy of the current process. In the parent, fork() returns the child's PID (a positive number). In the child, fork() returns 0. Both processes continue executing from the same point in the code but take different branches based on the return value.
- Step 2: Decompile with Ghidra
Open Forky in Ghidra. Find the doStuff function and the fork() call. Trace the child process path (where fork returns 0) to find what value it returns or outputs.
ghidra Forky &
Learn more
In the decompiled code, the fork pattern looks like:
pid = fork(); if (pid == 0) { /* child code */ } else { /* parent code */ }
The child may compute a value, write to a pipe, or exit with a specific code.
Inter-process communication via pipes:
pipe(fd) creates a pair of file descriptors. The child writes to fd[1] and the parent reads from fd[0]. The flag may be assembled from multiple process outputs.
- Step 3: Trace the flag assembly
The flag may be built up through multiple fork() calls, with each child process contributing characters. Trace the complete execution tree to collect all characters in order.
Learn more
Multiple fork calls produce a tree of processes: each process can fork multiple children. If each child writes one character of the flag, the parent must collect them all in the correct order. This is a classic concurrent programming pattern where ordering matters.
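The fork()/pipe() pattern from Steps 2 and 3, as an added example in C that is not the challenge binary's own code: each child writes one character into a pipe and the parent collects them in order. The string SAMPLE and the function name assemble_flag are constructed for this illustration; the real flag is not on this page.

```c
// Added example, not the Forky binary's code: one child per character,
// each child (fork() == 0) writes its character to the pipe and exits,
// the parent (fork() > 0) waits for it and reads the byte, so the
// characters are collected in the same order the children were forked.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

// Constructed sample value; the challenge's real flag is not on the page.
static const char SAMPLE[] = "fork{demo}";

// Returns the number of characters collected into `out`, or -1 on error.
int assemble_flag(const char *src, char *out, size_t outsz) {
    int fd[2];
    size_t n = strlen(src);
    if (n + 1 > outsz || pipe(fd) != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {
            // Child path: contribute exactly one character, then exit
            // with _exit so inherited stdio buffers are not flushed twice.
            char c = src[i];
            ssize_t w = write(fd[1], &c, 1);
            _exit(w == 1 ? 0 : 1);
        }
        // Parent path: wait for this child before forking the next one,
        // which is what guarantees the bytes land in the pipe in order.
        int status = 0;
        if (waitpid(pid, &status, 0) < 0 || status != 0) return -1;
        if (read(fd[0], &out[i], 1) != 1) return -1;
    }
    out[n] = '\0';
    close(fd[0]);
    close(fd[1]);
    return (int)n;
}

int main(void) {
    char buf[64];
    int n = assemble_flag(SAMPLE, buf, sizeof buf);
    if (n < 0) { perror("assemble_flag"); return 1; }
    printf("collected %d chars: %s\n", n, buf);
    return 0;
}
```

If the parent forked all children first and only then read, the order of the bytes would depend on scheduling; that is the ordering problem the walkthrough refers to.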
Flag
picoCTF{...}
Trace the child process execution path after fork() in the Ghidra decompilation to find the characters each process contributes to the flag.