# "Reversing ELF" (from TryHackMe) writeups
###### tags: `Reverse Engineering`, `writeups`, `ELF`
### Crackme1

This is just a warm-up task. After downloading the task file on Linux, we need to give it execute permission before we can run it. The flag is revealed when we run the file.

### Crackme2

After running the task file, we can see this *output*!

It seems we need a password to get the flag, so I will print all readable strings in this file *(shown below)*:
```
┌──(oreo㉿0r3o)-[~/Documents/CTF]
└─$ strings index.crackme2
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
puts
printf
memset
strcmp
__libc_start_main
/usr/local/lib:$ORIGIN
__gmon_start__
GLIBC_2.0
PTRh
j3jA
[^_]
UWVS
t$,U
[^_]
Usage: %s password
super_secret_password
Access denied.
Access granted.
;*2$"(
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7209
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
conditional1.c
giveFlag
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
strcmp@@GLIBC_2.0
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
printf@@GLIBC_2.0
_edata
__data_start
puts@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
memset@@GLIBC_2.0
_fp_hw
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
```
As you can see, **super_secret_password** should be the password. We then run the program as the usage message describes.

### Crackme3

Like crackme2, this file requires a password to get the flag.

We use the *strings* command again and look at the output.

We can see a base64 string in this image. It should be the encoded password.

Hmmm... maybe the base64-decoded string is the flag?!?
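
The two steps used in Crackme2 and Crackme3 (pull printable strings out of the binary, then spot and decode a base64 literal) can be combined in one script. This is an added example, not part of the original writeup; `SAMPLE` is a constructed byte string standing in for a binary, and the function names are hypothetical.

```python
import base64
import binascii
import re

def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII (plus tab) of at least min_len bytes,
    the same idea as strings(1), whose default minimum is also 4."""
    pattern = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def decode_base64_candidates(runs: list[str], min_len: int = 16) -> dict[str, str]:
    """Map each run that is well-formed base64 AND decodes to printable
    ASCII onto its decoded text; other runs are ignored."""
    found = {}
    for run in runs:
        if len(run) < min_len or len(run) % 4 or not B64_RE.fullmatch(run):
            continue
        try:
            raw = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b <= 0x7E for b in raw):
            found[run] = raw.decode("ascii")
    return found

# Constructed sample: header bytes, import names, a few opcode bytes,
# a plaintext literal and a base64-encoded literal (all made up).
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libc.so.6\x00strcmp\x00"
    + b"\x55\x89\xe5\x83\xec\x18"
    + b"Usage: %s password\x00"
    + b"constructed_plaintext_pw\x00"
    + base64.b64encode(b"constructed_password") + b"\x00"
    + b"Access denied.\x00Access granted.\x00"
)

if __name__ == "__main__":
    runs = printable_runs(SAMPLE)
    for run in runs:
        print(run)
    for encoded, decoded in decode_base64_candidates(runs).items():
        print(f"base64 literal: {encoded} -> {decoded}")
```

Both the plaintext literal and the base64 one come out of the scan, which is why encoding a hardcoded password does not protect it.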
### Crackme4
If we run the file, we get a message.

In this case, I used **gdb** in my Linux VM. After that, I ran the command *info functions* to show all functions in this program.

We can see that the address of *strcmp* is the blue string on the same line as *"strcmp@plt"*. At this point, we add a breakpoint at this function and then run the program.
> In debugging, we use a breakpoint to make the program pause at a specified point. This is helpful for programmers debugging a program, since the program runs until it hits the breakpoint.

At this point, the password we are looking for is stored in registers. Use the *info registers* command to view them.

Both **rax** and **rdx**, which are general-purpose registers, hold memory addresses. Therefore, to see what they point to, we run a command like the one below and get the password.
### Crackme5
The approach is similar to Crackme4 and this is the result:

> Don't worry if you see things like *\377\177* as in the image above. They don't have meaning in text.
### Crackme6
In this task, I use IDA, following the hint. To view pseudocode, we select the function and press the F5 key (default setting). This is the pseudocode of *compare_pwd*:

We can see the function *my_secure_test* used as the condition, so we need to check that function.

We find that the password is presented as ASCII numbers. There are multiple ASCII converters that can be used to find the **password**.
### Crackme7
Viewing the pseudocode of the *main* function in IDA, we can see that if we input *31337*, the *giveFlag* function will be executed to print out the flag.

Result:
### Crackme8
With the same approach as Crackme7, we view the *main* function.

Result: