What's up YouTube, my name is John Hammond and welcome back to some more PicoCTF 2018. This challenge is called Be Quick or Be Dead 2. It's the sequel to the previous Be Quick or Be Dead challenge. It's worth 275 points in the reversing category and it only has 537 solves. So that's not a lot, and this is now like mid-December, so it's been a while since Pico was actually finished, but a lot of people have still worked on it, but it's still not a lot compared to the surrounding challenges. So the challenge prompt here is: as you enjoy this music even more (which is again another link to the Iron Maiden song), another executable, Be Quick or Be Dead 2, shows up. Can you run this fast enough? You can find the executable here on the shell server, but we're given the binary to go ahead and download. So let's go ahead and play with this. I will move over to my directory here. We can wget it, and this is actually the first time that I am, like, recording on my new computer. I just bought a Dell XPS 15, so hopefully this video won't suck, but I'll be fumbling around on the keyboard. When we try and run this binary it gives us a banner, tells us it's calculating the key, and tells us "you need a faster machine, bye bye." So we can't do anything, right? We have no interaction with this binary. We don't know entirely what it's doing. Maybe if you wanted to we could ltrace or strace some of this stuff. I don't know if that's... yeah, that's okay. Printing out the banner, getting a SIGALRM, so the alarm handler is occurring. Looks like it's trying to run that function after three seconds. So let's break this down, right? I'm going to open it up in Hopper, which if you don't have it you can go to hopperapp.com and download a free version. I think the actual pro version, or the licensed one, is only $90. I bought it and it's actually pretty nice. I don't have the license already set up on this machine just yet, but let's open it up and Control-Shift-O... not just O... oh, where is the binary?
There we go. Okay, so on the left-hand side you can see all the procedures here, and I've got the main function locked on, and once we jump to it we can hit Alt+Enter to view kind of a pseudocode decompilation, right? So it looks like the main function will display the header, which if I click on here will display "Be Quick or Be Dead 2"; it tries to print out those equal signs as a little horizontal line, that's nice. It sets the timer for us. Looks like it has a disclaimer if something goes wrong, but otherwise it will set an alarm for three seconds, and we see an alarm handler function over off to the left here, and that will simply say "you need a faster machine" and it will exit. So it looks like after those three seconds are up we can't do anything, but if I go back to the main function, after that alarm handler is created and set it moves on, so it tries to run get_key, as you can see, right, because it told us "calculating key," and that calls this function calculate_key, and then once it's completed it will go ahead and spit out the flag. Looks like it uses decrypt_flag as a function, so that key is probably very important. We will probably need to keep that intact if we were actually modifying or changing up this binary, so let's see how it does that. In the calculate_key function it looks like it's calling this thing called fib with an argument 0x422, so the hex number 422.
If I click on fib, reading through this, just even superficially, you can kind of assume this looks like the Fibonacci sequence, right? A recursive function: if it's less than one or about zero it will return itself, otherwise keep calling it with variables being subtracted here. So this is the Fibonacci sequence. It is passed 0x422; if we check out what that number is (and your number might be different, right, in my case it's 1058), we need to get the 1058th number in the Fibonacci sequence. That's going to take a lot of time to calculate; it's certainly not going to happen in less than three seconds. So we've got to try and figure out how we can modify or do something interesting with this binary and poke at it. So let's go ahead and do that.

I want to showcase an interesting technique that I'm pretty pleased with, although I cannot take the credit myself; a good friend of mine showed me this, but I think it's a very, very cool technique. So let's create a script for this: #!/usr/bin/env python, let's do from pwn import *. We're going to be using pwntools, and that's what I want to showcase here. The pwntools documentation covers an interesting thing that you can do with binaries, right? If you have an ELF object, or if you created kind of just a file or a binary that you're working with within pwntools, you have a function that's really neat called asm, and it will go ahead and assemble a specified instruction set, or the specified instructions, sorry, and insert them into the ELF or the binary at the specified address, the address being the first argument and the assembly being the second. "This modifies the binary in place" (I'm assuming that's meant to say "in place"); the resulting binary can be saved with elf.save. So that means we can essentially modify, change up, and do cool things with the binary. We can patch the binary and patch the program without having to deal with it in Hopper or IDA or anything else that may be kind of clunky with a disassembler and GUI stuff, because I've tried to, like,
NOP things out, or part of the procedure and processes, within Hopper, and I would save a new executable and stuff like that, but it just would give me a segfault and it just wouldn't work. So I think this is a really cool procedure and process. So, Be Quick or Be Dead 2: we've got the ELF binary that we're working with here. Let's go ahead and run python a.py and be-quick-or-be-dead... gotcha. So the checksec banner runs; looks like we have partial RELRO, no stack canaries, but NX is enabled, so no executing off the stack, and no position-independent code. That's fine, we don't care, we're not going to be dealing with that stuff in this video or with this binary or this challenge, but we want to actually take a look at what symbols we have, right? So if you wanted to, you can always check out the symbols that are actually present in a binary: you have elf.symbols as a dictionary, so let's do for key, address in elf.symbols.itertools... or iteritems, I'm sorry. We can print out key and then the hex of the address, and if you wanted to, you could literally always get an idea of where things are in your program. So you can look at the procedure linkage table, you can look at the global offset table, you can see some of the functions that it's trying to call or work with, right? You can see get_key, you can see decrypt_flag, etc., and where they're located in the binary. So we can take advantage of this, right, and we can also just go ahead and patch things with that elf.asm to essentially remove that alarm call. Let's say I wanted to have elf.asm, so call this function with elf.symbols at the location of the alarm function, right, and let's say I don't want the alarm function to do anything else anymore; I want to make it useless, render it null and void. So what we can do is we can have the function go ahead and return, so simply do nothing. The instruction for that is just ret, right, and now that that's completed we've essentially just said the alarm function is
not going to do anything else anymore. After those three seconds, doesn't matter, we never even set up the alarm handler, nothing's going to happen. So we'll go ahead and save this, right? We'll save it as a new binary just like the documentation said. Now when we run the script I have a new file, new, over here. It's the same binary, but if we mark it as executable and go ahead and run it, it's going to try and calculate a key. It's going to do this however long it takes, because we're not going to get that three-second timeout, but we're still trying to calculate the one thousand fifty-eighth (or whatever in your case) number in the Fibonacci sequence, right, and that's going to take a long time, certainly, certainly way too long. So let's see if we can patch this binary to also just have that number ready. Let's go ahead and see if we can figure out what that number is. Let's go ahead and Google, right? I've seen, actually, bigprimes.net, and that's where I actually ended up finding this earlier. bigprimes.net, if you go there, it has an interesting archive of really cool numbers: Mersenne primes, prime number formats, etc., and the Fibonacci archive. So if you were to click on one of these you can view, sorry, the thousandth Fibonacci number or whatever; you can view the specific page and specific number for any number in the sequence. So I'm going to change the URL, bring me to 1058, and you can use whatever you need in your case, and I will try to copy and paste this with my mouse (just tweaking out on me, please), and whatever, I'll just create a new document and we'll cut it up. So this is the number; this is what we would have eventually calculated, right? Let's go ahead and create a variable for that. Let's just say number = that, and let's try and patch the binary so the calculate_key function no longer has to roll through all those Fibonacci sequences; it'll just spit out this number. We'll say calculate_key will instead... we'll just simply put this value into eax, right, and let's use
%s because we're just going to have to submit it in there, and then newline, ret, newline. So just instructions here on one line: set eax equal to our number (we're going to have to add that in as the format specifier) and then return. So all it will do is immediately return that number. We will have to format-specify it with the percentage here, and we want that number in hex, for one thing. We also need to make it just a 32-bit number, something that will fit in that register, so the way I'm going to do that is actually use the and sign, or ampersand, logical AND to crank it down to 0x12341234, so all the way, just that, just that 32 bits here, so that will fit in the register. And now that that's calculated and done, cool, we've patched that function. We can save that. Let's go ahead and run the script now, python a.py. Great, so now we still have our new binary here. Let's run it, and just like that we've got the correct key in place and it can go ahead and print the flag for us. If we wanted to, we could streamline this. Let's, like, import os and then we can probably do os.system("chmod +x new") or something. Then we can run new, right, with p = process("./new"), and that could be p.recvall(). Ideally, uh, we might have to wait for it to do things: poll(True)... nope. Oh, the issue is I'm not printing out what I'm receiving. That would do it. Great, okay, cool. So we can actually just get the last line here if you wanted to split that up; I think there's a newline at the very end so we'll have to get to, like, the second index. Cool, and then let's say context.log_level = "critical" so we don't get all of that nonsense at the very top here. Great, so that means we have a successful get-flag script, so we can chmod +x that, run our get-flag script, redirect that to a flag.txt file, and we can go ahead and copy that as well if we wanted to. I don't think I have xclip set up on this new computer. So let's move Be Quick or Be Dead 2 to complete, mark that challenge as
complete, and let's go ahead and submit the flag. All right, that is the end of the video. I hope that all made sense. I hope it was kind of cool. I think patching like that in pwntools is really, really neat, and I hope that's something that you and others can, I don't know, take on and do more of, because it's super handy in a lot of these reverse engineering and binary exploitation challenges, right? If you can just change what a function does, that's pretty cool. So, uh, before I go I did want to give a quick shout-out to the people that support me on Patreon. Thank you guys so much, I cannot say it enough. One dollar a month on Patreon will give you a special shout-out just like this at the end of every video. It's nothing special, right? Yeah, you just get your name up in lights. It's cool, it gives you, like, a good Samaritan, feel-good feeling, warm and fuzzies in your heart, but I appreciate it. If you want to help a dude put food on the table, uh, for making stupid videos on the internet, I'm grateful for that. Um, five dollars a month will give you early access to everything that I release on YouTube before it goes live. I've been in a funk and haven't been able to do a whole lot lately, um, but it's just a Google Drive, like, shared folder that will give you all the videos once I've got stuff recorded, but it also just helps me out. If you don't care about getting early content and just want to help buy me coffee, I'm grateful for that. So please do join our Discord server, link in the description. It's a cool community full of CTF players, programmers and hackers. Um, we're going to be tackling a lot of capture-the-flag competitions together. It's just a cool CTF work camp hangout place; we talk about a lot of programming, a lot of smart people, much smarter than me, so definitely a cool place to hang out. Um, I would love to see you guys in the next video. Please do like, comment and subscribe, and, uh, toodaloo.
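The patching approach walked through in the video, written up as an added example (this is not the script from the video): compute the Fibonacci number directly instead of copying it from a website, mask it to 32 bits so it fits in eax, and use pwntools' ELF.asm to turn the timer setup into a bare ret and calculate_key into "mov eax, key; ret". The symbol names set_timer and calculate_key and the path ./be-quick-or-be-dead-2 are assumed from the video's description; the pure-Python helpers run anywhere, while the pwntools parts need the binary. One caveat worth checking: fib_fast uses fib(0)=0, fib(1)=1, and an off-by-one against the binary's actual base cases changes the key, so confirm them in the decompiled fib.

```python
#!/usr/bin/env python3
"""Added example, not the video's own script: the same pwntools patch plan,
with the Fibonacci number computed locally instead of looked up on a website.
Assumed: symbol names set_timer/calculate_key and the path ./be-quick-or-be-dead-2."""
import os


def fib_fast(n):
    """Iterative Fibonacci with fib(0)=0, fib(1)=1 (the recursion the decompiled
    fib() shows). Linear time, so fib(0x422) is instant; the binary's naive
    recursion is exponential, which is why it never beats the three-second alarm."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def key_from_fib(n, width_bits=32):
    """Mask the huge number down to register width: 'mov eax, imm32' holds only
    32 bits, which is what the '& 0xffffffff' in the video's script does."""
    return fib_fast(n) & ((1 << width_bits) - 1)


def calculate_key_stub(key):
    """Replacement body for calculate_key: return the precomputed key at once."""
    return "mov eax, %s\nret" % hex(key)


def patch_binary(src="./be-quick-or-be-dead-2", dst="./new", n=0x422):
    """Patch with pwntools: set_timer becomes a bare ret (no alarm is ever armed)
    and calculate_key returns the key immediately. pwntools is imported here so
    the helpers above stay usable without it."""
    from pwn import ELF, context
    context.log_level = "critical"        # silence the checksec banner
    elf = ELF(src)
    elf.asm(elf.symbols["set_timer"], "ret")
    elf.asm(elf.symbols["calculate_key"], calculate_key_stub(key_from_fib(n)))
    elf.save(dst)
    os.chmod(dst, 0o755)                  # same effect as the chmod +x in the video
    return dst


def get_flag(path="./new"):
    """Run the patched binary and return its last output line (the flag)."""
    from pwn import process
    out = process(path).recvall().decode(errors="replace")
    return out.strip().splitlines()[-1]


if __name__ == "__main__":
    print(get_flag(patch_binary()))
```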