CTF-Writeups/TryHackMe/Intro_to_x86-x64.md
2020-11-28 00:38:19 +05:00

TryHackMe-Intro to x86-x64

Username: zx
Password: reismyfavl33t

SSH into the machine with these credentials.

Task 2

Executing the intro binary produces this output:

tryhackme@ip-10-10-213-153:~/introduction$ ./intro 
value for a is 1 and b is 2
value of a is 2 and b is 1

To debug this we use radare2, attaching it in debug mode:

r2 -d intro

tryhackme@ip-10-10-213-153:~/introduction$ r2 -d intro
Process with PID 1507 started...
= attach 1507 1507
bin.baddr 0x55ebd6a73000
Using 0x55ebd6a73000
asm.bits 64
 -- Ask not what r2 can do for you - ask what you can do for r2
[0x7fdc18484090]> 

The aa command analyses the executable, finding all symbols (flags starting with sym.) and entry points:

[0x7fdc18484090]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x7fdc18484090]> 

To list the functions in the binary, use the afl command (analyze function list).

To disassemble a function we use pdf @function_name (for example pdf @ main), where pdf stands for print disassembly function.

The left column (starting from 0x55ebd6a7366a here) holds the memory address of each instruction.

The middle column is the instruction encoded as bytes, i.e. the machine code, e.g. 4883ec08.

The right column is the human-readable instruction, e.g. subq $8, %rsp.

%rsp is the stack pointer (it points to the current top of the stack); %rbp is the frame pointer (it points to the base of the stack frame of the function being executed).

Simple Instruction Example

An assembly instruction looks like this (AT&T syntax, which is what radare2 shows here):

movq $3, %rax   (movq operates on 64 bits, so it targets the full register %rax)
movl $3, %eax   (movl operates on 32 bits, so it targets the lower half %eax)

In assembly, constants (immediates) are written with a $ prefix, like $3.

Here the instruction moves the value 3 into the register named rax.

To move a value from register to register (AT&T syntax puts the source first, so this copies rax into rbx):

movq %rax, %rbx

There are some more instructions in assembly, such as:

addq  (add instruction)
subq  (subtract instruction)
imulq (multiply instruction)
andq  (perform AND operation)
orq   (perform OR operation)
xorq  (perform XOR operation)

If Statements

if x == 3:
    return 3
else:
    return 0

As we see in programming, an if/else statement has a condition that needs to be true; if it is true one set of instructions runs, and if it is false another set runs. In assembly it is done in two steps. First, a compare instruction:

cmpq %rax, %rbx

This compares the values of the two registers (it subtracts %rax from %rbx and records the outcome in the CPU flags, discarding the result itself).

After the compare, nothing happens until we tell the CPU what to do with the outcome, so we issue a jump instruction, which can transfer execution to a different part of the code from the point where that instruction occurs:

movq $10, %rax
cmpq %rax, %rbx
je equal

equal:

What this block of instructions does is assign the rax register a value of 10:

rax = 10

then compare rax and rbx; nothing further happens until the conditional jump (je equal, "jump if equal") checks the outcome of the compare:

if rax == rbx

If they are equal it jumps to the block of instructions we have labelled equal, which works much like a function; if they are not equal, execution just continues with the next instruction.
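As an added illustration (not code from the TryHackMe room or from this writeup), here is a small Python interpreter for the AT&T-syntax subset listed above (movq, addq, subq, imulq, andq, orq, xorq, cmpq, je/jne/jmp and labels). It lets you trace what cmpq does to the flags and why je is taken or not, without a debugger. The four-register model, the ZF/SF-only flag model, and the names run, if_example and arith_example are assumptions of the example, not anything radare2 or the room defines.

```python
# Added example for this writeup (not code from the TryHackMe room):
# a small interpreter for the AT&T-syntax x86-64 subset listed above, so
# the effect of movq/addq/.../cmpq/je can be traced without a debugger.
# Assumptions: four general registers, 64-bit immediates, only the ZF and
# SF flags, and labels; memory operands and the other flags are not modelled.

MASK64 = (1 << 64) - 1
REGS = ("rax", "rbx", "rcx", "rdx")

# Two-operand ALU instructions: dst = dst OP src (AT&T order, source first).
ALU = {
    "addq":  lambda dst, src: dst + src,
    "subq":  lambda dst, src: dst - src,
    "imulq": lambda dst, src: dst * src,
    "andq":  lambda dst, src: dst & src,
    "orq":   lambda dst, src: dst | src,
    "xorq":  lambda dst, src: dst ^ src,
}

def _operand(tok, regs):
    """Resolve one operand: '$imm' is an immediate constant, '%reg' a register."""
    if tok.startswith("$"):
        return int(tok[1:], 0) & MASK64
    if tok.startswith("%") and tok[1:] in regs:
        return regs[tok[1:]]
    raise ValueError(f"unsupported operand: {tok!r}")

def _set_flags(flags, value):
    """Truncate to 64 bits and set ZF (result is zero) / SF (bit 63 set)."""
    value &= MASK64
    flags["ZF"] = value == 0
    flags["SF"] = bool(value >> 63)
    return value

def run(program, regs=None):
    """Execute an AT&T-syntax listing and return the final register state."""
    regs = {r: 0 for r in REGS} if regs is None else dict(regs)
    flags = {"ZF": False, "SF": False}
    labels, code = {}, []
    for raw in program.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":"):                # a label names the next instruction
            labels[line[:-1]] = len(code)
        else:
            code.append(line)
    pc = 0
    while pc < len(code):
        mnemonic, _, rest = code[pc].partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        pc += 1                               # default: fall through to the next instruction
        if mnemonic == "movq":
            regs[ops[1][1:]] = _operand(ops[0], regs)
        elif mnemonic in ALU:
            dst = ops[1][1:]
            regs[dst] = _set_flags(flags, ALU[mnemonic](regs[dst], _operand(ops[0], regs)))
        elif mnemonic == "cmpq":
            # cmpq src, dst computes dst - src and keeps only the flags
            _set_flags(flags, regs[ops[1][1:]] - _operand(ops[0], regs))
        elif mnemonic == "jmp":
            pc = labels[ops[0]]
        elif mnemonic == "je" and flags["ZF"]:
            pc = labels[ops[0]]
        elif mnemonic == "jne" and not flags["ZF"]:
            pc = labels[ops[0]]
        elif mnemonic not in ("je", "jne"):
            raise ValueError(f"unsupported instruction: {code[pc - 1]!r}")
    return regs

# The writeup's "if x == 3: return 3 else: return 0", in the subset above.
# Input arrives in rax and the "return value" is whatever is left in rax.
IF_PROGRAM = """
    movq $3, %rbx        # the constant to compare against
    cmpq %rbx, %rax      # rax - rbx; ZF is set only when they are equal
    je equal             # taken only when ZF is set
    movq $0, %rax        # else branch: return 0
    jmp done
equal:
    movq $3, %rax        # then branch: return 3
done:
"""

def if_example(x):
    """Run IF_PROGRAM with x in rax and return the resulting rax."""
    regs = {r: 0 for r in REGS}
    regs["rax"] = x & MASK64
    return run(IF_PROGRAM, regs)["rax"]   # if_example(3) -> 3, if_example(5) -> 0

def arith_example():
    """Trace the two-operand instructions with constructed sample values."""
    return run("""
        movq $100, %rax
        subq $4, %rax        # rax = 96
        andq $0x64, %rax     # 96 & 0x64 = 96 (0x60 & 0x64 = 0x60)
        movq %rax, %rbx      # register-to-register move: rbx = 96
        xorq %rbx, %rbx      # common idiom to zero a register (also sets ZF)
    """)                     # returns rax = 96, rbx = 0
```

Calling if_example(3) gives 3 and if_example(5) gives 0, which is exactly the branch behaviour the je above encodes; stepping through run with print statements on flags shows ZF flipping to True only when the two registers match. arith_example shows the same source-first operand order the writeup uses for movq %rax, %rbx.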

So now let's do the room tasks.

I have loaded the binary in radare2.

Then select the main function and add two breakpoints with db [instruction_memory_address].

When we run the binary it will stop at the breakpoint, and to see the register state at that point we use the dr command.

For these tasks we have to use the if2 binary.

Now add a breakpoint at

0x55feb072c630 816dfce70300. subl $0x3e7, var_4h

db 0x55feb072c630 (this is just before the popq and ret instructions)
dc
px @ rbp-0x4
px @ rbp-0x8
  1. What is the value of var_8h before the popq and ret instructions? You will see 60 at that offset, which is in hex, so after converting it to decimal it is

    96

  2. What is the value of var_ch before the popq and ret instructions?

    We can see that only the value 0 is assigned to var_ch and no further instructions are done on it until the pop and return instructions

0

  1. What is the value of var_4h before the popq and ret instructions?

    1

  2. What operator is used to change the value of var_8h, input the symbol as your answer(symbols include +, -, *, /, &, |):

0x55feb072c623      8365f864       andl $0x64, var_8h

&

Loops

  1. What is the value of var_8h on the second iteration of the loop? 5

  2. What is the value of var_ch on the second iteration of the loop? 0

  1. What is the value of var_8h at the end of the program?

    2

  2. What is the value of var_ch at the end of the program?

    0

Crackme 1

Now we know the password starts with 127; in between you can see . and .01, so it refers to localhost, which is 127.0.0.1

127.0.0.1

Crackme 2

Here we see a text file which is being read by the binary. On reading the file we see vs3curepwd, but when entered it isn't the right password, so I got stuck, but through "reversing" the text, that was the right password.