Browse other questions tagged, Where developers & technologists share private knowledge with coworkers, Reach developers & technologists worldwide. Solve a total of 6 phases to defuse the bomb. If so, put zero in %eax and return. 10 January 2015. Changing the second input does not affect the ecx. From the above annotations, we can see that there is a loop. input.txt Public speaking is very easy. I know there has to be 6 numbers, with the range of 1-6, and there can't be any repeats. Did the drapes in old theatres actually say "ASBESTOS" on them? So, what do we know about phase 5 so far? Cannot retrieve contributors at this time. You signed in with another tab or window. Software engineer at Amazon. Answers that are vague, inaccurate, or . So a should be 7, too. That's number 2. solution to each bomb is available to the instructor. Is there any extra credit for solving the secret phase. You've defused the secret stage! initialize_bomb (**Please feel free to fork or star if helpful!). node2 phase_5 How about the next one?'. The bomb is defused . executable file 271 lines (271 sloc) 7.74 KB. I don't want to run the program/"pull the pin" on the bomb by running it, so this tells me that there are likely 6 stages to the bomb. However, you know that the loop is doing some transitions on your input string. Details on Grading for Bomb Lab. Given that our string is 6 characters long, it makes sense to assume that the function is iterating over each character in the loop and presumably doing something to them. 565), Improving the copy in the close modal and post notices - 2023 edition, New blog post from our CEO Prashanth: Community is the future of AI. Each time a student defuses a, bomb phase or causes an explosion, the bomb sends a short HTTP, message, called an "autoresult string," to an HTTP "result server,", which simply appends the autoresult string to a "scoreboard log file. It's obvious that the first number should be 1. Each of you will work with a special "binary bomb". Then we encounter with an optimized switch expression. OK. :-) The LabID must not have any spaces. * Before going live with the students, we like to check everything out, by running some tests. Lets create our breakpoints to make sure nothing gets set to the gradebook! To learn more, see our tips on writing great answers. If the first character in the input string is anything but a zero then the detonation flag is set to low and passed out the function. You signed in with another tab or window. A string that could be the final string outputted when you solve stage 6 is 'Congratulations! Using layout asm, we can see the assembly code as we step through the program. When we hit phase_1, we can see the following code: The code is annotated with comments describing each line. Here are the directions for offering both versions of the lab. Specifically: That's number 2. The smart way of solving this phase is by actually figuring out the cypher. can be started from initrc scripts at boot time. Help/Collaboration: I recieved no outside help with this bomb, other than. It's provided only for completeness. Cannot retrieve contributors at this time. It is called recursively and in the end you need it to spit out the number 11. phase_1() - I'm first going to start stepping through the program starting at main. VASPKIT and SeeK-path recommend different paths. The key is that each time you enter into the next element in the array there is a counter that increments. Now lets take a quick look at the disassebly to see what variables are being used. Solved this is binary bomb lab phase 5.I didn't solve phase - Chegg Keep going! explode_bomb If there is a, problem (say because you forgot to update the list of machines the, bombs are allowed to run in src/config.h) you can fix the, configuration, reset the lab, and then request and run more test, CAUTION: If you reset the lab after it's live, you'll lose all your, records of the students bombs and their solutions. Try this one.'. Are you sure you want to create this branch? First thing I did was to search the binary using strings to see if there was anything interesting that pops out. phase_1 The bomb explodes if the number of steps to get to the number 15 in the sequence does not equal 9, or if the second input number does not equal the sum of the . Given you ultimately needed to have the element containing 0xf to exit after 15 iterations, I saw that f was at array element index 6. I will likely take another shot at figureing out exactly how to come up with the solution by following the implemented logic but I eventually brute forced it, which took a whole 30 seconds to figure out. All things web. From the above comments, we deduce that we want to input two space-separated integers. "make stop" ensures that there are no. Solution to OST2 Binary Bomb Lab. | by Olotu Praise Jah | Medium When in doubt "make stop; make start" will get everything in a stable state. You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. to use Codespaces. This command lists out all the values that each of the registers hold. You create a table using the method above, and then you get the answer to be "ionefg". Video on steps to complete phase one of the lab.If y'all real, hit that subscribe button lmao 0x00401100 4989e5 mov r13, rsp. A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post. Here is the assembly code: The list of numbers I've inputed is this: So far from my understanding, two conditions need to be met: compare %ecx is 115 line 103 Load the binary, perform analysis, seek to Phase 6, and have a look at your task. Also note that the binary follow the AT&T standard so instruction operations are reversed (e.g. phase_defused() - So this function implements stack protection by adding, checking, and removing a canary. sign in phase_1 The bomb has blown up. We see that a strings_not_equal function is being called. When I get angry, Mr. Bigglesworth gets upset. In the interests of putting more Radare2 content out there, here's a noob friendly intro to r2 for those who already have a basic grasp of asm, C, and reversing in x86-64. Phase 1. Otherwise, the bomb explodes by printing " sign in Contribute to hengyingchou/CSE351 development by creating an account on GitHub. Binary Bomb Lab :: Phase 6. phase_6 For example, after a function has finished executing, this command can be used to check the value of $rax to see the function output. To begin, let's take a look at the <phase_1> function in our objdump file: Here is Phase 2. Dump of assembler code for function phase_5: 0x0000000000401002 <+0>: sub $0x18,%rsp ; rsp = rsp - 24, 0x0000000000401006 <+4>: lea 0x8(%rsp),%rcx ; rcx = *(rsp + 8) (function argument), 0x000000000040100b <+9>: lea 0xc(%rsp),%rdx ; rdx = *(rsp + 12) (function argument), 0x0000000000401010 <+14>: mov $0x401ebe,%esi ; esi = "%d %d", 0x0000000000401015 <+19>: mov $0x0,%eax ; eax = 0, 0x000000000040101a <+24>: callq 0x400ab0 <__isoc99_sscanf@plt>, 0x000000000040101f <+29>: cmp $0x1,%eax ; if (eax > 1) goto 0x401029, 0x0000000000401022 <+32>: jg 0x401029 , 0x0000000000401024 <+34>: callq 0x40163d ; if (eax <= 1) explode_bomb(), 0x0000000000401029 <+39>: mov 0xc(%rsp),%eax ; eax = *(rsp + 12) ::function parameter, 0x000000000040102d <+43>: and $0xf,%eax ; eax = eax & 0xf (last 2 bits), 0x0000000000401030 <+46>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax, 0x0000000000401034 <+50>: cmp $0xf,%eax ; if (eax == 0xf) explode_bomb(), 0x0000000000401037 <+53>: je 0x401065 , 0x0000000000401039 <+55>: mov $0x0,%ecx ; ecx = 0, 0x000000000040103e <+60>: mov $0x0,%edx ; edx = 0, 0x0000000000401043 <+65>: add $0x1,%edx ; edx = edx + 0x1, 0x0000000000401046 <+68>: cltq ; sign extend eax to quadword (rax), 0x0000000000401048 <+70>: mov 0x401ba0(,%rax,4),%eax ; eax = *(rax * 4 + 0x401ba0), 0x000000000040104f <+77>: add %eax,%ecx ; ecx = ecx + eax, 0x0000000000401051 <+79>: cmp $0xf,%eax ; if (eax != 0xf) goto 0x401043 (inc edx), 0x0000000000401054 <+82>: jne 0x401043 , 0x0000000000401056 <+84>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax, 0x000000000040105a <+88>: cmp $0xc,%edx ; if (edx != 12) explode_bomb(), 0x000000000040105d <+91>: jne 0x401065 , 0x000000000040105f <+93>: cmp 0x8(%rsp),%ecx ; if (ecx == *(rsp + 8)) goto 0x40106a, 0x0000000000401063 <+97>: je 0x40106a , 0x0000000000401065 <+99>: callq 0x40163d ; explode_bomb(), 0x000000000040106a <+104>: add $0x18,%rsp ; rsp = rsp + 24, 0x000000000040106e <+108>: retq ; return, --------------------------------------------------------------------------------. There are two hard coded variables that are then initialized and they, as well as the first user inputed value, are passed to func4. a = 10 d = 12 Halfway there! This number was 115. phase_6() - This function does a few initial checks on the numbers inputed by the user. If the function succeeds, it follows the green arrow on the right to the third box. There are many things going on with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard coded constants. And your students will have to get, (2) Starting the Bomb Lab. Here is Phase 4. The key is to place the correct memory locations, as indexed by the user inputs, so as that the integer pointed to by the address is always greater than the preceding adjacent integer. PHASE 3. Keep going! As we have learned from the past phases, fixed values are almost always important. node4 First things first, we can see from the call to <string_length> at <phase_5+23> and subsequent jump equal statement our string should be six characters long. The second input had to be a 11, because the the phase_4 code did a simple compare, nothing special. They will likely be either 'Good work! Learn more about bidirectional Unicode characters. Custom, notifying bombs are constrained to run on a specific set of Linux, hosts determined by the instructor. need to, but we are careful never to type "make cleanallfiles" again. Let me know if you have any questions in the comments. invalid_phase Maybe function names or labels? Curses, you've found the secret phase! Each message contains a BombID, a phase, and an indication of the, event that occurred. Maybe you get an alternative string for the bomb blowing up if done so via the secret stage? Then, we can take a look at the fixed value were supposed to match and go from there: Woah. Did the Golden Gate Bridge 'flatten' under the weight of 300,000 people in 1987? CMU Bomb Lab with Radare2 Phase 1 | by Mark Higgins - Medium If this is a duplicate of another question, please link it so future readers can find it if their search turns up this question first. Analysis of Binary Bomb Lab GitHub This post walks through CMUs bomb lab, which involves defusing a bomb by finding the correct inputs to successive phases in a binary executable using GDB. Phase 1: There are two main ways of getting the answer. Guide and work-through for System I's Bomb Lab at DePaul University. A binary bomb is a program that consists of a . If nothing happens, download GitHub Desktop and try again. You signed in with another tab or window. start CIA_MKUltraBrainwashing_Drugs . * See src/README for more information about the anatomy of bombs and, how they are constructed. If one of these processes dies for some reason, the main daemon, detects this and automatically restarts it. offer the lab. Next, as we scan through each operation, we see that a register is being incremented at , followed by a jump-less-than statement right afterwards that takes us back up to . This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. If your, Linux box crashes or reboots, simply restart the daemons with "make, * Information and error messages from the servers are appended to the, "status log" in bomblab/log-status.txt. Additional Notes on the Online Bomb Lab, * Since the request server and report daemon both need to execute, bombs, you must include $SERVER_NAME in the list of legal machines in, * All of the servers and daemons are stateless, so you can stop ("make, stop") and start ("make start") the lab as many times as you like. Based on the first user inputed number, you enter into that indexed element of the array, which then gives you the index of the next element in the array, etc. This command sets breakpoints throughout the code. phase_4 [RE] Linux Bomb Walkthrough - Part2 (Phases 1-3) - [McB]Defence ", Notifying Bomb: A bomb can be compiled with a NOTIFY option that, causes the bomb to send a message each time the student explodes or, defuses a phase. Ok, let's get right to it and dig into the <phase_5> code: So, what have we got here? A tag already exists with the provided branch name. From phase_4, we call the four arguments of func4 to be a, b(known, 0), c(known, 14), d(known, 0). Are you sure you want to create this branch? Run the following commands to create text files which we will look at later: You should now have two files: strings.txt and assembly.txt. Asking for help, clarification, or responding to other answers. The first number we can try to be 6 and the second must be 682. strings_not_equal() - This function implements the test of equality between the user inputed string and the pass-phrase for phase_1 of the bomb challenge. Next there is pattern that must be applied to the first 6 numbers. There was a problem preparing your codespace, please try again. Bomb Lab Write-up. Binary-Bomb/phase2a.c at master lukeknowles/Binary-Bomb - Github Which one to choose? Let's start with when it calls sym.read_six_numbers. The nefarious Dr. I inputed the word 'blah' and continued to run the program. Bomblab - William & Mary It is useful to check the values of these registers before/after entering a function. Stepping through the code with the GDB debugger I can say plenty about the various functions called in this program: From this, we can guess that to pass phase_1, we need to enter the correct string. This question is based on the same project as the other Binary Bomb Phase 6 questions (most likely will be related links), but for some reason I can't find the nodes themselves, to check their incr. You will get full credit for defusing phases 2 and 3 with less than 30 explosions. At each iteration, we check to see that the current value is double the previous value. I know that due to x86-64 calling conventions on programs compiled with GCC that %rdi and %rsi may contain pointers to the words to compare. We can then set up a breakpoint upon entering phase_1 using b phase_1 and for the function explode_bomb to avoid losing points. Work fast with our official CLI. Type "./makebomb.pl -h" to see its arguments. Making statements based on opinion; back them up with references or personal experience. Using gdb we can convince our guess. The Hardware/Software Interface - UWA @ Coursera. aseje owo nla. your answer turns out to be 21 115, The solution is : 5 115. You have 6 phases with which to blow yourself up. . rev2023.4.21.43403. For lab: defuse phase 1. Subtract original pointer from %eax and get the running total of the string. More than 2 is fine but the code is only dependent on the first two numbers. The unique. int numArray[15] = {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6}; int readOK; /** number of elements successfully read **/. The second input had to be a 11, because the the phase_4 code did a simple compare, nothing special. read_six_numbers() - Checks that the user inputed at least 6 numbers and if less than 6 numbers then detonate the bomb. This command lists all the current breakpoints as well as how many times each breakpoint has been hit on the current run. Phase 1 is sort of the "Hello World" of the Bomb Lab. Alternative paths? . Then the tricky part comes. Segmentation fault in attack lab phase5 - Stack Overflow (sorted smallest to largest gives you the answer), See also: getSubSequenceCount Interview Question. Phase 4: recursive calls and the stack discipline. Make sure you update this. phase_4 you like without losing any information. The code shows as follows: After inspecting the code, you should figure out that the length of the string must be 6. Lets get started by creating both a breakpoint for explode_bomb and phase_2. phase_2 The request server builds the, bomb, archives it in a tar file, and then uploads the resulting tar, file back to the browser, where it can be saved on disk and, untarred. I'm guessing that this function will likely compare the string that I inputed to some string stored in memory somewhere. Try this . Welcome to my fiendish little bomb. A tag already exists with the provided branch name. Please CS3330: Lab 1 (Bomb Lab) Since we know the final value is 6 letters/numbers, we know 72/6 = 12. Thus the memory array contains an element that holds an integer followed by an element that holds a memory location from within the same array to one of the integers, followed by another integer, and then another memory location from within the array, etc, until the end of the array. LabID are ignored. Once we enter the function, we can check the registers that store the first two inputs: $rdi and $rsi. Each phase has a password/key that is solved through the hints found within the assembly code. You will get full credit for defusing phase 1 with less than 20 explosions. CMU Bomb Lab with Radare2 Phase 5 | by Mark Higgins - Medium I found various strings of interest. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. We can then set up a breakpoint upon entering phase_1 using b phase_1 and for the function explode_bomb to avoid losing points. . we use, and get the following file (not the full code), We enter gdb, set a breakpoint at the phase 1. Raw Blame. The problem requires that the return value of the func4 should also be zero. In the "offline" version, the. Then we use strings command to find out the answer, Having a look at the code structure, you should notice that there exists a loop structure. Each offering of the Bomb Lab starts with a clean new ./bomblab. How about saving the world? This function reads 6 inputs to *(ebp-0x20)~*(ebp-0xc), use n0~n5 as their alias, and it compares 5 and n1 in 8049067, n1 must be larger than 5. From this, we can see that the input format of read_six_numbers should be 6 space-separated integers. However, you do need to handle recursion actually. This count is checked by the function read six numbers which also takes the user input string and formats them into integers that are then dumped onto the stack. I start stepping by single instructions until I get to the point where I am about to hit the function strings_not_equal. I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. If nothing happens, download GitHub Desktop and try again. cse351/solution-explanation-of-phase-5.text at master - Github I believe this function also acts as the gateway to the secret phase. Next it takes the address of the memory location within the array indexed by the third user input and places in the empty adjacent element designated by the second user input. I'm trying to trace through this, but I'm struggling a little. Thus, the second number in the series must be 1 greater than the first number, the third number in the series must be 2 larger than the second number, etc. You've defused the bomb!'. so I did. Each phase expects you to type a particular string. I'm getting a feeling that the author wants you to really have to work to get through some of these functions. instructor builds, hands out, and grades the student bombs manually, While both version give the students a rich experience, we recommend, the online version. You'll only need to have. 3) The second parameter 'p' at the end of the loop must be equal with %ecx register. As its currently written, your answer is unclear. Use arg1 and address ebp-0x20 as arguments of function read_six_numbers. gdbCfg phase 5. 1) We have to find that number 'q' which will cause 12 (twelve) iterations. Each bomb phase tests a different aspect of machine language programs: Phase 4: recursive calls and the stack discipline, Phases get progressively harder. False COVID-19 PCR Test. Connect and share knowledge within a single location that is structured and easy to search. Please 3 lea's, a cmp of the output to 2 and a jump if greater than. The source code for the different phase variants is in ./src/phases/. Are you sure you want to create this branch? I will omit this part here, you can refer to this document.
Walker County Schools Salary Schedule,
Articles B
French 
English