Disable the bomb with Radare2

Good day,% username%! Today we will go to study the countless possibilities of the framework for the reverse - radare2. In the form of the test subject, I took the first bomb that fell from the site of Carnegie Mellon University.

What is it all about?

Radare2 (aka r2) is an open source cross-platform framework for exploring binary files (initially, by the way, a hex editor). The main competitor of this is the well-known IDA Ilfak, but, alas, for the student it is expensive, and the free version with x86-64 is not friendly. And the radar seems to be cooler .
A binary bomb or just a bomb is an executable file for training that receives a certain number of lines, and, in case all lines are tested, congratulates the young analyst. These are the so-called levels or phases, we have 6 of them.

A little more about the framework

Radare2, as already mentioned, is a framework, not just a disassembler. It includes a bunch of different tools like debugger, hex editor, compiler, search for ROP gadgets and much more. For non console lovers, it also has two raw frontends, the WebUI ( $ r2 -c "=H" file ) and Bokken .
Manual as usual is in man, as well as for each command by adding after it "?". For example, “pd?” Will give descriptions of commands starting with pd.

Some links on the topic:

• Off site
• Free book
• Github
• Blog
• Cheatsheet . UPD: and another one in pdf
• Migration guide for hard-core ideas
• IRC channel on freenode

Here we go!

In addition to the executable file itself, we were kindly provided with a file with source codes. However, all that is there - initialization of input, call phases, and funny comments. The remaining functions are drawn from the corresponding headers, which we do not have.

After starting r2, he meets us with a random phrase. Then he sets the current entry-point pointer and waits for the command. The -A flag when opening a file immediately analyzes it.
The same can be done with a block of commands starting with a ), for example afl - gets a list of functions from a binary. ~ - analogue grep-a (filter). We will look for our functions from him.

 $ r2 -A bomb -- In soviet Afghanistan, you debug radare2! [0x00400c90]> afl~phase 0x00400ee0 28 3 sym.phase_1 0x004015c4 149 8 sym.phase_defused 0x00400efc 71 8 sym.phase_2 0x00400f43 139 8 sym.phase_3 0x0040100c 86 7 sym.phase_4 0x00401062 146 9 sym.phase_5 0x004010f4 272 26 sym.phase_6 0x00401242 81 5 sym.secret_phase 

Level 1

Miraculously, all the functions from the source in place, but at the same time also found the secret phase. Let's finally see the contents of the first level. You can do this by moving the pointer to a specific address of the function, and then output the required number of opcodes for disassembling.

 [0x00400c90]> s 0x00400ee0 #    's' -   [0x00400ee0]> pd 8 #  8     

Since The output of r2 from the box is just perfect, for clarity, I will post assembler listings in the form of pictures.

Please note that the radar provided us with XREFs (that’s where the control can be transferred from) with jump mnemonics. In addition, I substituted a line at the specified address and, most importantly, in the form of ascii arrows, showed transitions in the block.

Even without delving into it, it becomes clear that the first line we need is “Border relations with Canada”. And by itself, when fed to her bomb, she lets us into the second phase.

 $ ./bomb Welcome to my fiendish little bomb. You have 6 phases with which to blow yourself up. Have a nice day! Border relations with Canada have never been better. Phase 1 defused. How about the next one? 

Level 2

The second variant of the output of the disassembled function is using absolute addressing / labels. For example, the second phase - it will look like this:

 [0x00400ee0]> pdf @ 0x00400efc 

or if the address is not known:

 [0x00400ee0]> pdf @ sym.phase_2 

Our ultimate goal is not to detonate a bomb, i.e. Do not make calls to call sym.explode_bomb , so we will make a start from this. Therefore, both je jumps should always work with us.
The first thing that stands in our way is a call to sym.read_six_numbers . Accordingly, after this call at the top of the stack should be one. Let's see what happens in this function.

Previously, r2 parsed files for functions based on the ret opcode, which often led to the output of several functions (for example, if there are exit () system calls). In such cases, when the radar incorrectly determines the function, you can do it manually.

 [0x00400ee0]> s 0x0040149e #       [0x0040149e]> af+ sym.read_six_numbers `?vi $$-sym.read_six_numbers` rsn #   rsn,    sym.read_six_numbers   . 

By the way, in this example, another command was used as the argument of the first one using paired brackets `` .
Nothing interesting happens in the function itself; it takes 6 numbers from the read string and writes them in order to the passed pointer. Then makes sure that the numbers are greater than 5.
In C, it would look something like this:

 void read_six_numbers(char *str, long long *p) { if (sscanf(str, "%d %d %d %d %d %d", p, p+1, p+2, p+3, p+4, p+5) <= 5) explode_bomb(); } 

')
Let's go back to our phase_2 function. A pointer to an array is passed a pointer to the top of the stack ( mov rsi, rsp ). Therefore, the first number in the line should be - 1.
As you can see there are a lot of transitions. The IDA user would most likely press the space bar and look at the transition graph. You will not believe, but here they are too. Like vim, there is visual-mode (command V ) and in it there is the same transition graph, also on command V (or VV at once). Exit from each mod - q

It is displayed perfectly, with a minimum of intersections (compared to previous versions). You can move this miracle with arrows, or vim-like 'hjkl' . If you do not like the location of the blocks, you can also move the hotkeys Shift + 'hjkl' . This moves the selected block (blue), you can select it Tab / Shift-Tab .
In the first block, a pointer to the second number is written in rbx , and in rbp - at the end of the array of numbers. And control is thrown on a cycle in which neighboring numbers are compared in pairs.

 mov eax, dword [rbx - 4] ;     eax add eax, eax ;   cmp dword [rbx], eax ;    je 0x400f25 ;  ,   call sym.explode_bomb ;  ,    add rbx, 4 ;      cmp rbx, rbp ; ,      jne 0x400f17 ;  ,     jmp 0x400f3c ;   

It turns out that we need to enter a sequence of powers of two from 1 to 32. Excellent, but still check that this is what you need.

 $ ./bomb ... Phase 1 defused. How about the next one? 1 2 4 8 16 32 That's number 2. Keep going! 

Level 3

Probably now a person far from an assembler, in epileptic seizures, is trying to get a cross on the edge of the window. In fact, there is nothing to be afraid of, just like this is the most common switch-case block.
Numbers are read in the same way as in the previous case, only without calling a function and only two. They are stored in [rsp + 8] and [rsp + 0xc], respectively.
Then there are checks that both numbers are read successfully, as well as the first argument is not more than 7. After that, the switch goes to the address 0x402470 with an offset (the number entered) * 8.
It is not difficult to guess that the addresses of the case tags are there. In order not to be unfounded, let's see what really lies there. This can be done using the px command groups. In this case, we are interested in 8-byte words ( Q uad-word).

 [0x0040149e]> pxQ 72 @ 0x402470 0x00402470 0x0000000000400f7c sym.phase_3+57 0x00402478 0x0000000000400fb9 sym.phase_3+118 0x00402480 0x0000000000400f83 sym.phase_3+64 0x00402488 0x0000000000400f8a sym.phase_3+71 0x00402490 0x0000000000400f91 sym.phase_3+78 0x00402498 0x0000000000400f98 sym.phase_3+85 0x004024a0 0x0000000000400f9f sym.phase_3+92 0x004024a8 0x0000000000400fa6 sym.phase_3+99 

Actually, as expected, although not quite consistently. Next comes the verification of our second number with the magic one that was written in eax with the switch. Since the input in decimal basis will have to be converted from hex. You can calculate it using rax2 (analog calculator) through a shell call, as well as directly, through the built-in calculator (hotkey - ? ), Without creating new programs. And, in order not to constantly press enter, you can group commands just like in a bash.

 [0x0040149e]> !rax2 0xcf 207 [0x0040149e]> ?vi 0x2c3; ?vi 0x100; ?vi 0x185; ?vi 0xce; ?vi 0x2aa; ?vi 0x147; ?vi 0x137 707 256 389 206 682 327 311 

Total possible solutions will be:

• 0 207
• 1,311
• 2,707
• 3,256
• 4,389
• 5,206
• 6,682
• 7,327

And once again make sure, on an arbitrary version, that everything works:

 $ ./bomb ... That's number 2. Keep going! 4 389 Halfway there! 

Level 4

Recursion appears at this level. In addition to the built-in ASCII-graphs, it is also possible to get graphs as files for the dot utility, and then, for example, convert to png.

 [0x0040149e]> ag sym.func4 > func4.dot [0x0040149e]> dot -Tpng -o func4.png func4.dot 

If all this is translated into C, it will look almost not so scary.

 void phase_4(char *str) { int x, y; if (sscanf(str, "%d %d", &x, &y) != 2 || x > 14 || func4(x, 0, 14) || y != 0) explode_bomb(); } int func4(int x, int y, int z) { unsigned diff = (z - y)/2; int p = y + diff; if (p > x) { func4(x, y, p-1); return diff * 2; } else if (p < x) { func4(x, p + 1, z); return diff * 2 + 1; } return 0; } 

The simplest and most obvious solution is that the func4 function returns 0 when it does not go inside an else-if. User input controls only x , and p = 7 at the first entry. Accordingly, when x = 7, the function simply returns 0, without recurrent calls. The second variable is strictly set to zero. We will see this.

 $ ./bomb in.tmp ... Halfway there! 7 0 So you got that one. Try this one. 

Level 5

It will be more difficult with this, a lot of code is piled up here.
In 0x00401073 the canary is written on the stack. Similar information about the binary can be obtained using the i command. For example, i ~ canary will return true in this case.
After that, the return value of string_length is compared with 6 and the hard-to-analyze spaghetti code begins. Dealing without a debugger with this is long and difficult, so it would be a sin not to use it. To do this, open the file with the debug flag or at startup:

 $ r2 -Ad bomb 

or simply reopening the file:

 [0x0040149e]> ood 

The address of the pointer will automatically change to the first opcode in the entry-point, which is already loaded into memory. As usual we set breakpoints and continue execution to them.

 [0x7f2960b99d80]> db sym.phase_5 #  s sym.phase_5; db $$ [0x7f2960b99d80]> dc #    1  

Then there are 2 ways to analyze: the first is to use the d / db command block, the second is to switch to Visual-mode. The first method is not so visual, so let's stop on the second.
As before, go to Visual-mode, and then select the required debug-layout for debugging hotkeys p / P.
You can mix by code using n / N - next / previous function; j / k is the next previous opcode.
And the most interesting: b / F2 - set breakpoint, s / F7 - step in 1 opcode, S / F8 - step in 1 opcode without entering the call, F9 - continue until breakpoint.

In total, after feeding several lines to the debugger, it is not difficult to guess what is happening there.
For each character from our string modulo 16, the corresponding character is taken from the string char *s = "maduiersnfotvbyl" and the resulting string is compared to "flyers".
Actually, our task is to find such characters whose indices in str give the search string.
A string of flyers can be obtained uniquely: {s [0x9], s [0xe], s [0xf], s [0x5], s [0x6], s [0x7]}. I think that not everyone keeps the ASCII table in his head, so you can again refer to the rax2 utility for help. With the -s option, it converts from hex to string. Since characters are taken modulo 16, then for aesthetics, you can choose printable values.

 $ rax2 -s 49 4e 4f 45 46 47 INOEFG 

 $ ./bomb ... So you got that one. Try this one. INOEFG Good work! On to the next... 

The last one

Since the article was too big, I will not consider all the phases. In particular, I will omit the 6th phase, because there is a lot of painstaking understanding without the direct participation of the framework. Let it remain the most inquisitive homework.
Getting into the secret phase is not so easy, so simplify your life by patching the binary. We will have to reopen the file, issuing write permissions with the -w flag, or rediscover it using oo + without leaving r2.

 $ r2 -Aw bomb -- Did you ever ordered a pizza using radare2? [0x00400c90]> s 0x00400ec6 # call sym.phase_6 [0x00400ec6]> wa call sym.secret_phase #    [0x00400ec6]> pdf @ sym.secret_phase; pdf @ sym.fun7 

Again, a recursive function appears and this time it is not so easy to bypass it, because without recursive calls the desired value is as simple as it was last time, not to receive. ASCII graph can simplify life again.

The analysis gives approximately the following analogue in C:

 void secret_phase() { long num = strtol(read_line()) - 1; if (num > 0x3e8 || fun7((long*)(0x6030f0), num) != 2) explode_bomb(); puts("Wow! You've defused the secret stage!"); phase_defused(); } int fun7(long *array, int num) { if (array == 0) return -1; if (*array <= num) { if (*array == num) return 0; // 1 else { return 2 * fun7(array + 1, num); // 2 } } else { return 2 * fun7(array + 2, num) + 1; // 3 } } 

So, to get exactly two at the output of fun7 , we need to first call ret on line 2 , then at 3 and finally at 1 . There remains only one mystery - that is stored at 0x6030f0 .

Here 8-byte variables are stored in blocks of 4. The first is used to compare with our number; the second and third are pointers to the following characters for comparison; the fourth is just padding, not used.
Now you can expand all the conditions and find the desired variable.

• 2 ret : num <0x24
• 3 ret : num> 0x08
• 1 ret : num == 0x16

 $ ./bombSec in.tmp ... Good work! On to the next... 22 Wow! You've defused the secret stage! Congratulations! You've defused the bomb! 

Ehu, we made it! Humanity can live in peace . Despite the fact that the article came out a bit too big, quite a lot of framework features were not covered, so those interested can still discover a lot for themselves. Also, I will be glad to hear ideas for possible continuation.