Hacking Series Part 11

Challenge: Need For Speed

Category: reverse engineering

We are given a binary called “need-for-speed”. When you first run the program, there is no needed input from the user. The program simply starts generating a key, but exits before the process is finished with the message “Not fast enough. BOOM!”. When I opened the program in IDA, I saw that there were four main functions that controlled the program logic.

The function is only responsible for printing the banner when the program is first fun. If you look inside , you will see that there is a signal set up to terminate the program after a certain amount of seconds has elapsed. This is responsible for the exit message shown earlier, since the alarm went off before the program was done generating a key and printing a flag.

We need to figure out what determines how many seconds are set as the alarm. If you look at the function above, it seems to always set to 1, which means this number is static — we will always have exactly 1 second to run the program, generate the key, and print the flag. It is likely that 1 second is not enough time to do all this, which means we will need to find another way to get the flag.

Next, if you look inside the function, you will see that there is actually another function called that is responsible for the key creation. Within this new function, there is a loop that essentially continues for a long time until a certain number is reached, which is the key. This number is 0ED0CC64Ah (hex). Knowing the key may be useful for the future if needed, but since the user doesn’t actually need to input the correct key, it may not be that useful after all.

After this, we finally move on to . This function is responsible for calling a decryption function , then printing the resulting flag. In , there are a lot of instructions that are used for decryption and it would be very time consuming to try to understand exactly how each character of the flag is changed.

Instead, I tried to find a way to bypass and continue execution after it. Realistically, we only need to call and in order to get our decoded flag. The function has no influencing variables or parameters that other functions rely on, so it should be possible to skip over it.

To do this, I opened the binary in gdb and set a breakpoint before the execution of . Then, I used the function in gdb to directly access the two functions needed in order. took a couple of seconds to complete, then I called . This gave me the decrypted flag.

PICOCTF{Good job keeping bus #24c43740 speeding along!}

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store