TryHackMe: Advent of Cyber [Day 21] Reverse Elf-ineering

Samantha
4 min read · Oct 10, 2020


Room: Advent of Cyber

Difficulty: Beginner

“McSkidy has never really touched low level languages — this is something they must learn in their quest to defeat the Christmas monster.

Download the archive and apply the command to the following binary files: chmod +x file-name

Please note that these files are compiled to be executed on Linux x86-64 systems.

The questions below are regarding the challenge1 binary file.”

Question #1 What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?

If you aren’t great at Reverse Engineering, the Source Material is a great resource. I will admit it’s not really my favorite CTF category.

I started by running the file command on both binaries from the archive, just to check them out:

The instructions say that “challenge1” contains what we need. Also, the materials note that you will be using Radare2, which I did not have installed. If you need it, clone the repository and run its sys/install.sh build script from the cloned directory (the project has since moved to github.com/radareorg/radare2, but the old URL redirects there):

git clone https://github.com/radare/radare2

Also, you may need to change the permissions of the files in order to be able to execute them. The challenge's chmod +x is all that is required; chmod 777 also works, but it additionally makes the file world-writable, which nothing here needs.

chmod +x <filename>

I ran ./file1 just to see what it printed:

Looks like it’s just giving us the value of three different variables:

a = 4

b = 5

c = 9

Then I attempted to run challenge1:

It produces no output at all. To open the binary under Radare2's debugger, use:

r2 -d challenge1

Next, type aa so that Radare2 analyzes the binary; this is what finds the functions and names the stack variables you will see in the disassembly.

After that, use afl | grep main to find the main function:

In order to examine the assembly code of main, type pdf @main:

We can utilize breakpoints to stop the program from executing at our preferred locations, which will make it easier to find the information we are looking for.

We are looking for local_ch, which Radare2 lists at the top of the function as “var_ch” (in deep blue): a stack local living at rbp-0xc. The movl that writes to it is the third instruction down, so let's put a breakpoint on that address and then re-display the assembly code.

db 0x00400b51

pdf @main

We can make things easier on ourselves by adding the required breakpoints for the next two questions ahead of time.

The next one we need is when imul is used (0x00400b62), and then the third one is before eax is set to 0 (0x00400b69).

You should now have three breakpoints, like so:

Now, run the program using dc; it should report that it hit the first breakpoint. Display the assembly code again to double-check (the current instruction is highlighted in green with rip marked beside it).

Now, we can use px @rbp-0xc to dump the memory at that stack slot.

This correlates with the memory location displayed for var_ch in light blue at the top of pdf @main.

Because a breakpoint stops before the instruction executes, the slot still holds whatever was already on the stack. Step one instruction forward with ds and then use px @rbp-0xc again to see the value the movl stored:

Question #2 What is the value of eax when the imull instruction is called?

Continue to execute by using dc, and you will hit the next breakpoint:

Remember to step one instruction forward with ds again, then use dr to show the register values. Note that ds executes the imul, so dr now shows eax after the multiply; if you want the operand that went into it, read eax before stepping:

Question #3 What is the value of local_4h before eax is set to 0?

Run dc again to get to our final breakpoint:

Dump local_4h with px @rbp-0x4 (no ds needed this time, since we want the value before the instruction at the breakpoint runs):
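The three breakpoints above are really one procedure: find the slot a var_Xh name refers to, then read it or eax at a chosen instruction. The following Python script is an added example that is not from the original post or from the challenge authors: it parses a radare2 pdf listing and replays main statically, recording the state before every instruction, so that all three answers fall out without stepping. The listing embedded in it is constructed to match the breakpoint addresses used above; the immediates 1 and 6 in it are assumptions chosen for illustration, not values taken from the real challenge1 binary. It also accepts the raw [rbp-0xc] spelling radare2 uses when variable names are not shown, so the same parser works on either form of the disassembly.

```python
"""
Static replay of the three Reverse Elf-ineering questions from a radare2
`pdf @ main` listing, instead of stepping to each breakpoint with db/dc/ds.

radare2 names stack locals by their offset from rbp: var_ch is [rbp-0xc],
var_8h is [rbp-0x8] and var_4h is [rbp-0x4], which is why `px @rbp-0xc`
reads local_ch.  The interpreter below understands only the instruction
forms this kind of challenge uses (mov imm/eax/local, imul eax by a local)
and raises on anything else, so it cannot silently mis-answer.
"""
import re

# Constructed listing in radare2's `pdf` layout (byte column omitted).  The
# addresses are the breakpoints from the writeup; the immediates 1 and 6 are
# assumed for illustration, not values taken from the real challenge1 binary.
SAMPLE_PDF = """\
0x00400b4d      push rbp
0x00400b4e      mov rbp, rsp
0x00400b51      mov dword [var_ch], 1
0x00400b58      mov dword [var_8h], 6
0x00400b5f      mov eax, dword [var_ch]
0x00400b62      imul eax, dword [var_8h]
0x00400b66      mov dword [var_4h], eax
0x00400b69      mov eax, 0
0x00400b6e      pop rbp
0x00400b6f      ret
"""

# Instruction line: optional box-drawing prefix, address, optional hex byte
# column (present in real `pdf` output), mnemonic, operands, optional comment.
LINE_RE = re.compile(
    r"^[\s│|]*(0x[0-9a-f]+)\s+(?:[0-9a-f]{4,}\s+)?([a-z]+)\s*([^;]*)")
# Both spellings radare2 uses for the same slot: [var_ch] and [rbp-0xc].
VAR_RE = re.compile(r"\[(?:var_([0-9a-f]+)h|rbp\s*-\s*0x([0-9a-f]+))\]")
IMM_RE = re.compile(r"0x[0-9a-f]+|\d+")

def var_offset(operand):
    """Map 'dword [var_ch]' or 'dword [rbp-0xc]' to the rbp offset -0xc."""
    m = VAR_RE.search(operand)
    if not m:
        raise ValueError("not a stack-local operand: " + operand)
    return -int(m.group(1) or m.group(2), 16)

def parse_pdf(text):
    """Yield (address, mnemonic, [operands]) for each instruction line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comments, xrefs and var declarations are skipped
        addr, mnem, rest = m.groups()
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        yield int(addr, 16), mnem, ops

def execute(listing):
    """Replay the listing; return {address: state *before* that instruction},
    state being {'eax': int, 'stack': {rbp_offset: value}}.  An unwritten
    local reads as 0 here; in a real frame it holds leftover stack garbage,
    which is exactly why the writeup steps past the movl before reading."""
    eax, stack, before = 0, {}, {}
    for addr, mnem, ops in listing:
        before[addr] = {"eax": eax, "stack": dict(stack)}
        if mnem in ("push", "pop", "ret") or ops[:1] == ["rbp"]:
            continue  # prologue/epilogue: touches neither eax nor the locals
        if mnem == "mov" and ops[0] == "eax" and IMM_RE.fullmatch(ops[1]):
            eax = int(ops[1], 0)                        # mov eax, imm
        elif mnem == "mov" and ops[0] == "eax":
            eax = stack.get(var_offset(ops[1]), 0)      # mov eax, [local]
        elif mnem == "mov" and ops[1] == "eax":
            stack[var_offset(ops[0])] = eax             # mov [local], eax
        elif mnem == "mov" and IMM_RE.fullmatch(ops[1]):
            stack[var_offset(ops[0])] = int(ops[1], 0)  # movl $imm, local
        elif mnem == "imul" and ops[0] == "eax":
            # eax is 32 bits wide: keep the low 32 bits like the CPU does
            eax = (eax * stack.get(var_offset(ops[1]), 0)) & 0xFFFFFFFF
        else:
            raise NotImplementedError(f"{addr:#x}: {mnem} {ops}")
    return before

def find_breakpoints(listing):
    """The three addresses the writeup breaks on: the first store to var_ch,
    the imul, and the `mov eax, 0` that clears the return value."""
    movl_ch = next(a for a, m, o in listing if m == "mov" and o
                   and VAR_RE.search(o[0]) and var_offset(o[0]) == -0xc)
    imul = next(a for a, m, _ in listing if m == "imul")
    zero_eax = next(a for a, m, o in listing if m == "mov" and o == ["eax", "0"])
    return [movl_ch, imul, zero_eax]

def answer_questions(text):
    """Q1 and Q2 as the writeup reads them (after `ds` steps the breakpoint
    instruction), plus eax going into the imul, and Q3 at the breakpoint."""
    listing = list(parse_pdf(text))
    before = execute(listing)
    addrs = [a for a, _, _ in listing]
    def after(addr):  # state once the instruction at addr has run
        return before[addrs[addrs.index(addr) + 1]]
    movl_ch, imul, zero_eax = find_breakpoints(listing)
    return {
        "local_ch": after(movl_ch)["stack"][-0xc],    # Q1
        "eax_at_imul": before[imul]["eax"],           # Q2, operand going in
        "eax_after_imul": after(imul)["eax"],         # Q2 as read after ds
        "local_4h": before[zero_eax]["stack"][-0x4],  # Q3
    }

if __name__ == "__main__":
    for name, value in answer_questions(SAMPLE_PDF).items():
        print(f"{name} = {value}")
```

To run it against the real binary, paste the output of pdf @main into SAMPLE_PDF (or read it from a file); the parser ignores the byte column, the box-drawing margin and the ; comments that the live listing carries. The replay deliberately records both eax before and after the imul, since that is the one place where stepping with ds before reading changes the answer.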

This one was a struggle for me because I am not very adept at this sort of thing (I’m working on it), but with the help of the source material and some furious Googling, I was able to eventually make it through!

Looks like tomorrow’s challenge has something similar in store…

Happy Hacking! ❤

CTF Writeups to facilitate cyber education.