Premise
In this video walkthrough, we covered conditional statements in Assembly and used Radare2 to analyze a sample file taken from a TryHackMe contest: Advent of cyber 1 2019 Day 22.
Challenge Link
TryHackMe Advent of Cyber Challenge Description
McSkidy has been faring well so far with assembly – they got some inside knowledge that the Christmas monster is weaponizing if statements. Can they get ahead of the curve?
These programs have been compiled to be executed on Linux x86-64 systems.
Check out the supporting material here.
The questions below relate to the if2 binary.
Room Answers / Day 22
Use Hydra to bruteforce molly’s web password. What is flag 1? (The flag is mistyped, its THM, not TMH)
Use Hydra to bruteforce molly’s SSH password. What is flag 2?
Conditional Statements in Assembly
First off, I explain that conditional statements in assembly are a bit different from how they work in C. I cover a bunch of different jump instructions, which are essential for controlling the flow of a program:
jmp: This is an unconditional jump.
je: Jumps if the result of a comparison is equal to zero.
jne: Jumps if the result is not equal to zero.
js: Jumps if the result is negative.
jns: Jumps if the result is not negative.
jg: Jumps if the result is greater than.
jge: Jumps if the result is greater than or equal to.
jl: Jumps if the result is less than.
jle: Jumps if the result is less than or equal to.
ja and jb: These are for unsigned integers and jump if the value is above or below.
My Radare2 Analysis Method
I then show you my go-to commands in Radare2 for analyzing a file. These are the essentials you’ll need:
aaa: This command does an initial analysis of the file.
pdf main: This one prints out the main function so you can see what’s going on.
dr: Use this to display the values of the registers.
db: This lets you set breakpoints to stop the program at specific points.
dc: Continues the program’s execution to the next breakpoint.
px: This command prints a hexdump of memory, which is how you read the value of a local variable.
Practical Demo with a TryHackMe Lab
Now for the fun part! I use the if2 binary from the TryHackMe Advent of Cyber 1, Task 22.

First, I look at a C file called if1.c to understand how its if and else statements work to change the variables a and b. Then, I jump into analyzing the compiled if1 binary using Radare2. I show you how to open the file, analyze it, and print the main function.

I set breakpoints where I expect the variable values to change and then use dc to step through the program and dr to check the register values. This lets me demonstrate how the jg (jump if greater) instruction works in assembly by comparing the values in eax and var_4h. I also show you how to check the value of a variable like var_8h using px.

Finally, I use the same method to analyze the if2 binary to figure out the final values of local_8h and local_4h. I set a breakpoint right before the end of the main function and find that the final values are 9 for local_8h and 2 for local_4h.
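To make the jump table above and the cmp/jg decision seen in the if1 binary concrete, here is an added example (my own code, not from the video or the TryHackMe material) that computes the flags a 32-bit cmp leaves behind and evaluates every jump mnemonic from the list against them, including the signed (jg/jl) versus unsigned (ja/jb) split and the inverted jump compilers emit around a C if body. The operand values and the if_body_runs helper are constructed for illustration.

```python
# Added example (not from the original post): flag-level semantics of `cmp`
# and the jump mnemonics above, for 32-bit operands as in `cmp eax, [var_4h]`.
MASK = 0xFFFFFFFF

def to_signed(x):
    """Interpret a 32-bit value as a two's-complement signed integer."""
    x &= MASK
    return x - (1 << 32) if x & 0x80000000 else x

def cmp_flags(a, b):
    """Flags left by `cmp a, b`: it computes a - b and discards the result."""
    ua, ub = a & MASK, b & MASK
    res = (ua - ub) & MASK
    return {
        "ZF": res == 0,                                          # equal
        "SF": bool(res & 0x80000000),                            # result negative
        "CF": ua < ub,                                           # unsigned borrow
        "OF": to_signed(ua) - to_signed(ub) != to_signed(res),   # signed overflow
    }

# Condition each jump tests: jg/jge/jl/jle use SF and OF (signed),
# ja/jb use CF (unsigned), je/jne use ZF, js/jns use SF.
JUMPS = {
    "jmp": lambda f: True,
    "je":  lambda f: f["ZF"],
    "jne": lambda f: not f["ZF"],
    "js":  lambda f: f["SF"],
    "jns": lambda f: not f["SF"],
    "jg":  lambda f: not f["ZF"] and f["SF"] == f["OF"],
    "jge": lambda f: f["SF"] == f["OF"],
    "jl":  lambda f: f["SF"] != f["OF"],
    "jle": lambda f: f["ZF"] or f["SF"] != f["OF"],
    "ja":  lambda f: not f["CF"] and not f["ZF"],
    "jb":  lambda f: f["CF"],
}

def taken(mnemonic, a, b):
    """Is the jump taken after `cmp a, b`?"""
    return JUMPS[mnemonic](cmp_flags(a, b))

def if_body_runs(jump_in_disassembly, a, b):
    """Constructed helper: compilers usually emit the *inverse* test that jumps
    over the C `if` body (e.g. `if (a > b)` becomes `cmp a, b ; jle .skip`),
    so the body runs when the jump you see in the disassembly is NOT taken."""
    return not taken(jump_in_disassembly, a, b)

if __name__ == "__main__":
    # -1 is 0xFFFFFFFF unsigned: signed jumps and unsigned jumps disagree.
    for mn in ("jg", "jl", "ja", "jb"):
        print(f"cmp -1, 1 ; {mn:<3} -> taken={taken(mn, -1, 1)}")
```

The same value can therefore be "less than" for jl and "above" for ja, which is why knowing whether a binary uses jg or ja tells you whether the C source compared signed or unsigned integers.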
Technical Commands Used
Here are the technical commands I used in the terminal during the demonstration:
ls
r2 -d if1
aaa
pdf main
dr
db
dc
ds
px