I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. If you are offering the. Phase 3: conditionals/switches. In the "offline" version, the. Once we enter the function, we can check the registers that store the first two inputs: $rdi and $rsi. secret_phase !!! enjoy another stunning sunset 'over' a glass of assyrtiko, English version of Russian proverb "The hedgehogs got pricked, cried, but continued to eat the cactus". When prompted, enter the command 'c' to continue. CSO1 - Bomb lab. Learn more about bidirectional Unicode characters. On line <phase_4+16>, the <phase_4> function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made. There are two basic flavors of Bomb Lab: In the "online" version, the, instructor uses the autograding service to handout a custom notifying, bomb to each student on demand, and to automatically track their, progress on the realtime scoreboard. BombID: Each bomb in a given instance of the lab has a unique, non-negative integer called the "bombID. A tag already exists with the provided branch name. to build a single generic bomb that every student attempts to defuse: This will create a generic bomb and some other files in ./bombs/bomb0: bomb* Generic bomb executable (handout to students), bomb.c Source code for main routine (handout to students), You will handout only two of these files to the students: ./bomb and ./bomb.c, The students will handin their solution files, which you can validate, This option is easy for the instructor, but we don't recommend it. A tag already exists with the provided branch name. From the above comments, we deduce that we want to input two space-separated integers. Give 0 to ebp-8, which is used as loop condition. Thus on the 14th iteration if I needed a 6, I would need to be in the 14th index of the array on the 13th iteration, then on index 2 of the 12th iteration. Going through func4, we get the value of d at 400ff7 and 400fe2 to be (14 + 0) >> 1 = 7. 1 Introduction. How about the next one? e = 16 METU Ceng'e selamlar :)This is the first part of the Attack Lab. You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post. I'll paste the code here. Based on the output, our input string is being run into the function with the string I can see Russia from my . The purpose of this project is to become more familiar with machine level programming. Actually I'm not that patient and I didn't go through this part on my own. 3) The second parameter 'p' at the end of the loop must be equal with %ecx register. ', After solving stage 3 you likely get the string 'Halfway there! The code is comparing the string (presumably our input) stored in %eax to a fixed string stored at 0x804980b. But when I put 4 1 6 5 2 3 or 3 6 1 2 5 4, it explodes. Option 2. sig_handler Cannot retrieve contributors at this time. As a next step, lets input the test string abcdef and take a look at what the loop does to it. Each phase has a password/key that is solved through the hints found within the assembly code. So, the value of node1 to node6 are f6, 304, b7, eb, 21f, 150. Contribute to xmpf/cse351 development by creating an account on GitHub. I found: initialize_bomb string_length() - This function first checks to see that the passed character pointer in %rdi is not null terminated. phase_4 Each line is annotated. Then the tricky part comes. The values came out it the following format: 0x000003b8 So if I order the nodes in ascending order, it should be 6 4 1 2 5 3, but this still wasn't the correct input. "make stop" kills all of the running, servers. Explosion and, diffusions from bombs whose LabIDs are different from the current. You can enter any string, but I used TEST. Simple function made to look like a mess. Although the problems differ from each other, the main methods we take are totally the same. Thus, they quickly learn to set breakpoints before, each phase and the function that explodes the bomb. Each of you will work with a special "binary bomb". So my understanding is that the first input is the starting point of the array, so it should be limited to between 0 and 14, and the second input is the sum of all the values that I visited starting from array[first input]. ordered by the total number of accrued points. Let's enter the string blah as our input to phase_1 . Then, we can take a look at the fixed value were supposed to match and go from there: Woah. Point breakdown for each phase: Phase 1 - 4: 10 points each; Phase 5 and 6: 15 points each; Total maximum score possible: 70 points; Each time the "bomb explodes", it notifies the server, resulting in a (-)1/5 point deduction from the final score for the lab. It is clearly the most compelling and fun for the, students, and the easiest for the instructor to grade. For each bomb, it tallies the number, of explosions, the last defused phase, validates each last defused, phase using a quiet copy of the bomb, and computes a score for each, student in a tab delimited text file called "scores.txt." explode_bomb. It's provided only for completeness. Firstly, let's have a look at the asm code. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. Please, Understanding Bomb Lab Phase 5 (two integer input), https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. Link to Bomb Lab Instructions (pdf) in GitHub Repository. you like without losing any information. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Each phase expects you to type a particular string on stdin.If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. 3 lea's, a cmp of the output to 2 and a jump if greater than. Link to Bomb Lab Instructions (pdf) in GitHub Repository Request Server: The request server is a simple special-purpose HTTP, server that (1) builds and delivers custom bombs to student browsers, on demand, and (2) displays the current state of the real-time, A student requests a bomb from the request daemon in two, steps: First, the student points their favorite browser at, For example, http://foo.cs.cmu.edu:15213/. From this, we can deduce that the input for phase_2 should be 1 2 4 8 16 32. Given you ultimately needed to have the element containing 0xf to exit after 15 iterations, I saw that f was at array element index 6. Nothing special other than the first number acting like a selector of jump paths to a linked second number. Good work! The nefarious Dr. The makebomb.pl script also generates the bomb's solution. From phase_4, we call the four arguments of func4 to be a, b(known, 0), c(known, 14), d(known, 0). There is also a test that the first user inputed number is less than or equal to 14. Phase 4: recursive calls and the stack discipline. main So, I mapped out the array from element 0 to 15 and then worked backwards through it to find the element I needed to start with. You don't need to understand any of this to. The idea is to understand what each, assembly statement does, and then use this knowledge to infer the, defusing string. Hello world. Then you can solve this problem by making a table(Yeah, it may seem silly, but I think it's the most convenient way). Use Git or checkout with SVN using the web URL. No description, website, or topics provided. The request server parses the form, builds and, tars up a notifying custom bomb with bombID=n, and delivers the tar, file to the browser. because it is too easy for the students to cheat. A tag already exists with the provided branch name. These numbers act as indices within a six element array in memory, each element of which contains a number. Load the binary, perform analysis, seek to Phase 6, and have a look at your task. phase_4() - In this phase you are dealing with a recursively called function. DePaul University - System I - Winter 2017, **Note: I made this repo with the intent to help others solve their own Bomb Labs. If there is a, problem (say because you forgot to update the list of machines the, bombs are allowed to run in src/config.h) you can fix the, configuration, reset the lab, and then request and run more test, CAUTION: If you reset the lab after it's live, you'll lose all your, records of the students bombs and their solutions. executable file 271 lines (271 sloc) 7.74 KB. We multiply the number by 2 each step, so we guess the sequence to be 1, 2, 4, 8, 16, 32, which is the answer. requires that you keep the autograding service running non-stop, because handouts, grading, and reporting occur continuously for the, duration of the lab. Each phase expects the student to enter a particular string, on stdin. Make sure you update this. Stepping through the code with the GDB debugger I can say plenty about the various functions called in this program: Ahhhh, recursion, right? Can you still use Commanders Strike if the only attack available to forego is an attack against an ally? And when we execute it, it expects to receive certain inputs, otherwise it 'blows' up. In this version of the lab, you build your own quiet bombs manually, and then hand them out to the students. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. We can find the latter numbers from the loop structure. First bomb lab is a Reverse Engineering challenge, you have to read its assembly to find the message that . So, possible codes would be 1, 2, 4, 7, 11, 16 or 21, 22, 24, 27, 11, 16. Each student gets a, bomb with a randomly chosen variant for each phase. Moreover, it's obvious that the second one must be zero being aware of the line, So the problem becomes easier. Which one to choose? initialize_bomb However, you know that the loop is doing some transitions on your input string. The answer is that the first input had to be 1. Each message contains a BombID, a phase, and an indication of the, event that occurred. You don't need root access. The student then saves the tar file to disk. While layout asm is helpful, also helpful to view the complete disassembled binary. Dump of assembler code for function phase_5: 0x0000000000401002 <+0>: sub $0x18,%rsp ; rsp = rsp - 24, 0x0000000000401006 <+4>: lea 0x8(%rsp),%rcx ; rcx = *(rsp + 8) (function argument), 0x000000000040100b <+9>: lea 0xc(%rsp),%rdx ; rdx = *(rsp + 12) (function argument), 0x0000000000401010 <+14>: mov $0x401ebe,%esi ; esi = "%d %d", 0x0000000000401015 <+19>: mov $0x0,%eax ; eax = 0, 0x000000000040101a <+24>: callq 0x400ab0 <__isoc99_sscanf@plt>, 0x000000000040101f <+29>: cmp $0x1,%eax ; if (eax > 1) goto 0x401029, 0x0000000000401022 <+32>: jg 0x401029 , 0x0000000000401024 <+34>: callq 0x40163d ; if (eax <= 1) explode_bomb(), 0x0000000000401029 <+39>: mov 0xc(%rsp),%eax ; eax = *(rsp + 12) ::function parameter, 0x000000000040102d <+43>: and $0xf,%eax ; eax = eax & 0xf (last 2 bits), 0x0000000000401030 <+46>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax, 0x0000000000401034 <+50>: cmp $0xf,%eax ; if (eax == 0xf) explode_bomb(), 0x0000000000401037 <+53>: je 0x401065 , 0x0000000000401039 <+55>: mov $0x0,%ecx ; ecx = 0, 0x000000000040103e <+60>: mov $0x0,%edx ; edx = 0, 0x0000000000401043 <+65>: add $0x1,%edx ; edx = edx + 0x1, 0x0000000000401046 <+68>: cltq ; sign extend eax to quadword (rax), 0x0000000000401048 <+70>: mov 0x401ba0(,%rax,4),%eax ; eax = *(rax * 4 + 0x401ba0), 0x000000000040104f <+77>: add %eax,%ecx ; ecx = ecx + eax, 0x0000000000401051 <+79>: cmp $0xf,%eax ; if (eax != 0xf) goto 0x401043 (inc edx), 0x0000000000401054 <+82>: jne 0x401043 , 0x0000000000401056 <+84>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax, 0x000000000040105a <+88>: cmp $0xc,%edx ; if (edx != 12) explode_bomb(), 0x000000000040105d <+91>: jne 0x401065 , 0x000000000040105f <+93>: cmp 0x8(%rsp),%ecx ; if (ecx == *(rsp + 8)) goto 0x40106a, 0x0000000000401063 <+97>: je 0x40106a , 0x0000000000401065 <+99>: callq 0x40163d ; explode_bomb(), 0x000000000040106a <+104>: add $0x18,%rsp ; rsp = rsp + 24, 0x000000000040106e <+108>: retq ; return, --------------------------------------------------------------------------------. So far from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. Cannot retrieve contributors at this time. What was the actual cockpit layout and crew of the Mi-24A? GitHub; Linkedin; Bomb Lab 7 minute read On this page. Answers that are vague, inaccurate, or . The third bomb is about the switch expression. I used a linux machine running x86_64. The Bomb Lab teaches students principles of, machine-level programs, as well as general debugger and reverse, A "binary bomb" is a Linux executable C program that consists of six, "phases." sign in When I get angry, Mr. Bigglesworth gets upset. As we have learned from the past phases, fixed values are almost always important. 0x00401100 4989e5 mov r13, rsp. Before the, lab goes live, you'll want to request a few bombs for yourself, run, them, defuse a few phases, explode a few phases, and make sure that, the results are displayed properly on the scoreboard. func4() - This function was rather difficult for me to get through logically and so I ultimately had to take it as somewhat as a black box. The request server builds the, bomb, archives it in a tar file, and then uploads the resulting tar, file back to the browser, where it can be saved on disk and, untarred. and/or the string 'The bomb has blown up.' Going back to the code for phase_2, we see that the first number has to be 1. If not null terminated then preserve the originally passed pointer argument by copying it to %rdx. which to blow yourself up. I then restart the program and see if that got me through phase 1. It appears that there may be a secret stage. You will get full credit for defusing phases 2 and 3 with less than 30 explosions. Cannot retrieve contributors at this time. There was a bunch of manipulation of stack space but there was nothing in the stack at that location and so it is likely a bunch of leg work. read_six_numbers Also run the command i r to see what the values of the variables are. When in doubt "make stop; make start" will get everything in a stable state. We can inspect its structure directly using gdb. Once you have updated the configuration files, modify the Latex lab, writeup in ./writeup/bomblab.tex for your environment. The code must be at least six numbers long or else the bomb detonates. On to the next' or 'So you got that one. You just choose a number arbitarily from 0 to 6 and go through the switch expression, and you get your second argument. CIA_MKUltraBrainwashing_Drugs . There are many things going on with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard coded constants. From the above, we see that we are passing some value into a register before calling scanf(). The first number must be between 0 and 7. Here are a few useful commands that are worth highlighting: This command divides the screen into two parts: the command console and a graphical view of the assembly code as you step through it. Go to file. Lets set a breakpoint at strings_not_equal. DrEvil A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post. There is also a "secret phase" that, only appears if students append a certain string to the solution to, Each phase has three variants: "a", "b", and "c". Lets enter the string blah as our input to phase_1. Next there is pattern that must be applied to the first 6 numbers. strings_not_equal mov a b moves data from a to b as opposed to b to a). Please feel free to fork or star this repo if you find it helpful!***. After solving stage 1 you likely get the string 'Phase 1 defused. func4 ??? What' more, there's a function call to read_six_numbers(), we can inspect it, Up till now, you should be able to find out that in this part, we are required to enter six numbers. If one of these processes dies for some reason, the main daemon, detects this and automatically restarts it. Please After looking at these interesting strings, I'm going to make a few guesses at what is going on in this binary "BOMB!!". How about the next one? (Add 16 each time), ecx is compared to rsp, which is 15, so we need ecx to equal to 15, Changing the second input does not affect the ecx, first input is directly correlated to edx. You'll only need to have. To review, open the file in an editor that reveals hidden Unicode characters. What are the advantages of running a power tool on 240 V vs 120 V? How about the next one? This number was 115. phase_6() - This function does a few initial checks on the numbers inputed by the user. To see the format of how we enter the six numbers, lets set a breakpoint at read_six_numbers. Now lets take a quick look at the disassebly to see what variables are being used. The update. Lets clear all our previous breakpoints and set a new one at phase_2. Actually in this part, the answer isn't unique. sign in Given this info, it looks as though the loop is implementing a cypher. On whose turn does the fright from a terror dive end? We've made it very easy to run the service, but, some instructors may be uncomfortable with this requirement and will. You've defused the secret stage! To subscribe to this RSS feed, copy and paste this URL into your RSS reader. Learn more. Let me know if you have any questions in the comments.
Jagermeister Ingredients Allergies,
Articles B
