TryHackMe: Advent of Cyber [Day 22] If Santa, Then Christmas

Room: Advent of Cyber

Difficulty: Beginner

“McSkidy has been faring on well so far with assembly — they got some inside knowledge that the Christmas monster is weaponizing if statements. Can they get ahead of the curve?

These programs have been compiled to be executed on Linux x86–64 systems.

Check out the supporting material here.

The questions below relate to the if2 binary.”

This challenge seems to be an extension of Day 21. Start by downloading the attached file. Once again, make sure you have Radare2 installed.

git clone

Question #1 What is the value of local_8h before the end of the main function?

Open up the if2 file in debugging mode with Radare2:

r2 -d if2

Then type aaa to start analyzing it:

After that’s complete, use afl | grep main to quickly get to the main function:

Use pdf @main to get a closer look at the assembly code:

Both questions for today ask about variables at the end of the function, so we can set a breakpoint there to look at both of them:

db 0x00400b71

pdf @main (to double check it was set correctly)

Now, run the program with dc and it will stop where we just put the breakpoint (the little white “b”).

Next use px @rbp-0x8 to display the answer for Question #1. You get this information by looking at the top of the output for pdf @main. The location of the variables are both in light blue.

Question #2 What is the value of local_4h before the end of the main function?

This one is easy because we’ve already done most of the legwork.

px @rbp-0x4

I do still struggle with reverse engineering, so shout out to the source material for guiding me through this yet again.

Happy Hacking! ❤




CTF Writeups to facilitate cyber education.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Pickle Rick CTF Walkthrough -TryHackMe

What's up in Vietnam

Why Blender Is the Best Software for the 3D Workflow

(REST API using Spring Boot) Part-1 Setting up and creating basic controller

Distributed Computing — Is Decentralised good??

What’s new in the Google’s Associate Android Developer Certification exam

Aukey Hd-p7 Manual Download

Using Trello for Hurricane Michael Cleanup

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


CTF Writeups to facilitate cyber education.

More from Medium


VulnHub — The Planets: Mercury CTF

Laboratory General Description

UTCTF 2021 — RF is Spooky