Try Hack Me
  • Try Hack Me
  • Rooms
  • Tutorial
    • Welcome to TryHackMe
    • Welcome
    • Tutorial
    • Starting Out In Cyber Sec
    • Welcome
  • Capture The Flag
    • Advent of Cyber
      • Task 1 - 10
      • Task 11 - 20
      • Task 21 - 29
      • PDF - materials
    • Anonymous
    • Mnemonic
    • Bounty Hacker
    • Ignite
    • Pickle Rick
    • Simple CTF
    • Agent Sudo
    • Mr. Robot
  • Advent of Cyber II
    • A Christmas Crisis
    • The Elf Strikes Back!
    • Christmas Chaos
    • Santa's watching
    • Someone stole Santa's gift list!
    • Be careful with what you wish on a Christmas night
    • The Grinch Really Did Steal Christmas
    • What's Under the Christmas Tree?
    • Anyone can be Santa!
    • Don't be sElfish!
    • The Rogue Gnome
    • Ready, set, elf.
    • Coal for Christmas
    • Where's Rudolph?
    • There's a Python in my stocking!
    • Help! Where is Santa?
    • ReverseELFneering
    • The Bits of Christmas
    • The Naughty or Nice List
    • PowershELlF to the rescue
    • Time for some ELForensics
    • Elf McEager becomes CyberElf
    • The Grinch strikes again!
    • The Trial Before Christmas
    • Thank You
  • Linux
    • Linux Fundamentals Part 1
    • Linux Fundamentals Part 2
    • Linux Fundamentals Part 3
    • LinuxCTF - Linux Challenges
    • Learn Linux - wip
    • Find - wip
  • Windows
    • Intro to Windows
  • OSINT
    • Introductory Researching - wip
    • Google Dorking
    • OhSINT
    • Sublist3r
    • Searchlight - IMINT
    • Geolocating Images
  • Crypto
    • Hashing - Crypto 101
    • Encryption - Crypto 101
    • CrackTheHash - wip
  • Network
    • Introductory Networking
    • Nmap
    • Network Services - wip
    • Network Services 2 - wip
    • Networking - wip
    • Nmap - wip
    • TOR
  • Web
    • Web Fundamentals
  • Pentest
    • Pentest questionaire
  • Hardware
    • Dumping Router Firmware
  • HELP
  • Reverse
    • Reversing ELF
Powered by GitBook
On this page
  • Video
  • Resources
  • Challenge

Was this helpful?

  1. Advent of Cyber II

ReverseELFneering

Reverse Engineering

PreviousHelp! Where is Santa?NextThe Bits of Christmas

Last updated 4 years ago

Was this helpful?

Video

Resources

Start radare2: r2 -d ./file1

Analyze the program: aa It analyses all symbols and entry points in the executable

For general help, we can run: ? or if we wish to understand more about a specific feature, we could provide a?

To find a list of the functions run: afl

Let’s examine the assembly code at main by running the command pdf @main Where pdf means print disassembly function.

Initial Data Type

Suffix

Size (bytes)

Byte

b

1

Word

w

2

Double Word

l

4

Quad

q

8

Single Precision

s

4

Double Precision

l

8

When dealing with memory manipulation using registers, there are other cases to be considered:

  • (Rb, Ri) = MemoryLocation[Rb + Ri]

  • D(Rb, Ri) = MemoryLocation[Rb + Ri + D]

  • (Rb, Ri, S) = MemoryLocation(Rb + S * Ri]

  • D(Rb, Ri, S) = MemoryLocation[Rb + S * Ri + D]

Instructions:

  • leaq source, destination: this instruction sets destination to the address denoted by the expression in source

  • addq source, destination: destination = destination + source

  • subq source, destination: destination = destination - source

  • imulq source, destination: destination = destination * source

  • salq source, destination: destination = destination << source where << is the left bit shifting operator

  • sarq source, destination: destination = destination >> source where >> is the right bit shifting operator

  • xorq source, destination: destination = destination XOR source andq source, destination: destination = destination & source

  • orq source, destination: destination = destination | source

A breakpoint specifies where the program should stop executing. db @memory-address and the parameter must be the memory address.

Run the program using dc

To view the contents of the local_ch variable, we use the following instruction px @memory-address

To go step by step use ds

Workflow...

The general formula for working through something like this is:

  • set appropriate breakpoints

  • use ds to move through instructions and check the values of register and memory

  • if you make a mistake, you can always reload the program using the ood command

Challenge

IP Address: 10.10.83.56

Username: elfmceager

Password: adventofcyber

ssh elfmceager@10.10.83.56

What is the value of local_ch when its corresponding movl instruction is called (first if multiple)?

pdf @main
db 0x00400b51
dc
px @rbp-0xc
ds
px @rbp-0xc

1

What is the value of eax when the imull instruction is called?

pdf @main
db 0x00400b66
dc

6

What is the value of local_4h before eax is set to 0?

pdf @main
db 0x00400b69
dc
px @rbp-0x4

6

Radare2 Cheatsheet