I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. I will list some transitions here: The ASCII codes of "flyers" should be "102, 108, 121, 101, 114, 115". Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion. f = 9. First, interesting sections/function names: phase_4 From this, we can guess that to pass phase_1, we need to enter the correct string. string_length 10 January 2015. Binary-Bomb/phase2a.c at master lukeknowles/Binary-Bomb - Github Remember this structure from Phase 2? student whose email address is and whose user name is : bomb* Custom bomb executable (handout to student), bomb.c Source code for main routine (handout to student). CMU Bomb Lab with Radare2 Phase 1. DrEvil. Going back all the way to the first iteration you needed to enter into the array at the 5th index, which is the first integer needed for the user input. Servers run quietly, so they. ', After solving stage 2, you likely get the string 'That's number 2. If you accidentally kill one of the daemons, or you modify a daemon, or the daemon dies for some reason, then use "make stop" to clean up, and then restart with "make start". If you solve the phase this way, you'll actually notice that there is more than one correct solution. Let's set a breakpoint at strings_not_equal. phase_5 I should say the first half of the code is plain. You will hand out four of these files to the student: bomb, bomb.c, ID, Each student will hand in their solution file, which you can validate.
output of func4 should be 45, Based on this line in the compiler, we know that the final comparison needed should be 72. So a should be 7, too. Greetings to METU Ceng :) This is the first part of the Attack Lab. This part is a little bit trickier. It appears that there may be a secret stage. You continue to bounce through the array. Binary Bomb Lab (All Phases Solved) - John Keller readOK = sscanf(cString, "%d %d", &p, &q); !", deducting points from your problem set grade, and then terminating. Based on the first user inputted number, you enter into that indexed element of the array, which then gives you the index of the next element in the array, etc. Could this mean alternative endings? Thus, each student gets a unique bomb that they must solve themselves. sc2225/Bomb-Lab - Github Now let's get started with Phase 1! To begin we first edit our gdbCfg file. Let's use that address in memory and see what it contains as a string. manually. Try this one.'. Actually I'm not that patient and I didn't go through this part on my own. Have a nice day!' instructor builds, hands out, and grades the student bombs manually, While both versions give the students a rich experience, we recommend the online version. There is a small amount of extra credit for each additional phase. Analysis of Binary Bomb Lab GitHub It is called recursively and in the end you need it to spit out the number 11. phase_1() - I'm first going to start stepping through the program starting at main. Each phase reads a line from the standard input. We can find the latter numbers from the loop structure. However, you know that the loop is doing some transitions on your input string. And your students will have to get (2) Starting the Bomb Lab.
In addition, most phase variants are parameterized by randomly chosen constants that are assigned when a particular bomb is constructed. We multiply the number by 2 each step, so we guess the sequence to be 1, 2, 4, 8, 16, 32, which is the answer. Any numbers entered after the first 6 can be anything. (**Please feel free to fork or star if helpful!) You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. node4 Subtract original pointer from %eax and get the running total of the string. On the bright side, at least now we know that our string should come out of the loop as giants. The key is that each time you enter into the next element in the array there is a counter that increments. daemon that starts and nannies the other programs in the service, checking their status every few seconds and restarting them if (3) Stopping the Bomb Lab. In the "offline" version, the. The binary bomb is a very good exercise to learn the assembly language. I started this exercise for fun. Thus, the second number in the series must be 1 greater than the first number, the third number in the series must be 2 larger than the second number, etc. The previous output from the strings program was output to stdout in the order that the strings are found in the binary. Here are the directions for offering both versions of the lab. From the above, we see that we are passing some value into a register before calling scanf(). input.txt Public speaking is very easy. Then we take a look at the assembly code above, and we see one register eax and an address 0x402400. fun7 ??? There are two hard coded variables that are then initialized and they, as well as the first user inputted value, are passed to func4.
Thus on the 14th iteration if I needed a 6, I would need to be in the 14th index of the array on the 13th iteration, then on index 2 of the 12th iteration. The student then saves the tar file to disk. Untar your specific file and let's get started! phase_defused() - So this function implements stack protection by adding, checking, and removing a canary. Now let's take a quick look at the disassembly to see what variables are being used. read_line Next, as we scan through each operation, we see that a register is being incremented at , followed by a jump-less-than statement right afterwards that takes us back up to . Load the binary, perform analysis, seek to Phase 6, and have a look at your task. Set a breakpoint on phase 3 and start the process again and you should come to the following. Each line is annotated. sig_handler Binary Bomb Lab :: Phase 4 - Zach Alexander initialize_bomb Segmentation fault in attack lab phase5 - Stack Overflow What I know so far: first input cannot be 15, 31, 47, etc. BombID: Each bomb in a given instance of the lab has a unique, non-negative integer called the "bombID." From this, we can see that the input format of read_six_numbers should be 6 space-separated integers. As an experienced engineer, I believe you can figure out that there are two arguments, each of which should be integers. which to blow yourself up. You just choose a number arbitrarily from 0 to 6 and go through the switch expression, and you get your second argument. I then restart the program and see if that got me through phase 1. (Add 16 each time) ecx is compared to rsp, which is 15, so we need ecx to equal 15. Although the problems differ from each other, the main methods we take are totally the same.
From the first few lines, we guess that there are two arguments to enter. From the above comments, we deduce that we want to input two space-separated integers. Using gdb we can confirm our guess. This file is created by the report daemon, 4.4.4. This number was 115. phase_6() - This function does a few initial checks on the numbers inputted by the user. Bomb Lab - 0x70RVS A binary bomb is a program that consists of a sequence of six phases. From this, we can deduce that the input for phase_2 should be 1 2 4 8 16 32. The code shows as follows: After inspecting the code, you should figure out that the length of the string must be 6. You can tell makebomb.pl to use a specific variant by using the "-p" option. Please feel free to fork or star this repo if you find it helpful! f7 ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 a1 ff ff ff callq 40143a , fc ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 c7 fb ff ff callq 400bf0 <__isoc99_sscanf@plt>, fa ff ff callq 400b30 <__stack_chk_fail@plt>. Phase 1: There are two main ways of getting the answer. On a roll! In this write-up, I will show you how I solve the bomb lab challenge. Since we know the final value is 6 letters/numbers, we know 72/6 = 12. ", Quiet Bomb: If compiled with the NONOTIFY option, then the bomb doesn't send any messages when it explodes or is defused. phase_2 The source code for the different phase variants is in ./src/phases/. requires that you keep the autograding service running non-stop, because handouts, grading, and reporting occur continuously for the duration of the lab. CMU Bomb Lab with Radare2 Phase 1 | by Mark Higgins - Medium LabID are ignored. Alternative paths? Former New York University and Peking University student.
Identify the generic Linux machine ($SERVER_NAME) where you will create the Bomb Lab directory (./bomblab) and, if you are offering the online version, run the autograding service. strings_not_equal() - This function implements the test of equality between the user inputted string and the pass-phrase for phase_1 of the bomb challenge. In this part we use objdump to get the assembly code. When we hit phase_1, we can see the following code: Have a nice day! All things web. You can start and stop the autograding service as often as. Tools: Starting challenge; Phase_1: Phase_2: Phase_3: Phase_4: Phase_5: Phase_6: Bomb Lab Write-up. phase_5() - This function requires you to go backwards through an array of numbers to crack the code. Since there exists a bunch of different versions of this problem, I've already uploaded my version. Custom notifying bombs are constrained to run on a specific set of Linux hosts determined by the instructor. Entering this string defuses phase_1. Your goal is to set breakpoints and step through the binary code using gdb to figure out the program inputs that defuse the bombs (and make you gain points). to build a single generic bomb that every student attempts to defuse: This will create a generic bomb and some other files in ./bombs/bomb0: bomb* Generic bomb executable (handout to students), bomb.c Source code for main routine (handout to students), You will hand out only two of these files to the students: ./bomb and ./bomb.c, The students will hand in their solution files, which you can validate, This option is easy for the instructor, but we don't recommend it.
These numbers act as indices within a six element array in memory, each element of which contains a number. correctly, else you and your students won't be able to run your bombs. CSO1 - Bomb lab. "make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such as the status log, all bombs created by the request server, and the scoreboard log. Then we can get the range of the first argument from the line. Each offering of the Bomb Lab starts with a clean new ./bomblab. Then, we can take a look at the fixed value we're supposed to match and go from there: Woah. phase_1 There was a bunch of manipulation of stack space but there was nothing in the stack at that location and so it is likely a bunch of leg work. phase_defused Each phase has a password/key that is solved through the hints found within the assembly code. node1 phase_2() - This phase is about typing in a code. This post walks through CMU's bomb lab, which involves defusing a bomb by finding the correct inputs to successive phases in a binary executable using GDB. The LabID must not have any spaces. Keep going! First, set up your bomb directory. [RE] Linux Bomb Walkthrough - Part2 (Phases 1-3) - [McB]Defence This command lists all the current breakpoints as well as how many times each breakpoint has been hit on the current run. The students work on defusing their bombs offline (i.e., independently of any autograding service), and then hand in their solution files to you, each of which you grade. You can use the makebomb.pl script to build your own bombs.
It also might be easier to visualize the operations by using an online disassembler like https://onlinedisassembler.com/ to see a full graph. This second phase deals with numbers so let's try to enter the array of numbers 0 1 2 3 4 5. There are a ton of dead ends that you can follow in this code that all land on detonation. So, what do we know about phase 5 so far? You will get full credit for defusing phases 2 and 3 with less than 30 explosions. It is passed the inputted user phrase and the pass-phrase and then checks that the two strings are the same length. If the first character in the input string is anything but a zero then the detonation flag is set to low and passed out of the function. These look like they could pertain to the various phases of the bomb. The problem requires that the return value of the func4 should also be zero. It's provided only for completeness. 1) We have to find that number 'q' which will cause 12 (twelve) iterations. Software engineer at Amazon. ordered by the total number of accrued points. Bomb_Lab/Analysis.md at master MarkHyphen/Bomb_Lab GitHub You will get full credit for defusing phase 1 with less than 20 explosions. This question is based on the same project as the other Binary Bomb Phase 6 questions (most likely will be related links), but for some reason I can't find the nodes themselves, to check their incr. And, as you can see at structure, the loop iterates 6 times. 1 Introduction. 0000000000401062 <phase_5>: 401062: 53 push %rbx 401063: 48 83 ec 20 sub $0x20,%rsp 401067: 48 89 fb mov %rdi,%rbx 40106a: .
Pull up the function in Graph mode with VV, press p to cycle between views, and select the minigraph. CMU Bomb Lab with Radare2 Phase 5 | by Mark Higgins - Medium There are 6 levels in the bomb and our task is to defuse it. This is the phase 5 of attack lab in my software security class. I think the second number should be. Then we use the strings command to find out the answer, Having a look at the code structure, you should notice that there exists a loop structure. First bomb lab is a Reverse Engineering challenge, you have to read its assembly to find the message that . I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. Halfway there! Knowing that scanf() takes in a string format as its input, let's break right before scanf() is called and check the value of $esi. The other option for offering an offline lab is to use the makebomb.pl script to build a unique quiet custom bomb for each, linux> ./makebomb.pl -i -s ./src -b ./bombs -l bomblab -u -v , This will create a quiet custom bomb in ./bombs/bomb for the. Guide and work-through for System I's Bomb Lab at DePaul University. Solution to OST2 Binary Bomb Lab. | by Olotu Praise Jah | Medium If so, pass the counter back to the calling function else continue the incrementing loop through the string pointer until it hits null termination. It then updates the HTML scoreboard that summarizes the current number of explosions and defusions for each bomb, rank. From this mapping table, we can figure out the un-cyphered version of giants. Load the binary, perform analysis, seek to Phase 6, and have a look at your task. Give 0 to ebp-8, which is used as loop condition. The makebomb.pl script also generates the bomb's solution.
First things first, we can see from the call to <string_length> at <phase_5+23> and subsequent jump equal statement our string should be six characters long. Each phase expects you to type a particular string on stdin. But when I put 4 1 6 5 2 3 or 3 6 1 2 5 4, it explodes. My phase 5 is different from most other phase 5's I've found online, as it is the input of two integers. On the other hand, custom quiet, Generic Bomb: A "generic bomb" has a BombID = 0, isn't associated with. Then enter this command. I tried many methods of solution on the internet. explode_bomb e = 16 Buffer Overflow Lab (Attack Lab) - Phase1 - YouTube Now switch to Visual mode with v, cycle the print mode with p until you see the disassembled function, toggle your cursor with c, then finally move down to the movzx edx, byte . The Hardware/Software Interface - UWA @ Coursera. Then type the, This will create ps and pdf versions of the writeup, (1) Reset the Bomb Lab from scratch by typing, (2) Start the autograding service by typing, (3) Stop the autograding service by typing, You can start and stop the autograding service as often as you like, without losing any information. Bomb Lab: Phase 5. Thus I'm pretty confident that this will be the pass phrase for the first phase. Attack Lab Phase 1: Buffer Overflow (CS:APP) - YouTube Okay, we know it works. - Main daemon (bomblab.pl). I then continue to run the program until I am prompted for a phrase to input. How about the next one?'. You've defused the secret stage!
I'm getting a feeling that the author wants you to really have to work to get through some of these functions. phase_3 We can inspect its structure directly using gdb. It is clearly the most compelling and fun for the students, and the easiest for the instructor to grade. OK, let's get right to it and dig into the code: So, what have we got here? I used a linux machine running x86_64. You've defused the secret stage!'. There are two basic flavors of Bomb Lab: In the "online" version, the instructor uses the autograding service to hand out a custom notifying bomb to each student on demand, and to automatically track their progress on the realtime scoreboard. In this repository I will take down my process of solving the bomb lab of CS:APP. any particular student, is quiet, and hence can run on any host. A clear, concise, correct answer will earn full credit. If you type the correct string, then. For example, "-p abacba" will use variant "a" for phase 1, variant "b" for. From here, we have two ways to solve this phase, a dumb way and a smart way. There is an accessed memory area that serves as a counter. Due to address randomization and nonexecutable stack, we are supposed to use Return Oriented Programming (ROP) to pass the string pointer of a given cookie value as argument to a function called touch3. Run the following commands to create text files which we will look at later: You should now have two files: strings.txt and assembly.txt. We can see that our string input blah is being compared with the string Border relations with Canada have never been better.. d = 12 phase_3() - In this phase you are required to type in another code of at least 2 numbers. blank_line The nefarious Dr. I hope it's helpful. The goal for the students is to defuse as many phases as possible. CS3330: Lab 1 (Bomb Lab) First, the numbers must be positive. node2 Ahhhh, recursion, right?
It is useful to check the values of these registers before/after entering a function. phase_3 Enter disas and you will get a chunk of assembly for the function phase_1 which we put our breakpoint at. First thing I did was to search the binary using strings to see if there was anything interesting that pops out. I know b7 < eb < f6 < 150 < 21f < 304, so the order of nodes should be 3 0 5 4 1 2 (or 2 5 0 1 4 3 - in ascending order) and I should add +1 to all numbers.
