CC: Radare2
Date: 02, June, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
Command Line Options
What flag do you set to analyze the binary upon entering the r2 console? (Equivalent to running aaa once you're inside the console.)
Answer: -A
How do you enable the debugger?
Answer: -d
How do you open the file in write mode?
Answer: -w
How do you enter the console without opening a file?
Answer: -
Analyzation
What command "Analyzes Everything" (all functions and their arguments; the same as running radare with -A)?
Answer: aaa
What command does basic analysis on functions?
Answer: af
How do you list all functions?
Answer: afl
How many functions are in the example1 binary?
Answer: 12
Steps to Reproduce: run aaa first, then afl to list the functions and count the lines (afl~? prints the line count directly).
What is the name of the secret function in the example1 binary?
Answer: secret_func
Information
What command shows all the information about the file that you're in?
Answer: ia
How do you get every string that is present in the binary?
Answer: izz
What if you want the address of the main function?
Answer: iM (note the capital M; lowercase im is a different info subcommand)
What character do you add to the end of every command to get the output in JSON format?
Answer: j
How do you get the entrypoint of the file?
Answer: ie
What is the secret string hidden in the example2 binary?
Answer: goodjob
Steps to Reproduce: izz dumps every string in the binary, including those outside the data section; goodjob is in that list.
Navigating Through Memory
How do you print out the current memory address you're located at in the binary?
Answer: s
What command do you use to go to a specific point in memory (used with an address, as in s <address>)?
Answer: s
What command would you run to go 5 bytes forward?
Answer: s+5
What about 12 bytes backward?
Answer: s-12
How do you undo the previous seek?
Answer: s-
How would you go to the memory address of the main function?
Answer: s main
What if you wanted to go to the address of the rax register?
Answer: sr rax
Printing
How would you print the hex output of where you currently are in memory?
Answer: px
How would you print the disassembly of where you're currently at in memory?
Answer: pd
What if you wanted the disassembly of the main function?
Answer: pdf @ main
What command prints out the emoji hexdump? (this is not useful at all I just find it funny)
Answer: pxe
What if you decided you were too good for rows and you wanted the disassembly in column format?
Answer: pC
What is the value of the first variable in the main function for the example 3 binary?
Answer: 1
Steps to Reproduce: in the disassembly of main (pdf @ main), the value 1 is moved into var_4h.
What about the second variable?
Answer: 5
Steps to Reproduce: in the same disassembly, the value 5 is moved into var_8h.
The Mid-term
How many functions are in the binary?
Answer: 13
Steps to Reproduce: after aaa, afl lists the functions; afl~? gives the count.
What is the value of the hidden string?
Answer: you_found_me
Steps to Reproduce: izz lists all strings in the binary; you_found_me is among them.
What is the return value of secret_func()?
Answer: 4
Steps to Reproduce: disassemble the function (pdf @ sym.secret_func); the value moved into eax (the return register) just before ret is 4.
What is the value of the first variable set in the main function(in decimal format)?
Answer: 12
Steps to Reproduce: the value moved into the first variable is hex 0xc, which is decimal 12.
What about the second one(also in decimal format)?
Answer: 192
Steps to Reproduce: the value moved into the second variable is hex 0xc0, which is decimal 192.
What is the next function in memory after the main function?
Answer: midterm_func
Steps to Reproduce: in the afl listing, look at the entry after the main function. The first column denotes the memory location. After 0x00000660 (main), the next function location is 0x00000679 (sym.midterm_func).
How do you get a hexdump of four bytes at the memory address you're currently at?
Answer: px 4
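The Mid-term answers about the function count and the function following main both come from reading the afl listing by address. The script below is an added example, not part of the original writeup or of radare2: it parses afl output (address, basic-block count, size, optional "-> realsize", name), counts the functions, finds the neighbour of a given function by address, and checks whether a function ends exactly where the next one starts. The sample listing is constructed: only the addresses of main (0x660) and sym.midterm_func (0x679) are taken from the writeup; every other row, size and block count is invented for illustration.

```python
import re

# Constructed sample of `afl` output. The addresses of main and
# sym.midterm_func match the writeup; all other rows, sizes and
# basic-block counts are made up for illustration.
SAMPLE_AFL = """\
0x00000560    1 23           entry0
0x00000590    4 50   -> 40   sym.deregister_tm_clones
0x000005d0    4 66   -> 57   sym.register_tm_clones
0x00000620    3 34   -> 29   sym.__do_global_dtors_aux
0x00000650    1 10           entry.init0
0x00000660    1 25           main
0x00000679    1 17           sym.midterm_func
0x00000690    4 101          sym.__libc_csu_init
0x00000700    1 2            sym.__libc_csu_fini
0x00000704    1 9            sym._fini
"""

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_afl(text):
    """Return [(address, size, name)] sorted by address.

    Only the first (address), third (size) and last (name) tokens are used,
    so the optional '-> realsize' column does not confuse the parser.
    """
    funcs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not ADDR_RE.match(tokens[0]):
            continue  # skip blank lines or anything that is not a function row
        funcs.append((int(tokens[0], 16), int(tokens[2]), tokens[-1]))
    return sorted(funcs)


def count_functions(text):
    """Same answer as afl~? in the r2 console."""
    return len(parse_afl(text))


def function_after(text, name):
    """Name of the function starting at the next higher address, or None."""
    funcs = parse_afl(text)
    for i, (_, _, fname) in enumerate(funcs):
        if fname == name:
            return funcs[i + 1][2] if i + 1 < len(funcs) else None
    raise KeyError(name)


def contiguous_with_next(text, name):
    """True if `name` ends exactly where the next function begins."""
    funcs = parse_afl(text)
    for i, (addr, size, fname) in enumerate(funcs):
        if fname == name and i + 1 < len(funcs):
            return addr + size == funcs[i + 1][0]
    return False


if __name__ == "__main__":
    print(count_functions(SAMPLE_AFL))          # 10 in the constructed sample
    print(function_after(SAMPLE_AFL, "main"))   # sym.midterm_func
```

Sorting by address rather than trusting afl's own order matters once you start renaming or adding functions with afn/af; the listing order and the memory order are not guaranteed to agree.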
Debugging
How do you set a breakpoint?
Answer: db
What command is used to print out the values of all the registers?
Answer: dr
How do you run through the program until the program either ends or you hit the next breakpoint?
Answer: dc
What if you want to step through the binary one line at a time?
Answer: ds
How do you go forth 2 lines in the binary?
Answer: ds 2
How do you list out the indexes and memory addresses of all breakpoints?
Answer: dbi
Visual mode
How do you enter "graph mode", which organizes everything into nice readable boxes?
Answer: VV (a single V enters plain visual mode)
What character do you press to run normal radare commands inside visual mode?
Answer: :
How do you go back to the regular radare shell (leaving visual mode)?
Answer: q
What if you want to step through the binary inside Visual mode?
Answer: s
How do you add a comment?
Answer: ;
Write Mode
How do you write a string to the current memory address?
Answer: w
What command lists all write changes?
Answer: wc
What command modifies an instruction at the current memory address?
Answer: wa
The Final Exam
What is the password that outputs the you win! message?
Answer: oekZ_Z_j
Steps to Reproduce:
If the input youdidit were compared with youdidit, the message would have to be printed. But at the breakpoint on strcmp, the value of the user input has already been changed.
The registers hold a different value even when youdidit is entered as input.
Comparing the two hex values byte by byte shows that 0x0a has been added to every byte, so we need to subtract 0x0a0a0a0a0a0a0a0a from the original hex value of youdidit (0x796f756469646974).
That gives 0x6f656b5a5f5a5f6a; converting it to ASCII yields oekZ_Z_j.
Run the binary with that password to verify it prints the you win! message.
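The password derivation above is a per-byte transform run backwards: the binary adds 0x0a to each input byte before strcmp, so the password is each byte of youdidit minus 0x0a. The script below is an added example, not code from the writeup or from the challenge binary. It models the transform (the per-byte add is an inference from the register diff, not something the page shows as source), recovers the password from the target string, reproduces the whole-register hex subtraction shown in the writeup, and shows what the same bytes look like when dr prints them as a little-endian x86-64 register (the architecture is assumed from the 64-bit addresses and the rax register used earlier in the room).

```python
TARGET = b"youdidit"   # string the binary compares the transformed input against
PER_BYTE_DELTA = 0x0a  # inferred: 0x0a is added to every input byte before strcmp


def transform_input(data, delta=PER_BYTE_DELTA):
    """Model of what the binary does to the user input (assumed per-byte add mod 256)."""
    return bytes((b + delta) & 0xFF for b in data)


def recover_password(target, delta=PER_BYTE_DELTA):
    """Invert transform_input: the password is whatever transforms into `target`."""
    return bytes((b - delta) & 0xFF for b in target)


def check_password(candidate, target=TARGET):
    """Return True if `candidate` would pass the strcmp after the transform."""
    return transform_input(candidate) == target


def hex_subtract(value_hex, delta_hex):
    """The whole-register subtraction done in the writeup, as hex strings.

    Only equivalent to the per-byte subtraction when no byte is smaller than
    its delta (no borrow crosses a byte boundary), which holds for youdidit.
    """
    return format(int(value_hex, 16) - int(delta_hex, 16), "x")


def register_view(data):
    """Integer that dr shows for an 8-byte register holding `data` on x86-64.

    The register is little-endian, so the first byte of the string is the
    lowest byte of the printed value; read it from right to left.
    """
    return int.from_bytes(data[:8], "little")


if __name__ == "__main__":
    password = recover_password(TARGET)
    print(password.decode())                                  # oekZ_Z_j
    print(hex_subtract(TARGET.hex(), "0a" * len(TARGET)))     # 6f656b5a5f5a5f6a
    print(hex(register_view(password)))                       # 0x6a5f5a5f5a6b656f
    print(check_password(password), check_password(TARGET))   # True False
```

The register_view helper is the check worth keeping: the value the writeup quotes, 6f656b5a5f5a5f6a, is the byte order of the string as it sits in memory (px), while dr on a 64-bit register shows the same bytes reversed, and confusing the two is the usual way to derive a wrong password from a correct diff.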