Binary Bomb

ECEN 324 - Lab Assignment 2: Defuse a binary bomb.

Introduction: The nefarious Dr. Evil has planted a slew of "binary bombs" on our machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating (and you lose 1/4 point per explosion). The bomb is defused when every phase has been defused.

The textbook appears to be so widely used that there's a lot of help out there when it comes to this lab. We found some notes that I thought were helpful as we reverse engineered our way to defusing the bomb. Thought I should pay it forward by posting some of my own thoughts.

So, our mission was to defuse Dr. Evil's binary bomb (bomb #39). We used GDB, the GNU debugger, to inspect the bomb by running it and stepping through the assembly code during each of the 6 phases, cracking each phase one at a time. The total project took almost eight hours for the two of us to finish.

------------------- phase_1 -------------------

This phase was fairly easy. We could tell it was expecting a string right off the bat, then noticed that the solution string starts at a location 0xXXXXXXX (you'll have to look at the debugger) and is compared against the input string. Thus, the solution to phase_1 is one of the strings in the file. You could just guess and check here, too; brute force should get the job done at this phase. We determined our string to be 48 characters long, then looked in the bomb file and found only one string that was 48 characters long.

Solution: I am not part of the problem. I am a Republican.

------------------- phase_2 -------------------

This one was rather tricky after an easy phase one. First, we found that it was looking for 6 numbers, since scanf was reading 6 values. We eventually figured out that the code consisted of a repeat of 3 decreasing numbers: 10 9 8 10 9 8, for example. That did the trick for us.

Solution: 10 9 8 10 9 8

------------------- phase_3 -------------------

This was the hardest phase for us. We seriously took 2 hours, then took a break for the day, came back the next day and spent another 45 minutes before we got it. I wish I could explain more, but my lab partner carried us through this step. Our code was cracked by a single-digit number followed by a 3-digit number we had to decipher.

Solution: 6 227

------------------- phase_4 -------------------

On this phase we could immediately tell there would only be one input needed to defuse it. Looking into it a little further, we found that 7 was being stored in %eax and also put into %edx, doing some sort of n^n type deal. Ours was calculating 7^n, so the code was simply n. Not too bad.

Solution: 4

------------------- phase_5 -------------------

This phase was really cool. Basically it was like solving the puzzle on the back of a cereal box. By inputting characters you'll see a code emerge, i.e. each letter actually represents another character. For example, in our case we eventually found:

  • a-s
  • b-r
  • c-v
  • d-e
  • e-a
  • f-w
  • g-h
  • h-o
  • i-b

And so on... We looked at the numbers each character was being compared against and deciphered our code.

Solution: aepkmq

------------------- phase_6 -------------------

Guess and check! Seriously... this is the only way to get this phase. By looking at the scanf calls and compare methods we could tell that it was expecting six numbers, all of which had to be 6 or less, non-repeating, nonnegative, nonzero numbers. We tried for hours (really) to figure it out and finally got somewhere by guessing and checking. Since we only had six possibilities and numbers can't be reused, this ended up being the best way to decipher the code. Once we could tell we had got past the first number it became easier, because there were fewer options for the next number, since the numbers can't repeat. After some good guessing and checking we finally got it.

Solution: 3 2 5 4 1 6

Done! Like I said above, it took the two of us almost 8 hours to finish. There are probably people out there who can do it in half that time, but we defused the bomb and saved the world, so I'm happy. If anyone has any input, corrections or questions just send me an email.
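The phase 6 search the post describes has two properties worth making concrete: the input space is the permutations of 1..6 (only 720 candidates), and knowing how many leading numbers the bomb accepted before bailing out shrinks the search dramatically, because a fixed prefix cannot be reused. The script below is an added example, not the bomb's own check: `prefix_accepted` is a constructed stand-in oracle that reports how many leading positions match a hidden permutation (in the lab, that information comes from stepping the comparison loop in gdb and seeing where it jumps to the explode routine), and the post's own answer is only used here as that hidden permutation. `blind_search` walks the 720 permutations in order; `prefix_search` uses the prefix feedback the post mentions and needs at most 6+5+4+3+2+1 = 21 tries.

```python
import itertools

# Stand-in for the unknown check in the binary; constructed for this example.
SECRET = (3, 2, 5, 4, 1, 6)


def prefix_accepted(guess, secret=SECRET):
    """Constructed oracle: how many leading positions of `guess` the check accepts.

    A guess shorter than six numbers is allowed; it is judged only on the
    positions it supplies. This models watching the bomb in a debugger and
    noting at which element the comparison loop fails.
    """
    accepted = 0
    for g, s in zip(guess, secret):
        if g != s:
            break
        accepted += 1
    return accepted


def blind_search(secret=SECRET):
    """Try permutations of 1..6 in lexicographic order with no feedback.

    Returns (permutation, number_of_tries). Worst case is 720 tries.
    """
    tries = 0
    for perm in itertools.permutations(range(1, 7)):
        tries += 1
        if prefix_accepted(perm, secret) == len(secret):
            return perm, tries
    return None, tries


def prefix_search(secret=SECRET):
    """Extend an accepted prefix one position at a time, never reusing a number.

    Returns (permutation, number_of_tries). Worst case is 21 tries.
    """
    prefix, tries = [], 0
    while len(prefix) < len(secret):
        for n in range(1, 7):
            if n in prefix:            # numbers can't repeat
                continue
            candidate = prefix + [n]
            tries += 1
            if prefix_accepted(candidate, secret) == len(candidate):
                prefix = candidate     # this position is right; move on
                break
        else:
            raise RuntimeError('no extension accepted; oracle is inconsistent')
    return tuple(prefix), tries


if __name__ == '__main__':
    print('blind :', blind_search())
    print('prefix:', prefix_search())
```

Both searches land on the same permutation; the difference is the number of attempts, which is what the post's "it made it easier" observation amounts to.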

Disclaimer: I'm posting the solutions here to help show the general format, and as a personal record (in case I still fail the class). There are at least 60 different bombs one could be assigned, each varying in approach and solution. The chances of these solutions working elsewhere are slim.