
CMU Binary Bomb: Phase 2

This is part of a series of walk-throughs for the CMU Binary Bomb Lab. You can find Phase 1 here.

Phase 2 is where things start to get a little interesting. Taking a quick look at the body of the phase_2 function, as we did in the first phase, there is some useful information to be obtained here:


There are a few useful bits of information in here. The first is the glaringly obvious function name:

0x08048b5b    e878040000   call sym.read_six_numbers

So it’s not a stretch to think that this phase takes six numbers as its input. The function itself confirms this:

Since scanf() is being called with a format string, dumping the string at that memory location gives some insight into how the user input is parsed:

[0x080488e0]> psz @ 0x08049b1b
%d %d %d %d %d %d

So six decimal integers are what we’re looking for. The CMP instruction that follows indicates that if fewer than 5 numbers are supplied, the bomb will explode.
Going back to phase_2, the next important part is the next CMP instruction before the explode_bomb call.

Writing out the pseudocode for this is helpful. The ESI register indicates we’re probably dealing with an array of some sort: EBP-0x18 is where the series of numbers is stored, and EBX is a counter starting at 1 and ending at 6, which looks like a loop.

This means the pseudocode is likely something like this:

function phase_2(number_array) {
  if (number_array[0] != 1) {
    explode_bomb()
  }
  esi = number_array;                 // base of the six numbers (EBP-0x18)
  for (ebx = 1; ebx < 6; ebx++) {
    eax = ebx + 1                     // multiplier for this position
    eax = eax * *(esi + ebx*4 - 4)    // previous element times (ebx+1)
    if (*(esi + ebx*4) != eax) {      // compare against current element
      explode_bomb()
    }
  }
}

Doing a little more cleanup:

function phase_2(number_array) {
  if (number_array[0] != 1) {
    explode_bomb()
  }

  for (x = 1; x <= 5; x++) {
    current = number_array[x-1] * (x+1)
    if (number_array[x] != current) {
      explode_bomb()
    }
  }
}

So the first number needs to be 1, and each subsequent number must equal the previous number * (current position + 1). This makes the sequence:

1 (1*2) (2*3) (6*4) (24*5) (120*6)

= 1 2 6 24 120 720
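To check the reasoning end to end, here is an added C re-implementation of both pieces discussed above: a read_six_numbers stand-in that parses a line with the same "%d %d %d %d %d %d" format and enforces the count check, and the cleaned-up phase_2 loop. This is example code written for this walkthrough, not the bomb's own source or the author's code; the names phase_2_passes, phase_2_solution_line and phase_2_from_line are hypothetical, and the sample input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NUM_COUNT 6

/* Stand-in for read_six_numbers: parse with the bomb's format string and
 * return how many decimals sscanf matched (the caller decides whether to
 * "explode"). Hypothetical re-implementation, not the bomb's code. */
int read_six_numbers(const char *line, int out[NUM_COUNT]) {
    int n = sscanf(line, "%d %d %d %d %d %d",
                   &out[0], &out[1], &out[2], &out[3], &out[4], &out[5]);
    return n < 0 ? 0 : n;      /* sscanf returns EOF on an empty line */
}

/* Mirror of the cleaned-up pseudocode: 1 when the six numbers defuse the
 * phase, 0 when any comparison would have called explode_bomb(). */
int phase_2_passes(const int nums[NUM_COUNT]) {
    if (nums[0] != 1)
        return 0;
    for (int x = 1; x <= 5; x++) {
        int expected = nums[x - 1] * (x + 1);   /* previous * (position + 1) */
        if (nums[x] != expected)
            return 0;
    }
    return 1;
}

/* Build the only sequence that passes: each entry is the previous one times
 * (index + 1), i.e. the factorials 1 2 6 24 120 720, formatted as one
 * input line in a static buffer. */
const char *phase_2_solution_line(void) {
    static char buf[64];
    int sol[NUM_COUNT];
    sol[0] = 1;
    for (int x = 1; x < NUM_COUNT; x++)
        sol[x] = sol[x - 1] * (x + 1);
    snprintf(buf, sizeof buf, "%d %d %d %d %d %d",
             sol[0], sol[1], sol[2], sol[3], sol[4], sol[5]);
    return buf;
}

/* Full pipeline for one typed line: parse, apply the count check from
 * read_six_numbers, then run the phase_2 comparison loop. */
int phase_2_from_line(const char *line) {
    int nums[NUM_COUNT] = {0};
    if (read_six_numbers(line, nums) < NUM_COUNT)
        return 0;               /* too few numbers: explode_bomb() */
    return phase_2_passes(nums);
}

int main(void) {
    const char *samples[] = {          /* constructed inputs */
        phase_2_solution_line(),
        "1 2 6 24 120 721",            /* last element off by one */
        "1 2 6 24 120",                /* only five numbers */
        "2 4 12 48 240 1440",          /* right ratios, wrong start */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %s\n", samples[i],
               phase_2_from_line(samples[i]) ? "defused" : "BOOM");
    return 0;
}
```

Running it prints "defused" only for the factorial line; the other three samples show which of the two checks (count or ratio) trips, which is a handy way to confirm the pseudocode before typing an answer into the real bomb.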

Boom! Done.
