Strings can only help you so far.
Honestly, I really enjoyed this introduction. Simply did.
Hey!π Do you want to have a grasp of reverse engineering? Then continue to read this post about TryHackMe Compiled challenge.π«Ά
After downloading the file, the first step was to rename the file- to ease my work πΊ.
Then, my Sherlock Holmes spirit made me want to find out what type of file was that.π
We can see it is an Executable and Linker File.
After that, I want to give it 777 rwx rights, in order to be able to execute it.
Let's run it.π€
It's asking us for a password. My first instinct is to try a buffer overflow. πΈ
Let's try to see if the password is hidden somewhere in the strings.
Somewhere there is written Password and it seems we have a great hint.
Let's see what our beloved software reverse engineering framework Ghidra has to show.
We'll work only with Decompile part, as the Defined Strings tab show us the same content as earlier βοΈ.
π―Now, let's break the code down:
- We are asked to provide an input
The input shall contain DoYouEven and a string (that's why we have %sβ).
Given that at the end we have CTF, the requested password should end with CTF. The input is stored in local_28. local_28 in our case is an array of 32 char elements. (look at the char local_28 [32] declaration)π‘ local_28 is the name assigned to the array.The condition (-1 < iVar1) checks if iVar1 is greater than -1.
strcmp compares the string in local_28 with "__dso_handle"
if both conditions (point 3 and point 4) are true, then the message "Try again!" is returned
strcmp compares the string in local_28 with "_init".
if the strings are identical, then message "Correct!" is printed.
strcmp is a function used to compare strings.
strcmp returns 0 when the strings are identical.β
Addendum to point 2πΊ:
We can break DoYouEven%sCTF into 2 parts:
- DoYouEven
- %sCTF
The scan function (__isoc99_sscanf("DoYouEven%sCTF", local_28) extracts the portion of local_28 between DoYouEven and the first occurence of CTF. Also, %s captures any character, but does not take into account the whitespaceβ
Let's test it do a test with the string containing CTF:
and now the string without CTF
Bingo!π€© We got our answer!
Top comments (0)