Skip to main content

Phase 1 (25 pts)

The Binary Bomb category was initially not on my focus list as I was focusing mainly on web and forensics related challenges.

However, after playing through the initial stages, I was hooked up by it and thus spent hours cracking the binary bomb. Let's get started!

Problem Statement#

Welcome to the CyberDawgs Binary Bomb challenge series! The "bbomb" binary contains a series of mini reversing challenges broken into 9 phases. Each phase becomes incresingly more difficult, but it is not required to solve a phaseto move onto the next. Simply press enter for a phase's input to skip it. Additionally,known phase solutions can be stored in a file named "flags.txt". See the binary's welcomemessage for the format and requirements. When submitting to this scoreboard, wrap the phase's solution in DawgCTF{}
Happy reversing!
Starting off easy... reversing (things) is fun!
Author: treap_teap

Binary#

The bbomb binary was provided. It can be downloaded here.

SHA1: 196d4cf3c1bfb0a577bd7efe4a7d02610a17e364

Solution#

Firstly, we try running the binary to see if there is anything which stands out. starting instructions

Next, we load the binary into Ghidra to perform some basic static analysis.

Ghidra Analysis#

From the decompiled code, we can roughly understand that the main function goes through the 9 different phases and will check the return value.

If the return value is 0, then it will trigger the explode() function while a value of 1 will trigger success in the defuse() function.

Main Ghidra

Breaking Phase 1#

Let's look at what Ghidra tells us!

phase1(undefined8 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,      undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 param_8,char *param_9)
{  char *__s;  size_t index;  size_t len_of_target;  undefined8 in_R8;  undefined8 in_R9;  undefined4 extraout_XMM0_Da;  undefined in_stack_ffffffffffffffb8;  undefined4 result;  int counter;    puts(      "\nStarting off easy... reversing (things) is fun! (Wrap all flags in DawgCTF{} when submitting to the scoreboard)"      );  result = 1;  __s = (char *)calloc(0x29,1);  getInput(extraout_XMM0_Da,param_2,param_3,param_4,param_5,param_6,param_7,param_8,1,param_9,           &DAT_001028d1,__s,in_R8,in_R9,in_stack_ffffffffffffffb8);  counter = 0;  len_of_target = strlen(__s);  while( true ) {    index = strlen("Gn1r7s_3h7_Gn15Rev3R");    if (index <= (ulong)(long)counter) break;    index = strlen(__s);    if (index <= (ulong)(long)counter) break;    if ("Gn1r7s_3h7_Gn15Rev3R"[counter] != __s[(long)((int)len_of_target - counter) + -1]) {      result = 0;    }    counter = counter + 1;  }  len_of_target = strlen("Gn1r7s_3h7_Gn15Rev3R");  if ((long)counter != len_of_target) {    result = 0;  }  free(__s);  return result;}

From the code, it is evident that the programme is accepting a certain input string. It assigns the length of the string "Gn1r7s_3h7_Gn15Rev3R" into index. Then, it performs a loop which increments counter and breaks once the counter reaches the index.

Throughout the loop, it performs some form of checking. We can clean it up and essentially boils down to this:

if ("Gn1r7s_3h7_Gn15Rev3R"[counter] != inputStr[len_of_target - counter -1])     {      result = 0; // Remember that we want the result to remain as 1    }

A glorifed reverse string checker indeed! Using CyberChef, we can easily solve this by reversing the string.

Flag#

DawgCTF{R3veR51nG_7h3_s7r1nG}