Intro to x86–64 | TryHackMe Writeup

Daniel Kasprzyk
5 min readApr 27, 2021

--

An introduction to reversing simple programs using the radare framework along with some assembly basics like the syntax (AT&T in this case), registers, if statements and loops. The room can be found here: https://tryhackme.com/room/introtox8664 .

This room starts off by getting you to connect to the server. Simply enter the terminal and type in tryhackme@<SERVER_IP>, accept the fingerprint and enter the password which is reismyfavl33t.

The first binary we take a look at is if2 which is found in the if-statement directory. We run r2 -d if1 with these being: r2 to open the file with radare2, -d flag for debugging and if1 for the file we want to open.

Next, once the file is open we run aaa to analyze it, afl to list the functions and finally pdf @main to disassemble the main function. Here we can see what this file is made up of.

Once that’s set up we try to understand the flow of this program. We set 2 breakpoints; 1 at the jge (jump if greater than) and one at jmp (unconditional jump) which is done by typing db and then the memory address. Then we enter the dc command which executes the program right up to the first first breakpoint.

Now that we’ve hit the breakpoint, we can take a look at the registers and what those contain as well as take a peek at the stack and the values it holds. By running dr we can see that the rax register holds the value 3 (which is the var_8h variable). Running px @rbp-0x4 shows us the value of 4 (which is the var_4h variable). This command consists of @rbp showing we’re reading from the stack and 0x4 being the position (the positions of values in the stack can be found at the top of the disassembled main function).

After stepping to the next instruction with ds, we can see that the jge was not executed and instead we moved onto the next instruction which added 5 onto var_8h which equates to 5 + 3 = 8. Taking a peek at our var_8h variable with px @rbp-0x8 shows us the variable did in fact change to 8.

Moving onto the if2 binary to answer the questions we perform the same commands, r2 -d if2 to open the binary then aaa, afl and pdf @main for analysis. We need to find the values of var_8h, var_ch and var_4h before the final 2 instructions which we do by setting a break point just before they are executed and executing the program. From there we can run 3 commands to see the exact values for each variable these being: px @rbp-0x8, @rbp-0xc and @rbp-0x4.

The values for these read in hexadecimal: 0x60 for var_8h which is 96 in decimal, 0x00 for var_ch which is 0 and 0x01 for var_4h which is 1. The last question we know that the & operator was used as the final instruction as the last instruction that modified the var_8h variable can be found below the second jge instruction and uses andl.

Moving onto the next task we take a loop at loops. Here we learn how they work as well as some tips to reversing them. We know that the loop happens at third and fourth to last lines as there is a compare instruction then a jle (jump if less) if the condtion hasn’t been met yet. By setting a breakpoint at the compare instruction and then executing the program, we can then step when needed to inspect the program as we wish.

Upon inspecting the stack on the second iteration, we find that variable var_8h is equal to 0x05 which is 5 and var_ch is equal to 0x00 with this being 0. The next questions ask about the values of these variables at the end of the program which can be found by setting a breakpoint right before the return instruction and then starting the program. We then inspect the stack as usual and find that var_8h is 2 and var_ch is 0.

Now we get to the main tasks of this room. Here we’re reversing the crackme1 binary to uncover the right password. After looking around the main function, I begin to see a few integers along with dots which resemble parts of the localhost IP. I try my luck with that and I am right.

The final task involves us taking a look at the crackme2 binary. The first thing I see when reversing it is a path to a file on the machine which immediately sparks my attention as this leads to a secret.txt file. I then check out the file and it contains a password however this doesn’t seem to work inside the program. After carefully examining the instructions I come to no conclusion so I check the hint which simply says “reversing”. It takes a while for it to click in my mind that I am supposed to reverse the order of the characters.

Doing this completes the room. Here I learnt quite a few things such as some AT&T syntax (as I’ve only used Intel syntax before), some instructions like jumps and moving, translating hexadecimal values to decimal, how values are pushed onto the stack, loops and using radare. This was my first writeup hopefully it went well.

--

--

Responses (1)