CC: Radare2 Tryhackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room “CC: Radare2”.
Room link: https://tryhackme.com/room/ccradare2
Note: This room is Free
Task 1: Intro
This room assumes that you have basic x86 assembly knowledge. If you do not, I highly recommend doing the Intro to x86-64 room before completing this one.
This room is also not designed to teach 100% of everything in radare2. It is designed to teach you how some of the more common things in radare2 are used.
The included zip file has all the binaries you will need for this exercise.
With that out of the way let’s get started!
Task 2: Command Line Options
A quick intro to some of the commonly used command line flags for radare2; some of these flags will be extremely useful for later tasks. Include all parts of the flag, including the -. All flags can be found in the help menu.
Q.1: What flag do you set to analyze the binary upon entering the r2 console (equivalent to running aaa once you’re inside the console)?
Answer: -A
Q.2: How do you enable the debugger?
Answer: -d
Q.3: How do you open the file in write mode?
Answer: -w
Q.4: How do you enter the console without opening a file?
Answer: -
Task 3: Analyzation
Once inside the radare console you have a myriad of options to analyze your binary. Generally all analysis commands start with the letter a. If you want to list all possible commands that can be done with your starting letter(s), you add a question mark to the end. For example, a? would output ab, aa, ac along with a description of what each command does.
Q.1: What command “Analyzes Everything” (all functions and their arguments; same as running radare with -A)?
Answer: aaa
Q.2: What command does basic analysis on functions?
Answer: af
Q.3: How do you list all functions?
Answer: afl
Q.4: How many functions are in the example1 binary?
Answer: 12
Q.5: What is the name of the secret function in the example1 binary?
Answer: secret_func
Task 4: Information
i is a command that shows general information about the binary. Like a, it has many sub-commands, each with varying degrees of specificity.
Q.1: What command shows all the information about the file that you’re in?
Answer: ia
Q.2: How do you get every string that is present in the binary?
Answer: izz
Q.3: What if you want the address of the main function?
Answer: im
Q.4: What character do you add to the end of every command to get the output in JSON format?
Answer: j
Q.5: How do you get the entrypoint of the file?
Answer: ie
Q.6: What is the secret string hidden in the example2 binary?
Answer: goodjob
Task 5: Navigating Through Memory
s is the command that is used to navigate through the memory of your binary. With it and its variations you can get information about where you are in the binary as well as move to different points in the binary.
Note: For user-created functions that aren’t main, you will have to add sym. before them, for example sym.user_func
Q.1: How do you print out the current memory address you’re located at in the binary?
Answer: s
Q.2: What command do you use to go to a specific point in memory with the syntax <command> <address>?
Answer: s
Q.3: What command would you run to go 5 bytes forward?
Answer: s+ 5
Q.4: What about 12 bytes backward?
Answer: s- 12
Q.5: How do you undo the previous seek?
Answer: s-
Q.6: How would you go to the memory address of the main function?
Answer: s main
Q.7: What if you wanted to go to the address of the rax register?
Answer: sr rax
Task 6: Printing
p is a command that shows data in a myriad of formats. The command is useful when you want to get information about what is happening in memory, and to get some of the data that’s contained in memory as well. With the p command it is also useful to know about the @ symbol in radare. The @ symbol is used to specify that something is an address in memory; for example, if you wanted to specify that you were talking about the memory address of the main function you would use <command>@main
Q.1: How would you print the hex output of where you currently are in memory?
Answer: px
Q.2: How would you print the disassembly of where you’re currently at in memory?
Answer: pd
Q.3: What if you wanted the disassembly of the main function?
Answer: pd @ main
Q.4: What command prints out the emoji hexdump? (this is not useful at all I just find it funny)
Answer: pxe
Q.5: What if you decided you were too good for rows and you wanted the disassembly in column format?
Answer: pC
Q.6: What is the value of the first variable in the main function for the example 3 binary?
Answer: 1
Q.7: What about the second variable?
Answer: 5
Task 7: The Mid-term
Congrats on getting to this point, you now know enough to pass the mid-term exam. The questions in this task will all be related to commands that were in previous tasks so if you skipped one, I recommend going back and doing it. As you probably guessed from the file name all exercises in this task will be done using the midterm binary file.
Q.1: How many functions are in the binary?
Answer: 13
Q.2: What is the value of the hidden string?
Answer: you_found_me
Q.3: What is the return value of secret_func()?
Answer: 4
Q.4: What is the value of the first variable set in the main function (in decimal format)?
Answer: 12
Q.5: What about the second one (also in decimal format)?
Answer: 192
Q.6: What is the next function in memory after the main function?
Answer: midterm_func
Q.7: How do you get a hexdump of four bytes of the memory address you’re currently at?
Answer: px 4
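Putting the listing commands together, as an added example that is not from the room or its author: this Python script parses the JSON that afl prints when you add the j suffix (aflj, Task 4 Q.4) and answers the kinds of questions asked in Tasks 3 and 7: how many functions there are, which of them are the program’s own rather than imports or compiler scaffolding, and which function follows main in memory. The function list is constructed sample data, not output from example1 or midterm; with r2pipe installed you could feed it the output of r2.cmd("aflj") instead.

```python
import json

# Constructed sample of `aflj` output (afl with the j suffix). Names and
# addresses are made up for illustration; they are not from the room's binaries.
SAMPLE_AFLJ = json.dumps([
    {"name": "entry0",                   "offset": 0x1060, "size": 47},
    {"name": "sym.imp.puts",             "offset": 0x1030, "size": 6},
    {"name": "sym.imp.printf",           "offset": 0x1040, "size": 6},
    {"name": "main",                     "offset": 0x1169, "size": 58},
    {"name": "sym.secret_func",          "offset": 0x1149, "size": 32},
    {"name": "sym.helper",               "offset": 0x11a3, "size": 20},
    {"name": "sym.deregister_tm_clones", "offset": 0x1090, "size": 34},
])

# Compiler/loader scaffolding that afl lists but that the programmer never wrote.
SCAFFOLDING = {"entry0", "sym._init", "sym._fini", "sym._start", "sym.frame_dummy",
               "sym.register_tm_clones", "sym.deregister_tm_clones",
               "sym.__do_global_dtors_aux", "sym.__libc_csu_init", "sym.__libc_csu_fini"}


def parse_functions(aflj_text):
    """Turn aflj JSON into (name, offset, size) tuples ordered by address."""
    funcs = json.loads(aflj_text)
    return sorted(((f["name"], f["offset"], f["size"]) for f in funcs),
                  key=lambda t: t[1])


def user_functions(funcs):
    """Drop imports (sym.imp.*) and scaffolding; what is left is the program's own code."""
    return [f for f in funcs
            if not f[0].startswith("sym.imp.") and f[0] not in SCAFFOLDING]


def next_function_after(funcs, name):
    """The function that follows `name` in memory (Mid-term Q.6), or None if it is last."""
    names = [f[0] for f in funcs]
    i = names.index(name)
    return names[i + 1] if i + 1 < len(names) else None


def summarize(aflj_text):
    funcs = parse_functions(aflj_text)
    return {
        "total": len(funcs),                          # same count afl gives (Task 3 Q.4)
        "user": [f[0] for f in user_functions(funcs)],
        "after_main": next_function_after(funcs, "main"),
    }


if __name__ == "__main__":
    # With r2pipe: import r2pipe; text = r2pipe.open("example1", flags=["-A"]).cmd("aflj")
    print(json.dumps(summarize(SAMPLE_AFLJ), indent=2))
```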
Task 8: Debugging
Recall that in the task “Command Line Options” you learned that the -d flag has radare enter debug mode. Debug mode allows you to set breakpoints and offers a lot of options to not only navigate through your binary, but to analyze the data that goes in and out of the registers as well.
Q.1: How do you set a breakpoint?
Answer: db
Q.2: What command is used to print out the values of all the registers?
Answer: dr
Q.3: How do you run through the program until the program either ends or you hit the next breakpoint?
Answer: dc
Q.4: What if you want to step through the binary one line at a time?
Answer: ds
Q.5: How do you go forward 2 lines in the binary?
Answer: ds 2
Q.6: How do you list out the indexes and memory addresses of all breakpoints?
Answer: dbi
Task 9: Visual Mode
While visual mode is by no means necessary and won’t inherently teach you anything new about the binary you’re currently running, it makes the assembly more human readable, provides a lot of options to enhance the visual appeal of radare, and can definitely improve efficiency. Therefore I would say it’s a valuable tool that you should know how to use. All commands involving visual mode start with v.
Q.1: How do you enter “graph mode”, which allows everything to be organized in nice readable boxes? (A personal favorite of mine. Also note that the second character is uppercase.)
Answer: vV
Q.2: What character do you press to run normal radare commands inside visual mode?
Answer: :
Q.3: How do you go back to the regular radare shell (leaving visual mode)?
Answer: q
Q.4: What if you want to step through the binary inside Visual mode?
Answer: s
Q.5: How do you add a comment?
Answer: ;
Task 10: Write Mode
Occasionally you might end up in a situation where a task is impossible to solve with the current instructions. For example, take this code:
int val = 4;
if (val == 5) {
    printf("%s", "You win!");
}
You will never be able to get it to print out You win! because under normal circumstances val will never be set equal to 5. This is where write mode comes in: it allows you to change instructions so you can get certain conditions to execute. All commands involving write mode start with w.
Q.1: How do you write a string to the current memory address?
Answer: w
Q.2: What command lists all write changes?
Answer: wc
Q.3: What command modifies an instruction at the current memory address?
Answer: wa
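A small model of what the w commands do underneath, added here as an example (it is not radare2 code, and the instruction bytes are constructed, not dumped from a room binary): a write cache that stages edits the way w and wx do, lists them the way wc does, and is then used to change the immediate in the cmp behind the if (val == 5) test above so that the comparison becomes true.

```python
# x86-64 encoding of `cmp dword [rbp-4], 5 ; jne +0x0e`, i.e. the `if (val == 5)` test
# above after compilation. Constructed for this example, not dumped from a room binary.
ORIGINAL = bytes.fromhex("837dfc05750e")
CMP_IMM_OFFSET = 3        # the imm8 operand of the cmp is its 4th byte


class WriteCache:
    """Staged in-memory edits over a byte buffer, modelled on radare2's write cache:
    write() is what w/wx do, list_changes() is what wc shows. The original is kept."""

    def __init__(self, data):
        self.original = bytes(data)
        self.buf = bytearray(data)
        self.changes = []            # (offset, old_bytes, new_bytes)

    def write(self, offset, new):
        """Overwrite len(new) bytes at offset; the code size never changes."""
        new = bytes(new)
        if offset < 0 or offset + len(new) > len(self.buf):
            raise ValueError("write outside the buffer")
        old = bytes(self.buf[offset:offset + len(new)])
        self.buf[offset:offset + len(new)] = new
        self.changes.append((offset, old, new))
        return old

    def write_string(self, offset, text):
        """`w <string>`: write the string plus its NUL terminator (Q.1)."""
        return self.write(offset, text.encode() + b"\x00")

    def list_changes(self):
        """`wc`: one line per staged change with offset, length, old -> new bytes (Q.2)."""
        return [f"0x{off:08x} {len(new)} {old.hex()} -> {new.hex()}"
                for off, old, new in self.changes]


def make_branch_taken(cache):
    """Patch `cmp ..., 5` into `cmp ..., 4` so val == 4 satisfies the test, the kind of
    single-instruction change `wa` makes when you reassemble it (Q.3). Returns the code."""
    cache.write(CMP_IMM_OFFSET, b"\x04")
    return bytes(cache.buf)


if __name__ == "__main__":
    cache = WriteCache(ORIGINAL)
    patched = make_branch_taken(cache)
    print(patched.hex())                 # 837dfc04750e
    print("\n".join(cache.list_changes()))
```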
Task 11: The Final Exam
Congratulations on making it to this point. You should now be able to solve a crackme! Use all the tools you’ve learned and get that password! The binary to use for this task is the_final_exam!
Q.1: What is the password that outputs the “You win!” message?
Answer: oekZ_Z_j
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Thank you for taking the time to read my walkthrough. Feedback is always welcome!