PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Reverse Engineering

Time's Up, Again!

PreviousReverse EngineeringNextForky

Last updated 4 years ago

Was this helpful?

Problem

Previously you solved things fast. Now you've got to go faster. Much faster. Can you solve this one before time runs out? times-up-again, located in the directory at /problems/time-s-up--again-_1_014490a2cb518921928db099702cbfd9.

Solution

  1. Decompile the binary file using (). main() function:

     undefined8 main(void)

 {
 init_randomness();
 printf("Challenge: ");
 generate_challenge();
 putchar(10);
 fflush(stdout);
 puts("Setting alarm...");
 fflush(stdout);
 ualarm(200,0);
 printf("Solution? ");
 __isoc99_scanf(&DAT_00100efb,&guess);
 if (guess == result) {
     puts("Congrats! Here is the flag.txt!");
     system("/bin/cat flag.txt");
 }
 else {
     puts("Nope!");
 }
 return 0;
 }

    We cannot use the same script as in the previous challenge, Time's Up, because we only have 200 uSeconds. pwntools is too slow.

  2. We will use SIGSTOP and SIGCONT to pause to resume the program before the timer can expire. Wikipedia description of SIGSTOP and SIGCONT: "When SIGSTOP is sent to a process, the usual behaviour is to pause that process in its current state. The process will only resume execution if it is sent the SIGCONT signal. SIGSTOP and SIGCONT are used for job control in the Unix shell, among other purposes. SIGSTOP cannot be caught or ignored."

  3. The works by:

    1. Running

    2. Waiting for...

      • the moment right before the alarm is about to go off (which would trigger the SIGALRM signal and end the program)

      • the moment after the problem has been printed

    3. Pausing the program with the SIGSTOP signal

    4. Solving the mathematical equation given by the program using eval()

    5. Sending the answer and a newline

    6. Flushing the stdin and resuming the program by sending the SIGCONT signal

    7. Waiting 0.2 seconds for the program to output success or failure.

    8. Checking 4 lines of output for the word "pico". If it is found, the line is printed and the program ends. If "pico" does not appear, restart from step 1.

  4. I tweaked the sleep amount and settled on 0.000175 seconds since it works well most of the time.

  5. I attempted to use the threading.Timer class, as discussed in this , in order to handle the rare cases that make the appear to hang. However, using it caused delays and messed with the exact timing needed to run this script.

  6. The original program was likely written in a language that does not implicitly support arbitrary-percision integers (python does). Also, the binary is only 64-bit: times-up-again: ELF 64-bit LSB shared object (output from file times-up-again). Thus, any integer we want to pass into the program we should turn back into 64-bit. This can be done with %pow(2,64) or %(1 << 64). Other write-ups used ctypes.c_longlong instead of these techniques, but I could not get this to work.

  7. SIGSTOP cannot be caught, which means the process doesn't even know it ever received the signal.

  8. Run the . If it hangs for more than a second, kill it with ^C and rerun. It will work eventually. Example output below (only two tries!):

     $ python script.py 
 Iteration #0
 Challenge:  (((((-1886135413) * (-687120364)) + ((294269581) * (1582871241))) - ((((-17798219) * (1585379416)) * (1261009084)) * ((-43416399) + (1227394943)))) - ((((-1868099744) * (388792763)) + ((-761322635) * (-1904639340))) + (((423915198) + (938350835)) + ((898339908) + (-1468634992)))))

 Answer: 42128093804841937203064357319295560
 Iteration #1
 Challenge:  (((((-1198557986) * (-1647142996)) + ((-1134528065) * (-441174539))) - ((((-1094944300) * (-239912724)) * (-770189614)) * ((230930317) + (638786821)))) - ((((910186477) * (-660748696)) + ((-1457806516) * (-2113165691))) + (((-894967377) + (1288049451)) + ((-1413128335) + (-1784259912)))))

 Answer: 175962852982823941714121282654933100
 picoCTF{Hasten. Hurry. Ferrociously Speedy. #3b0e50c7}

 It took 2 tries to get the flag.

  9. Other Write-ups: () and ()

Flag

picoCTF{Hasten. Hurry. Ferrociously Speedy. #3b0e50c7}

Program
Ghidra
cheat sheet
script.py
times-up-again
StackOverflow answer
script.py
script.py
C program by Dvd848
Archive
Python script that runs fast enough by AMACB
Archive