TryHackMe: Reverse Engineering

./crackme1.bin
strings ./crackme1.bin

Now I have the answer.

Let’s debug

r2 -d ./crackme1.bin

Analyze

aaa

List functions

afl

There’s a main function.

pdf @main

There’s password declaration and strcmp function.

Let’s look into variable’s value.

Set breakpoint at strcmp

db 0x56163a9737c7pdf @main

Now I have breakpoint.

Run the program

dc
pdf @main
px @ rsi

There’s a password.

2. crackme2

Run the program

./crackme2.bin

Let’s strings it

strings ./crackme2.bin

Nothing here

Let’s debug

r2 -d ./crackme2.bin

Analyze

List function

afl

There’s a main function.

pdf @main

There’s comparison with value.

Convert from hexa to decimal

3. crackme3

Run the program

./crackme3.bin
strings crackme3.bin

Nothing here

Let’s debug

r2 -d ./crackme3.bin

Analyze

aaa

List functions

afl

There’s a main function.

pdf @main

Set breakpoint

db 0x560334e1a75fdb 0x560334e1a79b
pdf @main

Run program til breakpoint

dc 
pdf @main

Run another step

dspdf @main

Just my gut that I have to look something in var_28h.

Variable “var28_h” is “rbp-0x28”.

Let’s check the value

px @ rbp-0x28

I just try to answer this and it’s correct.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store