TryHackMe — Advent of Cyber 2 — Day 17

Good afternoon everyone,

Today we will be tackling the first reverse engineering challenge. As I have only done this roughly 3 times, it should be a good review and learning lesson for me. The walkthrough on TryHackMe’s site has them doing it with radare2, so I’ll give that a shot.

We have to get into the machine with the given creds and get the needed files.

We got the challenge1 file and quickly made sure it was an executable.

challenge1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=884f57a67cddb0fc0104f1d556ab051183952324, not stripped
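As an added example (not part of the original post), a small Python parser that reads the same ELF header fields `file` reports above; the 64-byte header it checks is constructed inline to stand in for challenge1, and its entry address is a placeholder:

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# Header layout after the 16-byte e_ident block: (struct format, total header size)
LAYOUT = {1: ("HHIIIIIHHHHHH", 52), 2: ("HHIQQQIHHHHHH", 64)}


def describe_elf(data: bytes) -> dict:
    """Parse an ELF header and return the fields `file` prints for it."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS: 1=32-bit, 2=64-bit; EI_DATA: 1=LSB, 2=MSB
    if ei_class not in LAYOUT or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    fmt, size = LAYOUT[ei_class]
    if len(data) < size:
        raise ValueError("truncated ELF header")
    endian = "<" if ei_data == 1 else ">"
    fields = struct.unpack(endian + fmt, data[16:size])
    e_type, e_machine, e_entry = fields[0], fields[1], fields[3]
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": E_TYPE.get(e_type, f"unknown(0x{e_type:x})"),
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
        "entry": e_entry,
    }


def file_summary(data: bytes) -> str:
    """Render the parsed header the way `file` starts its description."""
    h = describe_elf(data)
    return f"ELF {h['bits']}-bit {h['endian']} {h['type']}, {h['machine']}"


# Constructed sample: a 64-bit little-endian ET_EXEC header for x86-64, like challenge1.
# e_entry 0x400a90 is a placeholder, not taken from the challenge binary.
SAMPLE_HEADER = (
    ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400A90, 64, 0, 0, 64, 56, 4, 64, 0, 0)
)

if __name__ == "__main__":
    print(file_summary(SAMPLE_HEADER))
```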

Anyhow, let’s load it up into radare2 and let it run.

Once it completes, we can start the analysis.

Question 1: What is the value of local_ch(var_ch in mine) when its corresponding movl instruction is called (first if multiple)?

We can see the answer right there at the 0x00400b51 instruction, but we can verify it by setting a breakpoint at 0x00400b51 and looking at @rbp-0xc.

Question 2: What is the value of eax when the imull instruction is called?

Here we can look at main again, see where the imull instructions are located, set a breakpoint and check out the value of var_8h.

Final Question: What is the value of local_4h before eax is set to 0?

Again, we can look at main and see that we need to set the breakpoint at 0x00400b69, let it run, and take a look at var_4h.

Here we get the value of eax before it is set to 0. I was mainly following directions on this and still struggled. I need more practice; if you know of a good place to get more practice with this, drop a note.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino