# Reversing ELF ## Task 1 Crackme1 Let's start with a basic warmup, can you run the binary? ### What is the flag? ``` chmod +x crackme1 binwalk crackme1 ./crackme1 ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP5sPEvNSZu_9Ydxj25%2F-MP5sSC3p-qfAnP-ozTK%2Fimage.png?alt=media\&token=20f844f5-791a-440c-8191-76da4096d0bd) {% hint style="success" %} flag{not\_that\_kind\_of\_elf} {% endhint %} ## Task 2 Crackme2 Find the super-secret password! and use it to obtain the flag ### What is the super secret password ? ``` chmod +x crackme2 binwalk crackme2 strings crackme2| grep pass ./crackme2 super_secret_password ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP5sPEvNSZu_9Ydxj25%2F-MP5t8BmE3yj62nU9phK%2Fimage.png?alt=media\&token=883d78f4-4958-4858-87da-9c001beafb30) {% hint style="success" %} super\_secret\_password {% endhint %} ### What is the flag ? {% hint style="success" %} flag{if\_i\_submit\_this\_flag\_then\_i\_will\_get\_points} {% endhint %} ## Task 3 Crackme3 Use basic reverse engineering skills to obtain the flag ### What is the flag? ``` chmod +x crackme3 binwalk crackme3 strings crackme2| more echo "ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==" |base64 -d ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP5sPEvNSZu_9Ydxj25%2F-MP5un9SJ_sMd9t1NNw0%2Fimage.png?alt=media\&token=f052fa0b-274c-41ca-8895-a68198253781) {% hint style="success" %} f0r\_y0ur\_5ec0nd\_le55on\_unbase64\_4ll\_7h3\_7h1ng5 {% endhint %} ## Task 4 Crackme4 Analyze and find the password for the binary? ### What is the password ? ``` radare2 -d ./crackme4 password [0x7faf1ff3c090]> aa [0x7faf1ff3c090]> afl [0x7faf1ff3c090]> pdf @sym.get_pwd [0x7faf1ff3c090]> db 0x00400678 [0x7faf1ff3c090]> dc [0x00400678]> pdf @sym.get_pwd [0x00400678]> px @rbp-0x4 ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP5v6gnbqxMig1GEjOQ%2F-MP5x6cdGi9pLJyIskcL%2Fimage.png?alt=media\&token=f56f130f-f9da-4ef9-a4df-b974b764e7d8) {% hint style="success" %} my\_m0r3\_secur3\_pwd {% endhint %} ## Task 5 Crackme5 What will be the input of the file to get output Good game ? ### What is the input ? ``` chmod +x crackme5 ./crackme5 ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP5xVIAkX3laZLbWjVg%2F-MP5xwvDXXgr0uz_xGF9%2Fimage.png?alt=media\&token=8410a13b-e5cb-4531-883d-3e3a0c3e0c1e) ``` radare2 -d ./crackme5 aaa afl pdf @main db 0x0040082c dc px @rsi ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6LwVc3p5IksLRsRHN%2F-MP6P2JGPIAu0NeHZ_2X%2Fimage.png?alt=media\&token=ae44574a-245a-45fe-aa83-e7ee51b1c61c) ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6LwVc3p5IksLRsRHN%2F-MP6NqZgXcSjhtrbbtv8%2Fimage.png?alt=media\&token=73ef92f5-2ad2-41ef-b536-5650c8bf7e42) {% hint style="success" %} OfdlDSA|3tXb32\~X3tX\@sX\`4tXtz {% endhint %} ## Task 6 Crackme6 Analyze the binary for the easy password ### What is the password ? ``` radare2 -d ./crackme6 aaa afl pdf @main pdf @sym.compare_pwd pdf @sym.my_secure_test db 0x004006e1 0x31 0x33 0x33 0x37 0x5f 0x70 0x77 0x64 ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6P9rF78cUATn-k__F%2F-MP6TDxIsGmRprIO8H4J%2Fimage.png?alt=media\&token=413ab4f4-4752-4453-ad7b-647fca903387) ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6P9rF78cUATn-k__F%2F-MP6TeOmEYVOyYet8u4F%2Fimage.png?alt=media\&token=54569195-39c6-4b13-9648-bb4d1605f3ce) ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6P9rF78cUATn-k__F%2F-MP6arLraArhgx4MHtxX%2Fimage.png?alt=media\&token=6899315b-6195-4dc9-955e-11c0b4a84566) {% hint style="success" %} 1337\_pwd {% endhint %} ## Task 7 Crackme7 Analyze the binary to get the flag ### What is the flag ? ``` Ghidra ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6P9rF78cUATn-k__F%2F-MP6_6eG-WV0-7FgA3wZ%2Fimage.png?alt=media\&token=3463b955-0af4-4159-bad8-d5a9f32a8ba3) ``` python print(int('0x7a69',16)) ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6P9rF78cUATn-k__F%2F-MP6aDS5kgc8mWcwWYyG%2Fimage.png?alt=media\&token=0092a52d-637a-4191-bb4b-d549f3c13753) ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6P9rF78cUATn-k__F%2F-MP6_eYsIacjDHBLvWYh%2Fimage.png?alt=media\&token=c943b0e1-c495-47f5-976d-9d4d04bb67df) {% hint style="success" %} 31337 {% endhint %} ## Task 8 Crackme8 Analyze the binary and obtain the flag ### What is the flag ? ``` python print(int('-0x35010ff3',16)) -889262067 ``` ![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MP6av0aMVLcNu87ay8u%2F-MP6c87Ka1YLJ6xkM6A2%2Fimage.png?alt=media\&token=c89aa9a0-5626-40e8-818d-cd8446b540b9) {% hint style="success" %} flag{at\_least\_this\_cafe\_wont\_leak\_your\_credit\_card\_numbers} {% endhint %}