Intro to x86–64 : TryHackMe Room Walkthrough

Kindawingingit
6 min read · Apr 27, 2021

Today we are going to solve a beginner-friendly TryHackMe room on reverse engineering. Reverse engineering is the process of working out, through deductive reasoning, how a device, process, system, or piece of software accomplishes a task, with very little insight into exactly how it does so.

In this room, we are going to use radare2 to reverse engineer a couple of ELF executables. The room gives a good introduction to using radare2, which is a great tool for reverse engineering. You can read about radare2 on my blog here. The credit for making this lab goes to TryHackMe. The room is rated Easy. Let’s start hacking!

You can try the room here.

Task 1, 2, 3:

Start the machine and use the SSH credentials to log in to it. The credentials are

user: tryhackme and password: reismyfavl33t.

Task 4:

After logging in, running the ls command in the home directory shows several directories.

We navigate to the if-statements directory and use radare2 to analyze the if2 binary.

The assembly code for the program is:

1) What is the value of var_8h before the popq and ret instructions?

From the code, we can see that the value 0x63 is stored in var_8h. It is compared with the eax register, and then the result of ANDing 0x64 and 0x63 is stored in var_8h. The result is 0x96.

2) What is the value of var_ch before the popq and ret instructions?

We can see that the value 0x00 is stored in var_ch. There is an instruction that adds 0x4b0 to var_ch, but it never gets executed because of the first if comparison and the jump that follows it. Hence the value of var_ch is 0x00.

3) What is the value of var_4h before the popq and ret instructions?

The value 0x3e8 is stored in var_4h initially, but 0x3e7 is subtracted from it, which leaves var_4h at 0x01.

4) What operator is used to change the value of var_8h? Input the symbol as your answer (symbols include +, -, *, /, &, |):

The value of var_8h was changed by using the and instruction, hence the answer is &.

Task 5:

The assembly code of the program is:

1) What is the value of var_8h on the second iteration of the loop?

var_8h is initialized to 0x16, and in the loop an arithmetic right shift by one bit is applied to it. By the end of the second iteration, the shift has been applied twice to 0x16, which gives 0x05.

2) What is the value of var_ch on the second iteration of the loop?

var_ch is initialized to 0x14, and in the loop an AND with 0x02 is performed on it. 0x14 AND 0x02 is 0x00, so the value of var_ch will be 0x00 throughout the execution of the program.

3) What is the value of var_8h at the end of the program?

The loop counter is var_4h, which is initialized to 0x04 and is updated by multiplying it by 3 for as long as it is less than 0x63. This means the loop runs 3 times, so the value of var_8h at the end of the third iteration is 0x02.

4) What is the value of var_ch at the end of the program?

0x00.
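To check the four loop answers in one place, here is a small C reconstruction of the loop as the walkthrough describes it. This is an added example, not the room's binary or its source: the initial values (var_8h = 0x16, var_ch = 0x14, var_4h = 0x04), the per-iteration operations (arithmetic right shift, AND with 0x02, counter times 3) and the loop condition (var_4h < 0x63) are taken from the text above, and the function simply records the state after a chosen number of iterations.

```c
#include <stdio.h>

/* Added example (not the room's binary): a C reconstruction of the loop
 * described in Task 5. Initial values and operations are taken from the
 * walkthrough: var_8h = 0x16, var_ch = 0x14, var_4h = 0x04; each pass
 * does an arithmetic right shift of var_8h, ANDs var_ch with 0x02, and
 * triples the counter var_4h while it stays below 0x63. */

struct loop_state {
    int var_8h;
    int var_ch;
    int var_4h;
    int iterations; /* how many times the loop body actually ran */
};

/* Run the loop for at most max_iter iterations (pass a large value to
 * run the whole program) and return the resulting state. */
struct loop_state run_loop(int max_iter)
{
    struct loop_state s = { 0x16, 0x14, 0x04, 0 };
    while (s.var_4h < 0x63 && s.iterations < max_iter) {
        s.var_8h >>= 1;   /* sar: arithmetic shift right by one bit */
        s.var_ch &= 0x02; /* and with 0x02 */
        s.var_4h *= 3;    /* counter update: var_4h = var_4h * 3 */
        s.iterations++;
    }
    return s;
}

int main(void)
{
    struct loop_state s = run_loop(2);
    printf("after 2 iterations: var_8h=0x%02x var_ch=0x%02x\n",
           s.var_8h, s.var_ch);

    s = run_loop(1000);
    printf("end of program: var_8h=0x%02x var_ch=0x%02x var_4h=0x%02x "
           "(loop ran %d times)\n",
           s.var_8h, s.var_ch, s.var_4h, s.iterations);
    return 0;
}
```

Compile with `gcc loop.c -o loop && ./loop`; the trace prints 0x05 and 0x00 after two iterations and 0x02 and 0x00 at the end, with the counter stopping at 0x6c after three passes, matching the answers above.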

Task 6:

The binary checks whether the password entered is correct. It takes input and compares it with another string.

Analyzing the binary and running afl on it lists all the functions in the binary. We can see that it calls the sym.imp.strcmp procedure, which is used for comparing strings, and also the sym.imp.strtok procedure, which is used to split a string into tokens.

The first thing we see when we use visual mode in radare2 is the stack, and we notice that it holds a strange string.

The important part of the program can be found here:

We can see that the program calls the strcmp procedure once and the strtok procedure a couple of times. Basically, it takes the input and breaks it into tokens using “.” as a delimiter.

This is the code for it:

It then checks the tokens against the strings “127”, “0” and “1” that we saw on the stack. It calculates the offset of each string dynamically. The code for that is:

The correct password for the binary is “127.0.0.1”.
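Here is a C reconstruction of the check described above, added as an example rather than taken from the crackme. It splits the input on “.” with strtok and compares each piece with strcmp; the expected pieces (“127”, “0”, “0”, “1”) are assumed from the stated password 127.0.0.1. It also shows a detail of strtok that is easy to miss when reading the disassembly: runs of the delimiter are collapsed, so inputs such as 127..0.0.1 pass the same check.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the crackme's own code: a reconstruction of the
 * strtok/strcmp check described in Task 6. The expected pieces are
 * assumed from the stated password "127.0.0.1". */
static const char *const expected[] = { "127", "0", "0", "1" };
#define NPIECES (sizeof expected / sizeof expected[0])

/* Returns 1 if input is accepted as the password, 0 otherwise.
 * strtok writes NUL bytes into its argument, so work on a private copy
 * instead of modifying the caller's buffer. */
int check_password(const char *input)
{
    char buf[64];
    if (strlen(input) >= sizeof buf)
        return 0; /* longer than any valid password; reject instead of truncating */
    strcpy(buf, input);

    size_t i = 0;
    /* First call takes the buffer, later calls take NULL to continue.
     * strtok skips consecutive "." characters, so "127..0.0.1" yields the
     * same four tokens as "127.0.0.1" and is accepted too. */
    for (char *tok = strtok(buf, "."); tok != NULL; tok = strtok(NULL, ".")) {
        if (i >= NPIECES || strcmp(tok, expected[i]) != 0)
            return 0; /* too many pieces, or a piece that does not match */
        i++;
    }
    return i == NPIECES; /* every expected piece must have been seen */
}

int main(int argc, char **argv)
{
    const char *guess = argc > 1 ? argv[1] : "127.0.0.1";
    printf("%s: %s\n", guess,
           check_password(guess) ? "Correct password" : "Wrong password");
    return 0;
}
```

Run it as `./crackme1_check 127.0.0.1` or with any other guess; the reconstruction reports the same verdict the binary's strcmp loop would reach for that input.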

Task 7:

Running the binary shows that it is very similar to crackme1: it also asks for a password and checks whether it is correct.

Using radare2, we can see that this binary has the sym.imp.fread and sym.imp.fopen procedures, which are used to open and read files, but sym.imp.strcpy is nowhere to be found.

By analyzing the stack we see the name of the file it accesses.

Reading that file gives us a password.

But unfortunately, that password doesn’t work for the binary. Analyzing the code, we can see that it implements its own method of comparing the strings: it takes each character from both strings and compares them, and if they don’t match it prints “Wrong password”.

During debugging we can see that it takes the string from install-files/secret.txt in reverse order. The code for this is:

The password for this is “dwperuc3sv”.
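As an added example (not the crackme's code), here is the hand-rolled comparison in C: the secret is read with fopen/fread, as the binary does, and then compared with the input character by character while walking the secret backwards, which is why the file's contents only work when reversed. The file's contents are not shown on the page, so the sample secret in the block is constructed as the reverse of the stated password; the path install-files/secret.txt is the one named above.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the crackme's own code: reconstruction of the
 * reversed character-by-character comparison described in Task 7. */

/* Returns 1 if input equals the secret read backwards, 0 otherwise.
 * Lengths are compared first so a shorter or longer guess never matches
 * a prefix of the secret. */
int check_reversed(const char *secret, const char *input)
{
    size_t n = strlen(secret);
    if (strlen(input) != n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        /* input is walked forwards, the secret from its last byte */
        if (input[i] != secret[n - 1 - i])
            return 0;
    }
    return 1;
}

/* Read up to cap-1 bytes from path with fopen/fread (the calls seen in
 * the binary's imports), NUL-terminate, and strip a trailing newline so
 * a file written with an editor still compares cleanly.
 * Returns the number of bytes kept, or -1 if the file cannot be opened. */
long read_secret(const char *path, char *out, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, cap - 1, f);
    fclose(f);
    out[n] = '\0';
    while (n > 0 && (out[n - 1] == '\n' || out[n - 1] == '\r'))
        out[--n] = '\0';
    return (long)n;
}

int main(int argc, char **argv)
{
    /* Constructed sample: the stated password "dwperuc3sv" reversed.
     * Pass a path such as install-files/secret.txt to read a real file. */
    char secret[128] = "vs3curepwd";
    if (argc > 1 && read_secret(argv[1], secret, sizeof secret) < 0) {
        fprintf(stderr, "cannot open %s\n", argv[1]);
        return 1;
    }
    const char *guess = argc > 2 ? argv[2] : "dwperuc3sv";
    printf("%s\n", check_reversed(secret, guess) ? "Correct password"
                                                 : "Wrong password");
    return 0;
}
```

With the constructed secret, the file's own contents (vs3curepwd) are rejected and the reversed string dwperuc3sv is accepted, which mirrors what the walkthrough observed when the value from secret.txt did not work as typed.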

I had fun solving this room and would highly recommend this to anyone wanting to begin reverse engineering. Thanks for reading.


Kindawingingit

A cyber-security enthusiast who is trying to look cool by learning some tech-related jargon.