This is Part 5 on cracking CMU’s Bomblab with Angr. If you just stumbled upon this, I would recommend starting with part 1 here.

### Phase 5

Let’s disassemble Phase 5:

We see strings_not_equal, like in Phase 1, and also string_length. Right after the string_length call, its return value is compared with 6, so phase_5 expects a 6-character string (followed by a terminating NUL, since both helpers walk the string until they hit one). Let's craft the input again in the same stack frame as the function: store a symbolic bitvector of 6 bytes on the stack and point rdi at it:

Recall how we had to replace strings_not_equal with our own custom implementation back in Phase 1 to avoid state explosion? I recently found out that there is a really simple way of doing this, using the built-in libc SimProcedures that Angr already helpfully provides. strings_not_equal returns 0 exactly when the two strings match, so it can simply be replaced with the libc strcmp, whose definition can be found here. Similarly, string_length is the same as the libc strlen, which can be found here. So let us hook those two symbols with the built-in SimProcedures to avoid state explosion:

Finally, we set our success address to the ret instruction at the end of phase_5, and keep the same avoid address as before, explode_bomb:

### Almost There?

Let’s try running it!

We indeed got a solution, but those are not printable ASCII characters! Of course, we could feed the raw bytes to the binary with something like pwntools, but that does not seem to be the point of the assignment. This is where we introduce a new concept: adding constraints to our input.

We want to constrain our input bytes to the printable range. For simplicity, I will restrict it further, to the smallest contiguous range that includes all alphanumeric characters; it also lets in a few punctuation characters (':' through '@' and '[' through '`'). This range runs from '0' (0x30) to 'z' (0x7A), which you can quickly verify by pulling up an ASCII table with man ascii.
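The whole approach described above (symbolic 6-byte buffer in phase_5's stack frame, strings_not_equal and string_length hooked with Angr's libc strcmp and strlen, explore to the ret and away from explode_bomb, then the '0'..'z' constraint on every input byte) as one added example script. This is not the original post's code. It assumes the bomb binary is at ./bomb with the symbols phase_5, explode_bomb, strings_not_equal and string_length in its symbol table, and it takes the address of phase_5's final ret (the success address, read off your own disassembly) as a command-line argument:

```python
"""
Added example (not the original post's script): an angr solver for
bomblab phase_5 following the approach described in this post.

Assumptions (not from the post): the bomb binary is at ./bomb, the
symbols phase_5, explode_bomb, strings_not_equal and string_length are
present, and success_addr is the address of phase_5's final `ret`,
which you read off the disassembly yourself.
"""
import sys

INPUT_LEN = 6          # string_length(input) is compared with 6
LO, HI = 0x30, 0x7A    # '0'..'z': smallest range covering all alphanumerics


def is_acceptable(candidate: bytes, length: int = INPUT_LEN,
                  lo: int = LO, hi: int = HI) -> bool:
    """Post-check: right length, and every byte inside [lo, hi]?"""
    return len(candidate) == length and all(lo <= b <= hi for b in candidate)


def solve_phase5(binary: str, success_addr: int, printable: bool = True) -> bytes:
    # angr and claripy are imported here so this module still loads (and
    # is_acceptable can be used) on a machine without angr installed.
    import angr
    import claripy

    proj = angr.Project(binary, auto_load_libs=False)

    def sym(name: str) -> int:
        return proj.loader.find_symbol(name).rebased_addr

    # Swap the bomb's string helpers for angr's libc SimProcedures.
    # strings_not_equal returns 0 on a match, exactly like strcmp,
    # and string_length behaves like strlen.
    proj.hook_symbol("strings_not_equal", angr.SIM_PROCEDURES["libc"]["strcmp"]())
    proj.hook_symbol("string_length", angr.SIM_PROCEDURES["libc"]["strlen"]())

    # Start at the top of phase_5 with a fresh (blank) state.
    state = proj.factory.blank_state(addr=sym("phase_5"))

    # Six symbolic bytes plus a concrete NUL terminator, so strlen and
    # strcmp stop where we want them to. The buffer lives just below the
    # current stack pointer, i.e. in the frame the function reads from.
    inp = claripy.BVS("phase5_input", INPUT_LEN * 8)
    buf = state.regs.rsp - 0x100
    state.memory.store(buf, inp)
    state.memory.store(buf + INPUT_LEN, claripy.BVV(0, 8))
    state.regs.rdi = buf   # first argument: pointer to our string

    if printable:
        # Constrain every byte to '0'..'z' (unsigned compares) so the
        # solver can only hand back something you can type at the prompt.
        for byte in inp.chop(8):
            state.solver.add(byte >= LO, byte <= HI)

    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=success_addr, avoid=sym("explode_bomb"))
    if not simgr.found:
        raise RuntimeError("no path reached success_addr; check the address")

    # Concretize the symbolic buffer along the surviving path.
    return simgr.found[0].solver.eval(inp, cast_to=bytes)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: solve_phase5.py <bomb> <success_addr_hex>")
    answer = solve_phase5(sys.argv[1], int(sys.argv[2], 16))
    print(answer, "printable:", is_acceptable(answer))
```

Run it as `python solve_phase5.py ./bomb 0x<ret address>`. Passing `printable=False` reproduces the earlier run, where the solver is free to return unprintable bytes; with the constraint in place, is_acceptable should report True for whatever it returns. The ret address is the one thing the script cannot discover for you, so copy it from the disassembly.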