Aug 1, 2020
TryHackMe: Reversing ELF
- crackme1
Run the program
./crackme1
2. crackme2
Some 64 bit machine may not able to run this program. Install this package first
apt-get install lib32z1Run the program
./crackme2Need argument
./crackme2 test
strings crackme2
./crackme2 super_secret_password
3. crackme3
./crackme3Need argument
./crackme3 test
strings crackme3There’s base64 strings.
Decode it with cyberchef.
4. crackme4
./crackme4
./crackme4 test
strings crackme4Nothing much
Let’s debug
r2 -d ./crackme4
Analyze the program
aaa
List functions
aflThere’s main function.
pdf @mainThis looks like comparing function.
pdf @sym.compare_pwdHere’s the string compare.
Set breakpoint
db 0x004006d5
Supply argument
ood 'argement'
Run til breakpoint
dc
pdf @sym.compare_pwd
Let’s check the value
px @rdi
5. crackme5
./crackme5
strings crackme5
aaa
aflThere’s main function.
pdf @mainThere’s password declaration, but I’m too lazy to type one by one.
There’s string compare.
Set breakpoint
db 0x0040082f
Run program til breakpoint
dc
Verify breakpoint
pdf @main
Let’s get value of rsi.
px @rsi
6. crackme6
./crackme6./crackme 123
strings crackme6
r2 -d ./crackme6There’s main function.
pdf @mainThere’s compar_pwd function.
pdf @sym.compare_pwdThere’s another function.
pdf @sym.my_secure_test
I think this is comparing character function.
Let’s use graph for easier viewing.
VV @sym.my_secure_testGraph view
Combine all strings and decode to text.
7. crackme7
./crackme7
Let’s input some strings
strings crackme7
r2 -d ./crackme7aaaafl
There’s main function.
There’s Wow such h4x0r!. This not appear when I ran the program.
Looking more closely, there’s comparing function.
Convert to ascii text.
Let’s try input “zi”
Failed!!!
Let’s try decimal instead.
Success!!!
8. crackme8
./crackme8./crackme8 test
strings crackme8
r2 -d ./crackme8aaaafl
pdf @mainThere’s cmp here with “0xcafef00d”. Before that there’s atoi function.
This atoi will convert string to interger
Convert hex to decimal
Input numbers decimal and signed 2 complement.
