I am Rakesh Kumar, a member of the TamilCTF team. In this article we will walk through the Reverse Engineering room on TryHackMe. It is a very easy room. Contact me: 0xrakeshkumar.
TryHackMe room link: Reverse Engineering
Reverse engineering is the process used to figure out a program's components and functionality.
There are two types of analysis:
- Static analysis
- Dynamic analysis
In simple words, static analysis means examining the program or binary without running it. In dynamic analysis we run the program under a debugger and analyse its functionality as it executes.
Some useful Linux commands for this:
1. file -> gives basic information about the binary (architecture, linking, whether symbols are stripped).
2. strings -> prints the printable strings contained in the binary.
3. ltrace -> a library call tracer; shows the library functions a program calls and their arguments.
There are three binaries in the room. First, download all three.
Crackme 1:
Start with some basic analysis. The file command tells us it is a 64-bit, dynamically linked binary that is not stripped.
The strings command shows some interesting strings: "password is correct", "password is incorrect" and "hax0r".
When we run the binary, it asks us to enter a password. Guessing, I enter hax0r.
It prints that the password is correct. We can also verify this with ltrace, which shows the binary comparing our input against hax0r with the strcmp library function.
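To make clear what the strings command is actually finding in crackme1, here is an added example (my own Python, not the room's tooling or the author's code): a small reimplementation of the strings algorithm, run over a constructed byte blob that stands in for the crackme1 binary. The blob, its offsets and the function name are constructed for the example; the printable-byte rule and the minimum run length of 4 follow the defaults of GNU strings.

```python
from typing import List, Tuple

# GNU strings treats a byte as "printable" if it is an ASCII graphic
# character, a space, or a tab; the default minimum run length is 4.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (file offset, text) for every run of at least min_len
    printable bytes, roughly what `strings -t d` prints."""
    results = []
    start = None  # offset where the current printable run began
    for offset, byte in enumerate(data):
        if byte in PRINTABLE:
            if start is None:
                start = offset
            continue
        # non-printable byte ends the run; report it if long enough
        if start is not None and offset - start >= min_len:
            results.append((start, data[start:offset].decode("ascii")))
        start = None
    # a run that reaches end of file is reported too
    if start is not None and len(data) - start >= min_len:
        results.append((start, data[start:].decode("ascii")))
    return results


# Constructed stand-in for a crackme binary (not the real file): an ELF-like
# header, a few machine-code bytes, and the clear-text strings the room's
# crackme1 shows.
SAMPLE_BINARY = b"".join([
    b"\x7fELF\x02\x01\x01",            # ELF magic and class bytes
    b"\x00" * 9,
    b"Enter password:\x00",
    b"hax0r\x00",                      # the hardcoded password
    b"password is correct\x00",
    b"password is incorrect\x00",
    b"\x48\x89\xe5",                   # mov rbp, rsp
    b"ab\x00",                         # too short to be reported
])

if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE_BINARY):
        print(f"{offset:7d} {text}")
```

The "ELF" in the header is only three bytes long, so it is dropped just as the two-byte "ab" is, while the password and the two result messages come out whole with their offsets. This is all strings does: it knows nothing about the file format, so a secret stored as a plain C string is always visible to it.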
Crackme 2:
Again we do the basic analysis (file, strings and ltrace).
This time nothing interesting shows up in strings or ltrace.
Let's examine the binary with gdb, the GNU Debugger, and view the main function by disassembling it:
gdb -q ./crackme2.bin
(gdb) disassemble main
This time the input is compared with 0x137c using a cmp instruction in the assembly.
Run the binary and enter the decimal value of 0x137c (4988). It prints that the password is valid.
Crackme 3:
Again we are unlucky: there is nothing interesting in the static analysis.
Load the binary in gdb and analyse it:
gdb -q ./crackme3.bin
This time the binary compares each byte of the input with something in a loop. The cmp instruction is used three times, so the password's length is 3. We set a breakpoint just before the cmp instruction.
Run the binary with password as the input and examine the values.
The x/s command prints the memory at an address as a string:
x/s $rbp+$rax-0x23 shows azt.
x/s $rbp+$rax-0x20 shows password.
So the password is azt. Run the binary with azt as input and it prints that the password is correct.
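To show why this kind of check gives the secret away, here is an added example (my own Python, not the room's binary or the author's code): a constructed stand-in for a crackme3-style byte-by-byte compare, with a trace list playing the role of a breakpoint before each cmp, next to a hardened variant that stores only a salted hash. The secret b"azt" is the room's value; the salt, the function names and the assumption that the loop compares every byte before deciding are mine.

```python
import hashlib
import hmac

# Constructed stand-in for the crackme3 check: the expected password is
# present in clear text and compared one byte at a time (assumed shape:
# all bytes are compared before the result is decided, as in many crackmes).
SECRET = b"azt"  # the value the room's binary turns out to compare against


def weak_check(user_input: bytes, trace=None) -> bool:
    """Byte-by-byte compare.

    `trace`, if given, plays the role of a breakpoint placed before the cmp
    instruction: it records the two operands of every comparison, which is
    what x/s on the two buffers reveals in gdb.
    """
    ok = len(user_input) == len(SECRET)
    for i in range(len(SECRET)):              # one cmp per secret byte
        got = user_input[i] if i < len(user_input) else 0
        if trace is not None:
            trace.append((i, SECRET[i], got))  # (index, expected, actual)
        if got != SECRET[i]:
            ok = False
    return ok


def observe(trace) -> bytes:
    """What a debugger learns from the trace: the number of entries is the
    password length and the expected operand at each index is its byte."""
    return bytes(expected for _, expected, _ in trace)


# Defensive contrast: keep only a salted hash of the password and compare
# digests in constant time. strings then shows no clear-text password and a
# breakpoint on the compare sees only digest bytes.
SALT = b"constructed-salt"                     # constructed value
SECRET_DIGEST = hashlib.sha256(SALT + SECRET).digest()


def hardened_check(user_input: bytes, trace=None) -> bool:
    digest = hashlib.sha256(SALT + user_input).digest()
    if trace is not None:
        trace.append(("digest", SECRET_DIGEST, digest))
    return hmac.compare_digest(digest, SECRET_DIGEST)


if __name__ == "__main__":
    seen = []
    weak_check(b"password", seen)          # the wrong guess used in the room
    print("cmp count:", len(seen), "recovered:", observe(seen))
    print("weak    :", weak_check(observe(seen)))
    print("hardened:", hardened_check(b"azt"), hardened_check(b"password"))
```

Running the weak check with the wrong guess password, as in the walkthrough, yields three trace entries whose expected bytes spell azt, the same information the gdb session reads out of the stack. The hardened check is not a strong defence on its own: a three-character password is still trivial to brute force against the digest, and anything the program computes a debugger can also watch. The difference that matters for this room is that the plaintext no longer sits in the binary or in a buffer next to the input.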
Yeah! We finally finished the room 🤩.