TryHackMe: Advent of Cyber [Day 22] If Santa, Then Christmas

3 min readOct 20, 2020


Room: Advent of Cyber

Difficulty: Beginner

“McSkidy has been faring on well so far with assembly — they got some inside knowledge that the Christmas monster is weaponizing if statements. Can they get ahead of the curve?

These programs have been compiled to be executed on Linux x86–64 systems.

Check out the supporting material here.

The questions below relate to the if2 binary.”

This challenge seems to be an extension of Day 21. Start by downloading the attached file. Once again, make sure you have Radare2 installed.

git clone

Question #1 What is the value of local_8h before the end of the main function?

Open up the if2 file in debugging mode with Radare2:

r2 -d if2

Then type aaa to start analyzing it:

After that’s complete, use afl | grep main to quickly get to the main function:

Use pdf @main to get a closer look at the assembly code:

Both questions for today ask about variables at the end of the function, so we can set a breakpoint there to look at both of them:

db 0x00400b71

pdf @main (to double check it was set correctly)

Now, run the program with dc and it will stop where we just put the breakpoint (the little white “b”).

Next use px @rbp-0x8 to display the answer for Question #1. You get this information by looking at the top of the output for pdf @main. The location of the variables are both in light blue.

Question #2 What is the value of local_4h before the end of the main function?

This one is easy because we’ve already done most of the legwork.

px @rbp-0x4

I do still struggle with reverse engineering, so shout out to the source material for guiding me through this yet again.

Happy Hacking! ❤




CTF writeups to facilitate cyber education and help me earn CPEs