THM-Reversing ELF-Writeup

Mohamed Ali
7 min read · Nov 9, 2024


Room for beginner Reverse Engineering CTF players

Find This Room: Reversing ELF

Crackme1

To get the first flag we just need to run the binary. But first we need to give it permission to run with chmod +x crackme1.

Crackme2

The second crackme asks for a password as an argument. If the password is wrong it outputs “Access denied”.

Running the strings command reveals the super secret password.

Now we can run the binary with the super secret password as the argument to get the flag.

Crackme3

This crackme, like the previous one, asks for the right password as an argument.

Running the strings command on the binary reveals a base64 encoded string.

Decoding the string gives us the flag.

Crackme4

In this challenge we are provided with an ELF file, which is interesting because running it gives us a hint.

Because the hint tells us it uses strcmp to compare the actual password with the one we supplied, let's use ltrace.

Well, we can see it compares (my… pwd) to test, meaning (my… pwd) is the correct password. Running the binary with the password we found gives us the "password OK" message, which means we are right.

Crackme5

By now I think it's becoming easier and easier. So let's have a look at the crackme5 binary. Let's start by checking whether there are any interesting strings in the binary using strings. Well, we aren't lucky this time because there is no unusual string. Running the binary normally with an unknown input gives us "Always dig deeper".

Now we shall run the ELF under ltrace to see if the input is being compared to a string.

As you can see it is comparing test with (Of...4tXtz, so let's try that as our input.

Well, game over.

Crackme6

We will now run the program as usual.

We start off with basic recon, which is searching through the strings to check if we have something juicy. I think we are unlucky once again. So we shall use ltrace to see if there is any string comparison happening.

Well, once again we are unlucky, so we need to disassemble the file using radare2 to see what's happening. Once you have opened the binary and analyzed it with aaa, list all the functions with afl. There is a main function, so seek to it with s main and print its disassembly with pdf. We can see sym.compare_pwd being called.

0x0040074c      4889c7         mov rdi, rax                ; int64_t arg1
0x0040074f      e87dffffff     call sym.compare_pwd

We seek to sym.compare_pwd and print the assembly of compare_pwd to see what's going on there.

0x004006dd      488b45f8       mov rax, qword [var_8h]
0x004006e1      4889c7         mov rdi, rax                ; int64_t arg1
0x004006e4      e894feffff     call sym.my_secure_test

Another function is being called, and that's my_secure_test. We seek to my_secure_test and print the assembly of that function. You will notice it compares byte by byte against the al register.

0x00400594      0fb600         movzx eax, byte [rax]
0x00400597      3c31           cmp al, 0x31

We manually take each hex value that is compared against the byte in the al register; in order they are: 0x31, 0x33, 0x33, 0x37, 0x5f, 0x70, 0x77, 0x64. Now we have to convert these hex values to their corresponding characters. To keep everything as beginner friendly as we can, we will still use radare2 to convert, but you can also use a simple Python script. Prefix the hex value with a question mark and radare2 prints it in several formats. We grab the string value, because that's what we want.

[0x0040057d]> ? 0x31
int32 49
uint32 49
hex 0x31
octal 061
unit 49
segment 0000:0031
string "1" <-----take this value
fvalue 49.0
float 0.000000f
double 0.000000
binary 0b00110001
ternary 0t1211
[0x0040057d]>

Take the values one after the other until 0x64.

[0x0040057d]> ? 0x64
int32 100
uint32 100
hex 0x64
octal 0144
unit 100
segment 0000:0064
string "d"
fvalue 100.0
float 0.000000f
double 0.000000
binary 0b01100100
ternary 0t10201

Well… Again, you can automate this process with Python. If you noticed, we end up with (I have removed Password) as our password. Try running the binary with it and you'll have solved the challenge.

Crackme7

Once you have the ELF, we run it as intended so that we know what the program is supposed to do.

As we can see, you are required to choose one of three numbers. Let's open the program in radare2 so that we can get a deeper understanding of it.

Seek to the main function and you will see there is a comparison; if it is true, the program calls a function which prints the flag.

0x08048665      3d697a0000     cmp eax, 0x7a69
│ ││││ │╭─< 0x0804866a 7517 jne 0x8048683
│ ││││ ││ 0x0804866c 83ec0c sub esp, 0xc
│ ││││ ││ 0x0804866f 68bc880408 push str.Wow_such_h4x0r_ ; 0x80488bc ; "Wow such h4x0r!" ; const char *s
│ ││││ ││ 0x08048674 e8f7fcffff call sym.imp.puts ; int puts(const char *s)
│ ││││ ││ 0x08048679 83c410 add esp, 0x10
│ ││││ ││ 0x0804867c e825000000 call sym.giveFlag

eax is being compared to 0x7a69, which is a hex value. If you convert it to decimal you will find it is (Removed). Going back to the program and entering 31337 instead of 1, 2 or 3 displays the flag.

Crackme8

We will now run the program as usual.

This is one of the best challenges in this series. We are given an ELF file which we have to reverse. We start by seeing if we can get something juicy using strings. Well, we don't have anything which can help us there. Let's use ltrace to see if the program compares the input we give with any hard-coded string.


Once again it doesn't. We shall open it with radare2, analyze it, and then seek to the main function.

I used Ghidra to decompile the binary and started looking at the decompiled source of the main function. I can see that the input is passed to a function called atoi() before it is checked for equality with -0x35010ff3.

The atoi() function is a C library function that converts a string into its integer value. I can convert the -0x35010ff3 value to decimal, which is (Removed), and then pass it as the password to the binary to get the flag.
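The "simple python script" mentioned for crackme6 and the immediate-to-decimal conversions used for crackme7 and crackme8 can be done by one small tool that pulls the `cmp` immediates out of radare2 output. This is an added example, not code from the write-up or the room; the crackme6 sample below reuses the one `cmp al, 0x31` line quoted above and constructs the remaining seven lines from the byte list in the text, with made-up addresses.

```python
import re

# Constructed sample in the shape of the radare2 output quoted in the write-up.
# Only the 0x31 compare appears on the page; the other seven lines are built
# from the byte list given in the text (0x33, 0x33, 0x37, 0x5f, 0x70, 0x77, 0x64)
# and their addresses are invented for the example.
CRACKME6_DISASM = """
0x00400594      0fb600         movzx eax, byte [rax]
0x00400597      3c31           cmp al, 0x31
0x004005a0      3c33           cmp al, 0x33
0x004005a9      3c33           cmp al, 0x33
0x004005b2      3c37           cmp al, 0x37
0x004005bb      3c5f           cmp al, 0x5f
0x004005c4      3c70           cmp al, 0x70
0x004005cd      3c77           cmp al, 0x77
0x004005d6      3c64           cmp al, 0x64
"""

# The single eax compare quoted for crackme7.
CRACKME7_DISASM = "0x08048665      3d697a0000     cmp eax, 0x7a69"

# Matches "cmp <reg>, <imm>" where imm is hex or decimal, optionally negative.
CMP_RE = re.compile(r"\bcmp\s+(\w+),\s*(-?0x[0-9a-fA-F]+|-?\d+)\b")


def cmp_immediates(disasm: str) -> list[tuple[str, int]]:
    """Return (register, immediate) for every `cmp reg, imm` line, in program order."""
    return [(m.group(1), int(m.group(2), 0)) for m in CMP_RE.finditer(disasm)]


def byte_compares_to_string(disasm: str, reg: str = "al") -> str:
    """Join the byte immediates compared against `reg` into the expected input string."""
    return bytes(v & 0xFF for r, v in cmp_immediates(disasm) if r == reg).decode("ascii")


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit immediate as the signed int that atoi() would have to return."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def atoi_input_for(imm: int) -> str:
    """The decimal string that atoi() turns into the compared 32-bit value."""
    return str(to_signed32(imm))
```

Ghidra already prints the crackme8 constant in signed form (-0x35010ff3) while radare2 shows the raw unsigned encoding; `to_signed32` gives the same answer from either.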
