Reverse Engineering
August 31, 2020
Last updated
TASK 1: Set up a debugger
For this task I already have Radare2 set up, but other debuggers like gdb can work for this challenge. Note: you need to change the file permissions on each download to make the binary executable before running it.
TASK 2: crackme1
This is a straightforward task: just change the permissions and run the binary.
Your password appears right under the "password is incorrect" line.
TASK 3: crackme2
For this task, you want to use your debugger. Begin by opening radare2 with this:
We use -d for debugging mode, and as soon as r2 opens in its debugger we run "aa" (analyze all), which finds the functions and flags in the binary.
Now that the analysis is done, we list the functions (afl) and disassemble main with pdf @main. Here we want to look at the format of the strings and check whether our input value is compared against anything.
Right at 0x557637cb6758 you can see cmp eax, 0x137c. The cmp compares our input (held in eax) against the hard-coded constant 0x137c, and the conditional jump that follows either rejects the input if the two are not equal or grants access if they match. Converting 0x137c to decimal gives a 4-digit number, which is the password for the file and the task.
TASK 4: crackme3
I feel as if this last task was a little bit of a cheat for me, so I also tried another method from a write-up to verify my findings; I will link it at the end.
I opened up radare2 just like I would with crackme2, except this time I noticed the program uses a loop. The loop compares our input character by character against the known password: as long as each successive character matches, the comparison continues and ultimately decides whether we are correct.
However, the loop exits as soon as a character comparison fails. Below is the compare instruction found in the program:
The cmp instruction takes one character of the user's input (let's say "mouse" for example) in dl and compares it against the correct character in al. This is important because we can inspect those registers inside the loop when we set a breakpoint in the program.
If we set a breakpoint at 0x55cb889b777c, we can run the loop and print dl and al at each iteration to reveal the expected character.
Unfortunately, it is a little more difficult to use a tool like gdb to solve this task.
It turns out r2 already shows the password laid out in the mov word and mov byte instructions (0x..7731, 0x..7737): the expected string was stored on the stack as immediate values. In x86 assembly a word is 2 bytes, and a byte is, well, 1. Next to the mov word you can see 0x7a61; split into two bytes, that gives two hexadecimal values, each of which is the ASCII code of one character (x86 is little-endian, so the low byte is the first character). These values are in hexadecimal, so we need to convert them:
Once that is converted, the line right under it gives 0x74 = 116 = t. Together these give us the password to use.
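To make both conversions concrete, here is an added Python example (not part of the original write-up or of the challenge files) that reads constructed r2-style disassembly lines modelled on what the write-up describes for crackme2 (the cmp eax, 0x137c) and crackme3 (the mov word / mov byte immediates 0x7a61 and 0x74). It converts the compare constant to decimal, rebuilds the stored string by turning each immediate back into little-endian bytes ordered by stack address, and mirrors the character-by-character loop that exits on the first mismatch. The sample lines, the stack offsets, and the 0x..-prefixed addresses are constructed placeholders, not the real binaries' output.

```python
import re

# Constructed sample lines modelled on r2's `pdf @main` output as the write-up
# describes it. The opcode-byte column is omitted, and the stack offsets and the
# crackme3 addresses (truncated on the page as 0x..) are placeholders.
CRACKME2_LINES = [
    "0x557637cb6755      mov eax, dword [rbp-0x4]",
    "0x557637cb6758      cmp eax, 0x137c",
    "0x557637cb675d      jne 0x557637cb6771",
]
CRACKME3_LINES = [
    "0x..7731      mov word [rbp-0x20], 0x7a61",
    "0x..7737      mov byte [rbp-0x1e], 0x74",
    "0x..777c      cmp dl, al",
    "0x..777e      jne 0x..7790",
]

SIZE_BYTES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

# `cmp <reg>, <hex immediate>` (crackme2 style)
CMP_IMM = re.compile(r"\bcmp\s+(\w+),\s*(0x[0-9a-f]+)", re.I)
# `mov <size> [rbp-<disp>], <hex immediate>` (crackme3 style stack store)
MOV_STORE = re.compile(
    r"\bmov\s+(byte|word|dword|qword)\s+\[rbp-(0x[0-9a-f]+)\],\s*(0x[0-9a-f]+)",
    re.I,
)


def find_compare_immediate(lines):
    """Return the constant a `cmp reg, imm` checks the input against, or None."""
    for line in lines:
        m = CMP_IMM.search(line)
        if m:
            return int(m.group(2), 16)
    return None


def recover_stored_string(lines):
    """Rebuild a string the compiler stored on the stack via immediate movs.

    Each immediate is converted back into the bytes it writes (little-endian),
    the pieces are ordered by ascending stack address, and trailing NUL padding
    is dropped.
    """
    pieces = []
    for line in lines:
        m = MOV_STORE.search(line)
        if not m:
            continue
        size = SIZE_BYTES[m.group(1).lower()]
        disp = int(m.group(2), 16)
        imm = int(m.group(3), 16)
        # A larger displacement below rbp is a lower address, so it sorts first.
        pieces.append((-disp, imm.to_bytes(size, "little")))
    pieces.sort()
    data = b"".join(chunk for _, chunk in pieces)
    return data.rstrip(b"\x00").decode("ascii")


def early_exit_compare(candidate, secret):
    """Mirror the crackme3 loop: compare one character at a time, stop at the
    first mismatch. Returns (matched, iterations), where iterations is how many
    times a breakpoint on the cmp would be hit for this input."""
    count = 0
    for dl, al in zip(candidate, secret):
        count += 1
        if dl != al:
            return False, count
    return len(candidate) == len(secret), count


if __name__ == "__main__":
    imm = find_compare_immediate(CRACKME2_LINES)
    print(f"crackme2: cmp against {imm:#x} = {imm} decimal")
    pw = recover_stored_string(CRACKME3_LINES)
    print(f"crackme3: immediates decode to {pw!r}")
    print("'mouse' against the stored string:", early_exit_compare("mouse", pw))
```

Running it prints 0x137c as a decimal number and the characters the two immediates decode to in little-endian order (0x61, then 0x7a, then 0x74); the early_exit_compare call shows why a breakpoint on the cmp fires only once for an input whose first character is wrong, which is exactly the behaviour that makes printing dl and al at the breakpoint so useful.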
Conclusion:
I hope someone out there enjoys this read, I'm glad to have learned more about debugging tools during this challenge.
Website Reference:
https://0xsmiley.github.io/2020-05-09-Reverse/