Reverse Engineering (TryHackMe walkthrough)

Ronex Ondimu
Mar 29, 2021

Level: medium

Tools used: r2 (radare2), ltrace

CRACKME1

Method 1 (r2/radare2)

I loaded crackme1.bin into r2 (radare2) in debugging mode (flag -d) after making it executable (chmod +x crackme1.bin).

The “aaa” command was to enable analysis of crackme1.bin, “s main” was to seek to the main function, and “pdf @ main” was to print out the stack.

After displaying main, at address “0x55ddb5a6c7c7” I saw that the program calls the strcmp function, which must be comparing our input to the correct password, and I put a breakpoint at that address, at the strcmp call.

The “db” command stands for breakpoint and is always followed by an address, then “dc” to execute, and I entered “1234” as my password.

The cmp instruction (cmp dword [var_18h], 0) compares the value stored in “var_18h” with “0”; if it is not equal, it jumps to address “0x55ddb5a6c7e8”, and if the jump condition is not met, it outputs “password is correct”.

I decided to check the value of “var_18h”, which is represented on the stack as “rbp-0x18”,

with “px @ rbp-0x18”,

and my input “1234” was being compared with “hax0r”, which is the password.

Method 2

Using ltrace

Opening the file with ltrace and providing “1234” as the input shows the strcmp function comparing the user input with “hax0r”.
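To show why both methods recover the password so easily, here is an added example (not code from the crackme or from the original post) that reconstructs the weak check as a C function beside a digest-based variant. The function names and the FNV-1a stand-in digest are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak shape, as seen in crackme1: the secret is a string literal handed to
 * strcmp(), so it is visible in .rodata, in a debugger and in ltrace output. */
int check_weak(const char *input) {
    return strcmp(input, "hax0r") == 0;
}

/* FNV-1a (64-bit): a dependency-free stand-in digest for this sketch.
 * Assumption: production code would use a salted, slow KDF such as Argon2id. */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;      /* FNV offset basis */
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;               /* FNV prime */
    }
    return h;
}

/* Hardened shape: only a digest is stored and compared, so no plaintext
 * secret reaches a traced library call. */
int check_digest(const char *input, uint64_t stored_digest) {
    return (fnv1a64(input) ^ stored_digest) == 0;
}

int main(void) {
    /* Constructed demo: in a real build the digest is computed offline and
     * embedded as a constant, so "hax0r" would not appear in the binary. */
    uint64_t stored = fnv1a64("hax0r");
    printf("weak(1234)=%d weak(hax0r)=%d\n",
           check_weak("1234"), check_weak("hax0r"));
    printf("digest(1234)=%d digest(hax0r)=%d\n",
           check_digest("1234", stored), check_digest("hax0r", stored));
    return 0;
}
```

A local check of either shape can still be bypassed by patching the conditional jump that follows it, so secrets that matter should be verified outside the binary the user controls.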

CRACKME2

Same process as crackme1 to debug the file.

After analyzing main, at address “0x560bba5c9758” the cmp instruction compares the value stored in ‘eax’, which is the user input, with the hex value “0x137c”; if they are not equal we jump to address “0x560bba5c9779”, which will print out “password is incorrect”, while if they are equal it will execute the ‘lea’ instruction, which is used for calculations, and print out “password is valid”.

I converted the hex value “0x137c” to an integer:

CRACKME3

Same process as crackme1 to load the file in debug mode and analyze it.

After going through main I found the ‘cmp’ instruction, which takes the value contained in “var_28h” and compares it with the constant ‘2’; if the value in “var_28h” is less than or equal to ‘2’ it will jump to address “0x5645480fe768”, otherwise the ‘lea’ instruction will be executed, which will output “password is correct”.

I put a breakpoint at address “0x5645480fe797” and executed the program, providing ‘1234’ as user input, then looked at the value at “var_28h”, which in line 1 results in ‘azt1234’, which is the password plus the input I provided.
