bomb lab phase 5 github

When the student untars this file, it creates a directory (./bomb) with:

    bomb*      Notifying custom bomb executable
    bomb.c     Source code for the main bomb routine
    ID         Identifies the student associated with this bomb
    README     Lists bomb number, student, and email address

The request server also creates a directory (bomblab/bombs/bomb) with:

    bomb.c       Source code for main routine
    bomb-quiet*  A quiet version of bomb used for autograding
    ID           Identifies the user name assigned to this bomb
    phases.c     C source code for the bomb phases
    README       Lists bombID, user name, and email address

Result Server: Each time a student defuses a phase or explodes their bomb, the bomb sends an HTTP message (called an autoresult string) to the result server, which then appends the message to the scoreboard log. Dr. Evil's solution to each bomb is available to the instructor.

This question is based on the same project as the other Binary Bomb Phase 6 questions (most likely will be related links), but for some reason I can't find the nodes themselves, to check their incr.

If you accidentally kill one of the daemons, or you modify a daemon, or the daemon dies for some reason, then use "make stop" to clean up, and then restart with "make start". Do this only during debugging, or the very first time you offer the lab. Students request bombs by pointing their browsers at the request server. Students view the scoreboard by pointing their browsers at http://$SERVER_NAME:$REQUESTD_PORT/scoreboard.

(1) Resetting the Bomb Lab. Students download their bombs and display the scoreboard by pointing a browser at a simple HTTP server called the "request server." If one of these processes dies for some reason, the main daemon detects this and automatically restarts it.
If the event was a defusion, the message also contains the "defusing string" that the student typed to defuse the phase. Report Daemon: The report daemon periodically scans the scoreboard log and updates the Web scoreboard.

From the first few lines, we guess that there are two arguments to enter. Phase 2: loops. We can get the full assembly code using an object dump: objdump -d path/to/binary > temp.txt. This function reads 6 inputs into *(ebp-0x20) through *(ebp-0xc); we use n0 through n5 as their aliases. It compares 5 and n1 at 8049067, so n1 must be larger than 5. If the line is correct, then the phase is defused and the bomb proceeds to the next phase. This part is really long. On line <phase_4+16>, the <phase_4> function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made.

Quiet Bomb: If compiled with the NONOTIFY option, then the bomb doesn't send any messages when it explodes or is defused. Now let's take a quick look at the disassembly to see what variables are being used. Is it true that the first input has to be 5, 21, 37, etc.? Each message contains a BombID, a phase, and an indication of the event that occurred. The main daemon is the ... It is clearly the most compelling and fun for the students, and the easiest for the instructor to grade. This continues through all the user-inputted indices and finally places the value zero in the last remaining empty element in the array. A binary bomb is a program that consists of a ... From this, we can see that the input format of read_six_numbers should be 6 space-separated integers.
If the two strings are of the same length, then it looks to see that the first inputted character is non-zero (anything but a zero). Next, as we scan through each operation, we see that a register is being ... The student then saves the tar file to disk. The goal for the students is to defuse as many phases as possible. Breakpoints can be set at specific memory addresses, the start of functions, and line numbers. First, figure out that the program wants a string as an input. Given this info, it looks as though the loop is implementing a cipher. These numbers act as indices into a six-element array in memory, each element of which contains a number. These lines indicate that if the first argument equals the last one (right before this line), then we get 0. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. On the bright side, at least now we know that our string should come out of the loop as "giants". The first bomb lab is a reverse engineering challenge: you have to read its assembly to find the message that ... It appears that there may be a secret stage. First things first, we can see from the call to <string_length> at <phase_5+23> and the subsequent jump-if-equal that our string should be six characters long. Thus, each student gets a unique bomb that they must solve themselves. Let me know if you have any questions in the comments.
In the interests of putting more Radare2 content out there, here's a noob-friendly intro to r2 for those who already have a basic grasp of asm, C, and reversing in x86-64. First, the numbers must be positive. The other option for offering an offline lab is to use the makebomb.pl script to build a unique quiet custom bomb for each student:

    linux> ./makebomb.pl -i -s ./src -b ./bombs -l bomblab -u -v

This will create a quiet custom bomb in ./bombs/bomb for the student. You create a table using the method above, and then you get the answer to be "ionefg". Remember this structure from Phase 2?

"make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such as the status log, all bombs created by the request server, and the scoreboard log. We restart the service as often as we need to, but we are careful never to type "make cleanallfiles" again. Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion.

Let's do the standard disas command to see the assembly of the function. Here is Phase 2. Going through func4, we get the value of d at 400ff7 and 400fe2 to be (14 + 0) >> 1 = 7. Let's start with when it calls sym.read_six_numbers. I used a Linux machine running x86_64. I know there have to be 6 numbers, in the range 1-6, and there can't be any repeats. So you got that one. A binary bomb is a program that consists of a sequence of phases. Ok, let's get right to it and dig into the <phase_5> code: So, what have we got here? Using layout asm, we can see the assembly code as we step through the program. If you type the correct string, then ...
Such bombs are called "notifying bombs." After looking at these interesting strings, I'm going to make a few guesses at what is going on in this binary "BOMB!!". I tried many methods of solution on the internet. The main daemon is the daemon that starts and nannies the other programs in the service, checking their status every few seconds and restarting them if they die. (3) Stopping the Bomb Lab. Each of you will work with a special "binary bomb". At any point in time, the tab-delimited file (./bomblab/scores.txt) contains the most recent scores for each student. Do this when you're ready for the lab to go "live" to students. Resetting is also useful while you're preparing the lab. Link to Bomb Lab Instructions (pdf) in GitHub Repository bomblab-Angr/Phase 5 x86_64.ipynb. Ok, let's get right to it and dig into the code: So, what have we got here? You have 6 phases with ... This series will focus on CMU's Binary Bomb challenge. Given you ultimately needed to have the element containing 0xf to exit after 15 iterations, I saw that f was at array element index 6. Give 0 to ebp-4, which is used as the sum of n0, n1, n2. Start gdb with: gdb ./bomb -q -x ~/gdbCfg. Essentially what is happening is that each character from our string is ANDed with 0xf, and the result is used to get the character with the corresponding index from the array. The following lines are annotated. This second phase deals with numbers, so let's try to enter the array of numbers 0 1 2 3 4 5. Thus, the second number in the series must be 1 greater than the first number, the third number in the series must be 2 larger than the second number, etc.
The first number must be between 0 and 7. Any numbers entered after the first 6 can be anything. Help/Collaboration: I received no outside help with this bomb, other than ... This works just fine, and I invite you to try it. Dr. Evil has created a slew of "binary bombs" for our class. Now you can see there are a few loops. This assignment gives you a binary program containing "bombs" which trigger a ping to our server (and make you lose points) if their inputs are wrong. Also note that the binary follows the AT&T syntax, so instruction operands are reversed (e.g. ...). Former New York University and Peking University student. ... by hand by running their custom bomb against their solution. For both Option 1 and Option 2, the makebomb.pl script randomly chooses the variant ("a", "b", or "c") for each phase. I inputted the word 'blah' and continued to run the program. Also, where the arrow is, it's comparing the current node with the next node. If your Linux box crashes or reboots, simply restart the daemons with "make start". Information and error messages from the servers are appended to the "status log" in bomblab/log-status.txt. From the above annotations, we can see that there is a loop. Subtract the original pointer from %eax to get the running total of the string length. Let's enter the string blah as our input to phase_1. The key part is the latter one. @Jester so I looked at your reply to another question which is extremely similar to my question, actually the same exact question. We can find the latter numbers from the loop structure.
I don't want to go through either solution all the way here, since the first one is a no-brainer and the second one is a little complicated. The "report daemon" periodically scans the scoreboard log file. Knowing that scanf() takes a format string as its input, let's break right before scanf() is called and check the value of $esi. Bomb Lab: Phase 5. Good work! Enter a random string and then we stop at the phase 1 position, then we try printing out the information around 0x402400. More than 2 is fine, but the code is only dependent on the first two numbers. Welcome to my fiendish little bomb. This looks familiar! We can open our strings.txt file and see that the string we found in memory is the beginning of the full string: "I can see Russia from my house!". The first thing I did was to search the binary using strings to see if there was anything interesting that pops out. There are a ton of dead ends that you can follow in this code that all land on detonation. ... for phase 2, variant "a" for phase 3, variant "c" for phase 4, and so on. Keep going! From this, we can guess that to pass phase_1, we need to enter the correct string. We see that a strings_not_equal function is being called. Have a nice day!
I start stepping by single instructions until I get to the point where I am about to hit the function strings_not_equal. If not null-terminated, then preserve the originally passed pointer argument by copying it to %rdx. There are various versions of this challenge scattered across ... At the onset of the program you get the string 'Welcome to my fiendish little bomb.' The ... frequency is a configuration variable in Bomblab.pm. Readme (27 points): 2 points for explosion suppression, 5 points for each level question. Changing the second input does not affect ecx. That's number 2. Phase 1: There are two main ways of getting the answer. For the first number we can try 6, and the second must be 682. From the above, we see that we are passing some value into a register before calling scanf(). The request server builds the bomb, archives it in a tar file, and then uploads the resulting tar file back to the browser, where it can be saved on disk and untarred. We can then set up a breakpoint upon entering phase_1 using b phase_1, and one on the function explode_bomb to avoid losing points. In this exercise, we have a binary whose source we do not have. The function then takes the address of the memory location within the array indexed by the second user input and places it in the empty adjacent element designated by the first user input. You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through.
Due to address randomization and a non-executable stack, we are supposed to use Return Oriented Programming (ROP) to pass the string pointer of a given cookie value as an argument to a function called touch3. Since there exist a bunch of different versions of this problem, I've already uploaded my version. Then type the command; this will create ps and pdf versions of the writeup. (1) Reset the Bomb Lab from scratch by typing "make cleanallfiles". (2) Start the autograding service by typing "make start". (3) Stop the autograding service by typing "make stop". You can start and stop the autograding service as often as you like without losing any information. So, I mapped out the array from element 0 to 15 and then worked backwards through it to find the element I needed to start with. In order to determine the comparisons used, it will be useful to look up or know the jumps based on signed comparisons. The binary bomb is a very good exercise for learning assembly language. I started this exercise for fun. Type "./makebomb.pl -h" to see its arguments.

    int numArray[15] = {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6};
    int readOK; /** number of elements successfully read **/

Alternative paths? The request server responds by sending an HTML form back to the browser. Ultimately, to pass this test all you need to do is input any string of 46 characters in length that does not start with a zero. Then we encounter an optimized switch expression. But finding it and solving it are quite different. CMU Bomb Lab with Radare2, Phase 1. This is phase 5 of the attack lab in my software security class.

    /* phase2a.c - To defeat this stage the user must enter a sequence of
     * 6 nonnegative numbers where x[i] = x[i-1] + i. */

A Mad Programmer got really mad and created a slew of binary bombs. The two stipulations that you must satisfy to move to the last portion of this phase are that you have incremented the counter to 15 and that the final value when you leave the loop is 0xf (decimal 15).
I will omit this part here; you can refer to this document. Bomb explosions. It's obvious that the first number should be 1. Here are the directions for offering both versions of the lab. Simple function made to look like a mess. From phase_4, we call the four arguments of func4 a, b (known, 0), c (known, 14), d (known, 0). Otherwise, the bomb explodes by printing ... "You've defused the bomb!" Thus, they quickly learn to set breakpoints before each phase and on the function that explodes the bomb. In order to do this you must look at the various integers within the array and then place them in ascending order by the index of those integer-containing elements. Each line is annotated. Each time a student defuses a bomb phase or causes an explosion, the bomb sends a short HTTP message, called an "autoresult string," to an HTTP "result server," which simply appends the autoresult string to a "scoreboard log file." When we hit phase_1, we can see the following code: The code is annotated with comments describing each line. Phase 4: recursive calls and the stack discipline. Untar your specific file and let's get started! Could this mean alternative endings? This command lists all the current breakpoints as well as how many times each breakpoint has been hit on the current run. There is an accessed memory area that serves as a counter. 3) The second parameter 'p' at the end of the loop must be equal to the %ecx register. Thus I'm pretty confident that this will be the passphrase for the first phase. (Add 16 each time.) ecx is compared to rsp, which is 15, so we need ecx to equal 15.
If you are offering the online version, you will also need to edit ./src/config.h - This file lists the domain names of the hosts that notifying bombs are allowed to run on. The idea is to understand what each assembly statement does, and then use this knowledge to infer the defusing string. ... because it is too easy for the students to cheat. ... is "defused." I choose the first argument as 1 and then the second one should be 311. So there are some potential strings for solving each of the stages. Increment %rdx by 1 to point to the next character byte and move it to %eax. This part is a little bit trickier. After solving stage 1 you likely get the string 'Phase 1 defused. How about the next one?' I then restart the program and see if that got me through phase 1. They will likely be either 'Good work! ...' Maybe you get an alternative string for the bomb blowing up if done so via the secret stage? Otherwise, the bomb explodes by printing "BOOM!!" You will get full credit for defusing phases 2 and 3 with fewer than 30 explosions. Otherwise the bomb "explodes" by printing "BOOM!!!". Pull up the function in Graph mode with VV, press p to cycle between views, and select the minigraph. The problem requires that the return value of func4 should also be zero. Phase 1 defused. This post walks through the first 3 phases of the lab. For homework: defuse phases 2 and 3. Set a breakpoint on phase 3 and start the process again and you should come to the following. In this write-up, I will show you how I solve the bomb lab challenge. If the student enters the expected string, then that phase ...
There is also a test that the first user-inputted number is less than or equal to 14. There are 6 levels in the bomb and our task is to defuse it. Then the tricky part comes. Servers run quietly, so they ... You don't need root access. Your goal is to set breakpoints and step through the binary code using gdb to figure out the program inputs that defuse the bombs (and make you gain points). First, set up your bomb directory. There is a small amount of extra credit for each additional phase. What I know so far: the first input cannot be 15, 31, 47, etc. A loop is occurring. It is passed the inputted user phrase and the passphrase and then checks that the two strings are the same length. Guide and work-through for System I's Bomb Lab at DePaul University. You don't need to understand any of this to ... This command lists out all the values that each of the registers holds. In order to solve the cipher, take a look at %esi and you'll find an array of characters stored there, where each character has an index. ... any particular student, is quiet, and hence can run on any host. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Let's clear all our previous breakpoints and set a new one at phase_2. Try this one.
Next it takes the address of the memory location within the array indexed by the third user input and places it in the empty adjacent element designated by the second user input. OK. :-) Here is Phase 6. f = 9. Regardless, the first user-inputted value had to be less than or equal to 14 and had to spit out an 11 after its computation. It should look like this. Then you may not find the key to the second part (at least I didn't). phase_4() - In this phase you are dealing with a recursively called function. This file is created by the report daemon.

    readOK = sscanf(cString, "%d %d", &p, &q);

This requires that you keep the autograding service running non-stop, because handouts, grading, and reporting occur continuously for the duration of the lab. In the first block of code, the function read_six_numbers is called, which essentially confirms that there are six numbers separated by a space (as we entered in the first part of this phase). Let's enter a test string to let the program hit our breakpoint.
The ./bomblab directory contains the following files:

    Makefile                 - For starting/stopping the lab and cleaning files
    bomblab.pl*              - Main daemon that nannies the other servers & daemons
    Bomblab.pm               - Bomblab configuration file
    bomblab-reportd.pl*      - Report daemon that continuously updates scoreboard
    bomblab-requestd.pl*     - Request server that serves bombs to students
    bomblab-resultd.pl*      - Result server that gets autoresult strings from bombs
    bomblab-scoreboard.html  - Real-time Web scoreboard
    bomblab-update.pl*       - Helper to bomblab-reportd.pl that updates scoreboard
    bombs/                   - Contains the bombs sent to each student
    log-status.txt           - Status log with msgs from various servers and daemons
    log.txt                  - Scoreboard log of autoresults received from bombs
    makebomb.pl*             - Helper script that builds a bomb
    scores.txt               - Summarizes current scoreboard scores for each student
    src/                     - The bomb source files
    writeup/                 - Sample LaTeX Bomb Lab writeup

LabID: Each instance (offering) of the lab is identified by a unique name, e.g., "f12" or "s13", that the instructor chooses. In addition, most phase variants are parameterized by randomly chosen constants that are assigned when a particular bomb is constructed. Then we use the strings command to find out the answer. Having a look at the code structure, you should notice that there exists a loop structure. I know that due to the x86-64 calling conventions on programs compiled with GCC, %rdi and %rsi may contain pointers to the words to compare. Phase 1 defused. "make start" runs bomblab.pl, the main ... Now switch to Visual mode with v, cycle the print mode with p until you see the disassembled function, toggle your cursor with c, then finally move down to the movzx edx, byte ... Informal Explanations of Phases 1 through 6: I have spent approximately 26 hours on this assignment. Keep going!
GDB then stopped at the break before entering the phase_1 function call.

    0000000000401062 <phase_5>:
      401062:  53                   push   %rbx
      401063:  48 83 ec 20          sub    $0x20,%rsp
      401067:  48 89 fb             mov    %rdi,%rbx
      40106a:  ...

It first checks that you have inputted 6 numbers, then that they are within the range of 1 through 6, and finally that they are all unique numbers, in that no number is repeated. However, you know that the loop is doing some transformations on your input string. You encounter a loop and you can't easily find out what it is doing. Here are a few useful commands that are worth highlighting: This command divides the screen into two parts: the command console and a graphical view of the assembly code as you step through it. 3 lea's, a cmp of the output to 2, and a jump if greater than. So far, from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. e = 16. The source code for the different phase variants is in ./src/phases/. You'll only need to have ... We can now see the assembly code. You won't be able to validate the students' handins. Such bombs ... We will also find it helpful to distinguish between custom and ... Custom Bomb: A "custom bomb" has a BombID > 0, is associated with a particular student, and can be either notifying or quiet. Each phase has a password/key that is solved through the hints found within the assembly code. p # Change print mode in Visual/Graph mode. Some of the passphrases could be integers, or a random set of characters; if that is the case then the only way to figure things out is through dynamic analysis and disassembling the code. The second input had to be 11, because the phase_4 code did a simple compare, nothing special.
