hardware, free, medium

Defusal

hackthebox

Task: Analyze the AVR firmware of an Arduino Mega "bomb defusal" device with a keypad, an LCD and an LED matrix. Solution: Extract the XOR-obfuscated LED bitmap frames from the .data section and decrypt them with the password 7355608 (the CS:GO bomb code) to reveal the flag characters as they would be displayed on the 8×8 LED matrix.

$ ls tags/ techniques/
xor_decryption  data_section_extraction  avr_disassembly  led_bitmap_rendering  symbol_analysis  peripheral_identification


Defusal — HackTheBox

Description

"BOMB HAS BEEN PLANTED". The usual defusal kit isn't working, and something about the device's output seems... unusual. The only way to stop the explosion is buried deep within the firmware. Analyze the schematics, uncover the hidden logic, and defuse the bomb before it's too late.

Provided files:

  • Defusal — ELF 32-bit AVR executable for ATmega2560 (Arduino Mega), not stripped, with debug info (60KB)
  • circuit.png — Schematic: Arduino Mega + 4×4 keypad + 16×2 LCD + 8×8 LED matrix (MAX7219)
  • C4-BOMB.mp4 — Video intro (not needed for the solution)

Analysis

Reconnaissance

The firmware is not stripped, so every symbol is available: correctPassword, print_flag, inputPassword, keys, rowPins, colPins. The linked Arduino libraries are Keypad, LiquidCrystal and LedControl, which already identifies the three peripherals before the schematic is consulted.

Schematic

Arduino Mega is connected to:

  • 4×4 matrix keypad (rows: D5,D4,D3,D2; cols: D9,D8,D7,D6) — password input
  • 16×2 LCD (HD44780) — displays "C4 Explosive v.1 / Enter Password:"
  • 8×8 LED matrix (MAX7219/LedControl) — flag is output here (this is the "unusual output")

Firmware Data Structure

.data section (0x800200):

  • colPins/rowPins — keypad pin configuration
  • keys — keypad layout "123A456B789C*0#D"
  • 296 bytes of LED data (37 frames × 8 bytes) at address 0x80021E
  • Password "7355608" at address 0x8003B1

Password

correctPassword is an Arduino String, initialized by a global constructor from the literal "7355608" (length 7). 7355608 is the bomb defusal code from Counter-Strike: Global Offensive.

print_flag Function (0x0ABC)

  1. Copies the 296 bytes (37 frames × 8 bytes) from .data to the stack
  2. Prints "Bomb has been DEFUSED!" on the LCD
  3. For each frame, XORs its first 7 bytes with the password "7355608" (0x37,0x33,0x35,0x35,0x36,0x30,0x38); the 8th byte is left untouched, so the last row of every frame is stored in the clear
  4. Sends the 8 bytes to the LED matrix via LedControl::setRow(), one byte per row, with the MSB lighting the left-most LED
  5. Pauses about 1 s between frames

Because XOR is its own inverse, reproducing step 3 offline over the 296 bytes at 0x80021E yields the plaintext frames directly; no emulation of the board is needed.
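The following script is an added example, not part of the original writeup or the challenge author's code. It walks the whole recovery path described above: locate .data in a little-endian ELF32 image with nothing but struct, slice the frame table out at 0x80021E, replay print_flag's 7-byte XOR against each 8-byte frame, and render the rows the way LedControl::setRow lights them (bit 7 = left-most LED). The ELF image, the 0x1E bytes of keypad configuration and the three glyph frames are constructed stand-ins so the script runs offline; the function and constant names are my own. To use it on the real binary, pass the bytes of the Defusal file to recover_flag_frames() with the default 37 frames.

```python
"""Added example: recover the Defusal LED frames from the firmware's .data section.
The ELF, the .data bytes and the glyphs below are constructed stand-ins, not the
challenge binary; feed find_section()/recover_flag_frames() the real file instead."""
import struct

PASSWORD = b"7355608"      # 37 33 35 35 36 30 38: the CS:GO defuse code
FRAME_LEN = 8              # one MAX7219 row per byte, MSB = left-most LED
DATA_VMA = 0x800200        # AVR .data VMA (0x800000 data-space offset + SRAM start)
LED_DATA_VMA = 0x80021E    # first of the 37 frames, per the writeup
LED_DATA_LEN = 37 * FRAME_LEN


def find_section(elf: bytes, name: str) -> tuple[int, bytes]:
    """Return (sh_addr, contents) of a named section from a little-endian ELF32 image,
    using only struct (no pyelftools). AVR ELF files are ELF32, little-endian."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 file")
    (e_shoff,) = struct.unpack_from("<I", elf, 32)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 46)

    def shdr(i: int) -> tuple:
        return struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize)

    strtab_off = shdr(e_shstrndx)[4]            # sh_offset of .shstrtab
    for i in range(e_shnum):
        sh_name, _type, _flags, sh_addr, sh_offset, sh_size, *_ = shdr(i)
        end = elf.index(b"\0", strtab_off + sh_name)
        if elf[strtab_off + sh_name:end] == name.encode():
            return sh_addr, elf[sh_offset:sh_offset + sh_size]
    raise KeyError(name)


def extract_led_data(data_section: bytes, section_vma: int = DATA_VMA,
                     start_vma: int = LED_DATA_VMA, length: int = LED_DATA_LEN) -> bytes:
    """Slice the frame table out of .data by converting VMAs to section offsets."""
    off = start_vma - section_vma
    blob = data_section[off:off + length]
    if len(blob) != length:
        raise ValueError("frame table runs past the end of .data")
    return blob


def decrypt_frame(frame: bytes, password: bytes = PASSWORD) -> bytes:
    """Mirror print_flag: XOR the first len(password) bytes of an 8-byte frame with the
    password; the trailing byte goes to the matrix unchanged. XOR is its own inverse,
    so the same function also encrypts the constructed sample below."""
    if len(frame) != FRAME_LEN:
        raise ValueError("frame must be 8 row bytes")
    out = bytearray(frame)
    for i, k in enumerate(password):
        out[i] ^= k
    return bytes(out)


def decrypt_frames(blob: bytes) -> list[bytes]:
    return [decrypt_frame(blob[i:i + FRAME_LEN]) for i in range(0, len(blob), FRAME_LEN)]


def render_frame(frame: bytes, on: str = "#", off: str = ".") -> str:
    """Draw one frame as LedControl::setRow lights it: row k = byte k, bit 7 = left."""
    return "\n".join("".join(on if (row >> (7 - col)) & 1 else off for col in range(8))
                     for row in frame)


# --- constructed sample data (not the real firmware) ---------------------------
GLYPHS = {
    "H": bytes([0x66, 0x66, 0x66, 0x7E, 0x66, 0x66, 0x66, 0x00]),
    "T": bytes([0x7E, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x00]),
    "B": bytes([0x7C, 0x66, 0x66, 0x7C, 0x66, 0x66, 0x7C, 0x00]),
}
# 0x1E bytes of keypad configuration precede the frames, mimicking the real layout.
SAMPLE_DATA = (bytes([5, 4, 3, 2]) + bytes([9, 8, 7, 6]) + b"123A456B789C*0#D" + b"\0" * 6
               + b"".join(decrypt_frame(g) for g in GLYPHS.values()))


def build_sample_elf(data_section: bytes = SAMPLE_DATA, data_vma: int = DATA_VMA) -> bytes:
    """Minimal ELF32/AVR (e_machine 83) with NULL, .data and .shstrtab sections."""
    shstrtab = b"\0.data\0.shstrtab\0"
    data_off = 52
    shstr_off = data_off + len(data_section)
    shoff = shstr_off + len(shstrtab)
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 83, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 2)
    shdrs = (struct.pack("<10I", *[0] * 10)
             + struct.pack("<10I", 1, 1, 3, data_vma, data_off, len(data_section), 0, 0, 1, 0)
             + struct.pack("<10I", 7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))
    return ehdr + data_section + shstrtab + shdrs


def recover_flag_frames(elf: bytes, n_frames: int = 37) -> list[bytes]:
    """End-to-end: ELF bytes -> decrypted frame list (37 for Defusal, 3 for the sample)."""
    vma, data = find_section(elf, ".data")
    return decrypt_frames(extract_led_data(data, vma, length=n_frames * FRAME_LEN))


if __name__ == "__main__":
    # Real challenge: recover_flag_frames(open("Defusal", "rb").read())
    for frame in recover_flag_frames(build_sample_elf(), n_frames=len(GLYPHS)):
        print(render_frame(frame), end="\n\n")
```

Reading the section table instead of hard-coding a file offset matters here: the .data contents sit at the section's sh_offset in the file while sh_addr carries the 0x800200 data-space VMA, and the frame table address from the disassembly is a VMA, so the offset arithmetic in extract_led_data is what keeps the two address spaces straight.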

Solution

...
