The exercise of this week is a bomb! A binary one, of course. The bomblab is an exercise from the UCR that I found here. I ended up finding more bombs like this one in other sites and, for me, this exercise is more challenging that the previous crackme‘s.
So, this is what the bomblab looks like. Awesome, right?
If you list the functions present in the binary, you will be presented with a considerable number of functions. Seeking to the main function, you can identify 6 phases:
- phase_strcmp
- phase_funcall
- phase_password
- phase_quick
- phase_jump
- phase_defused
Phase 1
The phase that you see in the previous image must be phase_strcmp. At this point, if you try to be lazy (just like me) and list all the string present in the binary, hoping to see something you will list lots of strings. If you read all the string, you will probably find the answer. But let’s get our hands dirty.
First one, it’s easy. You can see the answer in clear text. You can also confirm with the list of the strings in the binary, that this one is present. Let’s not waste more time with this one and proceed.
Aside note: Radare2 Allows you to use the usual commands from bash, so to search for this string, you can type iz | grep mother.
Phase 2
Rock? Paper? Scissors? Choose one!
For the second phase, the first function being called is phase_funcall. Not much happens here, only the 3 options and our input are saved somewhere in the stack, so the next function can use all these values.
After this, func_game is called. The three options are rearranged in another stack’s location, and be very careful because this order matters a lot. I advise you to write down the order in which this options are saved. It will save you lots of time.
First, this func_game function defines by which order the options are tested. Then, strings_not_equal is called to check if your input is one of the three options, first by the size of the word and, if that matches, char by char.
If your input matches one of the options, this function will exit with 0 in eax register, otherwise, eax will hold 1. So far so good. Now, func_game will check if the option that you choose is the third one, suing ebx register as a counter. If it it, you will proceed to the next phase. Remember, the goal is to skip the explode_bomb function call.
Phase 3
Password? Maybe admin… Nope, bomb exploded 🙂
For this phase, a password is required. When you enter the phase_password function, on the first line you can see an object being moved to eax register. Checking what it is we end up finding that’s a string. It sure looks like the solution and of course we’ll try it right away and… we fail! Let’s not get ahead ourselves. Let’s proceed with the analysis.
We can see the strings_equal function being called . In this one, we see our string and the solution being measured. After the second call to strlen, there is reason for our failure. The size of the solution will be decremented by 1, which means that our password must not have that last char “!” in order to pass the compare condition. The rest of the code is just for checking if every char matches.
One last thing. At the end of this function, eax will have 1 if the strings match, 0 otherwise (The opposite of strings_not_equal, of course).
Phase 4
The 4th phase starts by calling the read_six_number function, which will ensure that you provided six numbers matching the format ‘%d %d %d %d %d %d’. If you don’t follow the format… BOOM!
After this, it gets tricky. When you return to phase_quick you discover that the numbers provided are part of a sequence, where the step is incremental.
Having said that, the first number does not matter. The second must be the first number plus one, the third number must be the previous plus two and so on. It was fun cracking this one.
Phase 5
Last one!
If you check one of the arguments passed to sscanf function, you will notice the format ‘%d %d’. So, our input must be composed by two numbers. Then, you’re presented with a switch-case which has 9 cases, including the default one, the explode_bomb. That ugly jump at 0x08049295 address is just the jump to one of the lines below, according the value that you gave and which is saved in eax.
Secret Phase
If you take a closer look, in every phase and a few lines before the read function, the obj.cur_phase is incremented. This “variable” keeps track of the phase where we are. phase_defused contains the code to the secret phase, but will only be reachable if the obj.cur_phase is 8, which never happens. So there is no way of this piece of code being executed without changing the code.
This time, I won’t do that. Maybe later on, I will update this article in order to make this function executable.
Solution for BombLab
Did you get all the solutions? Let’s see…
Phase 1 – What is your mother’s maiden name
Phase 2 – paper
Phase 3 – P@s$wOrd
Phase 4 – 1 2 4 7 11 16 (could be different numbers)
Phase 5 – 0 603 (or 1 562, 2 642, 3 364, 4 687, 5 712, 6 326 or even 7 807)
That wasn’t so difficult. This BombLab is nailed!