0x41haz - Alhaz
0x41haz is a reverse engineering challenge where we're given a binary file and tasked with extracting a hidden password. However, the binary comes with certain protections that make this task more challenging. Our goal? Bypass these protections and retrieve the password!
Analysis
Great! I got the file.
drwxrwxrwx 1 Cyb3rWo9f Cyb3rWo9f 4096 Feb 15 14:51 .
drwxrwxrwx 1 Cyb3rWo9f Cyb3rWo9f 4096 Feb 15 14:45 ..
-rwxrwxrwx 1 Cyb3rWo9f Cyb3rWo9f 14432 Feb 15 15:16 0x41haz-1640335532346.0x41haz
Now, let’s begin with some basic analysis to understand what we’re dealing with.
file 0x41haz-1640335532346.0x41haz
0x41haz-1640335532346.0x41haz: ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)
Here, I encounter our first obstacle: the file is treated as a shared object rather than a standard executable. This prevents us from using analysis tools like ltrace and radare2, which require an executable binary. To bypass this restriction, we need to modify the sixth byte of the file header, changing
This effectively converts it into an executable format. To achieve this, I used a hex editor:
File: 0x41haz-1640335532346.0x41haz ASCII Offset: 0x00000000 / 0x0000385F (%00)
00000000 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
00000010 03 00 3E 00 01 00 00 00 80 10 00 00 00 00 00 00 ..>.............
00000020 40 00 00 00 00 00 00 00 60 31 00 00 00 00 00 00 @.......`1......
^G Help ^C Exit (No Save) ^T goTo Offset ^X Exit and Save ^W Search
^U Undo ^L Redraw ^E Text Mode ^R CharSet ^P Spacing
Then, I ran the file command again to verify the changes, and this time everything looks good!
file 0x41haz-1640335532346.0x41haz
0x41haz-1640335532346.0x41haz: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID
[sha1]=6c9f2e85b64d4f12b91136ffb8e4c038f1dc6dcd, for GNU/Linux 3.2.0, stripped
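To make the header fix reproducible, and to check the header before and after the way the file command does, here is an added Python example that is not part of the original writeup. It reads the ELF identification bytes and the e_type/e_machine fields, decoding them in the byte order that the sixth byte (EI_DATA, offset 5) declares. That is what produced the odd `*unknown arch 0x3e00*` output above: with EI_DATA set to 2 (big-endian) the two machine bytes `3E 00` are read as 0x3E00 instead of 0x003E, the x86-64 value. The sample header is constructed from the hex dump above with offset 5 set back to 0x02 to model the file before the patch; the constant names are the standard ELF ones.

```python
import struct
import sys

# Standard ELF header constants (from the ELF specification).
ELFCLASS64 = 2
ELFDATA2LSB = 1   # little-endian
ELFDATA2MSB = 2   # big-endian
EM_X86_64 = 0x3E
ET_DYN = 3        # shared object / PIE executable

# Constructed sample: the first 32 bytes of the challenge header as shown in the
# hex dump, with byte 5 (EI_DATA) set to 0x02 to model the file before the patch.
SAMPLE_HEADER_MSB = bytes.fromhex(
    "7f454c46" "02" "02" "01" "00" "0000000000000000"   # magic, class, data, version, pad
    "0300" "3e00" "01000000" "8010000000000000"        # e_type, e_machine, e_version, e_entry
)


def parse_elf_header(data: bytes) -> dict:
    """Decode the header fields a sanity check needs, honouring the declared byte order."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"invalid EI_DATA value {ei_data}")
    # e_type and e_machine are 16-bit fields at offsets 16 and 18. Like `file`,
    # we decode them in whatever byte order EI_DATA claims.
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"class": ei_class, "data": ei_data, "e_type": e_type, "e_machine": e_machine}


def header_is_consistent(data: bytes) -> bool:
    """True when the declared byte order yields a known machine type (x86-64 here)."""
    return parse_elf_header(data)["e_machine"] == EM_X86_64


def patch_ei_data(data: bytes, ei_data: int = ELFDATA2LSB) -> bytes:
    """Return a copy of the ELF image with the sixth header byte (EI_DATA) replaced."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    return data[:5] + bytes([ei_data]) + data[6:]


def describe(data: bytes) -> str:
    """One-line summary in the spirit of `file` output."""
    info = parse_elf_header(data)
    order = "LSB" if info["data"] == ELFDATA2LSB else "MSB"
    arch = "x86-64" if info["e_machine"] == EM_X86_64 else f"unknown arch {info['e_machine']:#06x}"
    return f"ELF {'64' if info['class'] == ELFCLASS64 else '32'}-bit {order} {arch}, e_type={info['e_type']}"


if __name__ == "__main__":
    # Usage: python elf_fix.py <binary>   (the file is rewritten in place)
    if len(sys.argv) == 2:
        raw = open(sys.argv[1], "rb").read()
        print("before:", describe(raw))
        if not header_is_consistent(raw):
            fixed = patch_ei_data(raw)
            print("after: ", describe(fixed))
            open(sys.argv[1], "wb").write(fixed)
    else:
        print("sample before:", describe(SAMPLE_HEADER_MSB))
        print("sample after: ", describe(patch_ei_data(SAMPLE_HEADER_MSB)))
```

Only the one identification byte is changed; the code and data of the binary are untouched, which is why the file runs normally afterwards.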
Next, I loaded the binary into radare2 to start analyzing it and hunting for the password.
r2 0x41haz-1640335532346.0x41haz
[0x00001080]> aaa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods (af @@ method.*)
INFO: Recovering local variables (afva@@@F)
INFO: Type matching analysis for all functions (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x00001080]> s main
[0x00001165]> pdf
; DATA XREF from entry0 @ 0x109d(r)
┌ 219: int main (int argc, char **argv, char **envp);
│ ; var int64_t var_4h @ rbp-0x4
│ ; var size_t var_8h @ rbp-0x8
│ ; var int64_t var_ah @ rbp-0xa
│ ; var int64_t var_eh @ rbp-0xe
│ ; var int64_t var_16h @ rbp-0x16
│ ; var char *s @ rbp-0x40
│ 0x00001165 55 push rbp
│ 0x00001166 4889e5 mov rbp, rsp
│ 0x00001169 4883ec40 sub rsp, 0x40
│ 0x0000116d 48b8324040.. movabs rax, 0x6667243532404032 ; '[REDACTED]'
│ 0x00001177 488945ea mov qword [var_16h], rax
│ 0x0000117b c745f27354.. mov dword [var_eh], 0x40265473 ; '[REDACTED]'
│ 0x00001182 66c745f64c00 mov word [var_ah], 0x4c ; '[REDACTED]'
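The three mov instructions above build the password on the stack as a "stack string": an 8-byte, a 4-byte and a 2-byte immediate are written to adjacent slots (rbp-0x16, rbp-0xe and rbp-0xa), so reading the slots back in little-endian byte order yields the characters in sequence, ending at the NUL in the final word. The following added Python example, which is not part of the original writeup, reconstructs such a string from the immediates and their widths exactly as they appear in the listing, checking that the slots are contiguous before concatenating them. The STORES list is transcribed from the disassembly above.

```python
def decode_stack_string(stores):
    """Rebuild a stack string from (stack_offset, width_in_bytes, immediate) tuples.

    The offsets are the rbp displacements from the disassembly (negative numbers).
    Slots are sorted by address, checked for gaps, converted to little-endian bytes
    (x86-64 stores immediates little-endian) and cut at the first NUL terminator.
    """
    ordered = sorted(stores)            # lowest address first
    buf = bytearray()
    next_offset = None
    for offset, width, imm in ordered:
        if next_offset is not None and offset != next_offset:
            raise ValueError(f"gap in stack slots before {offset:#x}")
        if imm < 0 or imm >= 1 << (8 * width):
            raise ValueError(f"immediate {imm:#x} does not fit in {width} bytes")
        buf += imm.to_bytes(width, "little")
        next_offset = offset + width
    return bytes(buf).split(b"\x00", 1)[0].decode("ascii")


# Transcribed from the listing: (rbp displacement, width, immediate).
STORES = [
    (-0x16, 8, 0x6667243532404032),  # movabs rax, ... ; mov qword [var_16h], rax
    (-0x0e, 4, 0x40265473),          # mov dword [var_eh], ...
    (-0x0a, 2, 0x004c),              # mov word [var_ah], 0x4c  (last char + NUL)
]


def extracted_password():
    """The password as the program itself lays it out in memory."""
    return decode_stack_string(STORES)


if __name__ == "__main__":
    print(extracted_password())
```

The same routine works for any compiler-generated stack string: add one tuple per store and the gap check will tell you if a slot was missed.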
Then, I executed the binary in a separate terminal, entered the password, and it worked!
./0x41haz-1640335532346.0x41haz
=======================
Hey , Can You Crackme ?
=======================
It's jus a simple binary
Tell Me the Password : [REDACTED]
Well Done !!
Since the flag followed the THM{} format, entering the extracted password successfully revealed it. 0x41haz: challenge solved!
Happy hacking!
Here are some resources: