Reverse Engineering - TryHackMe Room

Mutawkkel Abdulrhman
4 min read, Jul 12, 2021

This is my writeup for the Reverse Engineering room on TryHackMe.

the link

At the start of the room there are some guidelines to follow.

Then there are three crackme challenges we have to solve in order to complete the room.

NOTE: all three challenges have the same goal: find the correct password.

Crackme1:

Let's start with the most basic thing: run the strings tool against the binary and see if the password is hardcoded as a plain string.

Indeed it is. What an easy task, huh? :D

password: hax0r

Crackme2:

Well, it's not always that easy XD. If we run strings against crackme2 we won't find any hardcoded password, so what is the next step?

Now let's debug it using GDB.

Type 'break main' to set a breakpoint on the main function, then run the program by typing 'r'.

Now let's step through the program by typing 'ni' (next instruction) until it asks us for input.

call 0x5555555545f0: this call reads our input, so the program blocks here until we type something. Just type anything and continue stepping.

Now notice the instruction at address 0x555555554758: it compares our input, which is in eax, with the immediate value 0x137c, which is 4988 in decimal. So this is it, we got the password :D. Because the input is compared as a number rather than as a string, there was nothing for strings to find, which is why the first approach failed.

password: 4988

Crackme3:

Now the last crackme, and the most challenging of the three. Let's try another tool for this one: I will use IDA. Let's open it in IDA.

This is the main function. It just asks us for input by calling scanf and then jumps (jmp short) to the label loc_797. Let's see what that block holds.

All it does is compare the value of rbp+var_28 with 2 and branch on the result (less than or equal to 2). rbp+var_28 was set to 0 in the previous block, so this is a loop counter starting at 0, and the comparison against 2 is the loop condition.

Let's see where it goes next.

It goes to loc_768, so let's trace it. We already know rbp+var_28 is 0, so after the first instruction eax will be 0. To find the values at rbp+rax+var_20 and rbp+rax+var_23, let's debug the program and set a breakpoint at this block.

Now let's examine the two locations:

rbp+rax+var_20

rbp+rax+var_23

So rbp+rax+var_20 is our input, because I typed 123 when I was asked for input.

And rbp+rax+var_23 is just the three letters azt. Hmmmmm, looks interesting XD

Now let's understand what is happening. Look back at the block:

movzx edx, [rbp+rax+var_20]

So now edx has the first byte of our input, which is '1' (0x31).

movzx eax, byte ptr [rbp+rax+var_23]

So now eax has the first byte of the weird string, which is 'a'.

cmp dl, al

dl is the lowest byte of edx and al is the lowest byte of eax, so it is clear now:

It compares the first byte of our input with the first byte of the weird string, and if you trace the rest of the code you will see that it loops back and does the same for the next byte, with the counter in rbp+var_28 selecting which byte is compared. The solution is the three characters we found :D

password: azt
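To check that the reasoning above actually explains the disassembly, it helps to write the three checks back out as C and confirm they produce the same "cmp against a literal", "cmp eax against an immediate" and "byte-by-byte loop over a 3-byte buffer" shapes. The block below is an added example written for this writeup; it is not the source of the crackmes, and the function names, the buffer sizes and the stack layout are assumptions. For crackme3 in particular it models only what the write-up shows (a counter from 0 to 2 indexing both the input and the stored bytes), so under this model any input that starts with azt passes; whether the real binary also checks the length is not something the write-up establishes.

```c
/* Added example: C reconstruction of the three checks described in the
 * write-up, used to confirm the reversing reasoning. This is NOT the
 * crackmes' own source; names, buffer sizes and layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Crackme1 model: the password is a string literal compared with strcmp,
 * which is exactly why it shows up verbatim in the output of `strings`. */
static const char CRACKME1_PASSWORD[] = "hax0r";

int crackme1_check(const char *input)
{
    return strcmp(input, CRACKME1_PASSWORD) == 0;
}

/* Crackme2 model: the input is parsed as an integer, so there is no string
 * to find; the secret lives in an immediate operand (cmp eax, 0x137c). */
#define CRACKME2_SECRET 0x137c   /* 4988 in decimal */

int crackme2_check(const char *input)
{
    char *end;
    long v = strtol(input, &end, 10);   /* assumption: scanf("%d")-style parse */
    if (end == input)
        return 0;                        /* not a number at all: fail */
    return v == CRACKME2_SECRET;
}

/* Crackme3 model: three bytes sit on the stack at rbp+var_23 (the "azt"
 * seen in the debugger) and the counter at rbp+var_28 takes the values
 * 0, 1, 2 (the `cmp [rbp+var_28], 2` at the loop head). Each iteration does
 *   movzx edx, [rbp+rax+var_20]   ; byte of our input
 *   movzx eax, [rbp+rax+var_23]   ; byte of the stored key
 *   cmp dl, al
 * so the check is a byte-by-byte comparison over the first three bytes. */
static const char CRACKME3_KEY[3] = { 'a', 'z', 't' };   /* stands in for var_23 */

int crackme3_check(const char *input)
{
    char buf[8] = { 0 };                  /* stands in for rbp+var_20 (size assumed) */
    strncpy(buf, input, sizeof buf - 1);
    for (int i = 0; i <= 2; i++) {        /* counter compared against 2 at loop head */
        if ((unsigned char)buf[i] != (unsigned char)CRACKME3_KEY[i])
            return 0;                     /* first mismatch ends the loop: failure */
    }
    return 1;                             /* all three bytes matched */
}

int main(int argc, char **argv)
{
    /* Constructed sample input: defaults to the crackme3 answer. */
    const char *in = argc > 1 ? argv[1] : "azt";
    printf("crackme1: %s\n", crackme1_check(in) ? "ok" : "wrong");
    printf("crackme2: %s\n", crackme2_check(in) ? "ok" : "wrong");
    printf("crackme3: %s\n", crackme3_check(in) ? "ok" : "wrong");
    return 0;
}
```

Compile with `gcc -O0 -o checks checks.c` and disassemble `crackme3_check` to see the same counter-compare-at-loop-head and `cmp dl, al` pattern as in IDA; the model also makes the caveat visible, since `./checks aztec` passes crackme3 just as `./checks azt` does.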
