ReverseEngineering
Crackme 1
$ r2 -d crackme1.bin
Process with PID 1586 started...
= attach 1586 1586
bin.baddr 0x557057800000
Using 0x557057800000
asm.bits 64
[0x7f8d71014090]> e asm.syntax=att
[0x7f8d71014090]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x7f8d71014090]> afl
0x557057800660 1 42 entry0
0x557057a00fe0 1 4124 reloc.__libc_start_main
0x557057800690 4 50 -> 40 sym.deregister_tm_clones
0x5570578006d0 4 66 -> 57 sym.register_tm_clones
0x557057800720 5 58 -> 51 sym.__do_global_dtors_aux
0x557057800650 1 6 sym.imp.__cxa_finalize
0x557057800760 1 10 entry.init0
0x557057800880 1 2 sym.__libc_csu_fini
0x557057800884 1 9 sym._fini
0x557057800810 4 101 sym.__libc_csu_init
0x55705780076a 6 165 main
0x5570578005e0 3 23 sym._init
0x557057800610 1 6 sym.imp.puts
0x557057800620 1 6 sym.imp.__stack_chk_fail
0x557057800000 6 292 -> 318 map._root_Desktop_CTF_TryHackMe_ReverseEngineering_crackme1.bin.r_x
0x557057800630 1 6 sym.imp.strcmp
0x557057800640 1 6 sym.imp.__isoc99_scanf
[0x7f8d71014090]> pdf @ main
; DATA XREF from entry0 @ 0x55705780067d
┌ 165: int main (int argc, char **argv, char **envp);
│ ; var int64_t var_18h @ rbp-0x18
│ ; var int64_t var_14h @ rbp-0x14
│ ; var int64_t var_10h @ rbp-0x10
│ ; var int64_t var_eh @ rbp-0xe
│ ; var int64_t var_8h @ rbp-0x8
│ 0x55705780076a 55 pushq %rbp ; standard frame setup
│ 0x55705780076b 4889e5 movq %rsp, %rbp
│ 0x55705780076e 4883ec20 subq $0x20, %rsp ; 32-byte frame for the locals listed above
│ 0x557057800772 64488b042528. movq %fs:0x28, %rax ; read the stack-canary value from TLS
│ 0x55705780077b 488945f8 movq %rax, var_8h ; canary saved at rbp-0x8; re-checked before leave
│ 0x55705780077f 31c0 xorl %eax, %eax
│ 0x557057800781 488d3d0c0100. leaq str.enter_password, %rdi ; 0x557057800894 ; "enter password"
│ 0x557057800788 e883feffff callq sym.imp.puts ; int puts(const char *s)
│ 0x55705780078d 8b053d010000 movl str.hax0r, %eax ; [0x5570578008d0:4]=0x30786168 ; "hax0r" ; little-endian dword = bytes 'h','a','x','0'
│ 0x557057800793 8945ec movl %eax, var_14h ; local copy of the expected password starts at rbp-0x14
│ 0x557057800796 0fb705370100. movzwl 0x5570578008d4, %eax ; [0x5570578008d4:2]=114 ; word 0x0072 = 'r' followed by a NUL byte
│ 0x55705780079d 668945f0 movw %ax, var_10h ; rbp-0x14..rbp-0xf now hold "hax0r\0" (6 bytes)
│ 0x5570578007a1 488d45f2 leaq var_eh, %rax ; input buffer at rbp-0xe: only 6 bytes before the canary at rbp-0x8
│ 0x5570578007a5 4889c6 movq %rax, %rsi ; 2nd scanf argument = destination buffer
│ 0x5570578007a8 488d3df40000. leaq 0x5570578008a3, %rdi ; "%s" ; no field width, so scanf does not bound the write into var_eh
│ 0x5570578007af b800000000 movl $0, %eax ; al = 0: no vector registers passed to the variadic call
│ 0x5570578007b4 e887feffff callq sym.imp.__isoc99_scanf ; int scanf(const char *format) ; more than 5 input chars overrun var_eh; the canary check below only catches writes that reach rbp-0x8
│ 0x5570578007b9 488d55ec leaq var_14h, %rdx ; expected password copy
│ 0x5570578007bd 488d45f2 leaq var_eh, %rax ; user input
│ 0x5570578007c1 4889d6 movq %rdx, %rsi ; s2 = expected
│ 0x5570578007c4 4889c7 movq %rax, %rdi ; s1 = input
│ 0x5570578007c7 e864feffff callq sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
│ 0x5570578007cc 8945e8 movl %eax, var_18h ; strcmp result kept in a local
│ 0x5570578007cf 837de800 cmpl $0, var_18h ; 0 means the strings matched
│ ┌─< 0x5570578007d3 7513 jne 0x5570578007e8 ; mismatch: take the "incorrect" path
│ │ 0x5570578007d5 488d3dca0000. leaq str.password_is_correct, %rdi ; 0x5570578008a6 ; "password is correct"
│ │ 0x5570578007dc e82ffeffff callq sym.imp.puts ; int puts(const char *s)
│ │ 0x5570578007e1 b800000000 movl $0, %eax ; return value 0
│ ┌──< 0x5570578007e6 eb11 jmp 0x5570578007f9 ; skip the "incorrect" path
│ │└─> 0x5570578007e8 488d3dcb0000. leaq str.password_is_incorrect, %rdi ; 0x5570578008ba ; "password is incorrect"
│ │ 0x5570578007ef e81cfeffff callq sym.imp.puts ; int puts(const char *s)
│ │ 0x5570578007f4 b800000000 movl $0, %eax ; also returns 0: the exit status does not reveal the outcome, only the printed text does
│ │ ; CODE XREF from main @ 0x5570578007e6
│ └──> 0x5570578007f9 488b4df8 movq var_8h, %rcx ; reload the saved canary
│ 0x5570578007fd 6448330c2528. xorq %fs:0x28, %rcx ; compare with the TLS value; nonzero means the frame was overwritten
│ ┌─< 0x557057800806 7405 je 0x55705780080d ; canary intact: normal return
│ │ 0x557057800808 e813feffff callq sym.imp.__stack_chk_fail ; void __stack_chk_fail(void) ; aborts the process instead of returning over a corrupted frame
│ └─> 0x55705780080d c9 leave
└ 0x55705780080e c3 retq