Date: 05/09/2025
Room Link: https://tryhackme.com/room/reverselfiles
My Profile: https://tryhackme.com/p/RayenHafsawy
🧭 Introduction
In this write-up, I demonstrate how I solved 8 ELF binary reversing challenges using static and dynamic analysis techniques — including strings inspection, base64 decoding, and radare2 debugging.
This lab is a perfect example of how understanding program flow, register inspection, and encoding recognition can combine into a complete binary reversing methodology.
🔍 1. Initial Setup
All binaries were provided locally. Before running each one I set the correct permissions:
chmod 777 crackme1
./crackme1
💭 Always make ELF binaries executable before running them — and never skip static analysis before dynamic debugging.
🧩 2. Crackme1 — Running the Binary
I simply executed the binary directly:
chmod 777 crackme1
./crackme1
✅ Result: Flag obtained directly from execution.
🏁 Flag: flag{not_that_kind_of_elf}
🧩 3. Crackme2 — Strings Analysis
I ran strings to inspect readable content inside the binary:
chmod 777 crackme2
./crackme2
strings crackme2
📊 Finding: Password found in plaintext inside the binary.
Password : super_secret_password
🏁 Flag: flag{if_i_submit_this_flag_then_i_will_get_points}
💭 strings is always the first static analysis step — many binaries store passwords or flags in plaintext.
🧩 4. Crackme3 — Base64 Decoding
I ran strings and found a Base64-encoded string:
chmod 777 crackme3
./crackme3
strings crackme3
➡️ I decoded it using the terminal:
echo "ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==" | base64 -d
🏁 Flag: f0r_y0ur_5ec0nd_le55on_unbase64_4ll_7h3_7h1ng5
💭 Base64 encoding is one of the most common obfuscation techniques in CTF reversing challenges — always try to decode suspicious strings.
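The strings-then-decode step above can be automated for triage. The following is an added example, not part of the original write-up: the function names are illustrative, and SAMPLE is a constructed byte blob (not the real crackme3 file) that embeds the encoded string quoted above. It generalizes the manual step by filtering out strings that merely look like Base64.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def decode_base64_candidates(strings: list, min_len: int = 16) -> dict:
    """Map each string that is valid Base64 of printable text to its decoding."""
    hits = {}
    for s in strings:
        # Cheap filters first: length, multiple of 4, Base64 alphabet only.
        if len(s) < min_len or len(s) % 4 or not B64_RE.fullmatch(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Ordinary identifiers often decode "successfully" to binary junk;
        # keep only results that are themselves printable text.
        if raw and all(0x20 <= b <= 0x7E for b in raw):
            hits[s] = raw.decode("ascii")
    return hits


# Constructed sample: an ELF-like blob with NUL-separated strings, including
# the encoded string quoted in this write-up and one deliberate false lead.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"Usage: %s PASSWORD\x00"
    + b"abcdefghijklmnop\x00"  # Base64 alphabet, but decodes to binary
    + b"ZjByX3kwdXJfNWVjMG5kX2xlNTVvbl91bmJhc2U2NF80bGxfN2gzXzdoMW5nNQ==\x00"
    + b"\x01\x1b\x03;\x00"
)

if __name__ == "__main__":
    for enc, dec in decode_base64_candidates(extract_strings(SAMPLE)).items():
        print(f"{enc} -> {dec}")
```

To scan a real file, pass its bytes (for example `open(path, "rb").read()`) to `extract_strings` instead of SAMPLE.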
🧩 5. Crackme4 — Radare2 Dynamic Debugging
I loaded the binary in radare2 and performed full analysis:
chmod 777 crackme4
r2 -d ./crackme4
aaa
afl
pdf @main
db 0x004006d5
ood 'argement'
dc
pdf @sym.compare_pwd
px @rdi
📊 Finding: Password extracted from register inspection at the breakpoint.
Password : my_m0r3_secur3_pwd
💭 Setting breakpoints at comparison functions and inspecting registers is the core technique for dynamic binary analysis.
🧩 6. Crackme5 — Register Inspection
I followed the same radare2 approach targeting the comparison breakpoint:
chmod 777 crackme5
strings crackme5
r2 -d ./crackme5
aaa
afl
pdf @main
db 0x0040082f
dc
px @rsi
📊 Finding: Input string extracted from the rsi register.
Input : OfdlDSA|3tXb32~X3tX@sX\`4tXtz
💭 Different registers hold different values at runtime — always check both rdi and rsi at comparison points.
🧩 7. Crackme6 — Helper Function Analysis
I analyzed both the main function and the custom comparison functions:
./crackme6
strings crackme6
r2 -d ./crackme6
aaa
afl
pdf @main
pdf @sym.compare_pwd
pdf @sym.my_secure_test
📊 Finding: Password revealed through function flow analysis.
Password : 1337_pwd
💭 Always list all functions with afl — helper functions like compare_pwd often contain the real logic.
🧩 8. Crackme7 — Main Function Analysis
I disassembled the main function and traced the flag:
./crackme7
strings crackme7
r2 -d ./crackme7
pdf @main
🏁 Flag: flag{much_reversing_very_ida_wow}
🧩 9. Crackme8 — Final Challenge
I applied the full static and dynamic analysis workflow:
./crackme8
strings crackme8
r2 -d ./crackme8
pdf @main
🏁 Flag: flag{at_least_this_cafe_wont_leak_your_credit_card_numbers}
🔗 Attack Path Overview
Crackme1 ➝ Direct execution → Flag
Crackme2 ➝ strings → Plaintext password → Flag
Crackme3 ➝ strings → Base64 decode → Flag
Crackme4 ➝ r2 → Breakpoint → px @rdi → Password
Crackme5 ➝ r2 → Breakpoint → px @rsi → Input string
Crackme6 ➝ r2 → Helper function analysis → Password
Crackme7 ➝ r2 → pdf @main → Flag
Crackme8 ➝ r2 → pdf @main → Flag
🧠 Lessons Learned
ELF binaries can be reversed using static analysis with strings and dynamic debugging with radare2.
Many crackmes rely on string comparison logic inside main or helper functions.
Breakpoints at comparison instructions combined with register inspection are the key to extracting runtime values.
Encoding techniques like base64, hex, and ROT are commonly used to obfuscate flags.
Always list all functions with afl before diving into disassembly — helper functions often hold the real logic.
Practice in binary reversing strengthens understanding of program flow and low-level execution.
🎯 Conclusion
This lab demonstrates how a structured reversing methodology — starting with strings, moving to radare2 disassembly, and using breakpoints with register inspection — can systematically solve even obfuscated binary challenges.
💡 The real skill in reversing is not memorizing tools — it is understanding what the program is trying to compare and where that comparison happens.
✍️ About the Author
Rayen Hafsawy
Cybersecurity student focused on penetration testing and CTF challenges.
📧 rayenhafsawy@gmail.com