Reverse Engineering Using Radare2 (Part 2)

2 April 2023 7 minutes Author: Endpool

Reverse engineering with Radare2

This article is a continuation of the first article, “Reverse Engineering Using Radare2 (Reverse Engineering)”, which gave a basic introduction to the tool. It is highly recommended to start there if you have not already done so, as the first part covers the very basics. The goal of reverse engineering is to understand how something works: for example, to discover undocumented capabilities (including software backdoors), or to modify or reproduce a device, application or other object with similar functions without directly copying it. It is usually applied when the creator of the original object did not provide information about its structure and how it was made (produced). Owners of such objects may claim that reverse engineering violates their rights under copyright and patent law.

Reverse engineering in software is the ability to disassemble (take apart) a program to see how it functions. It lets you take a program apart and rebuild it without access to the source code. This can also be used to fix bugs in older games or to find exploits in some programs. I am not afraid to say it: the framework is slowly catching up with our beloved (and quite hard to obtain) IDA. For now, let’s look at the features it has developed so far.

You can download this app from GitHub (crackme executable)

If you’ve already gone ahead and run this app, you’ll see that it asks us for a password.

If we try to enter a password, even if it is incorrect, we will see a message saying that we have failed.

There are several ways to solve this problem. We could try brute-forcing the password by feeding the program many different combinations of letters until we stumble on the right one. A typical password is about 8 characters long, and it is reasonable to assume that it consists of upper- and lower-case letters and possibly digits. According to this calculator, brute-forcing such a password would take approximately 15 years. I don’t have that much time to wait, so I’m going to use Radare2 to crack the password. Just like in the previous lesson, we will start by using rabin2 to get some information about this program. Let’s run it with the -I option to see what we’re dealing with.

Output:

Just like last time, we see that we’re dealing with an x64 Linux file that was written in C. This information is interesting, but it doesn’t really help us find out what the password is. Maybe the strings in the executable will give us the key. We can view them using rabin2. We usually use the -z flag, but it produces a lot of output. We can use the -zqq flag to show only the strings themselves.

The output we get:

Here we can see many interesting things! We see the message “You failed” that we got when we entered the wrong password. We can also see “Congratulations”, which we can assume we will get when we enter the correct password. We also see the string “radare2”. We can assume that this could be the password. It may not be, but it won’t hurt to try.

Great, we found the password! It is not always that simple: the password string may be protected or encrypted. In cases like that we have to reverse-engineer the program to find out the encryption method, but as we can see, we got lucky this time.

However, we are now being asked for a different password before we can continue with this challenge. Checking the strings again, I don’t see anything that looks like a password anymore, so we need to keep digging. Let’s load the file into radare2 and analyze it using “aaa”. This command analyzes all the functions the program has.

We should also find the main function, since this is where the program starts.

Now that we’re in the main function, we’ll switch to radare2’s graph mode. This will help us see how the program flows and where the checks for these passwords are performed. Use the “VV” command to switch to graph mode.

You should see radare2’s ASCII graph. You can move around the graph using the HJKL keys, as in Vim, or the cursor keys. If you look at the first block in the graph, you can see the validation of our first password. In the last few lines you can see that the string “radare2” is taken and compared to the user input using the strcmp function. Then a check is made to see whether the strings are the same or not. If they are not the same, we follow the green line labelled t (which means the condition is true) down to this block of code:

We can see in the upper block that the program is comparing some value to zero. If it is zero, then the string “Flag is: r2{%s %s %s}” is displayed. This should be our flag after completing the task. Unfortunately, a format string is used instead of a static string, so just by looking at this entry we don’t know what the flag will be. If the variable in the first block is zero, the program prints the message “You failed”. So the conclusion is that some variable that determines whether a flag is printed is changed once we enter all the correct passwords. Let’s jump back to the top and see what happens if we get the first password right.

So this block prints the string “Congratulations”, then prints the second password prompt “What’s the second password?”, then reads our input string using scanf and passes it through the atoi function. The atoi function converts a string to a number, so the second password must be a number! We can see that in this block the output of atoi is compared to the value 0xf. If you don’t know the decimal value of that hex number off the top of your head, radare2 has another great tool for you! Open a new terminal and use the rax2 command to convert the value 0xf to a decimal number.

So, the second password is 15! Let’s try it and see if it works.

It seems that we still need to enter a third password. Let’s move on to the next block of code in radare2 and see what we need to do. This is similar to the previous password check. You can see that the third password is requested, the user input is passed through atoi and compared to the value 0x539. If we pass it through rax2, we find that its decimal equivalent is 1337. So we enter it as the last password and get:
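The whole procedure above (rabin2 triage, “aaa”, locating main, the graph that VV shows, and the rax2 conversions of 0xf and 0x539) can be run as one non-interactive radare2 session. The script below is an added example and is not code from the original article; it assumes rabin2, r2 and rax2 are on PATH and that the path to the crackme binary is passed as the first argument. The hex2dec helper falls back to the shell’s printf when rax2 is not installed, and list_compare_constants goes a step beyond the text by pulling every immediate operand of a cmp out of main’s disassembly, so the constants the passwords are checked against appear in decimal without manual conversion.

```shell
#!/bin/sh
# Scripted equivalent of the interactive radare2 walkthrough (added example).
# Assumes rabin2, r2 and rax2 are installed and "$1" is the crackme binary.
set -eu

# Convert a hex constant seen in a cmp (e.g. 0x539) to decimal.
# rax2 is used when present; the shell's printf gives the same result otherwise.
hex2dec() {
    if command -v rax2 >/dev/null 2>&1; then
        rax2 "$1"
    else
        printf '%d\n' "$1"
    fi
}

# Quick triage: file type, architecture and language, then only the strings.
triage() {
    bin="$1"
    echo "== rabin2 -I: binary info =="
    rabin2 -I "$bin"
    echo "== rabin2 -zqq: strings only =="
    rabin2 -zqq "$bin"
}

# Same steps as typing: r2 <bin>, then aaa, s main, VV.
# -q quits after the commands run, -e scr.color=0 keeps the output plain so it
# can be piped into grep or tee; agf prints the ASCII control-flow graph that VV
# shows interactively, pdf the linear disassembly of main.
analyze_main() {
    bin="$1"
    r2 -q -e scr.color=0 -c 'aaa; afl~main; s main; agf; pdf' "$bin"
}

# Print every immediate operand of a cmp in main together with its decimal value
# (the last 0x... token on each cmp line is taken as the operand; hypothetical
# assumption about the disassembly layout).
list_compare_constants() {
    bin="$1"
    r2 -q -e scr.color=0 -c 'aaa; s main; pdf' "$bin" \
      | grep -E 'cmp .*0x[0-9a-f]+' \
      | sed -E 's/.*(0x[0-9a-f]+).*/\1/' \
      | sort -u \
      | while read -r hex; do
            printf '%s = %s\n' "$hex" "$(hex2dec "$hex")"
        done
}

# Only run the radare2 steps when a binary was given, so the helper functions
# can also be sourced on a machine without the crackme.
if [ "$#" -gt 0 ]; then
    triage "$1"
    analyze_main "$1"
    echo "== compare constants in main =="
    list_compare_constants "$1"
fi
```

Run it as `sh r2walk.sh ./crackme` (file name assumed). The compare-constant listing is deliberately coarse: it reports the operands of every cmp in main, including the zero test that guards the “Flag is:” message, so the reader still has to match each constant to the block it belongs to in the graph.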

Perfect! It gave us our flag! If this were a real Capture the Flag, we would submit this value to get the points. We were able to get the passwords without running the program many times, and we didn’t have to guess the passwords at all: reverse engineering the program and the algorithm of its operation gave us all the necessary information. Reverse engineering is a very handy skill in any setting, because you can apply it to learn everything a program does. I hope this introduction to radare2 was useful for those who want to start in this field.
