0x41haz THM Walkthrough
2026-1-10 08:2:39 Author: infosecwriteups.com (view original) Views: 5

Death Esther

Introduction

0x41haz is a simple reversing challenge on TryHackMe that focuses on analyzing a Linux ELF binary to recover a hardcoded password. The task is minimal by design, with a small anti-analysis trick that forces you to slow down and inspect the binary properly.

Room link: https://tryhackme.com/room/0x41haz

Downloading the Binary

To get started with 0x41haz, I first downloaded the task file directly from the room. This can be done by clicking the blue download button provided in Task 1.

Once the file was on my system, the first thing I did was identify what kind of binary I was dealing with. For that, I used the file command, which gives a quick overview of the executable format.

death@esther:~$ file 0x41haz-1640335532346.0x41haz 
0x41haz-1640335532346.0x41haz: ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)

At this point, it was clear that the file was an ELF 64-bit binary. However, the output also showed something unusual: MSB *unknown arch 0x3e00*. That immediately stood out and explained why the binary wouldn’t execute in its current state.

Fixing the Binary Header

The issue turned out to be in the ELF header. With some quick research and reference material, I found that the problem could be resolved by patching the sixth byte in the file header (EI_DATA, at offset 5), specifically changing its value from 0x02 to 0x01. That byte records the byte order of the file: 0x02 means big-endian (MSB) and 0x01 little-endian (LSB). With it set to MSB, the little-endian e_machine value 0x3e (x86-64) is read as 0x3e00, which is exactly the unknown architecture that file reported.

To do this, I opened the binary using a hex editor.

hexedit 0x41haz-1640335532346.0x41haz

I navigated to the sixth byte and modified it accordingly.

After making the change, I ran the file command again to verify whether the binary was now recognized correctly.

death@esther:~$ file 0x41haz-1640335532346.0x41haz 
0x41haz-1640335532346.0x41haz: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c9f2e85b64d4f12b91136ffb8e4c038f1dc6dcd, for GNU/Linux 3.2.0, stripped

The output now looked clean. The binary was properly identified as a 64-bit x86-64 ELF executable.
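To make the header fix concrete, here is an added example (not code from the original post or from TryHackMe) that parses the ELF identification bytes, decodes e_machine using the byte order that EI_DATA selects, and patches the sixth byte the way hexedit did above. The header it works on is constructed for the demo, and the function and constant names are this example's own:

```python
"""Parse the ELF identification bytes and repair the EI_DATA byte.

Added example for this write-up, not code from the original post or from
TryHackMe. The header below is constructed: a 64-bit x86-64 header whose
sixth byte was set to 0x02 (big-endian) while the rest stays little-endian,
which is the damage the walkthrough describes.
"""
import struct

ELFMAG = b"\x7fELF"
EI_CLASS, EI_DATA, EI_VERSION = 4, 5, 6       # offsets inside e_ident
ELFCLASS64 = 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2               # little-endian, big-endian
EM_X86_64 = 0x3E
MACHINE_NAMES = {0x03: "i386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def build_header(ei_data: int) -> bytes:
    """Constructed 64-bit ELF header prefix: e_ident (16 bytes), then e_type,
    e_machine and e_version always written little-endian, so only the
    EI_DATA byte decides how a parser will interpret them."""
    ident = ELFMAG + bytes([ELFCLASS64, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack("<HHI", 3, EM_X86_64, 1)  # ET_DYN, x86-64, EV_CURRENT


def describe(header: bytes) -> dict:
    """Interpret the header the way `file` does: EI_DATA picks the byte order
    used to decode every multi-byte field that follows e_ident."""
    if header[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    ei_data = header[EI_DATA]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError(f"invalid EI_DATA byte {ei_data:#x}")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine, e_version = struct.unpack_from(endian + "HHI", header, 16)
    return {
        "class": "64-bit" if header[EI_CLASS] == ELFCLASS64 else "32-bit",
        "data": "LSB" if ei_data == ELFDATA2LSB else "MSB",
        "e_type": e_type,
        "e_machine": e_machine,
        "machine": MACHINE_NAMES.get(e_machine, f"unknown arch {e_machine:#x}"),
    }


def patch_ei_data(header: bytes, value: int = ELFDATA2LSB) -> bytes:
    """Return a copy with the sixth byte (offset 5) set to `value`; this is
    the hexedit change from the walkthrough done programmatically."""
    patched = bytearray(header)
    patched[EI_DATA] = value
    return bytes(patched)


if __name__ == "__main__":
    broken = build_header(ELFDATA2MSB)
    print("before:", describe(broken))   # data=MSB, machine=unknown arch 0x3e00
    fixed = patch_ei_data(broken)
    print("after: ", describe(fixed))    # data=LSB, machine=x86-64
```

To apply this to a real file, read at least the first 24 bytes, run describe on them, and write the patched bytes back to offset 5. The tell that the MSB byte is the corrupted field rather than a genuine big-endian target is exactly what file printed: a known machine id (0x3e) appearing byte-swapped as 0x3e00. A real big-endian ELF would decode to a valid architecture and should be left alone.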

Executing the Program

With the header fixed, I copied the binary to a simpler name, granted execution permissions, and ran it.

$ cp 0x41haz-1640335532346.0x41haz testbinary
$ chmod +x testbinary
$ ./testbinary

At runtime, the program prompted me for a password.

That confirmed this was a straightforward reversing challenge, so the next step was to analyze the binary to understand how the password check was implemented.

Reversing with Radare2

For analysis, I used radare2, a command-line reverse engineering framework that I personally find efficient for quick static analysis.

Installation was done as follows:

git clone https://github.com/radareorg/radare2
radare2/sys/install.sh

Once installed, I loaded the binary into radare2.

The first command I ran was a full analysis pass.

aaa

After analysis completed, I navigated to the main function.

s main

From there, I disassembled the function to inspect its logic.

pdf

While reviewing the disassembly, I noticed a string literal used in the password comparison logic:

2@@25$gfsT&@L
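The literal was visible because stripping a binary removes symbol names, not data. As an added example (not code from the original post), the following scan reproduces what `strings` or radare2's string listing surfaces, run over a constructed blob whose secret and flag are placeholders rather than the challenge's values:

```python
"""Scan a binary blob for printable ASCII runs, which is how a hardcoded
password check surfaces in radare2 (or plain `strings`) output.

Added example, not code from the original post. SAMPLE_BLOB is constructed:
the "secret" and flag inside it are placeholders, not the challenge's values.
"""
import re

MIN_LEN = 6  # shorter runs are mostly opcode bytes that happen to be printable

# Constructed binary-like data: header-ish bytes, fake opcodes, then the
# prompt, the comparison literal and the two result messages, NUL-terminated.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x48\x8d\x3d\x10\x00\x00\x00"            # opcode-like bytes, not real code
    + b"Enter password: \x00"
    + b"\x01\x02\x03"
    + b"EXAMPLE-P@ss-1234\x00"                  # placeholder hardcoded secret
    + b"\xff\xfe\x00\x00"
    + b"Wrong!\x00Correct! Flag: THM{placeholder}\x00"
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, text) for every run of at least min_len printable
    ASCII bytes, mirroring `strings -n min_len -t d`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def strings_in_file(path: str, min_len: int = MIN_LEN) -> list:
    """Same scan over a file on disk (reads it whole; fine for small binaries)."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)


if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:6d}  {text}")
```

Against the real task file the equivalent is `strings -n 8 testbinary` or, inside radare2, `iz` to list strings in data sections; the one referenced right beside the compare in `pdf` is what stood out here. The broader point for anyone shipping software is that a stripped binary hides names, not contents: a credential compared against a string constant is recoverable by anyone holding the file.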

Retrieving the Flag

With that value identified, I executed the binary again and supplied it as the password.

The program accepted the input and returned the flag.

What is the password?

THM{2@@25$gfsT&@L}

Source: https://infosecwriteups.com/0x41haz-thm-walkthrough-299d7b2c40d2?source=rss----7b722bfd1b8d---4