PicoCTF 2019: Reverse Engineering - Need For Speed

Problem

The name of the game is speed. Are you quick enough to solve this problem and keep it above 50 mph? Binary

Solution

I'd like to do think that my solution for this problem was elegant and different, hence the reason for me writing this.

In the problem we're given a binary, which when run, quits after about a second. Using $ objdump -d returns the following assembly:

        
          0000000000000974 <main>:
 974:	55                   	push   %rbp
 975:	48 89 e5             	mov    %rsp,%rbp
 978:	48 83 ec 10          	sub    $0x10,%rsp
 97c:	89 7d fc             	mov    %edi,-0x4(%rbp)
 97f:	48 89 75 f0          	mov    %rsi,-0x10(%rbp)
 983:	b8 00 00 00 00       	mov    $0x0,%eax
 988:	e8 a5 ff ff ff       	callq  932 <header>
 98d:	b8 00 00 00 00       	mov    $0x0,%eax
 992:	e8 e8 fe ff ff       	callq  87f <set_timer>
 997:	b8 00 00 00 00       	mov    $0x0,%eax
 99c:	e8 36 ff ff ff       	callq  8d7 <get_key>
 9a1:	b8 00 00 00 00       	mov    $0x0,%eax
 9a6:	e8 5b ff ff ff       	callq  906 <print_flag>
 9ab:	b8 00 00 00 00       	mov    $0x0,%eax
 9b0:	c9                   	leaveq
 9b1:	c3                   	retq
 9b2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
 9b9:	00 00 00
 9bc:	0f 1f 40 00          	nopl   0x0(%rax)
        
      

So in the main function, the set_timer function is called. This function essentially just kills the program a second after running.

It would be certainly nice if this particular function simply would just not run right? Well let's do that.

Start off by opening the binary in a hex editor. I'll be using vim with :%!xxd to show everything in hex. Using the above code block as reference we can remove the 5 bytes of assembly at 0x992. We can then replace the removed instruction with NOPs, No Operations, which have a value of 0x90.

        
          0000000000000974 <main>:
 974:	55                   	push   %rbp
 975:	48 89 e5             	mov    %rsp,%rbp
 978:	48 83 ec 10          	sub    $0x10,%rsp
 97c:	89 7d fc             	mov    %edi,-0x4(%rbp)
 97f:	48 89 75 f0          	mov    %rsi,-0x10(%rbp)
 983:	b8 00 00 00 00       	mov    $0x0,%eax
 988:	e8 a5 ff ff ff       	callq  932 <header>
 98d:	b8 00 00 00 00       	mov    $0x0,%eax
 992:	90 90 90 90 90       	callq  87f <set_timer>
 997:	b8 00 00 00 00       	mov    $0x0,%eax
 99c:	e8 36 ff ff ff       	callq  8d7 <get_key>
 9a1:	b8 00 00 00 00       	mov    $0x0,%eax
 9a6:	e8 5b ff ff ff       	callq  906 <print_flag>
 9ab:	b8 00 00 00 00       	mov    $0x0,%eax
 9b0:	c9                   	leaveq
 9b1:	c3                   	retq
 9b2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
 9b9:	00 00 00
 9bc:	0f 1f 40 00          	nopl   0x0(%rax)


        

Once that's done, we can save the modified binary with :%!xxd -r and then run it!

          
me:~/Documents/ctf/pico/2019/needforspeed ./need-for-speed
Keep this thing over 50 mph!
============================

Creating key...
Finished
Printing flag:
PICOCTF{Good job keeping bus #0b812872 speeding along!}