TryHackMe | Reverse Engineering
Task 1: Debugging and File Permissions.
Quick disclaimer: I am very much a beginner at reverse engineering, and my experience with radare2 was completing AdventOfCyber2 tasks 22 and 23, so I’m just happy I completed the room ;)~
Per the discussion in task 1 we will be using radare2 and the provided attack box. If you subscribe to TryHackMe you have access to an attack box that can be accessed via your browser and is bridged to both the internet and the internal TryHackMe network learning environment. For me this is well worth the subscription … I can do rooms from my iPad!
Ok… on with the room.
In the following tasks the room provides “Download Task Files” which need to be reverse engineered. For ease of use I download them all to my host OS and then secure copy (scp) them to the TryHackMe Attack Machine.
After copying all the files to my attack machine I need to ensure that they are executable so I can debug them in radare2:
chmod +x crackme*
Q: What is the correct password?
First I ran the following commands:
radare2 -d crackme1.bin — loads the binary in radare2 in debug mode
aaa — analyzes the whole binary: functions, flags and cross-references
izz — lists the strings in the whole binary (iz only covers the data sections); a hard-coded password shows up here
radare2 has a very robust help system: press ? and then Enter for the top-level help. To learn about a command family, append ? to its prefix; for example a? followed by Enter lists the analysis commands.
Q: What is the correct password?
First we run
radare2 -d crackme2.bin to load crackme2.bin in radare2 in debug mode, then type
aaa to analyze the file and
afl to list all of the functions in the program; main is among them.
We examine the main function by typing
pdf @main, which prints its disassembly. It contains some interesting assembly: eax is compared with 0x137c and a jne skips ahead if they are not equal; if they are equal, the program prints that the password is valid. The value in eax is the number read in by scanf, so the password should be the equivalent of 0x137c. I was going to put a breakpoint at the jne instruction, but the answer is simply the decimal equivalent of 0x137c, because the program reads the number as decimal.
Converting 0x137c with the Linux binary calculator gives 4988:
echo "obase=10; ibase=16; 137C" | bc
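As an added example (this is a constructed stand-in, not the room's crackme2.bin, whose source is not available), here is a small C program with the same shape of check that you can compile with gcc -O0 -o toy2 toy2.c and open with radare2 -d ./toy2 to practice the steps above: pdf @main should show the scanf call, a cmp of eax against 0x137c and the jne. The names check_password and immediate_to_decimal are my own. The caveat it demonstrates is why the answer is decimal: scanf("%d") parses decimal digits only, so typing 0x137c at the prompt stops at the x and fails, while 4988 passes. strtol with base 16 does the same conversion as the bc one-liner.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy crackme (added example). The room's crackme2.bin is not
   reproduced here, only the shape of its check. */
#define SECRET 0x137c   /* 4988 decimal */

/* The comparison the disassembly shows as `cmp eax, 0x137c` / `jne`.
   Returns 1 when the entered number is the password, 0 otherwise. */
int check_password(int entered)
{
    if (entered != SECRET)       /* jne taken -> "invalid" path */
        return 0;
    return 1;                    /* fall through -> "valid" path */
}

/* Convert a hex immediate as it appears in the disassembly (with or without
   the 0x prefix) to the decimal value scanf("%d") expects. Equivalent to
   the bc one-liner above. */
long immediate_to_decimal(const char *hex_literal)
{
    /* strtol with base 16 accepts an optional 0x/0X prefix */
    return strtol(hex_literal, NULL, 16);
}

int main(void)
{
    int entered = 0;

    printf("Enter password: ");
    /* %d reads decimal digits only: "0x137c" stops at the 'x' and fails */
    if (scanf("%d", &entered) != 1)
        return 1;

    puts(check_password(entered) ? "Password OK" : "Invalid password");
    return 0;
}
```

Build it without optimization: with -O2 the compiler may restructure the code and the literal cmp/jne pair you are looking for can look quite different.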
Q: What are the first 3 letters of the correct password?
A: see steps below
Run through the same commands as before:
radare2 -d ./crackme3.bin — loads the binary in radare2 in debug mode
aaa — analyzes everything
afl — lists the functions; besides main it only shows a few other entries
pdf @main — prints the main function, shown below. We can see that the entered password has some shenanigans applied to it and is then compared, followed by a je (jump if equal). Since I’m not the brightest one of the bunch, we will just put a breakpoint there and inspect it at run time.
We can set a breakpoint with the db command followed by the address, i.e. db 0xaddressofbreakpoint. In the following screenshot you can see that I have placed the breakpoint on the je (jump if equal) instruction and then run pdf @main again; the breakpoint is denoted by the b next to the address.
We resume execution with dc and are prompted to input the password. Once the breakpoint is hit, dr shows the registers and px dumps memory at any address.
At the prompt I type not_the_correct_password
When we initially ran pdf @main, radare2 listed the local variables and their addresses. Looking through the logic, the one we need to inspect is local_28h. This can be accomplished by typing
The “shenanigans” applied to the password can be seen when inspecting local_28h, shown below, and those three letters will be your answer.
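The write-up does not say what the “shenanigans” in crackme3.bin are, so here is a constructed C toy (an added example, not the room's binary) with the same transform-then-compare shape: the input is scrambled into a local buffer, the analogue of local_28h, and that buffer is compared against a blob stored in the binary before a je. The transform (XOR of each byte with 0x5a), the key, the password "top_secret" and the function names are all assumptions for illustration. Breaking on the je and dumping the local buffer shows the scrambled bytes; because this transform is reversible, recover_password turns the stored blob back into the plaintext, whose first three letters would answer the question for this toy. A one-way transform such as a hash could not be inverted this way.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy crackme (added example). The room's crackme3.bin is not
   reproduced; the transform, key and password below are assumptions. */
#define KEY    0x5a
#define MAXLEN 32

/* What the binary keeps in .rodata: the transformed form of the assumed
   password "top_secret" (each byte XORed with KEY). Only this blob is
   visible in the disassembly, not the plaintext. */
static const unsigned char EXPECTED[] = {
    0x2e, 0x35, 0x2a, 0x05, 0x29, 0x3f, 0x39, 0x28, 0x3f, 0x2e
};

/* The "shenanigans": scramble n bytes of in into out. */
static void transform(const char *in, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)in[i] ^ KEY;
}

/* Returns 1 when entered is the password, 0 otherwise. */
int check_password(const char *entered)
{
    unsigned char scrambled[MAXLEN];   /* the local the debugger inspects (cf. local_28h) */
    size_t n = strlen(entered);

    if (n >= MAXLEN)                   /* refuse input that would overflow the local */
        return 0;
    transform(entered, scrambled, n);

    /* The je the write-up breaks on: taken only when the scrambled input has
       the stored length and matches the stored blob byte for byte. With a
       breakpoint here, px 32 @ <address of scrambled> shows these bytes. */
    if (n == sizeof EXPECTED && memcmp(scrambled, EXPECTED, n) == 0)
        return 1;
    return 0;
}

/* Invert the transform: XORing with the same key undoes the XOR, so the
   stored blob yields the plaintext password directly. This only works
   because the assumed transform is reversible. */
const char *recover_password(void)
{
    static char plain[sizeof EXPECTED + 1];
    for (size_t i = 0; i < sizeof EXPECTED; i++)
        plain[i] = (char)(EXPECTED[i] ^ KEY);
    plain[sizeof EXPECTED] = '\0';
    return plain;
}

int main(void)
{
    char entered[128];

    printf("Enter password: ");
    if (fgets(entered, sizeof entered, stdin) == NULL)
        return 1;
    entered[strcspn(entered, "\n")] = '\0';   /* strip the newline fgets keeps */

    puts(check_password(entered) ? "Password OK" : "Invalid password");
    return 0;
}
```

Compile with gcc -O0 -o toy3 toy3.c, open it with radare2 -d ./toy3, break on the je in check_password and type not_the_correct_password at the prompt: the bytes in the scrambled buffer are what local_28h held in the write-up, and comparing them with the stored blob shows exactly where the input diverges from the password.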