I don't want to go through either solution all the way here, since the first one is a no-brainer and the second one is a little complicated. Enter disas and you will get a chunk of assembly for the function phase_1, which we put our breakpoint at. To build a single generic bomb that every student attempts to defuse: This will create a generic bomb and some other files in ./bombs/bomb0: bomb* Generic bomb executable (hand out to students), bomb.c Source code for main routine (hand out to students). You will hand out only two of these files to the students: ./bomb and ./bomb.c. The students will hand in their solution files, which you can validate. This option is easy for the instructor, but we don't recommend it. I found various strings of interest. CMU Bomb Lab with Radare2 Phase 1. 10 January 2015. Let's start with when it calls sym.read_six_numbers. To see the format of how we enter the six numbers, let's set a breakpoint at read_six_numbers. Specifically: That's number 2. gdb ./bomb -q -x ~/gdbCfg. GET /%s/submitr.pl/?userid=%s&lab=%s&result=%s&submit=submit HTTP/1.0 not 0, 1, 5, 6, 7, 8, 9, 10, 11, 12, 898, 1587, number is between 0 and 14 using comparison statement. Solved: this is binary bomb lab phase 5. I didn't solve phase - Chegg. This second phase deals with numbers, so let's try to enter the array of numbers 0 1 2 3 4 5. read_line I am currently stuck on bomb lab phase 5. A clear, concise, correct answer will earn full credit. From the first few lines, we guess that there are two arguments to enter. On a roll! The Hardware/Software Interface - UWA @ Coursera. Mar 19, . This works just fine, and I invite you to try it. is "defused." makoshark.ics.cs.cmu.edu. Dunno, let's just get a static printout of the disassembled code and see what comes out. Phase 4: recursive calls and the stack discipline.
I then continue to run the program until I am prompted for a phrase to input. Let's do the standard disas command to see the assembly of the function. So a should be 7, too. So, possible codes would be 1, 2, 4, 7, 11, 16 or 21, 22, 24, 27, 11, 16. Become familiar with the Linux VM and Linux command line; use and navigate through the gdb debugger to examine memory and registers, view assembly code, and set breakpoints within the gdb debugger; read and understand low-level assembly code. Given that our string is 6 characters long, it makes sense to assume that the function is iterating over each character in the loop and presumably doing something to them. When in doubt, "make stop; make start" will get everything in a stable state. Let's now set a breakpoint at phase_3. The "main daemon" starts and nannies the request server, result server, and report daemon, ensuring that exactly one of these processes (and itself) is running at any point in time. Knowing that scanf() takes in a string format as its input, let's break right before scanf() is called and check the value of $esi. I know that due to x86-64 calling conventions on programs compiled with GCC, %rdi and %rsi may contain pointers to the words to compare. If so, pass the counter back to the calling function; else continue the incrementing loop through the string pointer until it hits null termination. If that function fails, it calls explode_bomb to the left. Changing the second input does not affect the ecx. We can see that the last line shouldn't be contained in this switch structure, while the first four should be. Thus I'm pretty confident that this will be the pass phrase for the first phase. The problem requires that the return value of func4 should also be zero.
Bomb Lab - Hang's Blog. Defusing the binary bomb - Myst!qu3 S@lt. You can tell makebomb.pl to use a specific variant by using the "-p" option. Have a nice day! Due to address randomization and a non-executable stack, we are supposed to use Return Oriented Programming (ROP) to pass the string pointer of a given cookie value as an argument to a function called touch3. First things first, we can see from the call to at and the subsequent jump-equal statement that our string should be six characters long. Identify the generic Linux machine ($SERVER_NAME) where you will create the Bomb Lab directory (./bomblab) and, if you are offering the online version, run the autograding service. readOK = sscanf(cString, "%d %d", &p, &q); --------------------------------------------------------. Now let's get started with Phase 1! Here is Phase 6. Can you help me please? Make sure you update this. phase_3 The makebomb.pl script also generates the bomb's solution. 1 first, so gdb is the most recent available version of GDB. initialize_bomb_solve Then we encounter an optimized switch expression. Then we can get the range of the first argument from the line. Former New York University and Peking University student. Each element in the array has an empty element directly adjacent to it. phase_5 Then you set a breakpoint at 4010b3 and find the target string to be "flyers". The user input is then 4 5 1 6 2 3. We can see that our string input blah is being compared with the string Border relations with Canada have never been better. Each of you will work with a special "binary bomb". Also note that the binary follows the AT&T syntax, so instruction operands are reversed (e.g. When prompted, enter the command 'c' to continue.
Second, each progressive number in the code series entered by the user must be 1 larger than the next. Bomb Lab. Solve a total of 6 phases to defuse the bomb. Regardless, the first user-entered value had to be less than or equal to 14 and had to spit out an 11 after its computation. In order to do this you must look at the various integers within the array and then place them in ascending order by the index of those integer-containing elements. e = 16
Dump of assembler code for function phase_5:
0x0000000000401002 <+0>:   sub    $0x18,%rsp              ; rsp = rsp - 24
0x0000000000401006 <+4>:   lea    0x8(%rsp),%rcx          ; rcx = rsp + 8 (address of a local, passed to sscanf)
0x000000000040100b <+9>:   lea    0xc(%rsp),%rdx          ; rdx = rsp + 12 (address of a local, passed to sscanf)
0x0000000000401010 <+14>:  mov    $0x401ebe,%esi          ; esi = "%d %d"
0x0000000000401015 <+19>:  mov    $0x0,%eax               ; eax = 0
0x000000000040101a <+24>:  callq  0x400ab0 <__isoc99_sscanf@plt>
0x000000000040101f <+29>:  cmp    $0x1,%eax               ; if (eax > 1) goto 0x401029
0x0000000000401022 <+32>:  jg     0x401029
0x0000000000401024 <+34>:  callq  0x40163d                ; if (eax <= 1) explode_bomb()
0x0000000000401029 <+39>:  mov    0xc(%rsp),%eax          ; eax = *(rsp + 12) :: function parameter
0x000000000040102d <+43>:  and    $0xf,%eax               ; eax = eax & 0xf (low 4 bits)
0x0000000000401030 <+46>:  mov    %eax,0xc(%rsp)          ; *(rsp + 12) = eax
0x0000000000401034 <+50>:  cmp    $0xf,%eax               ; if (eax == 0xf) explode_bomb()
0x0000000000401037 <+53>:  je     0x401065
0x0000000000401039 <+55>:  mov    $0x0,%ecx               ; ecx = 0
0x000000000040103e <+60>:  mov    $0x0,%edx               ; edx = 0
0x0000000000401043 <+65>:  add    $0x1,%edx               ; edx = edx + 0x1
0x0000000000401046 <+68>:  cltq                           ; sign extend eax to quadword (rax)
0x0000000000401048 <+70>:  mov    0x401ba0(,%rax,4),%eax  ; eax = *(rax * 4 + 0x401ba0)
0x000000000040104f <+77>:  add    %eax,%ecx               ; ecx = ecx + eax
0x0000000000401051 <+79>:  cmp    $0xf,%eax               ; if (eax != 0xf) goto 0x401043 (inc edx)
0x0000000000401054 <+82>:  jne    0x401043
0x0000000000401056 <+84>:  mov    %eax,0xc(%rsp)          ; *(rsp + 12) = eax
0x000000000040105a <+88>:  cmp    $0xc,%edx               ; if (edx != 12) explode_bomb()
0x000000000040105d <+91>:  jne    0x401065
0x000000000040105f <+93>:  cmp    0x8(%rsp),%ecx          ; if (ecx == *(rsp + 8)) goto 0x40106a
0x0000000000401063 <+97>:  je     0x40106a
0x0000000000401065 <+99>:  callq  0x40163d                ; explode_bomb()
0x000000000040106a <+104>: add    $0x18,%rsp              ; rsp = rsp + 24
0x000000000040106e <+108>: retq                           ; return
--------------------------------------------------------------------------------
A note to the reader: for an explanation of how to set up the lab environment, see the "Introduction" section of the post. Each message contains a BombID, a phase, and an indication of the event that occurred. Each binary bomb is a program running a sequence of phases. If you are offering the online version, you will also need to edit ./src/config.h - This file lists the domain names of the hosts that notifying bombs are allowed to run on. The third bomb is about the switch expression. On line <phase_4+16>, the <phase_4> function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made. Thus the memory array contains an element that holds an integer, followed by an element that holds a memory location (within the same array) of one of the integers, followed by another integer, and then another memory location from within the array, etc., until the end of the array. ', After solving stage 3 you likely get the string 'Halfway there! As we have learned from the past phases, fixed values are almost always important. Enter a random string and then we stop at the phase 1 position; then we try printing out the information around 0x402400. Halfway there!
Next it takes the address of the memory location within the array indexed by the third user input and places it in the empty adjacent element designated by the second user input. CMU Bomb Lab with Radare2 Phase 5 | by Mark Higgins - Medium. Binary Bomb Lab :: Phase 1 - Zach Alexander. And, as you can see at structure, the loop iterates 6 times. Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion. Otherwise the bomb "explodes" by printing "BOOM!!!". You will hand out four of these files to the student: bomb, bomb.c, ID, Each student will hand in their solution file, which you can validate. If the event was a defusion, the message also contains the "defusing string" that the student typed to defuse the, Report Daemon: The report daemon periodically scans the scoreboard log and updates the Web scoreboard. When you fail a phase and the bomb goes off, you probably get the string 'BOOM!!!' Your goal is to set breakpoints and step through the binary code using gdb to figure out the program inputs that defuse the bombs (and make you gain points). Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Each phase expects the student to enter a particular string on stdin. ", - Report Daemon (bomblab-reportd.pl). Segmentation fault in attack lab phase5. Each bomb phase tests a different aspect of machine language programs: Phase 1: string comparison. If not null terminated, then preserve the originally passed pointer argument by copying it to %rdx. Wow! correctly, else you and your students won't be able to run your bombs.
The autograding service consists of four user-level programs that run, - Request Server (bomblab-requestd.pl). So we can plug in 6 d characters and get a valid comparison! There are many things going on, with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard-coded constants. This post walks through the first 3 phases of the lab. I know there have to be 6 numbers, in the range 1-6, and there can't be any repeats. If the student enters the expected string, then that phase. Maybe function names or labels? CSAPP-Labs/README-bomblab at master - Github. Let's enter a test string to let the program hit our breakpoint. Our input has to be a string of 6 characters; the function accepts this 6-character string and loops over each character in it; the result of the loop is compared to a fixed string, and if they're equal, the bomb doesn't explode. manually. ", Notifying Bomb: A bomb can be compiled with a NOTIFY option that causes the bomb to send a message each time the student explodes or defuses a phase. In memory there is a 16-element array of the numbers 0-15. Before the lab goes live, you'll want to request a few bombs for yourself, run them, defuse a few phases, explode a few phases, and make sure that the results are displayed properly on the scoreboard. If one of these processes dies for some reason, the main daemon detects this and automatically restarts it. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. For homework: defuse phases 2 and 3. This question is based on the same project as the other Binary Bomb Phase 6 questions (most likely will be related links), but for some reason I can't find the nodes themselves, to check their incr.
sig_handler phase_4() - In this phase you are dealing with a recursively called function. What I know so far: the first input cannot be 15, 31, 47, etc. 0x00401100 4989e5 mov r13, rsp. 1) We have to find that number 'q' which will cause 12 (twelve) iterations. Phase 3: conditionals/switches. Option 2. Assignment #3: Bomb Lab (due on Tue, Feb 21, 2023 by 11:59pm) Introduction. The bomb explodes if the number calculated by this function does not equal 49.
The ./bomblab directory contains the following files:
Makefile - For starting/stopping the lab and cleaning files
bomblab.pl* - Main daemon that nannies the other servers & daemons
Bomblab.pm - Bomblab configuration file
bomblab-reportd.pl* - Report daemon that continuously updates scoreboard
bomblab-requestd.pl* - Request server that serves bombs to students
bomblab-resultd.pl* - Result server that gets autoresult strings from bombs
bomblab-scoreboard.html - Real-time Web scoreboard
bomblab-update.pl* - Helper to bomblab-reportd.pl that updates scoreboard
bombs/ - Contains the bombs sent to each student
log-status.txt - Status log with msgs from various servers and daemons
log.txt - Scoreboard log of autoresults received from bombs
makebomb.pl* - Helper script that builds a bomb
scores.txt - Summarizes current scoreboard scores for each student
src/ - The bomb source files
writeup/ - Sample Latex Bomb Lab writeup
LabID: Each instance (offering) of the lab is identified by a unique name, e.g., "f12" or "s13", that the instructor chooses. When I get angry, Mr. Bigglesworth gets upset. If the two strings are of the same length, then it looks to see that the first entered character is non-zero (anything but a zero). Well, I'm getting a feeling that the author wants you to really have to work to get through some of these functions.
cse351/solution-explanation-of-phase-5.text at master - Github. Subtract the original pointer from %eax and get the running total of the string. Let's create our breakpoints to make sure nothing gets sent to the gradebook! Evil has created a slew of "binary bombs" for our class. You've defused the bomb! phase 2, variant "a" for phase 3, variant "c" for phase 4, and so on. The source code for the different phase variants is in ./src/phases/.
(gdb) i r
rax            0x603bf0         6306800
rbx            0x0              0
rcx            0xb              11
rdx            0x603bf0         6306800
rsi            0x1              1
rdi            0x603bf0         6306800
rbp            0x402140         0x402140 <__libc_csu_init>
rsp            0x7fffffffdea8   0x7fffffffdea8
r8             0x60567c         6313596
r9             0x7ffff7fe8500   140737354040576
r10            0x7ffff7fe8500   140737354040576
r11            0x246            582
r12            0x400c00         4197376
r13            0x7fffffffdf90   140737488347024
r14            0x0              0
r15            0x0              0
rip            0x400e49         0x400e49 <phase_2>
eflags .
OK. :-) I'm guessing that this function will likely compare the string that I entered to some string stored in memory somewhere. Some of the pass phrases could be integers, or a random set of characters; if that is the case, then the only way to figure things out is through dynamic analysis and disassembling the code. Then enter this command. On the bright side, at least now we know that our string should come out of the loop as giants. Use arg1 and address ebp-0x20 as arguments of function read_six_numbers. !", deducting points from your problem set grade, and then terminating. I know b7 < eb < f6 < 150 < 21f < 304, so the order of nodes should be 3 0 5 4 1 2 (or 2 5 0 1 4 3 - in ascending order) and I should add +1 to all numbers. frequency is a configuration variable in Bomblab.pm. Software engineer at Amazon. So you got that one. skip It should look like this. You won't be able to validate the students' handins.
Based on the output, our input string is being run into the function with the string I can see Russia from my . However, you do need to handle recursion actually. It is clearly the most compelling and fun for the students, and the easiest for the instructor to grade. b = 6 sc2225/Bomb-Lab - Github. We can get the full assembly code using an object dump: objdump -d path/to/binary > temp.txt. Let's get started by creating both a breakpoint for explode_bomb and phase_2. Here are the directions for offering both versions of the lab. "make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such as the status log, all bombs created by the request server, and the scoreboard log. Looks like it wants 2 numbers and a character this time. greatwhite.ics.cs.cmu.edu I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. CSO1 - Bomb lab. The variable being used in this comparison is $eax. mov a b moves data from a to b, as opposed to b to a). angelshark.ics.cs.cmu.edu We can see that the function is being called which, as the name implies, compares two strings. your answer turns out to be 21 115, The solution is: 5 115. They will likely be either 'Good work! From the above comments, we deduce that we want to input two space-separated integers. Explosions and defusions from bombs whose LabIDs are different from the current LabID are ignored. BOOM!!! I will omit this part here; you can refer to this document. I will list some transitions here: The ASCII codes of "flyers" should be "102, 108, 121, 101, 114, 115". f7 ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 a1 ff ff ff callq 40143a , fc ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 c7 fb ff ff callq 400bf0 <__isoc99_sscanf@plt>, fa ff ff callq 400b30 <__stack_chk_fail@plt>. Using gdb we can confirm our guess.
Given that you ultimately needed to have the element containing 0xf to exit after 15 iterations, I saw that f was at array element index 6. Phase 1. Each variable is preceded by a descriptive comment. There are two basic flavors of Bomb Lab: In the "online" version, the instructor uses the autograding service to hand out a custom notifying bomb to each student on demand, and to automatically track their progress on the real-time scoreboard. I also wanted to see groupings of strings that may have similar prefixes, and so I sorted the strings program output and looked for anything interesting in that manner. phase_5 Untar your specific file and let's get started! @Jester so I looked at your reply to another question which is extremely similar to my question, actually the same exact question. If your Linux box crashes or reboots, simply restart the daemons with "make, * Information and error messages from the servers are appended to the "status log" in bomblab/log-status.txt. At the onset of the program you get the string 'Welcome to my fiendish little bomb. The main daemon is the. Please feel free to fork or star this repo if you find it helpful!*** It appears that there may be a secret stage. Moreover, it's obvious that the second one must be zero, being aware of the line, so the problem becomes easier. The request server builds the bomb, archives it in a tar file, and then uploads the resulting tar file back to the browser, where it can be saved on disk and untarred. phase_5() - This function requires you to go backwards through an array of numbers to crack the code. How about the next one? In Bomb Lab phase_6, what are the appropriate steps to take after I func4 ???
read_six_numbers() - Checks that the user entered at least 6 numbers, and if fewer than 6 numbers, detonates the bomb. Guide and work-through for System I's Bomb Lab at DePaul University. Actually I'm not that patient and I didn't go through this part on my own. Thus, the second number in the series must be 1 greater than the first number, the third number in the series must be 2 larger than the second number, etc. You will get full credit for defusing phases 2 and 3 with fewer than 30 explosions. Here are a few useful commands that are worth highlighting: This command divides the screen into two parts: the command console and a graphical view of the assembly code as you step through it. * Before going live with the students, we like to check everything out by running some tests. node6 Let's set a breakpoint at strings_not_equal. Answers that are vague, inaccurate, or . Any numbers entered after the first 6 can be anything. Let's use that address in memory and see what it contains as a string. Bomblab - William & Mary. Increment %rdx by 1 to point to the next character byte and move it to %eax. In order to determine the comparisons used, it will be useful to look up or know Jumps Based on Signed Comparisons. A binary bomb is a program that consists of a sequence of phases. f = 9. @cinos hi, I had the same problem, I couldn't understand; I must have ecx 15 too, but I couldn't figure it out. There are various versions of this challenge scattered across . $ecx is the output of the loop. Values attached to letters based on testing: You've defused the secret stage!'. The first number must be between 0 and 7.
Finally, we can see down at the bottom of the function that is being called after the contents of %eax and the fixed address 0x804980b have been pushed onto the stack. These lines indicate that if the first argument equals the last one (right before this line), then we get 0. You've defused the bomb!'. Using layout asm, we can see the assembly code as we step through the program. The first thing I did was to search the binary using strings to see if there was anything interesting that pops out. The address and stuff will vary, but . This is phase 5 of the attack lab in my software security class. To begin, we first edit our gdbCfg file. Bomb explosions. This command prints data stored at a register or memory address. First, to figure out that the program wants a string as an input. Regardless, I'm not falling for it this time. (sorted smallest to largest gives you the answer). See also: getSubSequenceCount Interview Question. As we can see, it is fairly obvious that there is a loop somewhere in this function (by following the arrows). phase_1 string_length You encounter a loop and you can't easily find out what it is doing. student whose email address is and whose user name is : bomb* Custom bomb executable (hand out to student), bomb.c Source code for main routine (hand out to student). In the first block of code, the function read_six_numbers is called, which essentially confirms that there are six numbers separated by a space (as we entered in the first part of this phase). After solving stage 1 you likely get the string 'Phase 1 defused. Try this one.
The code must be at least six numbers long or else the bomb detonates. strings_not_equal Q. Help with Binary Bomb Lab Phase 6 : r/learnprogramming - Reddit. Ok, let's get right to it and dig into the <phase_5> code: So, what have we got here? You have 6 phases with this is binary bomb lab phase 5. I didn't solve phase 5. Each phase expects you to type a particular string. Video on steps to complete phase one of the lab. If y'all real, hit that subscribe button lmao. Okay, we know it works. The key part is the latter one. Stepping through the code with the GDB debugger I can say plenty about the various functions called in this program:
