
# ReverseELFneering

## Video

{% embed url="https://www.youtube.com/watch?v=5X5SHprLHts" %}

## Resources

Start radare2: `r2 -d ./file1`

Analyze the program: `aa`. This analyses all symbols and entry points in the executable.

For general help, we can run `?`; if we wish to understand more about a specific feature, we can append `?` to its command prefix, for example `a?` for the analysis commands.

To find a list of the functions run: `afl`

Let’s examine the assembly code at main by running `pdf @main`, where `pdf` stands for print disassembled function.

| Initial Data Type | Suffix | Size (bytes) |
| :---------------: | :----: | :----------: |
|        Byte       |    b   |       1      |
|        Word       |    w   |       2      |
|    Double Word    |    l   |       4      |
|        Quad       |    q   |       8      |
|  Single Precision |    s   |       4      |
|  Double Precision |    l   |       8      |

When dealing with memory manipulation using registers, there are other cases to be considered (Rb is the base register, Ri the index register, S the scale factor and D the displacement):

* (Rb, Ri) = MemoryLocation[Rb + Ri]
* D(Rb, Ri) = MemoryLocation[Rb + Ri + D]
* (Rb, Ri, S) = MemoryLocation[Rb + S * Ri]
* D(Rb, Ri, S) = MemoryLocation[Rb + S * Ri + D]

Instructions:

* **leaq** source, destination: this instruction sets destination to the address denoted by the expression in source
* **addq** source, destination: destination = destination + source
* **subq** source, destination: destination = destination - source
* **imulq** source, destination: destination = destination \* source
* **salq** source, destination: destination = destination << source where << is the left bit shifting operator
* **sarq** source, destination: destination = destination >> source where >> is the right bit shifting operator
* **xorq** source, destination: destination = destination XOR source
* **andq** source, destination: destination = destination & source
* **orq** source, destination: destination = destination | source

A breakpoint specifies where the program should stop executing. Set one with `db @memory-address`; the parameter must be the memory address of the instruction.

Run the program (continue until the next breakpoint) using `dc`.

To view the contents of the local\_ch variable, use `px @memory-address` with the address of its stack slot.

To go step by step, one instruction at a time, use `ds`.

#### Workflow

The general formula for working through something like this is:

* set appropriate breakpoints
* use `ds` to move through instructions and check the values of registers and memory
* if you make a mistake, you can always reload the program using the `ood` command
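To tie the suffix table, the addressing modes, the instruction list and the breakpoint workflow together, here is a tiny AT&T-syntax emulator written for this page (added example; not code from the original page, the room or radare2). It assumes a constructed six-instruction listing in the shape `pdf @main` prints, with invented addresses, four general-purpose registers plus rbp/rsp, and only the `l` and `q` register sizes; `run` mimics `db` + `dc` by snapshotting the watched stack slots and `eax` before each breakpointed instruction, the way `px @rbp-0xc` and `dr eax` would show them.

```python
import re

SUFFIX_SIZE = {"b": 1, "w": 2, "l": 4, "q": 8}  # the page's suffix table, integer rows
SUB32 = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edx": "rdx"}  # low halves of 64-bit regs

def mask(value, size):
    return value & ((1 << (8 * size)) - 1)

def signed(value, size):  # reinterpret a masked value as two's complement
    value = mask(value, size)
    return value - (1 << (8 * size)) if value >> (8 * size - 1) else value

# Semantics of the instructions listed on the page: f(destination, source, size_in_bytes)
OPS = {"mov": lambda d, s, n: s, "lea": lambda d, s, n: s,  # lea's source is an address
       "add": lambda d, s, n: d + s, "sub": lambda d, s, n: d - s,
       "imul": lambda d, s, n: d * s, "sal": lambda d, s, n: d << s,
       "sar": lambda d, s, n: signed(d, n) >> s,  # arithmetic shift preserves the sign
       "xor": lambda d, s, n: d ^ s, "and": lambda d, s, n: d & s, "or": lambda d, s, n: d | s}

class Machine:
    def __init__(self, rbp=0x7FFD00001000):  # invented stack-frame base address
        self.regs = {r: 0 for r in ("rax", "rbx", "rcx", "rdx", "rsp", "rbp")}
        self.regs["rbp"], self.regs["rsp"] = rbp, rbp - 0x20
        self.mem = {}  # sparse byte-addressed memory

    def effective_address(self, operand):
        """D(Rb, Ri, S) -> Rb + S*Ri + D; D, Ri and S may each be absent."""
        m = re.fullmatch(r"(-?(?:0x[0-9a-f]+|\d+))?\((%\w+)?(?:,(%\w+))?(?:,(\d))?\)",
                         operand.replace(" ", ""))
        disp = int(m.group(1), 0) if m.group(1) else 0
        base = self.get_reg(m.group(2)) if m.group(2) else 0
        index = self.get_reg(m.group(3)) if m.group(3) else 0
        scale = int(m.group(4)) if m.group(4) else 1
        return base + scale * index + disp

    def get_reg(self, name):
        name = name.lstrip("%")
        return mask(self.regs[SUB32[name]], 4) if name in SUB32 else self.regs[name]

    def set_reg(self, name, value, size):
        full = SUB32.get(name.lstrip("%"), name.lstrip("%"))
        self.regs[full] = mask(value, 8 if size == 8 else 4)  # 32-bit writes zero-extend

    def load(self, addr, size):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(size)), "little")

    def store(self, addr, value, size):
        for i, b in enumerate(mask(value, size).to_bytes(size, "little")):
            self.mem[addr + i] = b

    def read(self, op, size, lea=False):
        if op.startswith("$"):
            return int(op[1:], 0)
        if op.startswith("%"):
            return self.get_reg(op)
        addr = self.effective_address(op)
        return addr if lea else self.load(addr, size)

    def execute(self, text):  # one AT&T-syntax instruction such as 'movl $1, -0xc(%rbp)'
        mnemonic, rest = text.split(None, 1)
        op, size = mnemonic[:-1], SUFFIX_SIZE[mnemonic[-1]]
        src, dst = [o.strip() for o in re.split(r",(?![^(]*\))", rest)]
        result = OPS[op](self.read(dst, size), self.read(src, size, lea=(op == "lea")), size)
        if dst.startswith("%"):
            self.set_reg(dst, result, size)
        else:
            self.store(self.effective_address(dst), result, size)

def run(listing, breakpoints, watch):
    """Emulate db + dc: snapshot the watched operands (as px / dr would) before each breakpoint."""
    m, hits = Machine(), {}
    for addr, text in listing:
        if addr in breakpoints:
            hits[addr] = {k: m.read(v, 4) for k, v in watch.items()}
        m.execute(text)
    return hits

# Constructed listing in the shape `pdf @main` prints for a tiny C main; addresses and
# code are invented for this example and are not the challenge binary's.
LISTING = [(0x1000, "movl $1, -0xc(%rbp)"),     # local_ch = 1
           (0x1007, "movl $6, -0x8(%rbp)"),     # local_8h = 6
           (0x100e, "movl -0xc(%rbp), %eax"),   # eax = local_ch
           (0x1011, "imull -0x8(%rbp), %eax"),  # eax = eax * local_8h
           (0x1015, "movl %eax, -0x4(%rbp)"),   # local_4h = eax
           (0x1018, "movl $0, %eax")]           # return 0
WATCH = {"local_ch": "-0xc(%rbp)", "local_8h": "-0x8(%rbp)", "local_4h": "-0x4(%rbp)", "eax": "%eax"}

def trace_demo():  # break before the imull and before eax is zeroed, like the challenge questions
    return run(LISTING, {0x1011, 0x1018}, WATCH)

def addressing_demo():  # scaled-index leaq, then an arithmetic right shift of a negative value
    m = Machine()
    for insn in ("movq $0x4000, %rbx", "movq $3, %rcx", "leaq 8(%rbx,%rcx,4), %rax",
                 "movq $-16, %rdx", "sarq $2, %rdx"):
        m.execute(insn)
    return m.get_reg("%rax"), signed(m.get_reg("%rdx"), 8)  # (0x4014, -4)

if __name__ == "__main__":
    print(trace_demo(), addressing_demo())
```

Reading `%eax` through `SUB32` is what makes the emulator agree with radare2: a `movl` into `eax` zero-extends into `rax`, so `dr eax` and `px` on a 4-byte slot show the same 32-bit value, while `sarq` shows why the page distinguishes the arithmetic shift from a plain right shift.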

[Radare2 Cheatsheet](https://scoding.de/uploads/r2_cs.pdf)

## Challenge

**IP Address:** 10.10.83.56

**Username:** elfmceager

**Password:** adventofcyber

```
ssh elfmceager@10.10.83.56
```

![](/files/-MOpi0oGoUqYQXpgsmFI)

![](/files/-MOqRQiUGLSJldgCRvch)

What is the value of **local\_ch** when its corresponding movl instruction is called (first if multiple)?

![](/files/-MOqRiisksLlYx80uhml)

![](/files/-MOqRzCuSDAI20dQB0dX)

```
pdf @main
db 0x00400b51
dc
px @rbp-0xc
ds
px @rbp-0xc
```

![](/files/-MOqT5EXlwuaU3pA9qVL)

{% hint style="success" %}
1
{% endhint %}

What is the value of **eax** when the imull instruction is called?

```
pdf @main
db 0x00400b66
dc
dr eax
```

{% hint style="success" %}
6
{% endhint %}

What is the value of **local\_4h** before **eax** is set to 0?

```
pdf @main
db 0x00400b69
dc
px @rbp-0x4
```

![](/files/-MOqW4OqowK2Squ1UJJD)

{% hint style="success" %}
6
{% endhint %}

