CMU Bomb Lab with Radare2 — Phase 5
Ok, I lied about cheating through everything in this challenge. We will 100% do Phase 5 properly since it focuses on basic reverse engineering. As you may have heard, r2 is great at RE.
If you missed the other posts in this series, here they are:
Start off as we always do. Load the binary, analyze it, print sym.phase_5
. At a glance it’s another mess, but if you break it up into parts, the solution is easily scriptable in 10–15 lines of Python.
| 0x0040107a e89c020000 call sym.string_length
| 0x0040107f 83f806 cmp eax, 6 ; r12
| ,=< 0x00401082 744e je 0x4010d2
| | 0x00401084 e8b1030000 call sym.explode_bomb
Our solution is 6 chars. No problem.
| .. — -> 0x0040108b 0fb60c03 movzx ecx, byte [rbx + rax]
| ::|| 0x0040108f 880c24 mov byte [rsp], cl
| ::|| 0x00401092 488b1424 mov rdx, qword [rsp]
| ::|| 0x00401096 83e20f and edx, 0xf
| ::|| 0x00401099 0fb692b02440. movzx edx, byte [rdx + obj.array.3449]
| ::|| 0x004010a0 88540410 mov byte [rsp + rax + 0x10], dl
| ::|| 0x004010a4 4883c001 add rax, 1
| ::|| ; r12
| ::|| 0x004010a8 4883f806 cmp rax, 6
| `====< 0x004010ac 75dd jne 0x40108b
Let’s look at the key parts.
- 0x0040108b —
rbx
andrax
are being used to index through - 0x00401096 — a binary
&
is applied toedx
- 0x00401099 —
rdx
is used as an index for an array? - 0x004010a8 — Check to see if we’re done
We’re getting dangerously close to doing math, so let’s start debugging and placing breakpoints to figure out what’s going on. I bet you were wondering when we’d talk breakpoints. Well here we go.
Break points
Breakpoints are set in Debug mode from the r2 command line with db [address]
. If you do not specify a function or address, db
will place a breakpoint at the cursor. You can also set breakpoints in Visual and Graph with F2
. Resume/Continue code execution with the dc
— (D)ebug (C)ontinue Execution. Obviously that’s a handy command when you’re working with breakpoints and you’ll be using it often.
Visual and Graph mode let you toggle a cursor, which allows you to move around and run commands without having to seek or specify and address. Press the c
key to toggle the cursor on/off.
It’s worth mentioning r2 has a Visual mode designed for debugging. Not only does it show you the stack and registers, you can use the cursor c
and TAB
to select different panes, and p
to change the pane’s content.
Let’s recap that for those with ADD:
db [address] # Set breakpoint at specified address
F2 # Set a breakpoint at cursor
dc # Continue code execution
c # Toggle cursor in Visual/Graph mode
TAB # Switch panes in Visual/Graph mode
p # Change print mode in Visual/Graph mode
Add abcdef
as your Phase 5 solution in answers.txt, load the binary in r2’s Debug mode, run analysis, thendcu sym.phase_5
. Now switch to Visual mode with v
, cycle the print mode with p
until you see the disassembled function, toggle your cursor with c
, then finally move down to the movzx edx, byte [rdx + obj.array.3449]
and press F2
to place a breakpoint. Press dc
to continue until the breakpoint.
It looks like rdx
is being used to select a single character in the object array. Use ps @ obj.array.3449
to print the array
So essentially, our input has a binary &
applied to it, and the result is used as an index to select a character from an array. Something like:
array = “maduiersnfotvbyl”
final = ""for letter in user_input:
index = letter & 0xF
final += array[index]
sym.phase_5
calls a few functions after the loop. Notice that sym.strings_not_equal
takes two arguments, our string, and flyers
. Disassemble sym.strings_not_equal
to see that the two strings are compared, and the function returns 0 if they match.
The goal is to find a password which, after having a binary &
applied, indexes with the array to matchflyers
. All you really need is to iterate over the target password and brute force for valid characters
#!/usr/bin/env python2
import stringarray = "maduiersnfotvbyl"
final = ""
for c in "flyers":
for w in string.ascii_lowercase:
index = ord(w) & 0xF
lookup = array[index]
if lookup == c:
final += w
break
print("Phase 5 password: " + final)
Two more levels to go. By now you’re starting to get a feel for how r2 works and the ideas behind the design. It doesn’t reinvent the wheel, but it’s still an incredibly robust framework that can easily compete with commercial and government tools.
Next: CMU Bomb Lab with Radare2 — Phase 6
Links
Unorganized Random Tips for r2
MalwareTech’s (the guy who stopped WannaCry) Binary Challenges