Solving TryHackMe’s Malware and Reverse Engineering Challenges — Reversing ELF

Jafar Pathan
5 min read · Mar 29, 2024


TryHackMe | Reversing ELF

This is the latest update of my TryHackMe Reverse Engineering and Malware series. So without further ado, let's solve these challenges together.

crackme1

This one is not really a challenge: just execute the program.

crackme2

This challenge can be solved via extracting strings from the binary as shown below.

crackme3

This challenge is also based on string extraction from the binary, as shown below —

After extracting the strings, notice the base64-encoded string. Just decode it.

crackme4

For this binary, I am going to use Cutter.

Navigate to the main() function and note the compare_pwd() function.

Double-click on compare_pwd to analyze it. Note the three variables holding bytes. The given input is compared against these bytes, but they are not in plain text.

Set a breakpoint on strcmp to get the string in plain text at runtime.

Then run the program.

Give any random value.

Then click on the highlighted item below to execute the program until the main function.

Click it again to run the program until the breakpoint is hit.

Now we have these variables at runtime.

Right-click on them and select ‘Edit stack value’.

Copy the value.

Using xxd, convert them into ASCII characters as shown below —

Then combine them and we get — my_m0r3_secur3_*** (the last three characters are left for you to combine).

crackme5

Open the binary in Ghidra; the first thing we notice in the main() function is a list of individual characters.

Let’s convert them into ASCII and combine them. To see them in ASCII, just hover your mouse over them as shown below.

Combine them and we get the password —

crackme6

Open the binary in any decompiler and note the main() function logic —

Analyze the compare_pwd() function.

Analyze the my_secure_test() function.

From the above, the program checks the individual characters of the input. If all characters match, the function returns 0 (success); otherwise it returns -1 (failure). For example, it checks whether the input’s first character is ‘1’ or not, whether the second character is ‘3’ or not, and so on. Following this logic, combine all the characters and we get the correct input value as shown below —

crackme7

Open the binary in any decompiler.

Note the else if (var_14h == 0x7a69). We have to somehow make this condition true so that the program calls the giveFlag() function and gives us the flag.

Let’s analyze the whole flow of the program —

The input must be an unsigned integer.

We cannot give ‘1’, as we need to break out of this loop and reach our target conditional statement.

The input must be 0x7a69 to make this condition true. Convert this into decimal, as we can only give an unsigned integer as input.

Provide this value to the program and get the flag.

crackme8

Open the binary in any decompiler.

The program converts the given input into an integer. The given input must be the decimal equivalent of -0x35010ff3.

Give this as input and get the flag.
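As an added example (not part of the original post), this Python script works out the decimal inputs that crackme7 and crackme8 expect from the hex constants quoted above, modelling how a C atoi() truncates its result to a signed 32-bit int, and decodes a little-endian stack qword the way the xxd step in crackme4 does. The c_atoi model is an assumption about how the binary parses input, and the sample qword is constructed from the password prefix quoted above.

```python
import struct

BITS = 32  # crackme7/crackme8 compare 32-bit C ints

def to_signed(value: int, bits: int = BITS) -> int:
    """Interpret a bit pattern as a two's-complement signed integer."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value

def to_unsigned(value: int, bits: int = BITS) -> int:
    """Two's-complement bit pattern of a (possibly negative) integer."""
    return value & ((1 << bits) - 1)

def c_atoi(text: str, bits: int = BITS) -> int:
    """Model (assumption) of C atoi(): optional sign, leading digits, then
    truncation to a signed 32-bit int, the value the binary actually compares."""
    text = text.strip()
    sign = -1 if text[:1] == "-" else 1
    if text[:1] in ("+", "-"):
        text = text[1:]
    digits = ""
    for ch in text:
        if not ch.isdigit():
            break
        digits += ch
    return to_signed(sign * int(digits or "0"), bits)

def stack_qword_to_ascii(qword: int) -> str:
    """Decode a little-endian 8-byte stack value (as Cutter displays it) to
    ASCII, dropping NUL padding; this is what the xxd step in crackme4 does."""
    return struct.pack("<Q", qword).rstrip(b"\x00").decode("ascii")

# Comparison constants quoted in the walkthrough above.
CRACKME7_TARGET = 0x7A69       # compared as an unsigned integer
CRACKME8_TARGET = -0x35010FF3  # shown by the decompiler as a negative constant

def required_inputs() -> dict:
    """Decimal strings to type at each prompt, plus crackme8's raw bit pattern."""
    return {
        "crackme7": str(CRACKME7_TARGET),
        "crackme8": str(CRACKME8_TARGET),
        "crackme8_bits": hex(to_unsigned(CRACKME8_TARGET)),
    }

if __name__ == "__main__":
    print(required_inputs())
    # Constructed sample qword: the first eight characters of the crackme4
    # password prefix quoted above, stored little-endian.
    print(stack_qword_to_ascii(0x5F3372306D5F796D))
```

Because atoi() keeps only the low 32 bits, the unsigned decimal of the same bit pattern also satisfies the crackme8 comparison, which is useful to know when a decompiler shows a negative constant.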

Thanks for reading and keep cracking. I’ll come back with one more challenge solved. In case of suggestions or corrections, please reach out to me —

Found the above post informative? Learned something new? Why not support me? Kindly support my work via ko-fi -> https://ko-fi.com/zinjacoder
