Defusing the Binary Bombs!

My write-up to CMU bomb labs…..

Introduction

The exercise is basically an ELF-executable. It contains 6 phases . To pass through each phase one has to input the correct string within the given interval or else the bomb defuses.In order to get an idea of the functions in the executable , type :

>> objdump -t bomb

This loads displays its symbol table and thus we get an idea of the functions.

One has to enter the correct string for each phase upon which one moves to the next phase .Entering the wrong string causes the bomb to defuse.

Phase 1 :

The first bomb was basic string comparison. The function phase_1 :

The strings_not_equal function checks for equality of inputted string with the parameter string .

One can easily see on examining its parameter one can easily that it is the password

Writing this to a text file and running the bomb with the text file as input :


Thus Phase 1 is passed.

Phase 2 :

The disassembly of phase 2 is as follows :

Examining the function read_six_number():

We see it pretty much does nothing other than checking if there are 6 numbers in the input string separated by space.

After the execution of the above function the stack( for a random input say 1 2 3 4 5 6) is as follows :

the line phase_2 +14 checks whether the first four bytes of rsp that is the first digit we entered is one. If yes , it jumps to phase_2 + 52 where the second digit we enters is loaded into rbx.

The following lines check if the current digit is double the previous :

Thus from our analysis we note 3 main points :

  • The input should contain 6 numbers separated by space.
  • The first digit is one
  • Each digit is double the previous one.

Thus the password is : 1 2 4 8 16 32

Let’s give it a try :

And Voila!

Phase 3 :

This phase is pretty simple .The disassembly of phase_3 is as follows:

We can see that the input for scanf must contain two integers :

In line phase_3+39 it checks whether the first digit is 7 . If so it jumps to the phase_3 +99 where it checks if the second digit is equal to 0x147 or 327 .

Thus the password is : 7 327

Trying it out :

And we passed phase 3…

Phase 4

We can see from the parameters of scanf that we have to enter two integers:

In Line 34 it is checked whether the first digit is less than or equal to 14. Line 69 checks if second digit is equal to 0.

Thus we see 1st digit is less than 14 and 2nd digit is equal to zero.If the first digit is less than 14 then func4 is called with 0xe(in edx), 0x0(in esi) and 1st digit of our input (in edi) passed as arguments .Lets enter into func4 :

0xe(16) is passed as one of the arguments. After the execution of lines till func4+17 16 is right shifted by one unit .So value of ecx becomes 7. That is compared with the first digit of our input (which is stored in edi). Analyzing the code we find that first it is checked whether ecx less than or equal to edi.If false then it is checked if it is greater than or equal to edi. If it is either less than or greater than edi the function is called again recursively. We see that the function exits only if ecx is exactly equal to edi .Till then the function is called recursively. With each function call the ecx value is shifted to right by 1 bit .i.e the possible values of ecx are : 7 , 3 ,1 and 0 .

Thus the possible values of 1st digit for which the bomb will be defused is : 7,3,1 and 0 . Thus the possible values for the passwords are :

‘7 0’, ‘3 0’, ‘1 0’and ‘0 0’
Let us try these..I am trying the second one for now :

So we successfully move on to phase_5 .

Phase 5

The function initially checks if the length of input is 6 (line 29)

Phase 5 basically performs the following checks.

  • Checks if length of input string is 6.(line 17-29)
  • Generates a word based on our input .(line 41-70)
  • Checks if the word so generated is equal to the word in location 0x40245e (‘flyers’)(line 76-100)

Let’s go into the details of each.

STEP 1 :Length of string is checked in string_length function.It should be equal to 6

STEP 2 :Next is word generation.

Let us take our input to be ‘bb23n5’. There is a string in memory location 0x4024b0 :

Each character of our input is and-ed with 0xf . The result will be two digit number.Let the the last digit of the result be i. The new word is formed by taking the ith letter of the above string. This is repeated for 6 times .

In my example , the first character is ‘b’ .On and-ing it with fifteen we get 0x62 which is the ascii value of ‘b’. The value of i is 2 in this case. The ith letter(starting from0) is ‘d’ in the given string. Thus the 1st letter of the newly formed word is ‘d’. This is done for all 6 characters.

STEP 3 :

The newly formed word is compared with word in memory location 0x40245e (‘flyers’)

A bit of analysis and we find that the values of i should be {0x9,0xf,0xe,0x5,0x6,0x7}.So the passphrase is such that the last digit of the ascii character is in the following set . Looking up values in the ascii table , two of the possible values of passphrase are :‘ionefg’,’Yonuvw’

Giving it a try……

Phase 6

Disassembling phase_6 we see first it reads 6 numbers . So we have to enter 6 numbers :

Line 23 to 93 reads each number we entered one by one .It checks if each number we enters is less than 5 :

Then it compares each digit with the rest of the digits to see if it is uniques .i.e no number should be repeated in the input.

Now our input is modified in such a way that each number is replaced by its difference with the number 7:

Going through the code we see that at a certain point an unknown memory address is moved to edx at line 143:

Examining that memory address we see that it is a linked list.

Now we understand the code more .We see that it arranges the elements of the node according to the input given by the user :


It compares the number from the second row I gave above while examining the memory address and the numbers of our input and arranges them in the same order as the modified input.

It then get the last bits of the linked list after rearrangement and checks whether the last four bytes of each are in descending order.

Taking a look at the linked list we see that in order to be arranged in descending order the order in which it should be arranged is : 3 4 5 6 1 2 .Thus our input should be its difference from 7 .i.e 4 3 2 1 6 5 . Trying it out :

Now we move on to the secret phase.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s