In order to defuse the bomb, students must use a debugger, typically gdb or ddd, to disassemble the binary and single-step through the machine code in each phase. If the student enters the expected string, then that phase is defused. Each of you will work with a special "binary bomb".

The request server parses the form, builds and tars up a notifying custom bomb with bombID=n, and delivers the tar file to the browser. Thus, each student gets a unique bomb that they must solve themselves.

Building the writeup produces ps and pdf versions of it. Then: (1) reset the Bomb Lab from scratch by typing "make cleanallfiles"; (2) start the autograding service by typing "make start"; (3) stop the autograding service by typing "make stop". You can start and stop the autograding service as often as you like without losing any information.

The other option for offering an offline lab is to use the makebomb.pl script to build a unique quiet custom bomb for each student:

    linux> ./makebomb.pl -i -s ./src -b ./bombs -l bomblab -u -v

This will create a quiet custom bomb in ./bombs/bomb for that student.

@Jester so I looked at your reply to another question which is extremely similar to my question, actually the same exact question. OK. :-) Well, I start stepping by single instructions until I get to the point where I am about to hit the function strings_not_equal. I inputted the word 'blah' and continued to run the program. When prompted, enter the command 'c' to continue. It should look like this.

These lines indicate that if the first argument equals the last one (right before this line), then we get 0. However, you do need to handle recursion. Among the strings in the binary are 'You've defused the bomb!' and/or 'The bomb has blown up.'
Untar your specific file and let's get started! At the onset of the program you get the string 'Welcome to my fiendish little bomb.' followed by '... with which to blow yourself up.'

When we hit phase_1, we can see its code; each line is annotated. Given that our string is 6 characters long, it makes sense to assume that the function is iterating over each character in the loop and presumably doing something to them. How about the next one?

phase_2() - This phase is about typing in a code. Set a breakpoint on phase 3, start the process again, and you should come to the following. You just choose a number arbitrarily from 0 to 6 and go through the switch expression, and you get your second argument. The second input had to be 11, because the phase_4 code did a simple compare, nothing special.

Since there exist a bunch of different versions of this problem, I've already uploaded my version.

It then updates the HTML scoreboard that summarizes the current number of explosions and defusions for each bomb, in rank order. The scoreboard itself is created by the report daemon.

If your Linux box crashes or reboots, simply restart the daemons with "make start".

* Information and error messages from the servers are appended to the "status log" in bomblab/log-status.txt.

* See src/README for more information about the anatomy of bombs and how they are constructed.

Option 1: The simplest approach for offering the offline Bomb Lab is to hand out one generic bomb to everyone.
It is clearly the most compelling and fun for the students, and the easiest for the instructor to grade. Servers run quietly. How often the scoreboard is refreshed is a configuration variable in Bomblab.pm; you will only need to modify or inspect a few variables in Section 1 of this file, so make sure you update those. The scoreboard is ordered by the total number of accrued points. The autoresult is sent as an HTTP request of the form:

    GET /%s/submitr.pl/?userid=%s&lab=%s&result=%s&submit=submit HTTP/1.0

When in doubt, "make stop; make start". However, resetting the lab deletes all old bombs, status logs, and the scoreboard log.

A Mad Programmer got really mad and created a slew of binary bombs. Your goal is to set breakpoints and step through the binary code using gdb to figure out the program inputs that defuse the bombs (and make you gain points). It also might be easier to visualize the operations by using an online disassembler like https://onlinedisassembler.com/ to see a full graph.

We disassemble with objdump and get the following file (not the full code). We enter gdb and set a breakpoint at phase 1. We see that a strings_not_equal function is being called. Phase 1 defused.

At each iteration of phase_2, we check to see that the current value is double the previous value. The smart way of solving the cipher phase is by actually figuring out the cipher. A two-integer phase parses its input with a line like:

    readOK = sscanf(cString, "%d %d", &p, &q);

A string that could be the final string output when you solve stage 6 is 'Congratulations! You've defused the bomb!' Other strings in the binary are 'Have a nice day!', 'Keep going!' and 'So you think you can stop the bomb with ctrl-c, do you?' It is not clear what may be the output string for solving stage 4 or 5. So there are some potential strings for solving each of the stages.

The Hardware/Software Interface - UWA @ Coursera.
There are two basic flavors of Bomb Lab: In the "online" version, the instructor uses the autograding service to hand out a custom notifying bomb to each student on demand, and to automatically track their progress on the real-time scoreboard. For the offline version, you can ignore most of these settings. Once you have updated the configuration files, modify the Latex lab writeup in ./writeup/bomblab.tex for your environment.

If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Note the operand order: mov a b moves data from a to b (as opposed to b to a). As we have learned from the past phases, fixed values are almost always important.

Based on the output, our input string is being run into the function with the string 'I can see Russia from my' (truncated here). Okay, we know it works. That's number 2.

string_length: If not null-terminated, then preserve the originally passed pointer argument by copying it to %rdx. I should say the first half of the code is plain.

What's more, there's a function call to read_six_numbers(); we can inspect it. By now you should be able to find out that in this part we are required to enter six numbers. read_six_numbers() - Checks that the user entered at least 6 numbers; if fewer than 6, it detonates the bomb. This function reads 6 inputs into *(ebp-0x20) through *(ebp-0xc); call them n0 through n5. It compares n1 with 5 at 0x8049067: n1 must be larger than 5. The user input is then 4 5 1 6 2 3.

But when I put 4 1 6 5 2 3 or 3 6 1 2 5 4, it explodes.

Bomb Lab: Phase 5. Here is Phase 5. You create a table using the method above, and then you get the answer to be "ionefg". Halfway there!
From this, we can deduce that the input for phase_2 should be 1 2 4 8 16 32. Actually in this part, the answer isn't unique. And, as you can see from the structure, the loop iterates 6 times.

The key to phase_5 is that each time you enter into the next element in the array there is a counter that increments. edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. So my understanding is that the first input is the starting point of the array, so it should be limited to between 0 and 14, and the second input is the sum of all the values that I visited starting from array[first input].

We can then set up a breakpoint upon entering phase_1 using b phase_1, and another on the function explode_bomb to avoid losing points. Good work! We can inspect the node structure (node1) directly using gdb.

When the student untars this file, it creates a directory (./bomb) with

    bomb*       Notifying custom bomb executable
    bomb.c      Source code for the main bomb routine
    ID          Identifies the student associated with this bomb
    README      Lists bomb number, student, and email address

The request server also creates a directory (bomblab/bombs/bomb) with

    bomb.c      Source code for main routine
    bomb-quiet* A quiet version of bomb used for autograding
    ID          Identifies the user name assigned to this bomb
    phases.c    C source code for the bomb phases
    README      Lists bombID, user name, and email address

Result Server: Each time a student defuses a phase or explodes their bomb, the bomb sends an HTTP message (called an autoresult string) to the result server, which then appends the message to the scoreboard log. The "report daemon" periodically scans the scoreboard log file.

Bomb explosions (up to -6 points deducted): Each bomb explosion notification that reaches the staff results in a 1 point deduction, capped at -6 points total.
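The breakpoint setup described above, collected into a gdb command file. This is an added example, not part of the lab handout or any of the writeups quoted on this page; it assumes the symbol names the page shows (phase_1 through phase_6, explode_bomb, strings_not_equal, read_six_numbers), the x86-64 System V calling convention for the register names, and a file named answers.txt holding the answers found so far (both are assumptions, not something the page states).

```gdb
# defuse.gdb (added example) -- load with:  gdb -q -x defuse.gdb ./bomb
set pagination off
set disassembly-flavor att

# Stop before the bomb can report an explosion. Never `continue` past this
# breakpoint; use `kill` (or `run` again) instead.
break explode_bomb

# One breakpoint per phase, plus the helpers that consume our input.
break phase_1
break phase_2
break phase_3
break phase_4
break phase_5
break phase_6
break strings_not_equal
break read_six_numbers

# When stopped at strings_not_equal, show both string pointers
# (x86-64 SysV: first two integer/pointer arguments are in %rdi and %rsi).
define args2
  x/s $rdi
  x/s $rsi
end

# Dump a 16-entry table of 4-byte words at the given address, e.g.
# `table16 0x401ba0` for the phase_5 table in the listing on this page
# (the address in your bomb will differ).
define table16
  x/16dw $arg0
end

# Replay the answers found so far from a file (assumed name) so the earlier
# phases pass automatically; the bomb reads its answers from stdin.
run < answers.txt
```

After each stop, `disassemble` shows the current function, `stepi` single-steps one instruction, and `args2` or `table16` inspect the arguments without ever letting explode_bomb run to completion.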
Request Server: The request server is a simple special-purpose HTTP server that (1) builds and delivers custom bombs to student browsers on demand, and (2) displays the current state of the real-time scoreboard. A student requests a bomb from the request daemon in two steps: First, the student points their favorite browser at the request server, for example http://foo.cs.cmu.edu:15213/.

"make start" runs bomblab.pl, the main daemon. Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion. Each variable in Bomblab.pm is preceded by a descriptive comment.

Notifying Bomb: A bomb can be compiled with a NOTIFY option that causes the bomb to send a message each time the student explodes or defuses a phase.

Readme (27 points): 2 points for explosion suppression, 5 points for each level question.

I used a linux machine running x86_64. There are various versions of this challenge scattered around. I found the memory position for the beginning of phase_1 and placed a break point there. So you got that one.

strings_not_equal: Increment %rdx by 1 to point to the next character byte and move it to %eax. If so, put zero in %eax and return. You just pass through the function and it does nothing. We can see one line above that $esi is also involved. So we can plug in 6 d characters and get a valid comparison!

phase_2: It's obvious that the first number should be 1. So, possible codes would be 1, 2, 4, 7, 11, 16 or 21, 22, 24, 27, 11, 16.

phase_3: The second number is simply linked to the first number: 0 must be followed by 704, 1 by 848, 2 by 736, 3 by 346, 4 by 607, 5 by 147, 6 by 832, and 7 by 536.

phase_5: After satisfying this first requirement of phase_5 there is a comparison of the second user input to what turns out to be the sum of the numbers in the array you accessed.

phase_6: The numbers you enter are used to sort a linked list, actually.
"make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such as the status log, all bombs created by the request server, and the scoreboard log. You don't need root access.

makebomb.pl builds, for the given student (identified by email address and user name):

    bomb*       Custom bomb executable (handout to student)
    bomb.c      Source code for main routine (handout to student)

Link to Bomb Lab Instructions (pdf) in GitHub Repository. Each phase expects you to type a particular string on stdin. The address and such will vary.

phase_4: There are two hard coded variables that are then initialized and they, as well as the first user input value, are passed to func4. From phase_4, we call the four arguments of func4 a, b (known, 0), c (known, 14), d (known, 0). Then you may not find the key to the second part (at least I didn't). I choose the first argument as 1 and then the second one should be 311. This part is a little bit trickier. We get the following part; we see a critical keyword, Border, right?

phase_5: Based on the first user input number, you enter into that indexed element of the array, which then gives you the index of the next element in the array, etc. This number was 115.

phase_6() - This function does a few initial checks on the numbers input by the user. Try this one.
Dump of assembler code for function phase_5:

    0x0000000000401002 <+0>:    sub    $0x18,%rsp                     ; rsp = rsp - 24 (stack frame)
    0x0000000000401006 <+4>:    lea    0x8(%rsp),%rcx                 ; rcx = rsp + 8  (address of the 2nd int, 4th sscanf arg)
    0x000000000040100b <+9>:    lea    0xc(%rsp),%rdx                 ; rdx = rsp + 12 (address of the 1st int, 3rd sscanf arg)
    0x0000000000401010 <+14>:   mov    $0x401ebe,%esi                 ; esi = "%d %d"
    0x0000000000401015 <+19>:   mov    $0x0,%eax                      ; eax = 0 (no vector args for the variadic call)
    0x000000000040101a <+24>:   callq  0x400ab0 <__isoc99_sscanf@plt>
    0x000000000040101f <+29>:   cmp    $0x1,%eax                      ; if (eax > 1) goto 0x401029 (both ints parsed)
    0x0000000000401022 <+32>:   jg     0x401029 <phase_5+39>
    0x0000000000401024 <+34>:   callq  0x40163d <explode_bomb>        ; if (eax <= 1) explode_bomb()
    0x0000000000401029 <+39>:   mov    0xc(%rsp),%eax                 ; eax = first input
    0x000000000040102d <+43>:   and    $0xf,%eax                      ; eax = eax & 0xf (low 4 bits)
    0x0000000000401030 <+46>:   mov    %eax,0xc(%rsp)                 ; first input = eax
    0x0000000000401034 <+50>:   cmp    $0xf,%eax                      ; if (eax == 0xf) explode_bomb()
    0x0000000000401037 <+53>:   je     0x401065 <phase_5+99>
    0x0000000000401039 <+55>:   mov    $0x0,%ecx                      ; ecx = 0 (running sum)
    0x000000000040103e <+60>:   mov    $0x0,%edx                      ; edx = 0 (iteration count)
    0x0000000000401043 <+65>:   add    $0x1,%edx                      ; edx = edx + 1
    0x0000000000401046 <+68>:   cltq                                  ; sign-extend eax to rax
    0x0000000000401048 <+70>:   mov    0x401ba0(,%rax,4),%eax         ; eax = table[rax] (4-byte entries at 0x401ba0)
    0x000000000040104f <+77>:   add    %eax,%ecx                      ; ecx = ecx + eax
    0x0000000000401051 <+79>:   cmp    $0xf,%eax                      ; if (eax != 0xf) goto 0x401043 (next iteration)
    0x0000000000401054 <+82>:   jne    0x401043 <phase_5+65>
    0x0000000000401056 <+84>:   mov    %eax,0xc(%rsp)                 ; first input = eax (now 0xf)
    0x000000000040105a <+88>:   cmp    $0xc,%edx                      ; if (edx != 12) explode_bomb()
    0x000000000040105d <+91>:   jne    0x401065 <phase_5+99>
    0x000000000040105f <+93>:   cmp    0x8(%rsp),%ecx                 ; if (ecx == second input) goto 0x40106a
    0x0000000000401063 <+97>:   je     0x40106a <phase_5+104>
    0x0000000000401065 <+99>:   callq  0x40163d <explode_bomb>        ; explode_bomb()
    0x000000000040106a <+104>:  add    $0x18,%rsp                     ; rsp = rsp + 24
    0x000000000040106e <+108>:  retq                                  ; return
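The listing above, rendered as C, plus a solver that does what the writeup does by hand (walk the table from every start index and keep the one that reaches 15 in exactly 12 loads). This is an added example, not the bomb's source and not code from any of the writeups on this page. The 16-entry table is constructed for the example; the real contents at 0x401ba0 are not reproduced on the page, so the answer it produces (5 98) applies only to this table, and the LOOP_CAP guard is an addition of the example, since the bomb's own loop has no bound and would spin forever on a table cycle that never reaches 15.

```c
#include <stdbool.h>
#include <stdio.h>

#define TABLE_LEN 16
#define LOOP_CAP  64   /* guard added here; the bomb's loop has no bound */

/* Constructed stand-in for the table the listing reads at 0x401ba0
 * (hypothetical values; every index here eventually chains to 15). */
static const int table[TABLE_LEN] = {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 6, 13, 3, 9, 5, 1};

/* Follow the chain from `start` the way the loop at <+65> does:
 * edx counts loads, ecx accumulates the loaded values, stop once the
 * loaded value is 15. Returns the load count (-1 if LOOP_CAP is hit)
 * and stores the accumulated sum in *sum_out when non-NULL. */
int phase5_walk(int start, int *sum_out) {
    int idx = start, sum = 0, count = 0;
    while (idx != 0xf) {
        if (++count > LOOP_CAP) return -1;     /* add $0x1,%edx (plus the guard) */
        idx = table[idx];                      /* mov 0x401ba0(,%rax,4),%eax */
        sum += idx;                            /* add %eax,%ecx */
    }
    if (sum_out) *sum_out = sum;
    return count;
}

/* Faithful rendering of phase_5's checks on the two parsed integers. */
bool phase5_defuses(int first, int second) {
    int idx = first & 0xf;                     /* and $0xf,%eax */
    if (idx == 0xf) return false;              /* cmp $0xf,%eax ; je explode_bomb */
    int sum = 0;
    int count = phase5_walk(idx, &sum);
    if (count != 12) return false;             /* cmp $0xc,%edx ; jne explode_bomb */
    return sum == second;                      /* cmp 0x8(%rsp),%ecx ; je <+104> */
}

/* The value the second input must have for a given first input, or -1
 * if that first input cannot defuse the phase at all. */
int phase5_expected_second(int first) {
    int idx = first & 0xf, sum = 0;
    if (idx == 0xf) return -1;
    return phase5_walk(idx, &sum) == 12 ? sum : -1;
}

/* Solver: the start index in 0..14 whose chain takes exactly 12 loads
 * to reach 15, or -1 if the table has none. */
int phase5_solve(void) {
    for (int start = 0; start < 0xf; start++)
        if (phase5_walk(start, NULL) == 12) return start;
    return -1;
}

int main(void) {
    int first = phase5_solve();
    int second = phase5_expected_second(first);
    printf("phase_5 input: %d %d\n", first, second);
    printf("check: %s\n", phase5_defuses(first, second) ? "defused" : "BOOM");
    return 0;
}
```

Because of the `and $0xf`, any first input congruent to the solved index modulo 16 (5, 21, 37, ... for this table) is accepted, which is the "add 16 each time" observation in the writeup; the second input is fixed by the table alone.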
Objectives: become familiar with a Linux VM and the Linux command line; use and navigate the gdb debugger to examine memory and registers, view assembly code, and set breakpoints; read and understand low-level assembly code.

Students download their bombs, and display the scoreboard, by pointing a browser at a simple HTTP server called the "request server." The request server responds by sending an HTML form back to the browser. You'll only need to have a user account on this machine. Specifically: the LabID must not have any spaces. Before the lab goes live, you'll want to request a few bombs for yourself, run them, defuse a few phases, explode a few phases, and make sure that the results are displayed properly on the scoreboard. There is a small grade penalty for explosions beyond 20. The lab also forces students to learn to use a debugger.

This command sets breakpoints throughout the code. Let's create our breakpoints to make sure nothing gets sent to the gradebook! From this, we can guess that to pass phase_1, we need to enter the correct string. Welcome to my fiendish little bomb. Have a nice day!

strings_not_equal is passed the input user phrase and the pass-phrase and then checks that the two strings are the same length. If the two strings are of the same length, then it looks to see that the first input character is non-zero (anything but a zero).

Pretty confident it's looking for 3 inputs this time. Dunno, let's just get a static printout of the disassembled code and see what comes out.

So, what do we know about phase 5 so far? In memory there is a 16 element array of the numbers 0-15. There is an accessed memory area that serves as a counter.

I cannot describe the question better.
Breakpoints can be set at specific memory addresses, the start of functions, and line numbers. Using gdb we can confirm our guess. This looks just like phase 1.

Instructors and students view the scoreboard by pointing their browsers at the request server. The online Bomb Lab is self-grading. In the offline version, the instructor builds, hands out, and grades the student bombs manually. While both versions give the students a rich experience, we recommend the online version. Details on Grading for Bomb Lab.

Let's start with when it calls sym.read_six_numbers. The input should be "4 2 6 3 1 5".

PHASE 3.

Here is the assembly code. The list of numbers I've inputted is this: not 0, 1, 5, 6, 7, 8, 9, 10, 11, 12, 898, 1587. The number is between 0 and 14 using the comparison statement. So far, from my understanding, two conditions need to be met: compare %ecx is 115 (line 103). (Add 16 each time.) ecx is compared to rsp, which is 15, so we need ecx to equal 15. Changing the second input does not affect the ecx; the first input is directly correlated to edx.
The ./bomblab directory contains the following files:

    Makefile                 - For starting/stopping the lab and cleaning files
    bomblab.pl*              - Main daemon that nannies the other servers & daemons
    Bomblab.pm               - Bomblab configuration file
    bomblab-reportd.pl*      - Report daemon that continuously updates scoreboard
    bomblab-requestd.pl*     - Request server that serves bombs to students
    bomblab-resultd.pl*      - Result server that gets autoresult strings from bombs
    bomblab-scoreboard.html  - Real-time Web scoreboard
    bomblab-update.pl*       - Helper to bomblab-reportd.pl that updates scoreboard
    bombs/                   - Contains the bombs sent to each student
    log-status.txt           - Status log with msgs from various servers and daemons
    log.txt                  - Scoreboard log of autoresults received from bombs
    makebomb.pl*             - Helper script that builds a bomb
    scores.txt               - Summarizes current scoreboard scores for each student
    src/                     - The bomb source files
    writeup/                 - Sample Latex Bomb Lab writeup

LabID: Each instance (offering) of the lab is identified by a unique name, e.g., "f12" or "s13", that the instructor chooses. Configure the Bomb Lab by editing the following file: ./Bomblab.pm - This is the main configuration file. Here are the directions for offering both versions of the lab.

Generic Bomb: A "generic bomb" has BombID = 0 and isn't associated with any particular student. A custom quiet bomb, on the other hand, does not send notifications.

A binary bomb is a program that consists of a sequence of six phases. Analysis of the CME bomb lab program in linux using gdb, objdump, and strings.

Let's enter a test string to let the program hit our break point. I then did the same for the possible second pointer argument, which would be in %rsi, with x/s $rsi and get 'When I get angry, Mr. Bigglesworth gets upset.'

The dumb way is to simply input all characters from a-z into the cipher and create a mapping table. I think the second number should be
The Bomb Lab teaches students principles of machine-level programs, as well as general debugger and reverse-engineering skills. A "binary bomb" is a Linux executable C program that consists of six "phases." As the students work on their bombs, each explosion and defusion is streamed back to the server, where the current results for each bomb are displayed on a Web "scoreboard." The "main daemon" starts and nannies the request server, result server, and report daemon, ensuring that exactly one of these processes (and itself) is running at any point in time.

This post walks through the first 3 phases of the lab.

Phase 1. GDB then stopped at the break before entering the phase_1 function call. Let's set a breakpoint at strings_not_equal. strings_not_equal() - This function implements the test of equality between the user input string and the pass-phrase for phase_1 of the bomb challenge. string_length: if so, pass the counter back to the calling function; else continue the incrementing loop through the string pointer until it hits the null terminator. But finding it and solving it are quite different.

Knowing that scanf() takes a format string as its input, let's break right before scanf() is called and check the value of $esi. If you notice (the syntax will vary based on what sort of system the bomb is run on), the machine code will have some variation of a call preceded by:

    401135: be b8 25 40 00    mov $0x4025b8,%esi

As an experienced engineer, I believe you can figure out that there are two arguments, each of which should be integers.

phase_6: It first checks that you have input 6 numbers, then that they are within the range of 1 through 6, and finally that they are all unique numbers, in that no number is repeated.
The servers can be started from initrc scripts at boot time. The online version requires that you keep the autograding service running non-stop, because handouts, grading, and reporting occur continuously for the duration of the lab. We have created a stand-alone user-level autograding service that handles all aspects of the Bomb Lab for you: students download their bombs from a server.

In this write-up, I will show you how I solved the bomb lab challenge. I don't want to run the program / "pull the pin" on the bomb by running it, so this tells me that there are likely 6 stages to the bomb. And when we execute it, it expects to receive certain inputs; otherwise it 'blows' up. When you fail a phase and the bomb goes off, you probably get the string 'BOOM!!!'

I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. As we can see, it is fairly obvious that there is a loop somewhere in this function (by following the arrows). Now switch to Visual mode with v, cycle the print mode with p until you see the disassembled function, toggle your cursor with c, then finally move down to the movzx edx, byte (truncated here).

phase_3: 3 lea's, a cmp of the output to 2, and a jump if greater than.

phase_6: These numbers act as indices within a six element array in memory, each element of which contains a number. The function then takes the address of the memory location within the array indexed by the second user input and places it in the empty adjacent element designated by the first user input. For more information, you can refer to this document, which gives a handy tutorial on phase 6.
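The phase_6 checks described above (six numbers, each in 1..6, no repeats, then the selected nodes must come out in order), rendered as C together with a solver. This is an added example, not the bomb's source and not code from any writeup quoted on this page. The six node values are constructed for the example, the linked-list rebuild is simplified to a value lookup, and the requirement that the rearranged list be in descending order is an assumption of this example; the page says the numbers sort a linked list but does not state the direction.

```c
#include <stdbool.h>
#include <stdio.h>

#define NNODES 6

/* Constructed values for node1..node6 (hypothetical). Index 0 is unused
 * so the user's 1-based numbers index this array directly. */
static const int node_value[NNODES + 1] = {0, 332, 168, 924, 691, 477, 443};

/* Range check done the way compilers emit it: (x - 1) <= 5 as an unsigned
 * compare rejects 0, negatives and anything above 6 in one instruction. */
static bool in_range(int x) {
    return (unsigned)(x - 1) <= 5u;
}

/* phase_6's checks: six numbers, each in 1..6, all distinct, and the nodes
 * they select must end up in descending order (assumed direction). */
bool phase6_defuses(const int in[NNODES]) {
    for (int i = 0; i < NNODES; i++) {
        if (!in_range(in[i])) return false;           /* out of range -> explode */
        for (int j = i + 1; j < NNODES; j++)
            if (in[i] == in[j]) return false;         /* repeated number -> explode */
    }
    /* Walk the list in the requested order and verify it is sorted. */
    for (int i = 0; i + 1 < NNODES; i++)
        if (node_value[in[i]] < node_value[in[i + 1]]) return false;
    return true;
}

/* Same check with six scalar arguments (convenient for quick tests). */
bool phase6_defuses6(int a, int b, int c, int d, int e, int f) {
    int in[NNODES] = {a, b, c, d, e, f};
    return phase6_defuses(in);
}

/* Solver: selection-sort the node numbers 1..6 by descending value. */
void phase6_solve(int out[NNODES]) {
    for (int i = 0; i < NNODES; i++) out[i] = i + 1;
    for (int i = 0; i < NNODES; i++) {
        int best = i;
        for (int j = i + 1; j < NNODES; j++)
            if (node_value[out[j]] > node_value[out[best]]) best = j;
        int t = out[i]; out[i] = out[best]; out[best] = t;
    }
}

/* pos-th number (0-based) of the solved answer, or -1 if pos is invalid. */
int phase6_solve_nth(int pos) {
    if (pos < 0 || pos >= NNODES) return -1;
    int out[NNODES];
    phase6_solve(out);
    return out[pos];
}

int main(void) {
    int out[NNODES];
    phase6_solve(out);
    for (int i = 0; i < NNODES; i++) printf("%d%s", out[i], i + 1 < NNODES ? " " : "\n");
    printf("check: %s\n", phase6_defuses(out) ? "defused" : "BOOM");
    return 0;
}
```

With the constructed values the answer is "3 4 5 6 1 2"; on a real bomb, read the six node values out of memory with gdb (x/2dw on each node) and feed them into node_value instead.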
Could there be a randomization of stages or two planned routes through the bomb? The following lines are annotated.

You don't need to understand any of this to offer the lab. The students work on defusing their bombs offline (i.e., independently of any autograding service), and then hand in their solution files to you, each of which you grade by hand. You can use the makebomb.pl script to build your own bombs, and you can tell makebomb.pl to use a specific variant by using the "-p" option. When in doubt, "make stop; make start" will get everything in a stable state.

Let's use that address in memory and see what it contains as a string. Let's now set a breakpoint at phase_3. The third phase is about the switch expression. Then we can get the range of the first argument from the line. The answer is that the first input had to be 1.

You encounter a loop and can't easily work out what it is doing. However, you know that the loop is doing some transformation on your input string. The code is as follows. After inspecting the code, you should figure out that the length of the string must be 6. This works just fine, and I invite you to try it. You continue to bounce through the array.