TryHackMe: Reversing ELF

~ xio
5 min readSep 5, 2021

--

tryhackme Reversing ELF write-up

  • Name: Reversing ELF
  • Description: Room for beginner Reverse Engineering CTF players.
  • Room: tryhackme.com

Crackme1

Question : Let’s start with a basic warmup, can you run the binary?

file crackme1

Using the chmod command, I can make the file executable and then run the ELF binary

chmod +x crackme1

./crackme1

Crackme2

Question : Use basic reverse engineering skills to obtain the flag

In order to get the flag, the challenge provides an ELF binary that requires a password.

./crackme2 password

The strings command can be used to retrieve the password for the binary.

Crackme3

Question : Use basic reverse engineering skills to obtain the flag

To retrieve the flag, an ELF binary is provided that requires a password. You can retrieve the password using the same method as crackme2, but with an additional step.

strings ./crackme3

The flag appears to be encoded with base64

Crackme4

Question: Analyze and find the password for the binary?

The following message appears when I run the ELF binary without a password for this challenge

This time the string is hidden and we used strcmp

The ELF binary uses the strcmp function, based on this hint. To debug the binary, I used the gdb debugger.

gdb crackme4

list all the functions in the binary file.

(gdb) info functions

According to the displayed message it appears the application input is compared with the password by this function

Set breakpoint in strcmp@plt

(gdb) b *0x0000000000400520

With the breakpoint set, I can now run the binary in gdb with some test input.

Next, I can view the current state of the registers with gdb.

(gdb) info registers

Looking at the output above I can see the name of the register, the registers value in hexadecimal format and the registers value in the format gdb thinks most appropriate (hex for pointers, decimal for the others). I can see that the general purpose registers rax and rdx have memory address values. I can use gdb to print the strings at these addresses.

Crackme5

What will be the input of the file to get output Good game?

For this ELF binary, I am tasked with providing some input that will output the message Good game.

gdb crackme4

list all the functions in the binary file.

(gdb) info functions

Unlike Crackme4, the binary now uses strcmp_ instead of strcmp@plt

b *0x00000000004006d6

run

info registers

read registers rax and rdx

x/s 0x7fffffffdf50

x/s 0x7fffffffdf70

Crackme6

Analyze the binary for the easy password

Running the ELF binary without a password presents a message that tells me to look at the source code.

For this challenge I will be using Ghidra, a software reverse engineering (SRE) suite of tools. I loaded the crackme6 binary into Ghidra, which decompiles the binary and provides me with the source code. I began by looking at the main function.

Ghidra is one of many open source software (OSS) projects developed within the National Security Agency. Complete source code for Ghidra along with build instructions have been added to the repository. Please read the updated CONTRIBUTING guide to find out more about how you can join the community.

I can see that the input taken for the password is passed to a function called compare_pwd, the source code for which can be seen below.

This function takes the password and passes it to another function called my_secure_test. Looking at the source code for this function reveals a block of if else statements that check if each letter in the input corresponds to a specified string value.

Reassembling these specified string values into one string provides the flag 1,3,3,7,etc...

Crackme7

Analyze the binary to get the flag

Looking at the source code for the main function, I can see that the number entered by the user is checked by if else statements and then performs an action based on the value entered.

This option runs a method called giveFlag(), which I found to be hidden. I need to enter 0x7a69 in its decimal form, which is 31337, to trigger this option.

Crackme8

Analyze the binary and obtain the flag

This is another ELF binary that requests a password in order to get the flag. I can see that the input is passed to a function called atoi() before the input is checked if it is equal to -0x35010ff3.

./crackme8 -889262067

thank you 🌏🔥

--

--