Premise

In this video walkthrough, we covered conditional statements in Assembly and used Radare2 to analyze a sample file taken from a TryHackMe contest: Advent of cyber 1 2019 Day 22.

Challenge Link

TryHackMe Advent of Cyber Challenge Description

McSkidy has been faring on well so far with assembly – they got some inside knowledge that the Christmas monster is weaponizing if statements. Can they get ahead of the curve?

These programs have been compiled to be executed on Linux x86-64 systems.

Check out the supporting material here.

The questions below relate to the if2 binary.

Room Answers / Day 22

Use Hydra to bruteforce molly’s web password. What is flag 1? (The flag is mistyped, its THM, not TMH)

Use Hydra to bruteforce molly’s SSH password. What is flag 2?

Conditional Statements in Assembly

First off, I explain that conditional statements in assembly are a bit different from how they work in C. I cover a bunch of different jump instructions, which are essential for controlling the flow of a program:

  • jump: This is an unconditional jump.
  • je: Jumps if the result of a comparison is equal to zero.
  • jne: Jumps if the result is not equal to zero.
  • js: Jumps if the result is negative.
  • jns: Jumps if the result is not negative.
  • jg: Jumps if the result is greater than.
  • jge: Jumps if the result is greater than or equal to.
  • jl: Jumps if the result is less than.
  • jle: Jumps if the result is less than or equal to.
  • ja and jb: These are for unsigned integers and jump if the value is above or below.

My Radare2 Analysis Method

I then show you my go-to commands in Radare2 for analyzing a file. These are the essentials you’ll need:

  • aaa: This command does an initial analysis of the file.
  • pdf main: This one prints out the main function so you can see what’s going on.
  • dr: Use this to display the values of the registers.
  • db: This lets you set breakpoints to stop the program at specific points.
  • dc: Continues the program’s execution to the next instruction.
  • px: This command will print the value of a parameter.

Practical Demo with a TryHackMe Lab

Now for the fun part! I use the f2 binary from the TryHackMe Advent of Cyber 1, Task 22.

First, I look at a C file called f1.c to understand how its if and else statements work to change the variables a and b. Then, I jump into analyzing the compiled f1 binary using Radare2. I show you how to open the file, analyze it, and print the main function.

I set breakpoints where I expect the variable values to change and then use dc to step through the program and dr to check the register values. This lets me demonstrate how the jg (jump if greater) instruction works in assembly by comparing the values in eax and var_4h. I also show you how to check the value of a variable like var_8h using px.

Finally, I use the same method to analyze the f2 binary to figure out the final values of local_8h and local_4h. I set a breakpoint right before the end of the main function and find that the final values are 9 for local_8h and 2 for local_4h.

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

  • ls
  • r2 -d if1
  • aaa
  • pdf main
  • dr
  • db
  • dc
  • ds
  • px

Video Walkthrough

, , , , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles