Tag: Ghidra

0x06 - crackme02 by noracodes

binary crackme02.64
sha256 7bfdbae26d4295bd934a0bc7ddc55a1bfa62fd4e08e43c4fc2cf106480c7fa78

This short crackme is another from noracodes collection. I built it on my own machine, so the SHA256 above will likely be different for you. Running file reveals that this is a 64-bit, non-stripped binary like we’ve seen before:

crackme02.64: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b575162a0fce3682ceb91760b033f943d0db2532, for GNU/Linux 3.2.0, not stripped

Looking at strings with rabin2 shows us something that looks suspicious:

0x05 - CSAW 2019 beleaf

Today’s sample was one of the RE challenges during CSAW 2019. CSAW is a beginner-friendly CTF, but I found this challenge was not so simple.

binary beleaf
sha256 bb28a152966bed0a369f30149a912982ea33b408794bfbd82e73c87ff4e184ff

Running file reveals that this is a 64-bit position-independent ELF executable, and that it is stripped. This means debugging information has been removed, as well as symbols and other stuff that would help us reverse this sample :(

file beleaf
beleaf: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6d305eed7c9bebbaa60b67403a6c6f2b36de3ca4, stripped

As we can see from readelf, the symbol table has been removed:

0x03 - rev by helithumper

binary rev
sha256 2b704c51b17fe6ed1461f4068eb7d8824a7a66d37eae56dc9adcf0d2cbd0cce2

This is a very straightforward one by helithumper, called rev. It’s another 64-bit, non-stripped ELF:

❯ file rev
rev: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e4dbcb1281821db359d566c68fea7380aeb27378, for GNU/Linux 3.2.0, not stripped
❯ nm rev
0000000000004010 B __bss_start
                 U calloc@@GLIBC_2.2.5
0000000000004010 b completed.7963
                 w __cxa_finalize@@GLIBC_2.2.5
0000000000004000 D __data_start
0000000000004000 W data_start
00000000000010c0 t deregister_tm_clones
0000000000001130 t __do_global_dtors_aux
0000000000003da0 d __do_global_dtors_aux_fini_array_entry
0000000000004008 D __dso_handle
0000000000003da8 d _DYNAMIC
0000000000004010 D _edata
0000000000004018 B _end
0000000000001334 T _fini
0000000000001170 t frame_dummy
0000000000003d98 d __frame_dummy_init_array_entry
00000000000021ec r __FRAME_END__
0000000000003f98 d _GLOBAL_OFFSET_TABLE_
                 w __gmon_start__
0000000000002080 r __GNU_EH_FRAME_HDR
0000000000001000 t _init
0000000000003da0 d __init_array_end
0000000000003d98 d __init_array_start
0000000000002000 R _IO_stdin_used
                 U __isoc99_scanf@@GLIBC_2.7
                 w _ITM_deregisterTMCloneTable
                 w _ITM_registerTMCloneTable
0000000000001330 T __libc_csu_fini
00000000000012d0 T __libc_csu_init
                 U __libc_start_main@@GLIBC_2.2.5
0000000000001175 T main
                 U puts@@GLIBC_2.2.5
00000000000010f0 t register_tm_clones
                 U __stack_chk_fail@@GLIBC_2.4
0000000000001090 T _start
                 U strlen@@GLIBC_2.2.5
0000000000004010 D __TMC_END__
00000000000011ea T validate

Since this binary isn’t stripped, we of course have some symbols available to us. There is a function called validate which sounds interesting, and we also have main:

0x04 - crackme01e by noracodes

binary crackme01e.64
sha256 f01baae9fbf1aaf67ea4fb79b85c6e31777f1056f8125b541f50bb4de97d33c7

This sample is just a variant of the last crackme I solved by noracodes, the original writeup of which can be found here. Again, this was built locally on my machine so the SHA256 will be different if you build it yourself.

And again, this is built using the same make process and so it’s a 64-bit ELF which is not stripped.

❯ file ./crackme01e.64
./crackme01e.64: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cad300e0d35281b03b8dbf9fe9aabc29551ceed9, for GNU/Linux 3.2.0, not stripped

Let’s try the same trick that worked last time, and just check for suspicious looking strings:

0x02 - crackme01 by noracodes

binary crackme01.64
sha256 f4100598da4381f16322e55a4a2716f6f8a52879804f406d933008b7669d8f00

This evening’s sample is crackme01.64, which is the first in a collection of crackmes included in a great tutorial by noracodes, which can be found here. This sample was built locally on my machine, so the SHA256 will almost certainly be different for you:

❯ file crackme01.64
crackme01.64: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=09321964d66c4fcf4295babb61fe33daed332352, for GNU/Linux 3.2.0, not stripped

The binary is not stripped, so we have some symbols to work with: