DEV Community

a.infosecflavour

TryHackMe- Compiled

Strings can only help you so far.

Honestly, I really enjoyed this introduction. Simply did.

Hey!👋 Do you want to get a grasp of reverse engineering? Then continue reading this post about the TryHackMe Compiled challenge.🫶

After downloading the file, the first step was to rename the file, to ease my work 😺.
Then, my Sherlock Holmes spirit made me want to find out what type of file that was.👇

[Image: file]
We can see it is an Executable and Linkable Format (ELF) file.
After that, I want to give it 777 rwx rights, in order to be able to execute it.

[Image: 777]

Let's run it.🤓

[Image: run]

It's asking us for a password. My first instinct is to try a buffer overflow. 🐸

[Image: buffer]

Let's try to see if the password is hidden somewhere in the strings.

[Image: strings]

Somewhere in the output, Password is written, and it seems we have a great hint.

Let's see what our beloved software reverse engineering framework Ghidra has to show.

[Image: decompile]

We'll work only with the Decompile part, as the Defined Strings tab shows us the same content as earlier ☝️.

🎯Now, let's break the code down:

  1. We are asked to provide an input
  2. The input shall contain DoYouEven and a string (that's why we have %s❗).

    Given that at the end we have CTF, the requested password should end with CTF. The input is stored in local_28. local_28 in our case is an array of 32 char elements (look at the char local_28 [32] declaration).💡 local_28 is the name assigned to the array.

  3. The condition (-1 < iVar1) checks if iVar1 is greater than -1.

  4. strcmp compares the string in local_28 with "__dso_handle"

  5. If both conditions (point 3 and point 4) are true, then the message "Try again!" is returned.

  6. strcmp compares the string in local_28 with "_init".

  7. If the strings are identical, then the message "Correct!" is printed.

strcmp is a function used to compare strings.
strcmp returns 0 when the strings are identical.❗

Addendum to point 2😺:
We can break DoYouEven%sCTF into 2 parts:

  • DoYouEven
  • %sCTF

The scan function (__isoc99_sscanf("DoYouEven%sCTF", local_28)) extracts the portion of local_28 between DoYouEven and the first occurrence of CTF. Also, %s captures any character, but does not take into account the whitespace❕

Let's do a test with the string containing CTF:

[Image: test]

and now the string without CTF:
[Image: pass]

Bingo!🤩 We got our answer!
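
The scan-and-compare behaviour tested above, as an added example that is not part of the original post or the challenge binary: %s reads up to the next whitespace, so a CTF typed directly after the token lands in the buffer and the comparison with "_init" fails. sscanf on constructed strings stands in for the binary reading its input, and scan_token, check and the %31s width are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example: models the scan and compare steps described in the post.
 * sscanf on a string stands in for the binary reading what the user types. */

/* Parse `typed` with the format string from the decompiled code.
 * Returns 1 if a token was stored in `out` (32 bytes, like local_28). */
int scan_token(const char *typed, char out[32])
{
    out[0] = '\0';
    /* Width 31 is added here so a long token cannot overrun `out`;
     * the format string shown in the post is a plain %s. */
    return sscanf(typed, "DoYouEven%31sCTF", out) == 1;
}

/* 1 means "Correct!", 0 means "Try again!" */
int check(const char *typed)
{
    char local_28[32];
    if (!scan_token(typed, local_28))
        return 0;                      /* literal prefix did not match */
    return strcmp(local_28, "_init") == 0;
}

int main(void)
{
    /* Constructed inputs */
    const char *samples[] = {
        "DoYouEven_init",      /* token is "_init" */
        "DoYouEven_initCTF",   /* %s swallows "CTF": token is "_initCTF" */
        "DoYouEven_init CTF",  /* whitespace ends the token at "_init" */
        "_init",               /* missing the literal prefix */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char tok[32];
        int ok = scan_token(samples[i], tok);
        printf("%-20s token=\"%s\" -> %s\n", samples[i], ok ? tok : "",
               check(samples[i]) ? "Correct!" : "Try again!");
    }
    return 0;
}
```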
