CMU Bomb Lab with Radare2 — Phase 5

5 min readJul 13, 2019

Ok, I lied about cheating through everything in this challenge. We will 100% do Phase 5 properly since it focuses on basic reverse engineering. As you may have heard, r2 is great at RE.

If you missed the other posts in this series, here they are:

CMU Bomb Lab with Radare2 — Phase 1

Hello world. In the interests of putting more Radare2 content out there, here’s a noob friendly intro to r2, for those…

medium.com

CMU Bomb Lab with Radare2 — Phase 2

Reverse Engineering with r2

medium.com

CMU Bomb Lab with Radare2 — Phase 3

Welcome back! This series would get boring if all we did was patch instructions, so let’s try actually doing this…

medium.com

CMU Bomb Lab with Radare2 — Phase 4

Phase 4 is my least favourite phase, but it’s not so bad when your goal is cheating.

medium.com

Start off as we always do. Load the binary, analyze it, print sym.phase_5. At a glance it’s another mess, but if you break it up into parts, the solution is easily scriptable in 10–15 lines of Python.

|     0x0040107a       e89c020000        call sym.string_length
|     0x0040107f       83f806 cmp        eax, 6 ; r12
| ,=< 0x00401082       744e              je 0x4010d2
| |   0x00401084       e8b1030000        call sym.explode_bomb

Our solution is 6 chars. No problem.

| .. — ->  0x0040108b  0fb60c03      movzx ecx, byte [rbx + rax]
| ::||     0x0040108f  880c24        mov byte [rsp], cl
| ::||     0x00401092  488b1424      mov rdx, qword [rsp]
| ::||     0x00401096  83e20f        and edx, 0xf
| ::||     0x00401099  0fb692b02440. movzx edx, byte [rdx + obj.array.3449]
| ::||     0x004010a0  88540410      mov byte [rsp + rax + 0x10], dl
| ::||     0x004010a4  4883c001      add rax, 1
| ::|| ; r12
| ::||     0x004010a8  4883f806      cmp rax, 6
| `====<   0x004010ac  75dd          jne 0x40108b

Let’s look at the key parts.

0x0040108b — rbx and rax are being used to index through
0x00401096 — a binary & is applied to edx
0x00401099 — rdx is used as an index for an array?
0x004010a8 — Check to see if we’re done

We’re getting dangerously close to doing math, so let’s start debugging and placing breakpoints to figure out what’s going on. I bet you were wondering when we’d talk breakpoints. Well here we go.

Break points

Breakpoints are set in Debug mode from the r2 command line with db [address]. If you do not specify a function or address, db will place a breakpoint at the cursor. You can also set breakpoints in Visual and Graph with F2. Resume/Continue code execution with the dc — (D)ebug (C)ontinue Execution. Obviously that’s a handy command when you’re working with breakpoints and you’ll be using it often.

Visual and Graph mode let you toggle a cursor, which allows you to move around and run commands without having to seek or specify and address. Press the c key to toggle the cursor on/off.

It’s worth mentioning r2 has a Visual mode designed for debugging. Not only does it show you the stack and registers, you can use the cursor c and TAB to select different panes, and p to change the pane’s content.

Don’t forget your cursor works between r2 panes. Use TAB to change pane, then p to change the content

Let’s recap that for those with ADD:

db [address]               # Set breakpoint at specified address
F2                         # Set a breakpoint at cursor
dc                         # Continue code execution
c                          # Toggle cursor in Visual/Graph mode
TAB                        # Switch panes in Visual/Graph mode
p                          # Change print mode in Visual/Graph mode

Add abcdef as your Phase 5 solution in answers.txt, load the binary in r2’s Debug mode, run analysis, thendcu sym.phase_5. Now switch to Visual mode with v, cycle the print mode with p until you see the disassembled function, toggle your cursor with c, then finally move down to the movzx edx, byte [rdx + obj.array.3449] and press F2 to place a breakpoint. Press dc to continue until the breakpoint.

It looks like rdx is being used to select a single character in the object array. Use ps @ obj.array.3449 to print the array

So essentially, our input has a binary &applied to it, and the result is used as an index to select a character from an array. Something like:

array = “maduiersnfotvbyl”
final = ""for letter in user_input:
    index = letter & 0xF
    final += array[index]

sym.phase_5 calls a few functions after the loop. Notice that sym.strings_not_equal takes two arguments, our string, and flyers. Disassemble sym.strings_not_equal to see that the two strings are compared, and the function returns 0 if they match.

The goal is to find a password which, after having a binary & applied, indexes with the array to matchflyers. All you really need is to iterate over the target password and brute force for valid characters

#!/usr/bin/env python2
import stringarray = "maduiersnfotvbyl"
final = ""
for c in "flyers":
    for w in string.ascii_lowercase:
       index = ord(w) & 0xF
       lookup = array[index]
       if lookup == c:
           final += w
           break
print("Phase 5 password: " + final)

Two more levels to go. By now you’re starting to get a feel for how r2 works and the ideas behind the design. It doesn’t reinvent the wheel, but it’s still an incredibly robust framework that can easily compete with commercial and government tools.

Next: CMU Bomb Lab with Radare2 — Phase 6