[Binary bomb]

[yellow phase]

yellow is easy just run the binary inside of gdb. And watch out for the cmp
instructions because they will compare a static value with the input value.

   1 gdb-peda$ disassemble yellow
   2 Dump of assembler code for function yellow:
   3    0x08049719 <+0>:     push   ebp
   4    0x0804971a <+1>:     mov    ebp,esp
   5    0x0804971c <+3>:     sub    esp,0x8
   6    0x0804971f <+6>:     call   0x80496e8 <yellow_preflight>
   7    0x08049724 <+11>:    movzx  eax,BYTE PTR ds:0x804c24c
   8    0x0804972b <+18>:    cmp    al,0x38                          <-- ascii == num 8
   9    0x0804972d <+20>:    jne    0x804977c <yellow+99>
  10    0x0804972f <+22>:    movzx  eax,BYTE PTR ds:0x804c24d
  11    0x08049736 <+29>:    cmp    al,0x34                          <-- ascii == num 4
  12    0x08049738 <+31>:    jne    0x804977c <yellow+99>
  13    0x0804973a <+33>:    movzx  eax,BYTE PTR ds:0x804c24e
  14    0x08049741 <+40>:    cmp    al,0x33                          <-- ascii == num 3
  15    0x08049743 <+42>:    jne    0x804977c <yellow+99>
  16    0x08049745 <+44>:    movzx  eax,BYTE PTR ds:0x804c24f
  17    0x0804974c <+51>:    cmp    al,0x37                          <-- ascii == num 7
  18    0x0804974e <+53>:    jne    0x804977c <yellow+99>
  19    0x08049750 <+55>:    movzx  eax,BYTE PTR ds:0x804c250
  20    0x08049757 <+62>:    cmp    al,0x31                          <-- ascii == num 1
  21    0x08049759 <+64>:    jne    0x804977c <yellow+99>
  22    0x0804975b <+66>:    movzx  eax,BYTE PTR ds:0x804c251
  23    0x08049762 <+73>:    cmp    al,0x30                          <-- ascii == num 0
  24    0x08049764 <+75>:    jne    0x804977c <yellow+99>
  25    0x08049766 <+77>:    movzx  eax,BYTE PTR ds:0x804c252
  26    0x0804976d <+84>:    cmp    al,0x36                          <-- ascii == num 6
  27    0x0804976f <+86>:    jne    0x804977c <yellow+99>
  28    0x08049771 <+88>:    movzx  eax,BYTE PTR ds:0x804c253
  29    0x08049778 <+95>:    cmp    al,0x35                          <-- ascii == num 5
  30    0x0804977a <+97>:    je     0x804978b <yellow+114>
  31    0x0804977c <+99>:    mov    eax,ds:0x804c124
  32    0x08049781 <+104>:   shl    eax,0xa
  33    0x08049784 <+107>:   mov    ds:0x804c124,eax
  34    0x08049789 <+112>:   jmp    0x80497a1 <yellow+136>
  35    0x0804978b <+114>:   mov    DWORD PTR [esp],0x804a1f4
  36    0x08049792 <+121>:   call   0x80487b4 <puts@plt>
  37    0x08049797 <+126>:   mov    DWORD PTR ds:0x804c124,0x0
  38    0x080497a1 <+136>:   leave
  39    0x080497a2 <+137>:   ret
  40 End of assembler dump.

As stated above you have to watch the compare instructions and which
values they are comparing against each other. In here this would be:

solution :  843...65


[green phase]

   1 gdb-peda$ disassemble green_preflight
   2 Dump of assembler code for function green_preflight:
   3    0x080498d4 <+0>:     push   ebp
   4    0x080498d5 <+1>:     mov    ebp,esp
   5    0x080498d7 <+3>:     sub    esp,0x18
   6    0x080498da <+6>:     mov    DWORD PTR [esp],0x804a2cc
   7    0x080498e1 <+13>:    call   0x8048744 <printf@plt>
   8    0x080498e6 <+18>:    mov    eax,ds:0x804c220
   9    0x080498eb <+23>:    mov    DWORD PTR [esp+0x8],eax
  10    0x080498ef <+27>:    mov    DWORD PTR [esp+0x4],0x14
  11    0x080498f7 <+35>:    mov    eax,DWORD PTR [ebp+0x8]
  12    0x080498fa <+38>:    mov    DWORD PTR [esp],eax
  13    0x080498fd <+41>:    call   0x8048704 <fgets@plt>
  14    0x08049902 <+46>:    leave
  15    0x08049903 <+47>:    ret
  16 End of assembler dump.
  17 gdb-peda$

   1 gdb-peda$ disassemble green
   2 Dump of assembler code for function green:
   3    0x08049904 <+0>:     push   ebp
   4    0x08049905 <+1>:     mov    ebp,esp
   5    0x08049907 <+3>:     sub    esp,0x38
   6    0x0804990a <+6>:     mov    eax,gs:0x14
   7    0x08049910 <+12>:    mov    DWORD PTR [ebp-0x4],eax
   8    0x08049913 <+15>:    xor    eax,eax
   9    0x08049915 <+17>:    mov    DWORD PTR [ebp-0x8],0x1
  10    0x0804991c <+24>:    lea    eax,[ebp-0x14]
  11    0x0804991f <+27>:    mov    DWORD PTR [esp],eax
  12    0x08049922 <+30>:    call   0x80498d4 <green_preflight>
  13    0x08049927 <+35>:    mov    DWORD PTR [esp+0x8],0x8
  14    0x0804992f <+43>:    lea    eax,[ebp-0x14]
  15    0x08049932 <+46>:    mov    DWORD PTR [esp+0x4],eax
  16    0x08049936 <+50>:    mov    DWORD PTR [esp],0x804a2c0
  17    0x0804993d <+57>:    call   0x80487d4 <strncmp@plt>
  18    0x08049942 <+62>:    test   eax,eax
  19    0x08049944 <+64>:    jne    0x804998e <green+138>
  20    0x08049946 <+66>:    mov    DWORD PTR [esp],0x804a2fc
  21    0x0804994d <+73>:    call   0x80487b4 <puts@plt>
  22    0x08049952 <+78>:    mov    eax,DWORD PTR [ebp-0x8]
  23    0x08049955 <+81>:    and    eax,0x1
  24    0x08049958 <+84>:    test   eax,eax
  25    0x0804995a <+86>:    sete   al
  26    0x0804995d <+89>:    movzx  eax,al
  27    0x08049960 <+92>:    mov    DWORD PTR [ebp-0x8],eax
  28    0x08049963 <+95>:    mov    DWORD PTR [esp],0x7a120
  29    0x0804996a <+102>:   call   0x8048724 <usleep@plt>
  30    0x0804996f <+107>:   mov    DWORD PTR [esp],0x804a33c
  31    0x08049976 <+114>:   call   0x80487b4 <puts@plt>
  32    0x0804997b <+119>:   mov    eax,DWORD PTR [ebp-0x8]
  33    0x0804997e <+122>:   and    eax,0x1
  34    0x08049981 <+125>:   test   eax,eax
  35    0x08049983 <+127>:   sete   al
  36    0x08049986 <+130>:   movzx  eax,al
  37    0x08049989 <+133>:   mov    DWORD PTR [ebp-0x8],eax
  38    0x0804998c <+136>:   jmp    0x804999a <green+150>
  39    0x0804998e <+138>:   mov    eax,ds:0x804c12c
  40    0x08049993 <+143>:   add    eax,eax
  41    0x08049995 <+145>:   mov    ds:0x804c12c,eax
  42    0x0804999a <+150>:   mov    eax,DWORD PTR [ebp-0x8]
  43    0x0804999d <+153>:   test   eax,eax
  44    0x0804999f <+155>:   jne    0x80499ad <green+169>
  45    0x080499a1 <+157>:   mov    eax,ds:0x804c12c
  46    0x080499a6 <+162>:   sar    eax,1
  47    0x080499a8 <+164>:   mov    ds:0x804c12c,eax
  48    0x080499ad <+169>:   mov    eax,DWORD PTR [ebp-0x4]
  49    0x080499b0 <+172>:   xor    eax,DWORD PTR gs:0x14
  50    0x080499b7 <+179>:   je     0x80499be <green+186>
  51    0x080499b9 <+181>:   call   0x8048784 <__stack_chk_fail@plt>
  52    0x080499be <+186>:   leave
  53    0x080499bf <+187>:   ret
  54 End of assembler dump.
  55 gdb-peda$

set breakpoint at *green+57 (call of strcmp function to check if input an password are the same):

run programm untill strcmp is called. If we recall our memorys about functioncalls we know that
the function args are pushed to the stack in reverse order so peda tells us these are the args for
the strcmp call:

   1 arg[0]: 0x804a2c0 ("dcaotdae")
   2 arg[1]: 0xbffff694 ("AAAA\n")
   3 arg[2]: 0x8

arg0 is the first string to compare. arg1 is our AAAA string and arg2 is 0x8 which is the third arg
for the length of the string. if we look closer to the disassembly we can find a call to
strcmp function. This is the function description of the man page:

SYNOPSIS

DESCRIPTION

RETURN VALUES

in the disassembly we can see the call is made to strncmp, which takes three
Arguments, str1, str2 and a size parameter

   1    0x0804993d <+57>:    call   0x80487d4 <strncmp@plt>

and the arguments passed are as we said:

arg[0]: 0x804a2c0 ("dcaotdae")
arg[1]: 0xbffff694 ("AAAA\n")
arg[2]: 0x8

so len seems to be eight bits. lets just try to overflow the
len parameter with a combination of arg0 and arg1:

   1 dirk@reversingbox32:~/reversing$ ./bomb
   2 ---------------------------------------- -- -- -- ---
   3      ___  ___    ___  ___    ___  ___
   4     /  / /  /   /  / /  /   /  / /  /
   5    /__/ /__/   /__/ /__/   /__/ /__/
   6      HOURS      MINUTES     SECONDS
   7 +--------------------------------------- -- -- -- --+
   8 |                                                   |
   9 |      ,   DR. VON NOIZEMAN'S NUCLEAR BOMB   ,      |
  10 |     /!\ AUTHORIZED ACCESS ONLY - KEEP OUT /!\     |
  11 |                                                   |
  12 |       [1] YELLOW [2] GREEN [3] BLUE [4] RED       |
  13 |                                                   |
  14 +---------------------------------------------------+
  15   MENU SELECTION: 2
  16   ENTER UNLOCK PASSWORD 2: dcaot....AA
  17   UNLOCK PASSWORD 2 ACCEPTED, LOCK DISENGAGED
  18   ACTION OVERRIDDEN FROM USER NOIZEV, LOCK RE-ENGAGED
  19   PRESS ENTER TO RETURN TO MENU

seems to work :)


[blue phase]

   1 gdb-peda$ disassemble blue
   2 Dump of assembler code for function blue:
   3    0x080499f1 <+0>:     push   ebp
   4    0x080499f2 <+1>:     mov    ebp,esp
   5    0x080499f4 <+3>:     sub    esp,0x18
   6    0x080499f7 <+6>:     call   0x80499c0 <blue_preflight> <-- recieves input
   7    0x080499fc <+11>:    mov    DWORD PTR [ebp-0x4],0x804c160
   8    0x08049a03 <+18>:    mov    eax,DWORD PTR [ebp-0x4]
   9    0x08049a06 <+21>:    mov    eax,DWORD PTR [eax+0x4]
  10    0x08049a09 <+24>:    mov    DWORD PTR [ebp-0x8],eax
  11    0x08049a0c <+27>:    mov    DWORD PTR [ebp-0xc],0x0
  12    0x08049a13 <+34>:    jmp    0x8049a84 <blue+147>
  13    0x08049a15 <+36>:    mov    DWORD PTR [ebp-0x10],0x0
  14    0x08049a1c <+43>:    mov    eax,DWORD PTR [ebp-0xc]
  15    0x08049a1f <+46>:    movzx  eax,BYTE PTR [eax+0x804c24c]
  16    0x08049a26 <+53>:    movsx  eax,al
  17    0x08049a29 <+56>:    mov    DWORD PTR [ebp-0x14],eax
  18    0x08049a2c <+59>:    cmp    DWORD PTR [ebp-0x14],0x4c < -- cmp first input char with ascii 'L'
  19    0x08049a30 <+63>:    je     0x8049a40 <blue+79>
  20    0x08049a32 <+65>:    cmp    DWORD PTR [ebp-0x14],0x52 < -- cmp first input char with ascii 'R'
  21    0x08049a36 <+69>:    je     0x8049a4a <blue+89>
  22    0x08049a38 <+71>:    cmp    DWORD PTR [ebp-0x14],0xa  < -- cmp input ascii 'nl' == newline
  23    0x08049a3c <+75>:    je     0x8049a55 <blue+100>
  24    0x08049a3e <+77>:    jmp    0x8049a5e <blue+109>
  25    0x08049a40 <+79>:    mov    eax,DWORD PTR [ebp-0x4]
  26    0x08049a43 <+82>:    mov    eax,DWORD PTR [eax]
  27    0x08049a45 <+84>:    mov    DWORD PTR [ebp-0x4],eax
  28    0x08049a48 <+87>:    jmp    0x8049a71 <blue+128>
  29    0x08049a4a <+89>:    mov    eax,DWORD PTR [ebp-0x4]
  30    0x08049a4d <+92>:    mov    eax,DWORD PTR [eax+0x8]
  31    0x08049a50 <+95>:    mov    DWORD PTR [ebp-0x4],eax
  32    0x08049a53 <+98>:    jmp    0x8049a71 <blue+128>
  33    0x08049a55 <+100>:   mov    DWORD PTR [ebp-0x10],0x1
  34    0x08049a5c <+107>:   jmp    0x8049a71 <blue+128>
  35    0x08049a5e <+109>:   mov    DWORD PTR [ebp-0x10],0x1
  36    0x08049a65 <+116>:   mov    DWORD PTR [esp],0x804a3bb
  37    0x08049a6c <+123>:   call   0x80487b4 <puts@plt>
  38    0x08049a71 <+128>:   cmp    DWORD PTR [ebp-0x10],0x0
  39    0x08049a75 <+132>:   jne    0x8049a8a <blue+153>
  40    0x08049a77 <+134>:   mov    eax,DWORD PTR [ebp-0x4]
  41    0x08049a7a <+137>:   mov    eax,DWORD PTR [eax+0x4]
  42    0x08049a7d <+140>:   xor    DWORD PTR [ebp-0x8],eax
  43    0x08049a80 <+143>:   add    DWORD PTR [ebp-0xc],0x1
  44    0x08049a84 <+147>:   cmp    DWORD PTR [ebp-0xc],0xe
  45    0x08049a88 <+151>:   jle    0x8049a15 <blue+36> < -- i think this should be the loop comparsion
  46    0x08049a8a <+153>:   mov    DWORD PTR [esp],0x804a3c0
  47    0x08049a91 <+160>:   call   0x8048744 <printf@plt>
  48    0x08049a96 <+165>:   mov    eax,ds:0x804c240
  49    0x08049a9b <+170>:   mov    DWORD PTR [esp],eax
  50    0x08049a9e <+173>:   call   0x8048734 <fflush@plt>
  51    0x08049aa3 <+178>:   mov    DWORD PTR [esp],0x1
  52    0x08049aaa <+185>:   call   0x80487a4 <sleep@plt>
  53    0x08049aaf <+190>:   mov    DWORD PTR [esp],0x804a3eb
  54    0x08049ab6 <+197>:   call   0x80487b4 <puts@plt>
  55    0x08049abb <+202>:   mov    DWORD PTR [esp],0x7a120
  56    0x08049ac2 <+209>:   call   0x8048724 <usleep@plt>
  57    0x08049ac7 <+214>:   mov    eax,ds:0x804a384
  58    0x08049acc <+219>:   cmp    DWORD PTR [ebp-0x8],eax
  59    0x08049acf <+222>:   jne    0x8049aec <blue+251>
  60    0x08049ad1 <+224>:   mov    DWORD PTR [esp],0x804a3fc
  61    0x08049ad8 <+231>:   call   0x80487b4 <puts@plt>
  62    0x08049add <+236>:   mov    eax,ds:0x804c140
  63    0x08049ae2 <+241>:   sub    eax,0x1
  64    0x08049ae5 <+244>:   mov    ds:0x804c140,eax
  65    0x08049aea <+249>:   jmp    0x8049af9 <blue+264>
  66    0x08049aec <+251>:   mov    eax,ds:0x804c140
  67    0x08049af1 <+256>:   add    eax,0x1
  68    0x08049af4 <+259>:   mov    ds:0x804c140,eax
  69    0x08049af9 <+264>:   leave
  70    0x08049afa <+265>:   ret
  71 End of assembler dump.

Lets try this input First:

LLRR

   1 dirk@reversingbox32:~/reversing$ ./bomb
   2 ---------------------------------------- -- -- -- ---
   3      ___  ___    ___  ___    ___  ___
   4     /  / /  /   /  / /  /   /  / /  /
   5    /__/ /__/   /__/ /__/   /__/ /__/
   6      HOURS      MINUTES     SECONDS
   7 +--------------------------------------- -- -- -- --+
   8 |                                                   |
   9 |      ,   DR. VON NOIZEMAN'S NUCLEAR BOMB   ,      |
  10 |     /!\ AUTHORIZED ACCESS ONLY - KEEP OUT /!\     |
  11 |                                                   |
  12 |       [1] YELLOW [2] GREEN [3] BLUE [4] RED       |
  13 |                                                   |
  14 +---------------------------------------------------+
  15   MENU SELECTION: 3
  16   ENTER CIRCUIT TRAVERSAL PATH: LLRR
  17   PROGRAMMING GATE ARRAY... SUCCEEDED
  18   VOLTAGE REROUTED FROM REMOTE DETONATION RECEIVER
  19   PRESS ENTER TO RETURN TO MENU

Works :) . But i read there are many more combinations to
solve this level. But i am too lazy to write a script to
analyze.


[red phase]

The red phase first calls the red_preflight function, which then
calls libc rand() function. This is the function description:

The rand() function computes a sequence of pseudo-random integers in
the range of 0 to RAND_MAX (as defined by the header file <stdlib.h>).
The srand() function sets its argument seed as the seed for a new
sequence of pseudo-random numbers to be returned by rand(). These
sequences are repeatable by calling srand() with the same seed value.

If no seed value is provided, the functions are automatically seeded
with a value of 1.

In compliance with the C standard, these functions operate on int arguments.
Since the underlying algorithm already uses 32-bit calculations, this causes
a loss of precision. See random() for an alternate set of functions that retains
full 32-bit precision.

So this tells us that calling rand() without calling srand() is useless for random
numbers because srand uses the return value of rand to generate the random seed.
Since srand is not called the rand() output allways stays the same.

This is the disassembly:

   1 gdb-peda$ disassemble red
   2 Dump of assembler code for function red:
   3    0x08049831 <+0>:     push   ebp
   4    0x08049832 <+1>:     mov    ebp,esp
   5    0x08049834 <+3>:     sub    esp,0x18
   6    0x08049837 <+6>:     call   0x80497a4 <red_preflight>
   7    0x0804983c <+11>:    mov    DWORD PTR [ebp-0x4],0x804a29c
   8    0x08049843 <+18>:    mov    DWORD PTR [ebp-0x8],0x0
   9    0x0804984a <+25>:    jmp    0x80498ba <red+137>
  10    0x0804984c <+27>:    mov    eax,DWORD PTR [ebp-0x8]
  11    0x0804984f <+30>:    movzx  edx,BYTE PTR [eax+0x804c24c]
  12    0x08049856 <+37>:    mov    eax,ds:0x804c26c
  13    0x0804985b <+42>:    and    eax,0x1f
  14    0x0804985e <+45>:    add    eax,DWORD PTR [ebp-0x4]
  15    0x08049861 <+48>:    movzx  eax,BYTE PTR [eax]
  16    0x08049864 <+51>:    cmp    dl,al
  17    0x08049866 <+53>:    je     0x8049877 <red+70>
  18    0x08049868 <+55>:    mov    eax,ds:0x804c128
  19    0x0804986d <+60>:    add    eax,0x1
  20    0x08049870 <+63>:    mov    ds:0x804c128,eax
  21    0x08049875 <+68>:    jmp    0x80498ca <red+153>
  22    0x08049877 <+70>:    mov    eax,ds:0x804c26c
  23    0x0804987c <+75>:    mov    edx,eax
  24    0x0804987e <+77>:    shr    edx,0x5
  25    0x08049881 <+80>:    mov    eax,ds:0x804c268
  26    0x08049886 <+85>:    shl    eax,0x1b
  27    0x08049889 <+88>:    or     eax,edx
  28    0x0804988b <+90>:    mov    ds:0x804c26c,eax
  29    0x08049890 <+95>:    mov    eax,ds:0x804c268
  30    0x08049895 <+100>:   mov    edx,eax
  31    0x08049897 <+102>:   shr    edx,0x5
  32    0x0804989a <+105>:   mov    eax,ds:0x804c264
  33    0x0804989f <+110>:   shl    eax,0x1b
  34    0x080498a2 <+113>:   or     eax,edx
  35    0x080498a4 <+115>:   mov    ds:0x804c268,eax
  36    0x080498a9 <+120>:   mov    eax,ds:0x804c264
  37    0x080498ae <+125>:   shr    eax,0x5
  38    0x080498b1 <+128>:   mov    ds:0x804c264,eax
  39    0x080498b6 <+133>:   add    DWORD PTR [ebp-0x8],0x1
  40    0x080498ba <+137>:   cmp    DWORD PTR [ebp-0x8],0x12
  41    0x080498be <+141>:   jle    0x804984c <red+27>
  42    0x080498c0 <+143>:   mov    DWORD PTR ds:0x804c128,0x0
  43    0x080498ca <+153>:   leave
  44    0x080498cb <+154>:   ret
  45 End of assembler dump.
  46 gdb-peda$

and the red_preflight

   1 gdb-peda$ disassemble red_preflight
   2 Dump of assembler code for function red_preflight:
   3    0x080497a4 <+0>:     push   ebp
   4    0x080497a5 <+1>:     mov    ebp,esp
   5    0x080497a7 <+3>:     sub    esp,0x28
   6    0x080497aa <+6>:     call   0x80487c4 <rand@plt>
   7    0x080497af <+11>:    and    eax,0x7fffffff
   8    0x080497b4 <+16>:    mov    ds:0x804c264,eax
   9    0x080497b9 <+21>:    call   0x80487c4 <rand@plt>
  10    0x080497be <+26>:    mov    ds:0x804c268,eax
  11    0x080497c3 <+31>:    call   0x80487c4 <rand@plt>
  12    0x080497c8 <+36>:    mov    ds:0x804c26c,eax
  13    0x080497cd <+41>:    mov    DWORD PTR [ebp-0x4],0x0
  14    0x080497d4 <+48>:    jmp    0x8049800 <red_preflight+92>
  15    0x080497d6 <+50>:    mov    eax,DWORD PTR [ebp-0x4]
  16    0x080497d9 <+53>:    mov    eax,DWORD PTR [eax*4+0x804c264]
  17    0x080497e0 <+60>:    mov    DWORD PTR [esp+0x4],eax
  18    0x080497e4 <+64>:    mov    DWORD PTR [esp],0x804a234
  19    0x080497eb <+71>:    call   0x8048744 <printf@plt>
  20    0x080497f0 <+76>:    mov    DWORD PTR [esp],0x7a120
  21    0x080497f7 <+83>:    call   0x8048724 <usleep@plt>
  22    0x080497fc <+88>:    add    DWORD PTR [ebp-0x4],0x1
  23    0x08049800 <+92>:    cmp    DWORD PTR [ebp-0x4],0x2
  24    0x08049804 <+96>:    jle    0x80497d6 <red_preflight+50>
  25    0x08049806 <+98>:    mov    DWORD PTR [esp],0x804a25c
  26    0x0804980d <+105>:   call   0x8048744 <printf@plt>
  27    0x08049812 <+110>:   mov    eax,ds:0x804c220
  28    0x08049817 <+115>:   mov    DWORD PTR [esp+0x8],eax
  29    0x0804981b <+119>:   mov    DWORD PTR [esp+0x4],0x15
  30    0x08049823 <+127>:   mov    DWORD PTR [esp],0x804c24c
  31    0x0804982a <+134>:   call   0x8048704 <fgets@plt>
  32    0x0804982f <+139>:   leave
  33    0x08049830 <+140>:   ret
  34 End of assembler dump.
  35 gdb-peda$

So in a bruteforce style attempt to find the right sequence i put breakpoints to these
locations:

Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x080494ca <main>
        breakpoint already hit 1 time
2       breakpoint     keep y   0x080497a4 <red_preflight>
        breakpoint already hit 1 time
3       breakpoint     keep y   0x0804982f <red_preflight+139>
        breakpoint already hit 1 time

The first one at start of main, the second one at red_preflight start
and the third at the end of red_preflight. So we can step trough the
rest of the red_phase code. To analyze where we have to 'tickle' the right
bits.

So this seems to be our password:

=========================
KDG3DU3....VXJM64
=========================

Done this challange was a blast


exploitation

binbomb_rpi (zuletzt geändert am 2016-12-12 16:23:16 durch Dirk)