bomb lab phase 5 github

If you solve the phase this way, you'll actually notice that there is more than one correct solution. If you notice (the syntax will vary based on what sort of system the bomb is run on), the machine code will have some variation of a call to: 401135: be b8 25 40 00 mov $0x4025b8,%esi. Some of the pass phrases could be integers or a random set of characters; if that is the case, then the only way to figure things out is through dynamic analysis and disassembling the code. If not, then the detonation flag that was initialized to 1 is not set to low and will eventually trigger the detonate function. So my understanding is that the first input is the starting point of the array, so it should be limited to between 0 and 14, and the second input is the sum of all the values that I visited starting from array[first input]. GDB then stopped at the break before entering into the phase_1 function call. A note to the reader: for an explanation of how to set up the lab environment, see the "Introduction" section of the post. phase 2, variant "a" for phase 3, variant "c" for phase 4, and so on. There is a small grade penalty for explosions beyond 20. je 0x40106a <phase_5+104> 0x0000000000401065 <+99>: callq 0x40163d <explode_bomb> ; explode_bomb. without any ill effects. The variable being used in this comparison is $eax. Notifying Bomb: A bomb can be compiled with a NOTIFY option that causes the bomb to send a message each time the student explodes or defuses a phase. This number was 115. phase_6() - This function does a few initial checks on the numbers inputted by the user.
When you fail a phase and the bomb goes off, you probably get the string 'BOOM!!!' Assignment #3: Bomb Lab (due on Tue, Feb 21, 2023 by 11:59pm) Introduction. Good work! The source code for the different phase variants is in ./src/phases/. When the student untars this file, it creates a directory (./bomb) with: bomb* (notifying custom bomb executable), bomb.c (source code for the main bomb routine), ID (identifies the student associated with this bomb), README (lists bomb number, student, and email address). The request server also creates a directory (bomblab/bombs/bomb) with: bomb.c (source code for main routine), bomb-quiet* (a quiet version of bomb used for autograding), ID (identifies the user name assigned to this bomb), phases.c (C source code for the bomb phases), README (lists bombID, user name, and email address). Result Server: Each time a student defuses a phase or explodes their bomb, the bomb sends an HTTP message (called an autoresult string) to the result server, which then appends the message to the scoreboard log. and upon beating the stage you get the string 'Wow! (up to -6 points deducted) Each bomb explosion notification that reaches the staff results in a 1 point deduction, capped at -6 points total. Phase 1. I then continue to run the program until I am prompted for a phrase to input. The main daemon is the. Each bomb phase tests a different aspect of machine language programs: Phase 4: recursive calls and the stack discipline. Phases get progressively harder. I am currently stuck on bomb lab phase 5. Ahhhh, recursion, right? A string that could be the final string outputted when you solve stage 6 is 'Congratulations! If your Linux box crashes or reboots, simply restart the daemons with "make. * Information and error messages from the servers are appended to the "status log" in bomblab/log-status.txt.
For homework: defuse phases 2 and 3. student whose email address is and whose user name is : bomb* Custom bomb executable (handout to student), bomb.c Source code for main routine (handout to student). ', After solving stage 2, you likely get the string 'That's number 2. I found the memory position for the beginning of phase_1 and placed a break point there. You've defused the bomb!'. 3) The second parameter 'p' at the end of the loop must be equal to the %ecx register. p # Change print mode in Visual/Graph mode. 0x00401100 4989e5 mov r13, rsp. But when I put 4 1 6 5 2 3 or 3 6 1 2 5 4, it explodes. Once you have updated the configuration files, modify the LaTeX lab writeup in ./writeup/bomblab.tex for your environment. You can start and stop the autograding service as often as. Well BOOM!!! The address and stuff will vary, but . and/or the string 'The bomb has blown up.' So, I mapped out the array from element 0 to 15 and then worked backwards through it to find the element I needed to start with. is "defused." After solving stage 1 you likely get the string 'Phase 1 defused. BombID: Each bomb in a given instance of the lab has a unique, non-negative integer called the "bombID. phase_6 From the code, we can see that we first read in 6 numbers. Next, as we scan through each operation, we see that a register is being incremented at , followed by a jump-less-than statement right afterwards that takes us back up to . Once we enter the function, we can check the registers that store the first two inputs: $rdi and $rsi. It should look like this. Enter a random string and then we stop at the phase 1 position, then we try printing out the information around 0x402400. phase_3
Thus on the 14th iteration, if I needed a 6, I would need to be in the 14th index of the array on the 13th iteration, then on index 2 of the 12th iteration. Bomb Lab Write-up. The smart way of solving this phase is by actually figuring out the cypher. Thus I'm pretty confident that this will be the pass phrase for the first phase. The values came out in the following format: 0x000003b8 So if I order the nodes in ascending order, it should be 6 4 1 2 5 3, but this still wasn't the correct input. Curses, you've found the secret phase! So you got that one. f = 9. In the first block of code, the function read_six_numbers is called, which essentially confirms that there are six numbers separated by a space (as we entered in the first part of this phase). fun7 ??? CMU Bomb Lab with Radare2 Phase 1. * See src/README for more information about the anatomy of bombs and how they are constructed. I then restart the program and see if that got me through phase 1. From the above annotations, we can see that there is a loop. Which one to choose? Let's set a breakpoint at strings_not_equal. Hello world. The first number must be between 0 and 7. Let's have a look at the phase_4 function. First, to figure out that the program wants a string as an input. In memory there is a 16 element array of the numbers 0-15. Phase 1 is sort of the "Hello World" of the Bomb Lab. (**Please feel free to fork or star if helpful!) solution to each bomb is available to the instructor. Here is Phase 4. Upon entry to that secret stage you likely get the string 'Curses, you've found the secret phase!' Such bombs are called "notifying bombs. initialize_bomb
Each phase reads a line from the standard input. The idea is to understand what each assembly statement does, and then use this knowledge to infer the defusing string. phase_2 Phase 1: There are two main ways of getting the answer. greatwhite.ics.cs.cmu.edu These look like they could pertain to the various phases of the bomb. There are no explicit handins and the lab is self-grading. Next, the student fills in this form with their user name and email address, and then submits the form. I will likely take another shot at figuring out exactly how to come up with the solution by following the implemented logic, but I eventually brute forced it, which took a whole 30 seconds to figure out. Congratulations! 0000000000401062 <phase_5>: 401062: 53 push %rbx 401063: 48 83 ec 20 sub $0x20,%rsp 401067: 48 89 fb mov %rdi,%rbx 40106a: . It's a great. So far from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. The other option for offering an offline lab is to use the makebomb.pl script to build a unique quiet custom bomb for each, linux> ./makebomb.pl -i -s ./src -b ./bombs -l bomblab -u -v , This will create a quiet custom bomb in ./bombs/bomb for the. You create a table using the method above, and then you get the answer to be "ionefg". Then we take a look at the assembly code above, where we see one register eax and an address 0x402400.
Let's do the standard disas command to see the assembly of the function. makoshark.ics.cs.cmu.edu, Dunno, let's just get a static printout of the disassembled code and see what comes out. If you accidentally kill one of the daemons, or you modify a daemon, or the daemon dies for some reason, then use "make stop" to clean up, and then restart with "make start". There are various versions of this challenge scattered across . I also wanted to see groupings of strings that may have similar prefixes, so I sorted the strings program output and looked for anything interesting in that manner. Load the binary, perform analysis, seek to Phase 6, and have a look at your task. You have 6 phases with which to blow yourself up. node3 Alternative paths? phase_2 First things first, we can see from the call to at and the subsequent jump-equal statement that our string should be six characters long. From this, we can deduce that the input for phase_2 should be 1 2 4 8 16 32. Your goal is to set breakpoints and step through the binary code using gdb to figure out the program inputs that defuse the bombs (and make you gain points). I found: initialize_bomb Going through func4, we get the value of d at 400ff7 and 400fe2 to be (14 + 0) >> 1 = 7. It is useful to check the values of these registers before/after entering a function. So you think you can stop the bomb with ctrl-c, do you?' I hope it's helpful. Custom notifying bombs are constrained to run on a specific set of Linux hosts determined by the instructor. In this part, we are given two functions, phase_4() and func4().
phase_defused The function then takes the address of the memory location within the array indexed by the second user input and places it in the empty adjacent element designated by the first user input. read_six_numbers At the onset of the program you get the string 'Welcome to my fiendish little bomb. Option 1: The simplest approach for offering the offline Bomb Lab is. The Bomb Lab teaches students principles of machine-level programs, as well as general debugger and reverse, A "binary bomb" is a Linux executable C program that consists of six "phases." Considering this line of code. There exists a linked list structure under these codes. Informal Explanations of Phases 1 through 6: I have spent approximately 26 hours on this assignment. Can you help me please? Using layout asm, we can see the assembly code as we step through the program. Enter disas and you will get a chunk of assembly for the function phase_1, which we put our breakpoint at. (Add 16 each time) ecx is compared to rsp, which is 15, so we need ecx to equal 15. $ecx is the output of the loop. Values attached to letters based on testing: The previous output from the strings program was written to stdout in the order that the strings are found in the binary. We can now see the assembly code. sig_handler offline version, you can ignore most of these settings. In this part we use objdump to get the assembly code. Based on the first user-inputted number, you enter into that indexed element of the array, which then gives you the index of the next element in the array, etc. Phase 4: recursive calls and the stack discipline. The key part is the latter one.
Identify the generic Linux machine ($SERVER_NAME) where you will create the Bomb Lab directory (./bomblab) and, if you are offering the online version, run the autograding service. Ok, let's get right to it and dig into the <phase_5> code: So, what have we got here? I don't want to go through either solution all the way here, since the first one is a no-brainer and the second one is a little complicated. So, what do we know about phase 5 so far? @Jester so I looked at your reply to another question which is extremely similar to my question, actually the same exact question. Give 0 to ebp-8, which is used as the loop condition. 1 2 6 24 120 720 0 q 777 9 opukma 4 2 6 3 1 5 output Welcome to my fiendish little bomb. A binary bomb is a program that consists of a . As an experienced engineer, I believe you can figure out that there are two arguments, each of which should be integers. Segmentation fault in attack lab phase5. Although the problems differ from each other, the main methods we take are totally the same. Each binary bomb is a program running a sequence of phases. Quiet Bomb: If compiled with the NONOTIFY option, then the bomb doesn't send any messages when it explodes or is defused. I don't want to run the program/"pull the pin" on the bomb by running it, so this tells me that there are likely 6 stages to the bomb. phase_4 I will list some transitions here: The ASCII codes of "flyers" should be "102, 108, 121, 101, 114, 115". DrEvil. This part is really long. In this write-up, I will show you how I solve the bomb lab challenge. Now you can see there are a few loops. Is it true that the first input has to be 5, 21, 37, etc? phase_1 a = 10 a user account on this machine.
We can see that the last line shouldn't be contained in this switch structure, while the first four should be.
Dump of assembler code for function phase_5:
0x0000000000401002 <+0>: sub $0x18,%rsp ; rsp = rsp - 24
0x0000000000401006 <+4>: lea 0x8(%rsp),%rcx ; rcx = rsp + 8 (address of second output argument)
0x000000000040100b <+9>: lea 0xc(%rsp),%rdx ; rdx = rsp + 12 (address of first output argument)
0x0000000000401010 <+14>: mov $0x401ebe,%esi ; esi = "%d %d"
0x0000000000401015 <+19>: mov $0x0,%eax ; eax = 0
0x000000000040101a <+24>: callq 0x400ab0 <__isoc99_sscanf@plt>
0x000000000040101f <+29>: cmp $0x1,%eax ; if (eax > 1) goto 0x401029
0x0000000000401022 <+32>: jg 0x401029
0x0000000000401024 <+34>: callq 0x40163d ; if (eax <= 1) explode_bomb()
0x0000000000401029 <+39>: mov 0xc(%rsp),%eax ; eax = *(rsp + 12) ::function parameter
0x000000000040102d <+43>: and $0xf,%eax ; eax = eax & 0xf (low 4 bits)
0x0000000000401030 <+46>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax
0x0000000000401034 <+50>: cmp $0xf,%eax ; if (eax == 0xf) explode_bomb()
0x0000000000401037 <+53>: je 0x401065
0x0000000000401039 <+55>: mov $0x0,%ecx ; ecx = 0
0x000000000040103e <+60>: mov $0x0,%edx ; edx = 0
0x0000000000401043 <+65>: add $0x1,%edx ; edx = edx + 0x1
0x0000000000401046 <+68>: cltq ; sign extend eax to quadword (rax)
0x0000000000401048 <+70>: mov 0x401ba0(,%rax,4),%eax ; eax = *(rax * 4 + 0x401ba0)
0x000000000040104f <+77>: add %eax,%ecx ; ecx = ecx + eax
0x0000000000401051 <+79>: cmp $0xf,%eax ; if (eax != 0xf) goto 0x401043 (inc edx)
0x0000000000401054 <+82>: jne 0x401043
0x0000000000401056 <+84>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax
0x000000000040105a <+88>: cmp $0xc,%edx ; if (edx != 12) explode_bomb()
0x000000000040105d <+91>: jne 0x401065
0x000000000040105f <+93>: cmp 0x8(%rsp),%ecx ; if (ecx == *(rsp + 8)) goto 0x40106a
0x0000000000401063 <+97>: je 0x40106a
0x0000000000401065 <+99>: callq 0x40163d ; explode_bomb()
0x000000000040106a <+104>: add $0x18,%rsp ; rsp = rsp + 24
0x000000000040106e <+108>: retq ; return
--------------------------------------------------------------------------------
Defusing the binary bomb. phase_2 You've defused the secret stage!'. Actually I'm not that patient and I didn't go through this part on my own. The request server builds the bomb, archives it in a tar file, and then uploads the resulting tar file back to the browser, where it can be saved on disk and untarred. Phase 3: conditionals/switches. Type "./makebomb.pl -h" to see its arguments. In this version of the lab, you build your own quiet bombs manually and then hand them out to the students. On line <phase_4+16>, the <phase_4> function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made. by hand by running their custom bomb against their solution: For both Option 1 and Option 2, the makebomb.pl script randomly chooses the variant ("a", "b", or "c") for each phase. There are many things going on with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard-coded constants. Now let's take a quick look at the disassembly to see what variables are being used. Then you can solve this problem by making a table (yeah, it may seem silly, but I think it's the most convenient way). main Details on Grading for Bomb Lab. Next, as we scan through each operation, we see that a register is being . Control-l can be used to refresh the UI whenever it inevitably becomes distorted. You'll only need to have. The report daemon finds the most recent defusing string submitted by each student for each phase, and validates these strings by applying them to a local copy of the student's bomb. srveaw is pretty far off from abcdef.
For lab: defuse phase 1. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. # Copyright (c) 2002-2013, R. Bryant and D. O'Hallaron. This directory contains the files that you will use to build and run the CS:APP Bomb Lab. I inputted the word 'blah' and continued to run the program. Halfway there! If so, put zero in %eax and return. Let's clear all our previous breakpoints and set a new one at phase_2. Analysis of CME bomb lab program in linux using dbg, objdump, and strings. The Hardware/Software Interface - UWA @ Coursera. At any point in time, the tab-delimited file (./bomblab/scores.txt) contains the most recent scores for each student. This post walks through CMU's bomb lab, which involves defusing a bomb by finding the correct inputs to successive phases in a binary executable using GDB. The update. I then did the same for the possible second pointer argument, which would be in %rsi, with x/s $rsi and get 'When I get angry, Mr. Bigglesworth gets upset.'. phase_5() - This function requires you to go backwards through an array of numbers to crack the code. If the first character in the input string is anything but a zero, then the detonation flag is set to low and passed out of the function. The request server also creates a copy of the bomb and its, - Result Server (bomblab-resultd.pl). Help/Collaboration: I received no outside help with this bomb, other than. frequency is a configuration variable in Bomblab.pm. OK. :-) phase_defused() - So this function implements stack protection by adding, checking, and removing a canary. Let's use blah again as our input for phase_2. The numbers you enter are actually used to sort a linked list. A loop is occurring. I used a Linux machine running x86_64. How about the next one?
When in doubt "make stop; make start". However, resetting the lab deletes all old bombs, status logs, and the scoreboard log. phase_1 Become familiar with Linux VM and Linux command-line; use and navigate through the gdb debugger to examine memory and registers, view assembly code, and set breakpoints within the gdb debugger; read and understand low level assembly code. The second number is simply linked to the first number: 0 must be followed by 704, 1 by 848, 2 by 736, 3 by 346, 4 by 607, 5 by 147, 6 by 832, and 7 by 536. This continues through all the user-inputted indices and finally places the value zero in the last remaining empty element in the array. daemon that starts and nannies the other programs in the service, checking their status every few seconds and restarting them if, (3) Stopping the Bomb Lab. int numArray[15] = {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6}; int readOK; /** number of elements successfully read **/. This is the phase 5 of attack lab in my software security class. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. I'm trying to trace through this, but I'm struggling a little. You will hand out four of these files to the student: bomb, bomb.c, ID, Each student will hand in their solution file, which you can validate. Phase 1 defused. Then you set a breakpoint at 4010b3 and find the target string to be "flyers". As a next step, let's input the test string abcdef and take a look at what the loop does to it.
Well Request Server: The request server is a simple special-purpose HTTP server that (1) builds and delivers custom bombs to student browsers on demand, and (2) displays the current state of the real-time, A student requests a bomb from the request daemon in two steps: First, the student points their favorite browser at, For example, http://foo.cs.cmu.edu:15213/. Each line is annotated. At the . You encounter a loop and you can't easily find out what it is doing. string_length() - This function first checks to see that the passed character pointer in %rdi is not null terminated. Try this one.'. It is important to step the test numbers in some way so you know which order they are in. If the two strings are of the same length, then it looks to see that the first inputted character is a non-zero (anything but a zero). From here, we have two ways to solve this phase, a dumb way and a smart way. Then we can get the range of the first argument from the line. If you are offering the. As we have learned from the past phases, fixed values are almost always important. I choose the first argument as 1 and then the second one should be 311. Bomb explosions. What I know so far: first input cannot be 15, 31, 47, etc. Bomb Lab: Phase 5. The following lines are annotated. So, the values of node1 to node6 are f6, 304, b7, eb, 21f, 150. phase_defused We can inspect its structure directly using gdb. For each bomb, it tallies the number of explosions and the last defused phase, validates each last defused phase using a quiet copy of the bomb, and computes a score for each student in a tab-delimited text file called "scores.txt."
If not null terminated, then preserve the originally passed pointer argument by copying it to %rdx. correctly, else you and your students won't be able to run your bombs. The request server responds by sending an HTML form back to the browser. If the event was a defusion, the message also contains the "defusing string" that the student typed to defuse the, Report Daemon: The report daemon periodically scans the scoreboard log and updates the Web scoreboard. The bomb is defused . For example, after a function has finished executing, this command can be used to check the value of $rax to see the function output. phase_defused. If the student enters the expected string, then that phase. From this mapping table, we can figure out the un-cyphered version of giants. When in doubt "make stop; make start" will get everything in a stable state. Each phase expects you to type a particular string. The second input had to be an 11, because the phase_4 code did a simple compare, nothing special. The problem requires that the return value of func4 should also be zero. Nothing special other than the first number acting like a selector of jump paths to a linked second number. Evil has created a slew of "binary bombs" for our class. this is binary bomb lab phase 5. I didn't solve phase 5. As we can see, it is fairly obvious that there is a loop somewhere in this function (by following the arrows). Each bomb phase tests a different aspect of machine language programs: Phase 1: string comparison. read_six_numbers() - Checks that the user inputted at least 6 numbers, and if fewer than 6 numbers then detonates the bomb. In order to solve the cypher, take a look at %esi and you'll find an array of characters stored there, where each character has an index. changeme.edu
Students download their bombs and display the scoreboard by pointing a browser at a simple HTTP server called the "request server." instructor builds, hands out, and grades the student bombs manually, While both versions give the students a rich experience, we recommend the online version. After looking at the static Main() code, I've got a reasonable understanding of the gross control flow through this program; now let's do a more dynamic analysis with GDB. Could this mean alternative endings? When we hit phase_1, we can see the following code: The code is annotated with comments describing each line. because it is too easy for the students to cheat. phase_6 Phase 5 reads in two numbers, the first of which is used as a starting point within a sequence of numbers. Understanding Bomb Lab Phase 5 (two integer input), https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. Instructors and students view the scoreboard by pointing their, The online Bomb Lab is self-grading. Then you get the answer to be the pair (7, 0). Try this one. I tried many methods of solution on the internet. Phase 1 defused. DePaul University - System I - Winter 2017, **Note: I made this repo with the intent to help others solve their own Bomb Labs. I should say the first half of the code is plain. !", deducting points from your problem set grade, and then terminating. When I get angry, Mr. Bigglesworth gets upset. It also might be easier to visualize the operations by using an online disassembler like https://onlinedisassembler.com/ to see a full graph.
