This is part of a series of walk-throughs for the CMU Binary Bomb Lab. You can find Phase 1 here

Phase 2 is where things start to get a little interesting. Taking a quick look at the body of the phase_2 function as we did in the first phase, there’s some useful information to be obtained here:

There are a few useful bits of information here; the first is the glaringly obvious function name:

0x08048b5b e878040000 call sym.read_six_numbers

So it’s not a stretch to think that this phase takes six numbers as its input. The function itself confirms this:

Since scanf() is being called with a template string, checking the string at that memory location gives some insight into how the user input is being processed.

[0x080488e0]> psz @ 0x08049b1b
%d %d %d %d %d %d

So six decimal integers are what we’re looking for. The CMP instruction indicates that if fewer than 5 numbers are supplied, the bomb will explode.

Going back to phase_2, the next important part is the CMP instruction immediately before the explode_bomb call.

Writing out the pseudocode for this is helpful. The ESI register indicates we’re probably dealing with an array of some sort: EBP-0x18 is where the series of numbers is stored, and EBX is a counter starting at 1 and ending at 6, which points to a loop.

This means the pseudocode is likely something like this:

    function phase_2(number_array) {
        if (number_array[0] != 1) { explode_bomb() }
        esi = number_array
        for (ebx = 1; ebx < 6; ebx++) {
            eax = ebx + 1
            eax = eax * *(esi + ebx*4 - 4)
            if (*(esi + ebx*4) != eax) { explode_bomb() }
        }
    }

Doing a little more cleanup:

    function phase_2(number_array) {
        if (number_array[0] != 1) { explode_bomb() }
        for (x = 1; x <= 5; x++) {
            current = number_array[x-1] * (x+1)
            if (number_array[x] != current) { explode_bomb() }
        }
    }

So the first number needs to be 1, and each subsequent number should equal the previous number * (current position + 1). This makes the sequence:

1 (1*2) (2*3) (6*4) (24*5) (120*6)

= 1 2 6 24 120 720
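To check the reasoning above end to end, here is an added C model of what was recovered from the disassembly (the input parsing with its "%d %d %d %d %d %d" template and count check, and the phase_2 loop), together with a small solver that runs the recurrence forward to produce the expected input. This is example code written for this walk-through, not the bomb's own source; the function names phase_2_accepts, phase_2_solution and phase_2_defused are assumed names, and the sample input lines are constructed.

```c
#include <stdio.h>

/* Added example, not the bomb's code: a C model of the checks recovered
 * from the disassembly, plus a generator for the expected input. */

/* Model of read_six_numbers: parse with the "%d %d %d %d %d %d" template
 * seen at 0x08049b1b. The bomb compares scanf's return value against 5,
 * so anything that does not parse all six fields counts as an explosion.
 * Returns 1 when six numbers were parsed, 0 when the bomb would explode. */
static int read_six_numbers(const char *line, int out[6])
{
    int n = sscanf(line, "%d %d %d %d %d %d",
                   &out[0], &out[1], &out[2], &out[3], &out[4], &out[5]);
    return n > 5;
}

/* Model of the phase_2 loop (assumed name). Returns 1 if the six numbers
 * defuse the phase, 0 if any comparison would call explode_bomb. */
static int phase_2_accepts(const int a[6])
{
    if (a[0] != 1)                 /* cmp dword [ebp-0x18], 1 */
        return 0;
    for (int x = 1; x <= 5; x++) { /* ebx runs 1..5 */
        /* eax = ebx + 1; imul eax, [esi + ebx*4 - 4] */
        int expected = a[x - 1] * (x + 1);
        if (a[x] != expected)      /* cmp [esi + ebx*4], eax */
            return 0;
    }
    return 1;
}

/* Solver (assumed name): run the recurrence forward from a[0] = 1. */
static void phase_2_solution(int out[6])
{
    out[0] = 1;
    for (int x = 1; x <= 5; x++)
        out[x] = out[x - 1] * (x + 1);
}

/* Full check of one input line, as the bomb would see it (assumed name). */
int phase_2_defused(const char *line)
{
    int nums[6];
    if (!read_six_numbers(line, nums))
        return 0;                  /* too few numbers: explode */
    return phase_2_accepts(nums);
}

int main(void)
{
    int sol[6];
    phase_2_solution(sol);
    for (int i = 0; i < 6; i++)
        printf("%d%c", sol[i], i == 5 ? '\n' : ' ');
    /* constructed sample inputs: the derived answer, a short line, a wrong last value */
    printf("full answer:  %d\n", phase_2_defused("1 2 6 24 120 720"));
    printf("five numbers: %d\n", phase_2_defused("1 2 6 24 120"));
    printf("last is off:  %d\n", phase_2_defused("1 2 6 24 120 721"));
    return 0;
}
```

Running it prints the sequence 1 2 6 24 120 720 and shows that the derived answer is accepted while a five-number line or a wrong last value would have triggered explode_bomb; the solver exists because the recurrence, not the specific numbers, is what the disassembly encodes.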

Boom! done.
