In this post, I will cover a dynamic solution for the second phase of the CMU Binary Bomb, which is a lot of fun and teaches you how some C basics, such as switch statements, recursion and linked lists, end up as assembly.
Phase 2 of the Bomb
We’ll start by loading the binary in radare2, in debug mode.
We’ll continue until
I’ll not spoil the solution for phase_1, even though it’s fairly easy to get to it.
If we look at the code of phase_2, we’ll notice that it reads six numbers and then compares them, in a loop, with some values computed along the way.
We’re going to make this phase solve itself, because we’re too lazy (read: smart) to do any manual work (or any work, for that matter).
Go Solve Yourself
We’re going to set two breakpoints: one at the cmp instruction within the loop, at 0x8048b7e, and one right after the loop, at
Now comes the fun part. In radare2, you can add commands to be executed whenever a breakpoint is hit via dbc. We’ll force our values, which reside at esi + ebx*4, to always be equal to the desired value held in eax.
The first dbc statement adds two commands to be executed whenever the breakpoint at cmp is hit. The first of these runs the output of dr* as radare2 commands, to force a “sync” of the register values when the breakpoint is hit.
The second, *(esi+ebx*4)=`dr eax`, writes the value of eax (the desired value) at esi + ebx*4 (our input). Thus, the comparison will always be true until the loop ends.
The second dbc statement prints the resulting input at esi at the end of the loop, which will be the valid input for defusing this phase of the bomb.
There is one last element that is out of place: execution will still stop inside the loop at every iteration. We want our commands to be executed at that point, but without stopping. We can set this breakpoint to be a tracepoint instead, so its commands run and execution continues.
Now we should be set. Just dc and enjoy.
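Here is the whole recipe as a radare2 command sequence, put together as an added example rather than copied from the post. The cmp address, the roles of esi + ebx*4 and eax, and the *(esi+ebx*4)=`dr eax` write come from the text above; <ADDR_AFTER_LOOP> is a placeholder for the second address, which the post does not preserve here; the dbte tracepoint line, the pxw print and the leading double-quote form of the dbc lines are my choices, not the post’s.

```r2
# Added example (not the post's own script). Paste these into the r2 prompt
# after starting the bomb with `r2 -d ./bomb` and getting past phase_1.
# Assumptions: cmp inside the loop at 0x8048b7e (from the post);
# <ADDR_AFTER_LOOP> is a placeholder for the instruction right after the loop.

# 1. Breakpoint on the cmp inside the loop.
db 0x8048b7e

# 2. Commands to run each time it is hit: re-import the live register values
#    as flags (.dr*), then overwrite the current input dword at esi+ebx*4
#    with the expected value in eax. The leading double quote makes r2 store
#    the whole line verbatim, so the ';' stays inside this one dbc command and
#    the `dr eax` backticks are evaluated at hit time, not at definition time.
"dbc 0x8048b7e .dr*; *(esi+ebx*4)=`dr eax`"

# 3. Make the breakpoint a tracepoint: its commands run, execution continues.
dbte 0x8048b7e

# 4. Breakpoint after the loop that dumps the six forced dwords at esi.
db <ADDR_AFTER_LOOP>
"dbc <ADDR_AFTER_LOOP> .dr*; pxw 24 @ esi"

# 5. Continue; the pxw output at the second breakpoint is the defusal input.
dc
```

The .dr* refresh matters in both dbc lines: without it, esi, ebx and eax in the expressions could still hold the values from the last time the flags were synced, and the write would land on the wrong dword.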
We’re done with this phase. Those are the defusal numbers.
Hope you’ve enjoyed reading. Have fun with the bomb!