This lab has a reverse engineering flavour: you will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. The request server builds the bomb, archives it in a tar file, and uploads the resulting tar file back to the browser, where it can be saved to disk and untarred. Untar your specific file and let's get started.

A few gdb commands are worth highlighting. layout asm divides the screen into two parts: the command console and a view of the assembly code as you step through it. Breakpoints can be set at specific memory addresses, at the start of functions, and at source line numbers. (In radare2's visual/graph mode, p changes the print mode.) The exact syntax varies with the system the bomb was built for, but before each library call the machine code loads the call's arguments; for example 401135: be b8 25 40 00 mov $0x4025b8,%esi loads a string address into the second-argument register, which is where you find the format string or the pass-phrase.

Phases 2 and 6 call read_six_numbers first, which essentially confirms that six numbers separated by spaces were entered (as in the first part of the phase). Phases 3 and 4 parse their input with sscanf: fewer than two numbers and the bomb detonates; more than two is fine, but the code depends only on the first two. One solver's reading of their phase 4 was that edx must equal 0xf, which they took to mean the first input had to be 5, 21, 37, etc.; they planned to take another shot at following the implemented logic but eventually brute forced it, which took a whole 30 seconds. When you encounter a loop whose purpose is not obvious, step it in the debugger with the input you typed rather than staring at the listing. Entering the right string for phase 1 prints 'Phase 1 defused.'
We can get the full assembly code with an object dump: objdump -d path/to/binary > temp.txt. Running the strings program on the binary, with its output sent to stdout, shows the strings embedded in it. We set a breakpoint on entering phase_1 with b phase_1, and another on explode_bomb so that a wrong guess never costs points.

You can enter any string for phase 1 (I used TEST). Breaking inside phase_1 and dereferencing the string pointed to by %rdi with x/s $rdi shows the string we typed, e.g. 'blah'. We then see that a strings_not_equal function is called which, as the name implies, compares two strings; if the two strings are of the same length it then checks that the first inputted character is non-zero, which is the start of the character-by-character loop. Testing letters through the phase 5 cipher gave, among other values, e = 16.

The disassembly of phase_5 begins:

0000000000401062 <phase_5>:
  401062: 53             push   %rbx
  401063: 48 83 ec 20    sub    $0x20,%rsp
  401067: 48 89 fb       mov    %rdi,%rbx
  40106a: ...

Knowing that sscanf() takes a format string as its input, break right before it is called and check the value of $esi; the format string tells you how many values the phase reads and their types. For phases 3 and 4, more than two numbers is fine but the code is only dependent on the first two. Phase 6 first checks that you have entered six numbers, then that they are within the range 1 through 6, and finally that they are all unique, in that no number is repeated; the loop that follows walks a linked list. Load the binary, perform analysis, seek to phase_6, and have a look at your task.

This post walks through the first three phases of the lab. On beating the final stage you get the string 'Wow! You've defused the bomb!'. As the students work on their bombs, each explosion and defusion is streamed back to the server, where the current results for each bomb are displayed on a web "scoreboard".
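Before opening gdb it pays to map the binary from the objdump output: which functions call explode_bomb, which call sscanf or strings_not_equal, and which immediate addresses are loaded into %esi right before those calls (the pass-phrase and format-string pointers you will later inspect with x/s). The script below is an added example, not code from the original write-up or from the lab; it parses the objdump -d text format and emits a gdb command file with the breakpoints discussed above. The disassembly embedded in it is constructed for illustration: the addresses and symbol names are hypothetical and do not describe any particular bomb.

```python
"""Map a bomb's call structure from `objdump -d` output (added example)."""
import re
from collections import defaultdict, namedtuple

Insn = namedtuple("Insn", "addr mnem ops")

# Constructed sample in objdump's text format; addresses/names are hypothetical.
SAMPLE_DUMP = """\
0000000000401000 <phase_1>:
  401000:\t48 83 ec 08    \tsub    $0x8,%rsp
  401004:\tbe 10 20 40 00 \tmov    $0x402010,%esi
  401009:\te8 12 03 00 00 \tcallq  401320 <strings_not_equal>
  40100e:\t85 c0          \ttest   %eax,%eax
  401010:\t74 05          \tje     401017 <phase_1+0x17>
  401012:\te8 c9 04 00 00 \tcallq  4014e0 <explode_bomb>
  401017:\t48 83 c4 08    \tadd    $0x8,%rsp
  40101b:\tc3             \tretq
0000000000401020 <phase_3>:
  401020:\t48 83 ec 18    \tsub    $0x18,%rsp
  401024:\tbe 40 20 40 00 \tmov    $0x402040,%esi
  401029:\te8 c2 fb ff ff \tcallq  400bf0 <__isoc99_sscanf@plt>
  40102e:\t83 f8 01       \tcmp    $0x1,%eax
  401031:\t7f 05          \tjg     401038 <phase_3+0x18>
  401033:\te8 a8 04 00 00 \tcallq  4014e0 <explode_bomb>
  401038:\t48 83 c4 18    \tadd    $0x18,%rsp
  40103c:\tc3             \tretq
"""

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t(\S+)\s*(.*)$")
CALL_TARGET_RE = re.compile(r"<([^>@+]+)(?:@plt)?>")   # strips @plt suffix


def parse_objdump(text):
    """Return {function_name: [Insn, ...]} in file order."""
    funcs, cur = {}, None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            cur = m.group(2)
            funcs[cur] = []
            continue
        m = INSN_RE.match(line)
        if m and cur is not None:
            funcs[cur].append(Insn(int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return funcs


def call_graph(text):
    """{caller: [callee, ...]} for every direct call in the dump."""
    graph = defaultdict(list)
    for fn, insns in parse_objdump(text).items():
        for i in insns:
            if i.mnem.startswith("call"):
                m = CALL_TARGET_RE.search(i.ops)
                graph[fn].append(m.group(1) if m else i.ops)
    return dict(graph)


def callers_of(text, callee):
    """Functions that call `callee` (e.g. every phase that can explode)."""
    return sorted(fn for fn, cs in call_graph(text).items() if callee in cs)


def string_args(text, fn):
    """Immediates loaded into %esi/%rsi inside fn: the candidate pass-phrase or
    format-string pointers you would dereference with `x/s` in gdb."""
    out = []
    for i in parse_objdump(text).get(fn, []):
        m = re.match(r"\$0x([0-9a-f]+),%[er]si$", i.ops)
        if i.mnem.startswith("mov") and m:
            out.append(int(m.group(1), 16))
    return out


def gdb_script(text, phase):
    """gdb command file: stop before explode_bomb and at the phase entry, and
    note each explode_bomb call site inside the phase for reference."""
    lines = ["break explode_bomb", f"break {phase}"]
    for i in parse_objdump(text).get(phase, []):
        if i.mnem.startswith("call") and "<explode_bomb>" in i.ops:
            lines.append(f"# explode_bomb called from {phase} at 0x{i.addr:x}")
    lines.append("run")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(callers_of(SAMPLE_DUMP, "explode_bomb"))
    print(gdb_script(SAMPLE_DUMP, "phase_1"))
```

Run it against your own dump with gdb -x on the generated file (gdb -x cmds.gdb ./bomb); the first breakpoint that fires is always explode_bomb, so the bomb never reaches the code that reports an explosion.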
Guide and work-through for the Bomb Lab, as used in System I at DePaul University and in CMU's course. I used a Linux machine running x86_64. Let's inspect the code first. Scanning the disassembly for calls shows the imported functions each phase relies on, for example:

  callq 400bf0 <__isoc99_sscanf@plt>
  callq 40143a
  callq 400b30 <__stack_chk_fail@plt>

The source code for the different phase variants is in ./src/phases/. Most phase variants are parameterized by randomly chosen constants that are assigned when a particular bomb is constructed, so expect your numbers to differ from those in anyone else's write-up. Identify the generic Linux machine ($SERVER_NAME) where you will create the Bomb Lab directory (./bomblab) and, if you are offering the online version, run the autograding service. One course's point scheme for the lab: 27 points, 2 points for explosion suppression and 5 points for each phase.

In phase 5, after the first requirement is satisfied there is a comparison of the second user input to what turns out to be the sum of the numbers in the array you accessed. In phase 6 the node values I read out came in the form 0x000003b8 and so on; ordering the nodes in ascending order gave 6 4 1 2 5 3, but this still wasn't the correct input.

(The companion Attack Lab is different: because of address randomization and a non-executable stack you are supposed to use return-oriented programming to pass the string pointer of a given cookie value as the argument to a function called touch3.)
In order to defuse the bomb, students must use a debugger, typically gdb or ddd, to disassemble the binary and single-step through the machine code in each phase. The goal for the students is to defuse as many phases as possible. A note to the reader: for how to set up the lab environment see the "Introduction" section of the post.

The first thing I did was search the binary using strings to see if anything interesting pops out. For phase 1, I'm guessing that the function compares the string I entered to some string stored in memory somewhere. Set a breakpoint on phase_3, start the process again, and you come to an optimized switch expression: the second number is simply linked to the first. In my bomb 0 must be followed by 704, 1 by 848, 2 by 736, 3 by 346, 4 by 607, 5 by 147, 6 by 832, and 7 by 536.

Phase 2 (in the doubling variant) loops over the six numbers; at each iteration we check that the current value is double the previous value. In phase 4, the second input had to be 11, because the phase_4 code did a simple compare, nothing special; there is also a test that the first user-inputted number is less than or equal to 14. In the two-integer variant of phase 5 we have to find the number 'q' that causes twelve iterations of the loop; $ecx is the output of the loop. Values attached to letters based on testing the phase 5 string cipher include b = 6.

Custom notifying bombs are constrained to run on a specific set of Linux hosts determined by the instructor. The makebomb.pl script also generates the bomb's solution. On entering the secret phase you see 'Curses, you've found the secret phase!'.
Upon entry to the secret stage you get the string 'Curses, you've found the secret phase!'. There are a ton of dead ends in this code that all land on detonation, and you have six phases with which to blow yourself up.

The numbers you enter for phase 6 are used to sort a linked list. In the 32-bit build, phase 2 uses arg1 and the address ebp-0x20 as the arguments to read_six_numbers, then stores 0 at ebp-8, which is used as the loop counter. As we have learned from the past phases, fixed values are almost always important, so take a look at the fixed value we're supposed to match and go from there. By the x86-64 calling convention used by GCC, %rdi and %rsi hold the first two arguments, so in strings_not_equal they contain the pointers to the two strings being compared. I then restart the program and see if that got me through phase 1.

In the graph view, if the function succeeds it follows the green arrow on the right to the third box. The phase 5 character loop increments %rdx by 1 to point to the next character byte and moves that byte into %eax; the string variant of phase_5 requires you to go through an array of characters to produce the code. Phase 3 is about the switch expression: after the three lea's there is a cmp of the output to 2 and a jump if greater than.

You will hand out four files to each student: bomb, bomb.c, ID and README. Each student hands in a solution file, which you can validate. Maybe you get an alternative string for the bomb blowing up if it is done via the secret stage?
Try this one. makebomb.pl's -p option picks the variants: for example, "-p abacba" uses variant "a" for phase 1, variant "b" for phase 2, and so on. Each phase has three variants, "a", "b" and "c". There is also a secret phase that only appears if students append a certain string to the solution of one of the phases. When a bomb explodes it prints "BOOM!!!", deducts points from your problem set grade, and terminates.

Request server (bomblab-requestd.pl): a simple special-purpose HTTP server that (1) builds and delivers custom bombs to student browsers on demand, and (2) displays the current state of the real-time scoreboard. A student requests a bomb in two steps: first, the student points their favorite browser at the server, for example http://foo.cs.cmu.edu:15213/. The request server also creates a copy of the bomb and its files for grading. Result server (bomblab-resultd.pl): receives autoresult strings from the bombs.

Back to phase 4: the first half of the code is plain. In one bomb the output of func4 should be 45; based on the compare in the disassembly, the final value needed should be 72. Enter disas and you get a chunk of assembly for the function phase_1, where we put our breakpoint. (Author: former New York University and Peking University student.)
The ./bomblab directory contains the following files:

Makefile - For starting/stopping the lab and cleaning files
bomblab.pl* - Main daemon that nannies the other servers and daemons
Bomblab.pm - Bomblab configuration file
bomblab-reportd.pl* - Report daemon that continuously updates the scoreboard
bomblab-requestd.pl* - Request server that serves bombs to students
bomblab-resultd.pl* - Result server that gets autoresult strings from bombs
bomblab-scoreboard.html - Real-time web scoreboard
bomblab-update.pl* - Helper to bomblab-reportd.pl that updates the scoreboard
bombs/ - Contains the bombs sent to each student
log-status.txt - Status log with messages from the various servers and daemons
log.txt - Scoreboard log of autoresults received from bombs
makebomb.pl* - Helper script that builds a bomb
scores.txt - Summarizes current scoreboard scores for each student
src/ - The bomb source files
writeup/ - Sample LaTeX Bomb Lab writeup

LabID: each instance (offering) of the lab is identified by a unique name, e.g. "f12" or "s13", that the instructor chooses. Each time a student defuses a bomb phase or causes an explosion, the bomb sends a short HTTP message, called an "autoresult string", to an HTTP result server, which simply appends the autoresult string to a scoreboard log file.

Each phase has a password/key that is solved through the hints found within the assembly code. A Mad Programmer got really mad and created a slew of binary bombs. Having found the candidate string in memory, I'm pretty confident that it will be the pass phrase for the first phase. The two-integer variant of phase 5 is built around a fixed table; in C it reads roughly:

int numArray[15] = {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6};
int readOK; /* number of elements successfully read */

For phase 3 in another bomb, the first number can be 6 and the second must then be 682. In the next part of the disassembly we see a critical keyword, Border.
After looking at the static main() code, I've got a reasonable understanding of the gross control flow through this program, so now let's do a more dynamic analysis with GDB. Point breakdown for each phase in this offering: phases 1 to 4, 10 points each; phases 5 and 6, 15 points each; total maximum score 70 points. Each time the bomb explodes it notifies the server, resulting in a 1/5 point deduction from the final score for the lab. A link to the Bomb Lab instructions (PDF) is in the GitHub repository.

strings_not_equal() implements the test of equality between the user-inputted string and the pass-phrase for phase_1. In phase 3, nothing special happens other than the first number acting like a selector of jump paths to a linked second number. In phase 6, the numbers act as indices into a six-element array in memory, each element of which contains a number. func4() was rather difficult for me to get through logically, so I ultimately had to treat it somewhat as a black box.

Help/collaboration: I received no outside help with this bomb. The hosts the notifying bombs were allowed to run on included greatwhite.ics.cs.cmu.edu. 10 January 2015.

For both Option 1 and Option 2, the makebomb.pl script randomly chooses the variant ("a", "b", or "c") for each phase, and you can validate a student's solution by hand by running their custom bomb against their solution file. Bombs that report to the server are called "notifying bombs". This is the solution for the bomb lab of CS:APP; the post walks through CMU's bomb lab, which involves defusing a bomb by finding the correct inputs to successive phases in a binary executable using GDB. Configure the Bomb Lab by editing ./Bomblab.pm, the main configuration file. In the offline version of the lab, you build your own quiet bombs manually and then hand them out to the students.
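The phase 2 and phase 3 checks described above are simple enough to reconstruct in a few lines, which is a useful habit: once you have a model of the check you can generate the input instead of guessing. The code below is an added example, not the lab's own phases.c. It models read_six_numbers as an sscanf that must parse at least six integers, both phase 2 variants mentioned in this write-up (each number is double the previous; each number exceeds the previous by a growing step), and the phase 3 jump table with the (first, second) pairs reported above for one bomb. The constants are that bomb's; yours are randomly chosen, so read them out of your own disassembly. The requirement that phase 2 start at 1 is an assumption taken from the deduced solution 1 2 4 8 16 32.

```python
"""Reconstruction of the phase 2 and phase 3 checks (added example)."""


def read_six_numbers(line):
    """Model of read_six_numbers: sscanf("%d %d %d %d %d %d") must return >= 6.
    Returns the first six ints, or raises ValueError to stand in for explode_bomb."""
    nums = []
    for field in line.split():
        try:
            nums.append(int(field))
        except ValueError:
            break                      # sscanf stops at the first non-number
    if len(nums) < 6:
        raise ValueError("BOOM: fewer than six numbers")
    return nums[:6]                    # anything after the sixth is ignored


def phase_2_ok(line, rule="double"):
    """rule="double":     x[0] == 1 and x[i] == 2 * x[i-1]   (assumed start of 1)
       rule="plus_index": x[i] == x[i-1] + i  (2nd = 1st+1, 3rd = 2nd+2, ...)"""
    x = read_six_numbers(line)
    if rule == "double":
        return x[0] == 1 and all(x[i] == 2 * x[i - 1] for i in range(1, 6))
    if rule == "plus_index":
        return all(x[i] == x[i - 1] + i for i in range(1, 6))
    raise ValueError(f"unknown rule {rule!r}")


def phase_2_solution(rule="double", start=1):
    """Generate the six numbers the corresponding check accepts."""
    x = [start]
    for i in range(1, 6):
        x.append(2 * x[-1] if rule == "double" else x[-1] + i)
    return x


# (first, second) pairs reported for one bomb; the first number is the switch
# selector and the table is bounds-checked with an unsigned compare.
PHASE_3_TABLE = {0: 704, 1: 848, 2: 736, 3: 346, 4: 607, 5: 147, 6: 832, 7: 536}


def phase_3_ok(line, table=PHASE_3_TABLE):
    """sscanf("%d %d") must parse more than one value; extra values are ignored."""
    fields = line.split()
    try:
        a, b = int(fields[0]), int(fields[1])
    except (IndexError, ValueError):
        return False                   # fewer than two numbers: explode
    if a < 0 or a > max(table):        # selector outside the jump table: explode
        return False
    return table[a] == b


def phase_3_solutions(table=PHASE_3_TABLE):
    """Every accepted input line, one per switch case."""
    return [f"{a} {b}" for a, b in sorted(table.items())]


if __name__ == "__main__":
    print(" ".join(map(str, phase_2_solution())))
    print(phase_3_solutions())
```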
phase_3 in one bomb: I'm pretty confident it's looking for three inputs this time, judging by the sscanf format string. The banner reads "Welcome to my fiendish little bomb." The strings output also shows lines that look like they pertain to the various phases. For the phase 5 cipher, the dumb way is to simply input all characters from a-z into the cipher and create a mapping table. In phase 6, each element in the node array has an empty element directly adjacent to it. The idea is to understand what each assembly statement does, and then use this knowledge to infer the defusing string. In the incrementing variant of phase 2, each progressive number in the series entered by the user must be larger than the previous one by a step that grows by one each iteration. In phase 4, two hard-coded variables are initialized and they, as well as the first user-inputted value, are passed to func4. For one phase 6 the user input is then 4 5 1 6 2 3. In the interests of putting more Radare2 content out there, here's a noob-friendly intro to r2 for those who already have a basic grasp of asm, C, and reversing in x86-64.

To build a single generic bomb that every student attempts to defuse, run the makebomb command for bomb 0. This will create a generic bomb and some other files in ./bombs/bomb0:

bomb* - Generic bomb executable (handout to students)
bomb.c - Source code for main routine (handout to students)

You will hand out only two of these files to the students: ./bomb and ./bomb.c. The students will hand in their solution files, which you can validate. This option is easy for the instructor, but we don't recommend it. "make stop" kills all of the running servers.
If there is a problem (say because you forgot to update the list of machines the bombs are allowed to run on in src/config.h) you can fix the configuration, reset the lab, and then request and run more test bombs. CAUTION: if you reset the lab after it's live, you'll lose all your records of the students' bombs and their solutions.

CMU Bomb Lab with Radare2, phase 1. To see the format in which we enter the six numbers, set a breakpoint at read_six_numbers. When we hit phase_1 we see that a strings_not_equal function is being called. After solving stage 1 you get the string 'Phase 1 defused.' Here is Phase 4. In the incrementing variant of phase 2, the second number in the series must be 1 greater than the first number, the third number must be 2 larger than the second, and so on. For phase 3 the first argument must be less than 7, right? Regardless of how func4 works, in phase 4 the first user-inputted value had to be less than or equal to 14 and had to produce an 11 after its computation. Each line of the disassembly below is annotated.
You get to know that the input sequence for phase 6 must be an arbitrary combination of the numbers 1, 2, 3, 4, 5, 6. There is an accessed memory area that serves as a counter. To order the list you must look at the various integers within the array and then place them in ascending order by the index of the elements containing those integers. For more information, a separate tutorial document gives a handy walkthrough of phase 6.

When the student untars their file, it creates a directory (./bomb) with:

bomb* - Notifying custom bomb executable
bomb.c - Source code for the main bomb routine
ID - Identifies the student associated with this bomb
README - Lists bomb number, student, and email address

The request server also creates a directory (bomblab/bombs/bomb) with:

bomb.c - Source code for main routine
bomb-quiet* - A quiet version of bomb used for autograding
ID - Identifies the user name assigned to this bomb
phases.c - C source code for the bomb phases
README - Lists bombID, user name, and email address

Result server: each time a student defuses a phase or explodes their bomb, the bomb sends an HTTP message (called an autoresult string) to the result server, which then appends the message to the scoreboard log. Each phase expects the student to enter a particular string on stdin. In the offline version, you can ignore most of these settings. The allowed hosts in one offering included makoshark.ics.cs.cmu.edu.

For the string variant of phase 5, the ASCII codes of "flyers" are 102, 108, 121, 101, 114, 115; build the letter transitions from there. While layout asm is helpful, it is also helpful to view the complete disassembled binary in a static printout.
I know b7 < eb < f6 < 150 < 21f < 304, so the order of nodes should be 3 0 5 4 1 2 (or 2 5 0 1 4 3 in ascending order) and I should add 1 to all numbers. Any numbers entered after the first six can be anything. For one phase 6 the input should be "4 2 6 3 1 5".

With "-p abacba", phase 3 gets variant "a", phase 4 variant "c", and so on. Based on the output, our input string is being passed to strings_not_equal together with the string 'I can see Russia from my...'; from this we can guess that to pass phase_1 we need to enter that string exactly. strings_not_equal is passed the inputted user phrase and the pass-phrase and first checks that the two strings are the same length. A binary bomb is a program that consists of a sequence of six phases.

My phase 5 is different from most other phase 5's I've found online, as it takes two integers; the call reads readOK = sscanf(cString, "%d %d", &p, &q);. The relevant branch in the disassembly:

  je     0x40106a <phase_5+104>
  0x0000000000401065 <+99>: callq  0x40163d <explode_bomb>

bomblab.pl is the daemon that starts and nannies the other programs in the service, checking their status every few seconds and restarting them if needed. 'But finding it and solving it are quite different.' The second input to phase 4 had to be 11, because the phase_4 code did a simple compare, nothing special. Phase 2 deals with numbers, so let's try entering 0 1 2 3 4 5 and watch where the comparison fails. After phase 3: 'Halfway there!'. (Greetings to METU Ceng.)
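The phase 6 ordering problem above comes up in every write-up: the six inputs select nodes of a linked list, the bomb relinks the nodes in that order, then walks the list checking the values are sorted. Which direction it checks (and, in some variants not described here, whether each input n is first replaced by 7-n) is what trips people up. The helper below is an added example, not the lab's code; it validates the input the way the phase does (six numbers, each in 1..6, no repeats), relinks a constructed list, and derives the accepted input for either direction. The node values are the six hex values one solver reported above, assigned here to node1..node6 in that order purely for illustration (an assumption; read yours with x/6dw or similar in gdb).

```python
"""Phase 6 linked-list reorder check and solver (added example)."""

# Constructed: values quoted above, assumed to belong to node1..node6 in order.
NODE_VALUES = {1: 0x0B7, 2: 0x0EB, 3: 0x0F6, 4: 0x150, 5: 0x21F, 6: 0x304}


def validate_phase_6_input(nums):
    """The three checks the phase makes before touching the list.
    Raises ValueError in place of explode_bomb."""
    if len(nums) != 6:
        raise ValueError("BOOM: need six numbers")
    for n in nums:
        if not 1 <= n <= 6:            # asm: (n - 1) <= 5 as an unsigned compare
            raise ValueError("BOOM: each number must be 1..6")
    if len(set(nums)) != 6:
        raise ValueError("BOOM: numbers must be unique")


def relink(nums, values=NODE_VALUES, seven_minus=False):
    """Return the node values in the order the inputs select them.
    seven_minus models variants (not described above) that use 7 - n."""
    validate_phase_6_input(nums)
    keys = [7 - n for n in nums] if seven_minus else list(nums)
    return [values[k] for k in keys]


def phase_6_ok(nums, descending=True, values=NODE_VALUES, seven_minus=False):
    """Final walk: every node value must be >= (or <=) the next one."""
    chain = relink(nums, values, seven_minus)
    pairs = zip(chain, chain[1:])
    if descending:
        return all(a >= b for a, b in pairs)
    return all(a <= b for a, b in pairs)


def phase_6_solution(descending=True, values=NODE_VALUES, seven_minus=False):
    """Derive the input that passes: sort node ids by value, then undo 7-n."""
    order = sorted(values, key=lambda k: values[k], reverse=descending)
    return [7 - k for k in order] if seven_minus else order


if __name__ == "__main__":
    print("descending:", phase_6_solution())
    print("ascending: ", phase_6_solution(descending=False))
```

When the walk explodes on what looks like a correctly sorted input, try the other direction before suspecting the values you read; the page above shows both ascending and descending variants in the wild.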
If you are offering the online version, you will also need to edit ./src/config.h, which lists the domain names of the hosts that notifying bombs are allowed to run on. BombID: each bomb in a given instance of the lab has a unique non-negative integer called the "bombID".

Phase 6 next takes the address of the memory location within the array indexed by the third user input and places it in the empty adjacent element designated by the second user input. Is it true that the first input to phase 4 has to be 5, 21, 37, etc.? I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5.

Pull up the function in graph mode with VV, press p to cycle between views, and select the minigraph. To see the format of read_six_numbers, break inside it and look at the sscanf format string: it expects six space-separated integers. The strings output also includes 'The bomb has blown up.' and 'Curses, you've found the secret phase!'; there are six strings that could belong to the phases, but some of these could be just strings printed on completing a stage. For the phase 5 string cipher, the ASCII codes of "flyers" are 102, 108, 121, 101, 114, 115, and the transitions follow from them. Here is Phase 6.
In this part, we are given two functions, phase_4() and func4(). You do need to handle the recursion in func4. In phase 3 in my bomb I chose the first argument as 1 and then the second one should be 311; I tried many of the solution methods found on the internet. The info registers command lists the values that each of the registers holds.

For the phase 5 string cipher, I tried the input "aaaaaa" and the value after the transitions doesn't change at all, which means the output for a given input character is unique. From the call to <string_length> at <phase_5+23> and the subsequent jump-equal, our string should be six characters long. In the two-integer variant of phase 5, the second parameter 'p' at the end of the loop must be equal to the %ecx register. For phase 6 the input should be "4 2 6 3 1 5".

After solving stage 3 you get the string 'Halfway there!'. It appears that there may be a secret stage; could this mean alternative endings? Solve a total of six phases to defuse the bomb. The Bomb Lab teaches students principles of machine-level programs, as well as general debugger and reverse engineering skills. See src/README for more information about the anatomy of bombs and how they are constructed.
When in doubt, "make stop; make start". However, resetting the lab deletes all old bombs, status logs, and the scoreboard log. Each student's bomb directory is named for their email address and user name and holds bomb* (custom bomb executable, handed out) and bomb.c (source code for the main routine, handed out).

In this repository I take down my process of solving the bomb lab of CS:APP (feel free to fork or star if helpful). Now let's get started with phase 1. From the annotations above we can see that there is a loop. If the string is not the right one, the detonation flag that was initialized to 1 is not set to low and will eventually trigger the detonate function. read_six_numbers reads six inputs into *(ebp-0x20) through *(ebp-0xc); call them n0 to n5. It then compares 5 and n1 at 8049067, and n1 must be larger than 5.

The key in phase 6 is that each time you enter the next element in the array there is a counter that increments. But when I put 4 1 6 5 2 3 or 3 6 1 2 5 4, it explodes. (bomblab-Angr/Phase 5 x86_64.ipynb is a notebook that solves phase 5 symbolically.) So, what do we know about phase 5 so far? Here is the assembly code and the list of numbers I've inputted; from my understanding two conditions need to be met. In the string variant, %ecx is compared against 115 at line 103 (115 is ASCII 's', the last letter of "flyers"). In one phase 4 variant it's obvious that the second number must be zero, given the compare against it, so the problem becomes easier. Bomb Lab: Phase 5.
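Both phase 5 variants discussed above (the two-integer array walk with twelve iterations and a sum, and the six-character cipher that must spell "flyers") reduce to small table lookups, so the quickest path is to reconstruct the loop and let it find the input. The code below is an added example, not the lab's code. The integer table is the numArray listed earlier in this page; the loop shape (mask the first input with 0xf, follow table[i] until the value 15 appears, count steps and sum values, require the masked start to be at most 14) is my reconstruction from the description above and may differ in detail from your bomb, so compare its constants with your disassembly. The cipher table is constructed for illustration and is not any bomb's table; the technique it demonstrates is the "dumb way" described above: push a-z through the cipher and invert the mapping.

```python
"""Phase 5 reconstructions: integer walk and string cipher (added example)."""

# Table quoted on this page for the two-integer variant of phase 5.
NUM_ARRAY = [10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6]


def walk(start, table=NUM_ARRAY):
    """Follow i = table[i] until the value 15 is produced.
    Returns (iterations, sum of values visited), the two loop outputs."""
    i = start & 0xF
    count = total = 0
    while True:
        i = table[i]
        count += 1
        total += i
        if i == 15:
            return count, total


def phase_5_ints_ok(p, q, table=NUM_ARRAY, want_iters=12):
    """Assumed checks: masked start <= 14, twelve iterations, q equals the sum."""
    if (p & 0xF) > 14:
        return False                   # would index past the 15-entry table
    count, total = walk(p, table)
    return count == want_iters and total == q


def phase_5_ints_solution(table=NUM_ARRAY, want_iters=12):
    """Brute force the 15 possible starts and return (start, required sum)."""
    for start in range(15):
        count, total = walk(start, table)
        if count == want_iters:
            return start, total
    return None


# Constructed 16-entry cipher table (NOT from any bomb); index = char & 0xf.
CIPHER_TABLE = "hfylkersobndtuav"
TARGET = "flyers"


def cipher(s, table=CIPHER_TABLE):
    """Per-character substitution: each output depends only on its own input."""
    return "".join(table[ord(c) & 0xF] for c in s)


def phase_5_str_ok(s, table=CIPHER_TABLE, target=TARGET):
    return len(s) == 6 and cipher(s, table) == target


def build_mapping(table=CIPHER_TABLE):
    """The 'dumb way': feed a-z through the cipher and invert the result."""
    mapping = {}
    for c in "abcdefghijklmnopqrstuvwxyz":
        mapping.setdefault(cipher(c, table), c)   # keep the first letter found
    return mapping


def phase_5_str_solution(target=TARGET, table=CIPHER_TABLE):
    mapping = build_mapping(table)
    return "".join(mapping[ch] for ch in target)


if __name__ == "__main__":
    print("ints:", phase_5_ints_solution())
    print("string:", phase_5_str_solution())
```

Because only the low nibble of each character is used, every solution string has alternatives (a and q map to the same index), which is why two write-ups of the same bomb can show different accepted strings. The mapping approach also explains the "aaaaaa" experiment above: a constant input gives a constant output per position, so positions are independent.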
From this, we can deduce that the input for phase_2 should be 1 2 4 8 16 32. phase_defused() also implements stack protection by adding, checking, and removing a canary, which is what the __stack_chk_fail call is for. To set up for later, run strings and objdump -d on the binary, redirecting each to a file; you should now have two files, strings.txt and assembly.txt, which we will look at later.