Firstly, let's have a look at the asm code. Increment %rdx by 1 to point to the next character byte and move to %eax. Here is Phase 5. strings_not_equal Dump of assembler code for function phase_5: 0x0000000000401002 <+0>: sub $0x18,%rsp ; rsp = rsp - 24, 0x0000000000401006 <+4>: lea 0x8(%rsp),%rcx ; rcx = *(rsp + 8) (function argument), 0x000000000040100b <+9>: lea 0xc(%rsp),%rdx ; rdx = *(rsp + 12) (function argument), 0x0000000000401010 <+14>: mov $0x401ebe,%esi ; esi = "%d %d", 0x0000000000401015 <+19>: mov $0x0,%eax ; eax = 0, 0x000000000040101a <+24>: callq 0x400ab0 <__isoc99_sscanf@plt>, 0x000000000040101f <+29>: cmp $0x1,%eax ; if (eax > 1) goto 0x401029, 0x0000000000401022 <+32>: jg 0x401029 , 0x0000000000401024 <+34>: callq 0x40163d ; if (eax <= 1) explode_bomb(), 0x0000000000401029 <+39>: mov 0xc(%rsp),%eax ; eax = *(rsp + 12) ::function parameter, 0x000000000040102d <+43>: and $0xf,%eax ; eax = eax & 0xf (last 2 bits), 0x0000000000401030 <+46>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax, 0x0000000000401034 <+50>: cmp $0xf,%eax ; if (eax == 0xf) explode_bomb(), 0x0000000000401037 <+53>: je 0x401065 , 0x0000000000401039 <+55>: mov $0x0,%ecx ; ecx = 0, 0x000000000040103e <+60>: mov $0x0,%edx ; edx = 0, 0x0000000000401043 <+65>: add $0x1,%edx ; edx = edx + 0x1, 0x0000000000401046 <+68>: cltq ; sign extend eax to quadword (rax), 0x0000000000401048 <+70>: mov 0x401ba0(,%rax,4),%eax ; eax = *(rax * 4 + 0x401ba0), 0x000000000040104f <+77>: add %eax,%ecx ; ecx = ecx + eax, 0x0000000000401051 <+79>: cmp $0xf,%eax ; if (eax != 0xf) goto 0x401043 (inc edx), 0x0000000000401054 <+82>: jne 0x401043 , 0x0000000000401056 <+84>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax, 0x000000000040105a <+88>: cmp $0xc,%edx ; if (edx != 12) explode_bomb(), 0x000000000040105d <+91>: jne 0x401065 , 0x000000000040105f <+93>: cmp 0x8(%rsp),%ecx ; if (ecx == *(rsp + 8)) goto 0x40106a, 0x0000000000401063 <+97>: je 0x40106a , 0x0000000000401065 <+99>: callq 0x40163d ; explode_bomb(), 0x000000000040106a <+104>: add $0x18,%rsp ; rsp = rsp + 24, 0x000000000040106e <+108>: retq ; return, --------------------------------------------------------------------------------. So, the value of node1 to node6 are f6, 304, b7, eb, 21f, 150. 10 January 2015. Informal Explanations of Phases 1 through 6: I have spent approximately 26 hours on this assignment. sign in I cannot describe the question better . You won't be able, to validate the students handins. You just pass through the function and it does nothing. Could there be a randomization of stages or two planned routes through the bomb? Upon entry to that secret stage you likely get the string 'Curses, you've found the secret phase!' Congratulations! is "defused." Subtract original pointer from %eax and get the running total of the string. There is an accessed memory area that serves as a counter. Specifically: That's number 2. We do this by typing, Then we request a bomb for ourselves by pointing a Web browser at, After saving our bomb to disk, we untar it, copy it to a host in the, approved list in src/config.h, and then explode and defuse it a couple, of times to make sure that the explosions and diffusion are properly, recorded on the scoreboard, which we check at, Once we're satisfied that everything is OK, we stop the lab, Once we go live, we type "make stop" and "make start" as often as we. To begin we first edit our gdbCfg file. You'll only need to have. initialize_bomb_solve How about saving the world? The first number we can try to be 6 and the second must be 682. If the event was a defusion, the message also, contains the "defusing string" that the student typed to defuse the, Report Daemon: The report daemon periodically scans the scoreboard log, and updates the Web scoreboard. Phase 1 defused. So, possible codes would be 1, 2, 4, 7, 11, 16 or 21, 22, 24, 27, 11, 16. requires that you keep the autograding service running non-stop, because handouts, grading, and reporting occur continuously for the, duration of the lab. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. we use, and get the following file (not the full code), We enter gdb, set a breakpoint at the phase 1. You've defused the secret stage!'. Each binary bomb is a program, running a sequence of phases. There was a bunch of manipulation of stack space but there was nothing in the stack at that location and so it is likely a bunch of leg work. To review, open the file in an editor that reveals hidden Unicode characters. Can you help me please? So, what do we know about phase 5 so far? Use Git or checkout with SVN using the web URL. (gdb) i r rax 0x603bf0 6306800 rbx 0x0 0 rcx 0xb 11 rdx 0x603bf0 6306800 rsi 0x1 1 rdi 0x603bf0 6306800 rbp 0x402140 0x402140 <__libc_csu_init> rsp 0x7fffffffdea8 0x7fffffffdea8 r8 0x60567c 6313596 r9 0x7ffff7fe8500 140737354040576 r10 0x7ffff7fe8500 140737354040576 r11 0x246 582 r12 0x400c00 4197376 r13 0x7fffffffdf90 140737488347024 r14 0x0 0 r15 0x0 0 rip 0x400e49 0x400e49 <phase_2> eflags . The bomb has blown up. phase_4 To review, open the file in an editor that reveals hidden Unicode characters. start I dont want to go through either solution all the way here, since the first one is a no-brainer and the second one is a little complicated. Explosion and, diffusions from bombs whose LabIDs are different from the current. The first argument must be less than 7, right? I know that due to x86-64 calling conventions on programs compiled with GCC that %rdi and %rsi may contain pointers to the words to compare. How about the next one? Using layout asm, we can see the assembly code as we step through the program. When I get angry, Mr. Bigglesworth gets upset. 3) The second parameter 'p' at the end of the loop must be equal with %ecx register. Here is Phase 4. Additional Notes on the Online Bomb Lab, * Since the request server and report daemon both need to execute, bombs, you must include $SERVER_NAME in the list of legal machines in, * All of the servers and daemons are stateless, so you can stop ("make, stop") and start ("make start") the lab as many times as you like. Here is the assembly code: The list of numbers I've inputed is this: So far from my understanding, two conditions need to be met: compare %ecx is 115 line 103 Is it true that the first input has to be 5, 21, 37, etc? Lets clear all our previous breakpoints and set a new one at phase_2. Load the binary, perform analysis, seek to Phase 6, and have a look at your task. Otherwise the bomb "explodes" by printing "BOOM!!!". This post walks through the first 3 phases of the lab. What were the poems other than those by Donne in the Melford Hall manuscript? Learn more about bidirectional Unicode characters. In this repository I will take down my process of solving the bomb lab of CS:APP. LabID are ignored. In the "offline" version, the. Each element in the array has an empty element directly adjacent to it. The request server also creates a copy of the bomb and its, - Result Server (bomblab-resultd.pl). This is the phase 5 of attack lab in my software security class. We see that a strings_not_equal function is being called. frequency is a configuration variable in Bomblab.pm. Guide and work-through for System I's Bomb Lab at DePaul University. We can then set up a breakpoint upon entering phase_1 using b phase_1 and for the function explode_bomb to avoid losing points. Each phase expects you to type a particular string. The previous output from the strings program was outputted to stout in order that the strings are found in the binary. To subscribe to this RSS feed, copy and paste this URL into your RSS reader. c = 1 Some of the pass phrases could be integers, or a random set of characters if that is the case then the only way to figure things out is through dynamic analysis and disassembling the code. The nefarious Dr. It appears that there may be a secret stage. Entering these numbers allows us to pass phase_3. ", Quiet Bomb: If compiled with the NONOTIFY option, then the bomb, doesn't send any messages when it explodes or is defused. Raw Blame. "make stop" kills all of the running, servers. phase_defused() - So this function implements stack protection by adding, checking, and removing a canary. The Bomb Lab teaches students principles of, machine-level programs, as well as general debugger and reverse, A "binary bomb" is a Linux executable C program that consists of six, "phases." Analysis of CME bomb lab program in linux using dbg, objdump, and strings. Find centralized, trusted content and collaborate around the technologies you use most. You signed in with another tab or window. There are six of them but some of these could be just added strings outputted upon completion of a stage. Tools: Starting challenge; Phase_1: Phase_2: Phase_3: Phase_4: Phase_5: Phase_6: Bomb Lab Write-up. Based on the output, our input string is being run into the function with the string I can see Russia from my . gdbCfg phase 5. Then we take a look at the assembly code above, we see one register eax and an address 0x402400. If nothing happens, download Xcode and try again. Link to Bomb Lab Instructions (pdf) in GitHub Repository. How about the next one? "make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such, as the status log, all bombs created by the request server, and the, scoreboard log. Changing the second input does not affect the ecx. I hope it's helpful. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. There are many things going on with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard coded constants. I tried many methods of solution on internet. CSO1 - Bomb lab. Answers that are vague, inaccurate, or . Well Using gdb we can convince our guess. phase_6 However, you know that the loop is doing some transitions on your input string. node1 First, to figure out that the program wants a string as an input. and/or the string 'The bomb has blown up.' We can get the full assembly code using an object dump: objdump -d path/to/binary > temp.txt. Identify the generic Linux machine ($SERVER_NAME) where you will, create the Bomb Lab directory (./bomblab) and, if you are offering the, online version, run the autograding service. (sorted smallest to largest gives you the answer), See also: getSubSequenceCount Interview Question. Each offering of the Bomb Lab starts with a clean new ./bomblab. Since we know the final value is 6 letters/numbers, we know 72/6 = 12. To see the format of how we enter the six numbers, lets set a breakpoint at read_six_numbers. I'm trying to trace through this, but I'm struggling a little. Cannot retrieve contributors at this time. node6 I don't want to run the program/"pull the pin" on the bomb by running it, so this tells me that there are likely 6 stages to the bomb. The key is to place the correct memory locations, as indexed by the user inputs, so as that the integer pointed to by the address is always greater than the preceding adjacent integer. We can now see the assembly code. The second input had to be a 11, because the the phase_4 code did a simple compare, nothing special. Next, as we scan through each operation, we see that a register is being . If you are offering the online version, you will also need to edit the, ./src/config.h - This file lists the domain names of the hosts that, notifying bombs are allowed to run on. When prompted, enter the command 'c' to continue. At the . Interpreting non-statistically significant results: Do we have "no evidence" or "insufficient evidence" to reject the null? The second input had to be a 11, because the the phase_4 code did a simple compare, nothing special. Option 1: The simplest approach for offering the offline Bomb Lab is. What are the advantages of running a power tool on 240 V vs 120 V? A tag already exists with the provided branch name. We can see that the function is being called which as the name implies compares two strings. A tag already exists with the provided branch name. read_six_numbers Contribute to xmpf/cse351 development by creating an account on GitHub. The purpose of this project is to become more familiar with machine level programming. Former New York University and Peking University student. Each phase has a password/key that is solved through the hints found within the assembly code. The update. The student then saves the tar file to disk. I found: initialize_bomb First things first, we can see from the call to at and subsequent jump equal statement our string should be six characters long. Lets now set a breakpoint at phase_3. A string that could be the final string outputted when you solve stage 6 is 'Congratulations! Maybe function names or labels? First, the numbers must be positive. Well What does the power set mean in the construction of Von Neumann universe? Welcome to my fiendish little bomb. main If the function succeeds, it follows the green arrow on the right to the third box. A tag already exists with the provided branch name. This command prints data stored at a register or memory address. Binary Bomb Lab :: Phase 6. From phase_4, we call the four arguments of func4 to be a, b(known, 0), c(known, 14), d(known, 0). What differentiates living as mere roommates from living in a marriage-like relationship? Have a nice day! Thus, each student, gets a unique bomb that they must solve themselves. We can see that the last line shouldn't be contained in this switch structure, while the first four should be. Readme (27 points) 2 points for explosion suppression, 5 points for each level question. We multiply the number by 2 each step, so we guess the sequence to be 1, 2, 4, 8, 16, 32, which is the answer. When we hit phase_1, we can see the following code: Try this . If nothing happens, download GitHub Desktop and try again. And your students will have to get, (2) Starting the Bomb Lab. Stepping through the code with the GDB debugger I can say plenty about the various functions called in this program: node4 Is there a weapon that has the heavy property and the finesse property (or could this be obtained)? We can see one line above that $esi is also involved. In this exercise, we have a binary whose source we do not have. The key is that each time you enter into the next element in the array there is a counter that increments. I'll paste the code here. Such bombs, We will also find it helpful to distinguish between custom and, Custom Bomb: A "custom bomb" has a BombID > 0, is associated with a, particular student, and can be either notifying or quiet. You can start and stop the autograding service as often as. sig_handler Entering this string defuses phase_1. ordered by the total number of accrued points. We get the following part, We see a critical keyword Border, right? For, example, "-p abacba" will use variant "a" for phase 1, variant "b" for. Phase 1 defused. I know b7 < eb < f6 < 150 < 21f < 304, so the order of nodes should be 3 0 5 4 1 2 (or 2 5 0 1 4 3 - in ascending order) and I should add +1 to all numbers. Each student gets a, bomb with a randomly chosen variant for each phase. Looking for job perks? Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. This part is really long. Keep going! When, the student untars this file, it creates a directory (./bomb) with, bomb* Notifying custom bomb executable, bomb.c Source code for the main bomb routine, ID Identifies the student associated with this bomb, README Lists bomb number, student, and email address, The request server also creates a directory (bomblab/bombs/bomb), bomb.c Source code for main routine, bomb-quiet* A quiet version of bomb used for autograding, ID Identifies the user name assigned to this bomb, phases.c C source code for the bomb phases, README Lists bombID, user name, and email address, Result Server: Each time a student defuses a phase or explodes their, bomb, the bomb sends an HTTP message (called an autoresult string) to, the result server, which then appends the message to the scoreboard, log. Learn more about bidirectional Unicode characters, #######################################################, # Copyright (c) 2002-2013, R. Bryant and D. O'Hallaron, This directory contains the files that you will use to build and run, the CS:APP Bomb Lab.
How Many Times Has Chuck Norris Been Married,
Labrador Puppies Santa Barbara,
Articles B