The function then takes the address of the memory location within the array indexed by the second user input and places it in the empty adjacent element designated by the first user input. But finding it and solving it are quite different. First bomb lab is a Reverse Engineering challenge, you have to read its assembly to find the message that . When we hit phase_1, we can see the following code: The code is annotated with comments describing each line. Based on the first user-inputted number, you enter into that indexed element of the array, which then gives you the index of the next element in the array, etc. we use, and get the following file (not the full code), We enter gdb, set a breakpoint at the phase 1. Entering this string defuses phase_1. At the onset of the program you get the string 'Welcome to my fiendish little bomb. a = 10 It is clearly the most compelling and fun for the students, and the easiest for the instructor to grade. I start stepping by single instructions until I get to the point where I am about to hit the function strings_not_equal.
Phase 4: recursive calls and the stack discipline. and upon beating the stage you get the string 'Wow! However, you know that the loop is doing some transitions on your input string. The second input had to be a 11, because the phase_4 code did a simple compare, nothing special. While layout asm is helpful, also helpful to view the complete disassembled binary. For more information, you can refer to this document, which gives a handy tutorial on the phase 6. Okay, we know it works. "make start" runs bomblab.pl, the main. If you are offering the online version, you will also need to edit the ./src/config.h - This file lists the domain names of the hosts that notifying bombs are allowed to run on. A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post. The values came out in the following format: 0x000003b8 So if I order the nodes in ascending order, it should be 6 4 1 2 5 3, but this still wasn't the correct input. There are many things going on with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard coded constants. "make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such as the status log, all bombs created by the request server, and the scoreboard log. We can see that our string input blah is being compared with the string Border relations with Canada have never been better.. Then we take a look at the assembly code above, we see one register eax and an address 0x402400. This part is a little bit trickier. We see that a strings_not_equal function is being called.
If one of these processes dies for some reason, the main daemon detects this and automatically restarts it. If not null terminated then preserve the originally passed pointer argument by copying it to %rdx. In this exercise, we have a binary whose source we do not have.
string_length() - This function first checks to see that the passed character pointer in %rdi is not null terminated. mov a b moves data from a to b as opposed to b to a). That's number 2. The makebomb.pl script also generates the bomb's solution. Former New York University and Peking University student.
Understanding Bomb Lab Phase 5 (two integer input) The input should be "4 2 6 3 1 5". The request server also creates a copy of the bomb and its, - Result Server (bomblab-resultd.pl). Each phase expects the student to enter a particular string on stdin.
Binary Bomb Lab :: Phase 6 - Zach Alexander The code shows as follows: After inspecting the code, you should figure out that the length of the string must be 6. 10 January 2015. greatwhite.ics.cs.cmu.edu PHASE 3. Going through func4, we get the value of d at 400ff7 and 400fe2 to be (14 + 0) >> 1 = 7. Any numbers entered after the first 6 can be anything. This part is really long.
bomblab-Angr/Phase 5 x86_64.ipynb at master - Github First thing I did was to search the binary using strings to see if there was anything interesting that pops out. The request server builds the bomb, archives it in a tar file, and then uploads the resulting tar file back to the browser, where it can be saved on disk and untarred. You get to know that the input sequence must be an arbitrary combination of number 1,2,3,4,5,6. Let's do the standard disas command to see the assembly of the function. CSO1 - Bomb lab. In order to do this you must look at the various integers within the array and then place them in ascending order by the index of those integer containing elements. Set a breakpoint on phase 3 and start the process again and you should come to the following. In order to defuse the bomb, students must use a debugger, typically gdb or ddd, to disassemble the binary and single-step through the machine code in each phase. You'll only need to have. "make stop" kills all of the running servers. Here is Phase 6. From the above comments, we deduce that we want to input two space-separated integers. This command lists out all the values that each of the registers hold. Let's clear all our previous breakpoints and set a new one at phase_2.
CS3330: Lab 1 (Bomb Lab) My phase 5 is different from most other phase 5's I've found online, as it is the input of two integers. You just pass through the function and it does nothing. So far from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. Phase 2: loops. I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. Ultimately to pass this test all you need to do is input any string of 46 characters in length that does not start with a zero. When you fail a phase, and the bomb goes off, you probably get the string 'BOOM!!!'. The request server responds by sending an HTML form back to the browser.
Essentially what is happening is, each character from our string is ANDed with 0xf, and the result is used to get the character with the corresponding index from the array. Solve a total of 6 phases to defuse the bomb. If you are offering the. phase_3 The key is that each time you enter into the next element in the array there is a counter that increments.
node3 In this part we use objdump to get the assembly code phase_defused
Bomblab - William & Mary phase_5() - This function requires you to go backwards through an array of numbers to crack the code. If there is a problem (say because you forgot to update the list of machines the bombs are allowed to run in src/config.h) you can fix the configuration, reset the lab, and then request and run more test, CAUTION: If you reset the lab after it's live, you'll lose all your records of the students' bombs and their solutions. Given this info, it looks as though the loop is implementing a cypher. Otherwise the bomb "explodes" by printing "BOOM!!!". - Main daemon (bomblab.pl).
Q. We can see one line above that $esi is also involved. Option 2. I found various strings of interest. Then the tricky part comes. 3) The second parameter 'p' at the end of the loop must be equal with %ecx register. Readme (27 points) 2 points for explosion suppression, 5 points for each level question. Analysis of CME bomb lab program in linux using dbg, objdump, and strings. Firstly, let's have a look at the asm code. offer the lab. This continues through all the user-inputted indices and finally places the value zero in the last remaining empty element in the array. Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion. How about the next one?'. If the line is correct, then the phase is defused and the bomb proceeds to the next phase. fun7 ??? As we have learned from the past phases, fixed values are almost always important. It is passed the inputted user phrase and the pass-phrase and then checks that the two strings are the same length. Let's have a look at the phase_4 function. Also, where the arrow is, it's comparing the current node with the next node. The "report daemon" periodically scans the scoreboard log file. phase_3 A binary bomb is a program that consists of a .
gdb - binary bomb lab phase 6 - Stack Overflow Binary Bomb Lab :: Phase 1 - Zach Alexander Less than two and the bomb detonates. Although the problems differ from each other, the main methods we take are totally the same. servers running. BOOM!!! f7 ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 a1 ff ff ff callq 40143a
, fc ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 c7 fb ff ff callq 400bf0 <__isoc99_sscanf@plt>, fa ff ff callq 400b30 <__stack_chk_fail@plt>. Up till now, there shouldn't be any difficulties. You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. Binary Bomb Lab :: Phase 5 - Zach Alexander can be started from initrc scripts at boot time. LabID are ignored. Considering this line of code. If the student enters the expected string, then that phase. offline version, you can ignore most of these settings. Make sure you update this. initialize_bomb_solve phase_2 However, you do need to handle recursion actually. Here is Phase 4. Point breakdown for each phase: Phase 1 - 4: 10 points each; Phase 5 and 6: 15 points each; Total maximum score possible: 70 points; Each time the "bomb explodes", it notifies the server, resulting in a (-)1/5 point deduction from the final score for the lab. These numbers act as indices within a six element array in memory, each element of which contains a number.