:::info
[room](https://tryhackme.com/r/room/reverselfiles)
:::

# Crackme1

After opening the binary in IDA, I tweaked the decompiled code slightly:

```c
#include <stdio.h>
#include <string.h>

int main()
{
    char s[32];     // [rsp+10h] [rbp-90h] BYREF
    int v5[27];     // [rsp+30h] [rbp-70h]
    unsigned int i; // [rsp+9Ch] [rbp-4h]

    v5[0] = 37;
    v5[1] = 43;
    v5[2] = 32;
    v5[3] = 38;
    v5[4] = 58;
    v5[5] = 45;
    v5[6] = 46;
    v5[7] = 51;
    v5[8] = 30;
    v5[9] = 51;
    v5[10] = 39;
    v5[11] = 32;
    v5[12] = 51;
    v5[13] = 30;
    v5[14] = 42;
    v5[15] = 40;
    v5[16] = 45;
    v5[17] = 35;
    v5[18] = 30;
    v5[19] = 46;
    v5[20] = 37;
    v5[21] = 30;
    v5[22] = 36;
    v5[23] = 43;
    v5[24] = 37;
    v5[25] = 60;
    v5[26] = -65; // 65 + (-65) = 0, which NUL-terminates the string

    // Fill the buffer with 'A' (65), then add each offset to recover the flag.
    memset(s, 65, 27);
    for (i = 0; i <= 0x1A; ++i)
        s[i] += (char)v5[i];
    puts(s);
    return 0;
}
```

```
flag{not_that_kind_of_elf}
```

# Crackme2

Open the binary directly in r2 and the password is visible.

![image](https://hackmd.io/_uploads/HJaCKGTTA.png)

```bash
┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ./crackme2 super_secret_password
Access granted.
flag{if_i_submit_this_flag_then_i_will_get_points}
```

# Crackme3

Opening the binary in r2 shows that this time the password is base64-encoded; decoding it gives the answer for this challenge.

![image](https://hackmd.io/_uploads/Hk9d9GTaA.png)

```bash
┌──(kali㉿G)-[/tmp]
└─$ echo "ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==" | base64 -d
f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
```

# Crackme4

Inspection shows that the comparison is done with `strcmp`; tracing the program with `ltrace` reveals the answer.

```bash
┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ./crackme4
Usage : ./crackme4 password
This time the string is hidden and we used strcmp

┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ltrace ./crackme4 adsf
__libc_start_main(0x400716, 2, 0x7ffca957ed28, 0x400760 <unfinished ...>
strcmp("my_m0r3_secur3_pwd", "adsf") = 12
printf("password "%s" not OK\n", "adsf"password "adsf" not OK
) = 23
+++ exited (status 0) +++
```

# Crackme5

Same approach as above.

```bash
┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ./crackme5 adsf
Enter your input:
asdf
Good game

┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ltrace ./crackme5 adsf
__libc_start_main(0x400773, 2, 0x7ffffac06388, 0x4008d0 <unfinished ...>
puts("Enter your input:"Enter your input:
) = 18
__isoc99_scanf(0x400966, 0x7ffffac06220, 0, 0x7f324c3504e0
d
) = 1
strlen("d") = 1
strlen("d") = 1
strncmp("d", "OfdlDSA|3tXb32~X3tX@sX`4tXtz2\177", 28) = 21
puts("Good game"Good game
) = 10
+++ exited (status 0) +++
```

```
ans:OfdlDSA|3tXb32~X3tX@sX`4tXtz2
```

# Crackme6

Tracing in IDA leads to this function, which performs the password check.

![image](https://hackmd.io/_uploads/Sk1hazaaC.png)

Converting each of those values to ASCII gives the password `1337_pwd`.

# Crackme7

The overall flow looks roughly like this:

![image](https://hackmd.io/_uploads/Sy3zk7paA.png)

Tracing into the part at the bottom right:

![image](https://hackmd.io/_uploads/SyDFkXapR.png)

This reveals the magic number that yields the flag, `0x7a69` (31337 in decimal).

```bash
┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ./crackme7
Menu:

[1] Say hello
[2] Add numbers
[3] Quit

[>] 31337
Wow such h4x0r!
flag{much_reversing_very_ida_wow}
```

# Crackme8

After analyzing the program, patch it directly, changing the original `je 0x8048502` to `jne 0x8048502`.

![image](https://hackmd.io/_uploads/HJDWbmpTR.png)

```bash
┌──(kali㉿G)-[/mnt/d/Users/cheng/Downloads]
└─$ ./crackme8 asdf
Access granted.
flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
```
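
The `je` to `jne` change in Crackme8 is a one-bit edit to the jump opcode. This added example (not part of the original writeup) compares an original and a patched image and reports every conditional jump whose condition was inverted, covering both the short and near encodings. The byte strings are constructed for illustration and are not taken from crackme8, and the function names are hypothetical.

```python
# Added example: all bytes below are constructed, not extracted from crackme8.

def jcc_flip_kind(before: bytes, after: bytes, i: int):
    """Return 'short' or 'near' if byte i differs only by an inverted Jcc condition."""
    a, b = before[i], after[i]
    if a ^ b != 0x01:        # je/jne, jl/jge, ... differ only in bit 0 of the opcode
        return None
    if 0x70 <= a <= 0x7F:    # short form: 7x rel8
        return "short"
    if 0x80 <= a <= 0x8F and i > 0 and before[i - 1] == 0x0F == after[i - 1]:
        return "near"        # near form: 0F 8x rel32
    return None


def find_inverted_jumps(before: bytes, after: bytes):
    """List (offset, kind, old_opcode, new_opcode) for every inverted Jcc.

    Heuristic: this scans raw bytes without disassembling, so a changed data
    byte that happens to look like a Jcc opcode is reported as well.
    """
    if len(before) != len(after):
        raise ValueError("in-place patch expected: sizes differ")
    hits = []
    for i in range(len(before)):
        kind = jcc_flip_kind(before, after, i)
        if kind:
            hits.append((i, kind, before[i], after[i]))
    return hits


# Constructed fragment: test eax,eax ; je +0x0c ; nop ; test eax,eax ; jne near
ORIGINAL = bytes.fromhex("85c0740c90" "85c00f8510000000")
# Same fragment with the first branch changed from je (74) to jne (75).
PATCHED = bytes.fromhex("85c0750c90" "85c00f8510000000")

if __name__ == "__main__":
    for off, kind, old, new in find_inverted_jumps(ORIGINAL, PATCHED):
        print(f"offset {off:#x}: {kind} Jcc {old:#04x} -> {new:#04x}")
```
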