Welcome to the final part of cracking CMU's Bomblab with Angr. If you are new here, I recommend starting with part 1.

### Secret Phase

We knew about the secret phase because we literally saw the string "Wow! You've defused the secret stage!" in Angr's output for Phase 1: the string sits right after the compare string for Phase 1 in memory. If we run info func in GDB, we indeed see a secret_phase and a fun7 function.

Let’s check fun7 first:

Nothing out of the ordinary here. It is entirely self-contained, so we can treat it as a black box and let Angr execute it.

Let’s now disassemble secret_phase:

Pretty standard, no new gotchas here. We can start executing right after the strtol call and set rax to a symbolic int:

The success address will be right before ret, as usual. To get the result, we cast the symbolic output to an int.

### Full Solution Script

If we run it, we get the following:

We got the answer fairly quickly! If you have done Bomblab before and did the secret phase, you will remember that fun7 was a tricky little recursive function, but Angr crushed it easily.

Now we get to the question of how the secret stage is actually triggered. Unfortunately, I could not find a way to do this symbolically with Angr because of the state explosion problem: there is quite a big gap between the point where the input is read and the point where the condition for entering the secret phase is checked.

To make clear what I mean, I will simply tell you how it works, because ultimately this is a series about learning Angr, not about learning to reverse. Basically, read_line keeps a global counter num_input_strings that is incremented by 1 each time it is called. It uses this counter as an index into a global buffer that stores the user's input for each stage. When num_input_strings reaches 6 (i.e. we cleared all stages), phase_defused performs the following check:

It just happens that the global buffer used by Phase 4 is the one pointed to by the rdi argument to sscanf, 0x603870. This is clearest with dynamic analysis: set a breakpoint at this point and inspect the buffer, and you will see your Phase 4 input in it.

The format string used for sscanf is as follows:

So we only continue down this path if all three tokens are extracted and the third token is "DrEvil":

This means that all we need to do to trigger the secret phase is to change our Phase 4 input from 7 0 to 7 0 DrEvil!
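As an added example (not the original post's solution script and not the Bomblab sources), here is how the two pieces above look in Python: the Angr search for the secret phase input (blank state after strtol, symbolic int in rax, explore to the address before ret, cast the answer to int) and a plain-Python model of the phase_defused check that decides whether the secret phase runs. The three addresses passed to solve_secret_phase are placeholders you read off your own binary's disassembly, the path to the bomb is assumed, and the sscanf format "%d %d %s" is an assumption derived from the description above (three tokens, the third being DrEvil). fun7 is left for Angr to execute rather than hooked, as in the post.

```python
"""Added example: Angr search for the secret phase input, plus a plain-Python
model of the phase_defused check that decides whether the secret phase runs.
Not the original post's script; addresses are placeholders taken from your own
bomb binary, and the sscanf format string is an assumption."""


def solve_secret_phase(binary_path, after_strtol, success, explode):
    """Return the integer that drives secret_phase to `success`, or None.

    after_strtol: address of the instruction right after `call strtol` in
                  secret_phase (we start there and skip the input parsing).
    success:      the instruction just before secret_phase's `ret`.
    explode:      address of explode_bomb, which every path must avoid.
    All three are placeholders you read off your own disassembly.
    """
    import angr      # imported lazily so the helper below works without angr
    import claripy

    proj = angr.Project(binary_path, auto_load_libs=False)
    state = proj.factory.blank_state(addr=after_strtol)

    # strtol has just returned: model its result as a symbolic 32-bit int
    # placed in rax (assumption: the bomb only looks at the low 32 bits).
    n = claripy.BVS("n", 32)
    state.regs.rax = n.zero_extend(32)

    # fun7 is self-contained, so we let Angr execute it rather than hooking it.
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=success, avoid=explode)
    if not simgr.found:
        return None
    # Concretise the symbolic input as a Python int.
    return simgr.found[0].solver.eval(n, cast_to=int)


def triggers_secret_phase(phase4_line):
    """Model of the check in phase_defused once all six phases are done.

    Assumes the format string is "%d %d %s" (not shown in the post; derived
    from "three tokens, the third being DrEvil"): sscanf must match all three
    conversions and the string token must equal "DrEvil".  Extra trailing
    input is ignored, as sscanf would ignore it.
    """
    tokens = phase4_line.split()
    if len(tokens) < 3:            # fewer than three conversions succeed
        return False
    try:
        int(tokens[0])             # first %d
        int(tokens[1])             # second %d
    except ValueError:
        return False               # a %d fails: sscanf returns fewer than 3
    return tokens[2] == "DrEvil"   # third token compared against "DrEvil"


if __name__ == "__main__":
    # The Phase 4 line from the post, before and after adding the trigger.
    for line in ("7 0", "7 0 DrEvil"):
        print(repr(line), "->", triggers_secret_phase(line))
    # Example call; BOMB_PATH and the three addresses are placeholders you
    # replace with values from your own binary:
    # print(solve_secret_phase("./bomb", AFTER_STRTOL, SUCCESS, EXPLODE))
```

Note that solve_secret_phase starts from a blank state, so the stack and any memory the function has not written yet are symbolic; that is fine here because secret_phase only needs rax (the strtol result) and the concrete tree data that fun7 reads from the binary.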

Trying it out on the actual binary:

Hooray, we did it!

Through this series, we learned what symbolic execution is, how path explosion is its main pitfall, and various strategies for combating it. I personally learned a lot by doing this and feel much more comfortable with Angr than when I started out. I hope you found this useful, and as always, feedback and comments are greatly appreciated!