Reverse Engineering is a TryHackMe room focusing on the basics of reverse engineering.
Task 1: Debugging and File permissions.
Quick disclaimer: I am a real beginner at reverse engineering, and my experience with radare2 was completing AdventOfCyber2 tasks 22 and 23, so I’m just happy I completed the room ;)
Per the discussion in task 1 we will be using radare2 and the provided attack box. If you subscribe to TryHackMe you have access to an attack box that can be accessed via your browser which is bridged to the internet and the internal TryHackMe network learning environment. For me this is well worth the subscription …I can do rooms from my iPad!
Ok… on with the room.
In the following tasks the room provides “Download Task Files” which need to be reverse engineered. For ease of use I download them all to my host OS and then secure copy them to the TryHackMe Attack Machine.
After copying all the files to my attack machine I need to ensure that they are executable so I can debug them in radare2.
chmod +x crackme*
Task 2: crackme1
Q: What is the correct password?
First I performed the following commands:
radare2 -d crackme2.bin
— loads the binary with radare2 in debug mode
aaa
— analyzes all the flags and functions within the program.
izz
— searches for strings in the whole binary.
radare2 has a very robust help system you can access by pressing
?
and then return. If you want to learn about a particular command family, append ? to it, for example
a?
and then press enter and it will provide help for the analysis commands.
Task 3: crackme2
What is the correct password?
First we perform the radare2 -d crackme2.bin
command to load the crackme2.bin binary in radare2, then type aaa
to analyze the file.
Next, performing afl
to list all of the functions in the program, we can see that main is listed.
We examine the main function by typing pdf @main
and it will provide the following output, which shows some interesting assembly: it looks as though it is comparing eax with 0x137c and then jumping if it is not equal; if it is equal it states the password is valid. The contents of eax
look like they are read in from scanf, so it seems that the password should be the equivalent of 0x137c.
I was going to put a breakpoint at the jne
instruction but the answer is actually the decimal equivalent of 0x137c.
If we convert 0x137c
using the Linux binary calculator we get 4988.
echo "obase=10; ibase=16; 137C" | bc
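To make the point concrete, here is an added example (not code from the room or from the crackme2 binary) that reconstructs the check the disassembly describes: scanf("%d") reads a signed decimal integer into a variable, and that value is compared against the immediate 0x137c. Because %d only accepts decimal digits, typing "0x137c" at the prompt does not work, which is why the bc conversion to 4988 is the real answer. The hex_to_decimal helper is an assumed C equivalent of the bc pipeline, not something the page shows.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the compare seen in pdf @main: cmp eax, 0x137c.
 * The real crackme2 source is not on the page; only the behaviour the
 * disassembly implies is reproduced here. */
#define EXPECTED_VALUE 0x137c

/* Returns 1 when the integer scanf("%d") produced equals the immediate. */
int check_password(int entered)
{
    return entered == EXPECTED_VALUE;
}

/* Assumed equivalent of `echo "obase=10; ibase=16; 137C" | bc`:
 * parse a hex string (with or without a 0x prefix) into a decimal value.
 * Returns -1 if the string is not entirely valid hexadecimal. */
long hex_to_decimal(const char *hex)
{
    char *end;
    errno = 0;
    long value = strtol(hex, &end, 16);
    if (errno != 0 || end == hex || *end != '\0')
        return -1;
    return value;
}

int main(void)
{
    int value;

    printf("0x137c in decimal is %ld\n", hex_to_decimal("137c"));
    printf("Enter password: ");
    /* %d stops at the first non-digit, so "0x137c" would yield 0 here. */
    if (scanf("%d", &value) != 1) {
        puts("Input was not a decimal number");
        return 1;
    }
    puts(check_password(value) ? "Password is valid" : "Password is invalid");
    return 0;
}
```

Compile with cc and run it: entering 4988 passes, entering 137c or 0x137c does not, which mirrors what the breakpoint at jne would have shown.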
Task 4: crackme3
Q: What are the first 3 letters of the correct password?
A: see steps below
Run through the following commands like we have done before…
radare2 -d ./crackme3.bin
to have radare2 load the binary in debug mode
aaa
to analyze everything
afl
to list the functions… it just shows main and a few other functions.
pdf @main
to view the main function, which is shown below. We can see that the entered password has some shenanigans applied to it before it is compared and a jump-if-equal is executed. Since I’m not the brightest one of the bunch, we will just put a breakpoint there and inspect it at run time.
We can set a breakpoint with the db 0xaddressofbreakpoint
command. In the following screenshot you can see that I have placed the breakpoint on the je
(jump if equal) instruction and then performed a pdf @main
so you can see the breakpoint denoted by the b
next to the address.
We can resume execution with the dc
command and we are prompted to input the password.
At the prompt I type not_the_correct_password.
When we initially ran pdf @main,
radare2 showed the addresses of the local stack variables. By looking through the logic we can see that the one to inspect is local_28h. This can be accomplished by typing px @rbp-0x28
Because of the “shenanigans” applied to the password, the transformed value can be seen when inspecting the local_28h variable, shown below… those three letters will be your answer.
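The pattern behind this task is worth seeing in source form: the program transforms the entered password into a stack buffer, then compares that buffer against a stored constant, so what px @rbp-0x28 shows at the breakpoint is the transformed bytes, not what was typed. The following is an added example, not the room's binary or its real logic: the transform (shifting lowercase letters forward by one) and the expected constant "bcd" are both constructed for illustration, and hexdump_line is a small imitation of radare2's px output so the reader can see how bytes in a buffer become readable letters.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Hypothetical stand-in for the "shenanigans" seen in the disassembly.
 * The real crackme3 transform is not on the page; this one shifts every
 * lowercase letter forward by one and copies everything else unchanged. */
void transform(const char *in, unsigned char out[BUF_LEN])
{
    size_t i;
    memset(out, 0, BUF_LEN);
    for (i = 0; i < BUF_LEN - 1 && in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 'a' && c <= 'z')
            c = (unsigned char)('a' + (c - 'a' + 1) % 26);
        out[i] = c;
    }
}

/* Constructed expected value baked into the "binary": "abc" shifted once. */
static const unsigned char EXPECTED[BUF_LEN] = "bcd";

/* Returns 1 when the transformed input matches the stored constant, i.e.
 * the branch the je instruction would take on a correct password. */
int check_password(const char *entered)
{
    unsigned char buf[BUF_LEN]; /* plays the role of local_28h */
    transform(entered, buf);
    return memcmp(buf, EXPECTED, BUF_LEN) == 0;
}

/* Render up to 16 bytes as one px-style line: offset, hex bytes, ASCII.
 * Writes into out (which must hold at least 80 bytes) and returns its length. */
int hexdump_line(const unsigned char *data, size_t len, unsigned long base,
                 char *out, size_t outlen)
{
    size_t i;
    int n = 0;
    if (len > 16 || outlen < 80)
        return -1;
    n += sprintf(out + n, "0x%08lx  ", base);
    for (i = 0; i < 16; i++)
        n += sprintf(out + n, i < len ? "%02x " : "   ", i < len ? data[i] : 0);
    n += sprintf(out + n, " ");
    for (i = 0; i < len; i++)
        n += sprintf(out + n, "%c", (data[i] >= 0x20 && data[i] < 0x7f) ? data[i] : '.');
    return n;
}

int main(void)
{
    unsigned char buf[BUF_LEN];
    char line[96];
    const char *entered = "xyz"; /* a deliberately wrong guess, like the room's */

    transform(entered, buf);
    hexdump_line(buf, BUF_LEN, 0x7ffc0000, line, sizeof line);
    printf("transformed input at the breakpoint:\n%s\n", line);

    hexdump_line(EXPECTED, BUF_LEN, 0x7ffc0010, line, sizeof line);
    printf("constant the binary compares against:\n%s\n", line);

    printf("check_password(\"%s\") = %d\n", entered, check_password(entered));
    printf("check_password(\"abc\") = %d\n", check_password("abc"));
    return 0;
}
```

Running it prints both buffers side by side: the ASCII column of the constant reads "bcd", which is exactly the kind of readable leak that makes the first three letters recoverable from a single px at the right breakpoint.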
Thank you to ashu for such a great room. My RE is quite weak, but rooms like Reverse Engineering allow me to get better one step at a time. #thankyou