PicoCTF-2019 Writeup
Challenge Name


Last updated 4 years ago


Problem

The name of the game is speed. Are you quick enough to solve this problem and keep it above 50 mph? need-for-speed.

Solution

  1. Run the program with `chmod +x need-for-speed && ./need-for-speed`:

     Keep this thing over 50 mph!
     ============================
    
     Creating key...
     Not fast enough. BOOM!
  2. Run the program in GDB and ignore SIGALRM messages:

     $ gdb ./need-for-speed
     (gdb) handle SIGALRM ignore
     Signal        Stop      Print   Pass to program Description
     SIGALRM       No        No      No              Alarm clock
     (gdb) r
     Starting program: ~/Documents/PicoCTF/Reverse Engineering/Need For Speed/need-for-speed 
     Keep this thing over 50 mph!
     ============================
    
     Creating key...
     Finished
     Printing flag:
     PICOCTF{Good job keeping bus #3b89d39c speeding along!}
     [Inferior 1 (process 66066) exited normally]

    More Info:

  3. Alternative Method 1: Run in GDB and skip the set_timer() function:

     (gdb) break set_timer
     Breakpoint 1 at 0x883
     (gdb) r
     Starting program: ~/Documents/PicoCTF/Reverse Engineering/Need For Speed/need-for-speed
     Keep this thing over 50 mph!

     Breakpoint 1, 0x0000555555554883 in set_timer ()
     (gdb) return
     Make selected stack frame return now? (y or n) y
     #0  0x0000555555554997 in main ()
     (gdb) step
     Single stepping until exit from function main,
     which has no line number information.
     Creating key...
     Finished
     Printing flag:
     PICOCTF{Good job keeping bus #3b89d39c speeding along!}
     __libc_start_main (main=0x555555554974 <main>, argc=1, argv=0x7fffffffdb58, init=<optimized out>, fini=<optimized out>, 
         rtld_fini=<optimized out>, stack_end=0x7fffffffdb48) at ../csu/libc-start.c:342
     342     ../csu/libc-start.c: No such file or directory.

     * [GDB Skip Command StackOverflow](https://stackoverflow.com/questions/1133365/preventing-gdb-from-stepping-into-a-function-or-file)
     * [GDB Continuing and Skipping Documentation](https://sourceware.org/gdb/current/onlinedocs/gdb/Continuing-and-Stepping.html)
     * [GDB Skipping Over Functions and Files Documentation](https://sourceware.org/gdb/onlinedocs/gdb/Skipping-Over-Functions-and-Files.html)
  4. Alternative Method 2: Only calling the needed functions:

     (gdb) break main
     Breakpoint 1 at 0x978
     (gdb) r
     Starting program: ~/Documents/PicoCTF/Reverse Engineering/Need For Speed/need-for-speed
    
     Breakpoint 1, 0x0000555555554978 in main ()
     (gdb) call (int) get_key()
     Creating key...
     Finished
     $1 = 9
     (gdb) call (int) print_flag()
     Printing flag:
     PICOCTF{Good job keeping bus #3b89d39c speeding along!}
     $3 = 56
  5. Alternative Method 3: Bypass the long loop:

     (gdb) break main
     Breakpoint 1 at 0x978
     (gdb) r
     Starting program: ~/Documents/PicoCTF/Reverse Engineering/Need For Speed/need-for-speed
    
     Breakpoint 1, 0x0000555555554978 in main ()
     (gdb) call (int) decrypt_flag(0xe99d7887)
     $1 = 55
     (gdb) call (int) print_flag()
     Printing flag:
     PICOBTD{Eold$jkb%kceviig(b}s)#9b29o35c,s}ekdgnh qlnv!o
     $2 = 56
     (gdb) call (int) print_flag()
     Printing flag:
     PICOCTF{Good job keeping bus #3b89d39c speeding along!}
     $3 = 56

    The key value can be found with Ghidra.
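
Why step 2 works, as an added example (a constructed model, not the challenge binary or code from the original writeup): `handle SIGALRM ignore` makes GDB withhold the signal, and under ptrace the tracer decides which signal, if any, the tracee receives when it is resumed. The 50 ms timer, the 300 ms of simulated work and the names `boom`, `timed_child` and `run_traced` are assumptions made for the model; it needs Linux.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for the alarm handler: abort the run ("BOOM!"). */
static void boom(int sig) { (void)sig; _exit(1); }

/* Child: arm a 50 ms timer, then do 300 ms of simulated "key creation". */
static void timed_child(void) {
    struct itimerval t = { {0, 0}, {0, 50000} };
    struct timespec work = {0, 300000000L};
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);   /* let the parent trace us */
    signal(SIGALRM, boom);
    setitimer(ITIMER_REAL, &t, NULL);
    while (nanosleep(&work, &work) == -1) {} /* resume if interrupted */
    _exit(0);                                /* "Finished" */
}

/* Parent plays the debugger. pass_alarm=1 forwards SIGALRM to the child,
 * pass_alarm=0 drops it. Returns the child's exit code, or -1 on error. */
int run_traced(int pass_alarm) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) timed_child();
    while (waitpid(pid, &status, 0) == pid) {
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        if (WIFSTOPPED(status)) {            /* signal-delivery-stop */
            int sig = WSTOPSIG(status);
            if (sig == SIGALRM && !pass_alarm) sig = 0;  /* withhold it */
            ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig);
        }
    }
    return -1;
}

int main(void) {
    printf("SIGALRM passed:  exit %d\n", run_traced(1));
    printf("SIGALRM dropped: exit %d\n", run_traced(0));
    return 0;
}
```

A timer enforced by signal delivery only holds while the process controls its own signal delivery, which it does not while it is being traced.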

Flag

PICOCTF{Good job keeping bus #3b89d39c speeding along!}

The significant functions as decompiled by Ghidra can be found in ghidra.c.