Could there be a randomization of stages or two planned routes through the bomb? The other option for offering an offline lab is to use the makebomb.pl script to build a unique quiet custom bomb for each student: linux> ./makebomb.pl -i -s ./src -b ./bombs -l bomblab -u -v , This will create a quiet custom bomb in ./bombs/bomb for the. ', It is not clear what may be the output string for solving stage 4 or 5. So we can plug in 6 d characters and get a valid comparison! Request Server: The request server is a simple special-purpose HTTP server that (1) builds and delivers custom bombs to student browsers on demand, and (2) displays the current state of the real-time scoreboard. A student requests a bomb from the request daemon in two steps: First, the student points their favorite browser at the request server. For example, http://foo.cs.cmu.edu:15213/. The "main daemon" starts and nannies the request server, result server, and report daemon, ensuring that exactly one of these processes (and itself) is running at any point in time. BOOM!!! Phase 2: loops. Bomblab - William & Mary OK. :-) I will list some transitions here: The ASCII codes of "flyers" should be "102, 108, 121, 101, 114, 115". We can inspect its structure directly using gdb. strings_not_equal If the function succeeds, it follows the green arrow on the right to the third box. The dumb way is to simply input all characters from a-z into the cypher and create a mapping table. Help/Collaboration: I received no outside help with this bomb, other than. This part is really long. Ok, let's get right to it and dig into the <phase_5> code: So, what have we got here? We can see that the function is being called which, as the name implies, compares two strings. node6 The third bomb is about the switch expression. Let's have a look at the phase_4 function. From the above comments, we deduce that we want to input two space-separated integers. 
A note to the reader: For an explanation of how to set up the lab environment, see the "Introduction" section of the post. First, set up your bomb directory. However, you do need to handle recursion actually. 0x00401100 4989e5 mov r13, rsp. daemon that starts and nannies the other programs in the service, checking their status every few seconds and restarting them if necessary. (3) Stopping the Bomb Lab. The instructor builds, hands out, and grades the student bombs manually. While both versions give the students a rich experience, we recommend the online version. CMU Bomb Lab with Radare2 Phase 5 | by Mark Higgins - Medium phase_defused frequency is a configuration variable in Bomblab.pm. CMU Bomb Lab with Radare2 Phase 1 | by Mark Higgins - Medium not 0, 1, 5, 6, 7, 8, 9, 10, 11, 12, 898, 1587, number is between 0 and 14 using comparison statement Binary Bomb Lab :: Phase 1 - Zach Alexander 0000000000401062 <phase_5>: 401062: 53 push %rbx 401063: 48 83 ec 20 sub $0x20,%rsp 401067: 48 89 fb mov %rdi,%rbx 40106a: . We can then set up a breakpoint upon entering phase_1 using b phase_1 and another on the function explode_bomb to avoid losing points. The variable being used in this comparison is $eax. (up to -6 points deducted) Each bomb explosion notification that reaches the staff results in a 1 point deduction, capped at -6 points total. I'm guessing that this function will likely compare the string that I input to some string stored in memory somewhere. Phase 1: There are two main ways of getting the answer. Phase 1 is sort of the "Hello World" of the Bomb Lab. A clear, concise, correct answer will earn full credit. Changing the second input does not affect the ecx. 
You encounter a loop and you can't easily find out what it is doing. If you solve the phase this way, you'll actually notice that there is more than one correct solution. Each phase has a password/key that is solved through the hints found within the assembly code. Ok, let's get right to it and dig into the code: So, what have we got here? So, the values of node1 to node6 are f6, 304, b7, eb, 21f, 150. In this exercise, we have a binary whose source we do not have. Our input has to be a string of 6 characters; the function accepts this 6 character string and loops over each character in it; the result of the loop is compared to a fixed string, and if they're equal, the bomb doesn't explode. The bomb is defused. Could this mean alternative endings? Phase 1. To see the format of how we enter the six numbers, let's set a breakpoint at read_six_numbers. Each bomb phase tests a different aspect of machine language programs: Phase 4: recursive calls and the stack discipline. Phases get progressively harder. phase_defused. Mar 19. Now let's take a quick look at the disassembly to see what variables are being used. Firstly, let's have a look at the asm code. Here is Phase 4. As an experienced engineer, I believe you can figure out that there are two arguments, each of which should be an integer. Then we can get the range of the first argument from the line. There exists a linked list structure under these codes. These lines indicate that if the first argument equals the last one (right before this line), then we get 0. lesson and forces them to learn to use a debugger. In Bomb Lab phase_6, what are the appropriate steps to take after I You will get full credit for defusing phase 1 with less than 20 explosions. Each phase expects the student to enter a particular string on stdin. Have a nice day!' phase_defused Entering this string defuses phase_1. 
Either way, eventually you'll find that the pre-cyphered version of giants is actually opekmq. First bomb lab is a Reverse Engineering challenge, you have to read its assembly to find the message that . A note to the reader: For an explanation of how to set up the lab environment, see the "Introduction" section of the post. Phase 4: recursive calls and the stack discipline. Each binary bomb is a program, running a sequence of phases. any particular student, is quiet, and hence can run on any host. We have created a stand-alone user-level autograding service that handles all aspects of the Bomb Lab for you: Students download their bombs from a server. You've defused the secret stage! phase 2, variant "a" for phase 3, variant "c" for phase 4, and so on. Binary-Bomb/phase2a.c at master lukeknowles/Binary-Bomb - Github Problem set 2 - CS 61 2021 - Harvard University Then you set a breakpoint at 4010b3 and find the target string to be "flyers". Given that our string is 6 characters long, it makes sense to assume that the function is iterating over each character in the loop and presumably doing something to them. @Jester so I looked at your reply to another question which is extremely similar to my question, actually the same exact question. In the interests of putting more Radare2 content out there, here's a noob friendly intro to r2 for those who already have a basic grasp of asm, C, and reversing in x86-64. Can you help me please? The "report daemon" periodically scans the scoreboard log file. Next, as we scan through each operation, we see that a register is being incremented at , followed by a jump-less-than statement right afterwards that takes us back up to . 
I also wanted to see groupings of strings that may have similar prefixes, so I sorted the strings program output and looked for anything interesting in that manner. Bomb Lab: Phase 5. Considering this line of code. Bomb Lab - Hang's Blog On the bright side, at least now we know that our string should come out of the loop as giants. So far from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. Give 0 to ebp-4, which is used as the sum of n0, n1, n2. The code shows as follows: After inspecting the code, you should figure out that the length of the string must be 6. Ahhhh, recursion, right? Use Git or checkout with SVN using the web URL. Now you can see there are a few loops. From the above, we see that we are passing some value into a register before calling scanf(). Do this only during debugging, or the very first time. Students request bombs by pointing their browsers at the request server. Students view the scoreboard by pointing their browsers at http://$SERVER_NAME:$REQUESTD_PORT/scoreboard. (1) Resetting the Bomb Lab. phase_1 For example, "-p abacba" will use variant "a" for phase 1, variant "b" for phase 2, and so on. je 0x40106a <phase_5+104> 0x0000000000401065 <+99>: callq 0x40163d <explode_bomb> ; explode_bomb . If you accidentally kill one of the daemons, or you modify a daemon, or the daemon dies for some reason, then use "make stop" to clean up, and then restart with "make start". Bomb lab phase 6 github. Programming C Assembly. Instructions. I assume the request server responds by sending an HTML form back to the browser. After solving stage 1 you likely get the string 'Phase 1 defused. Hello world. This number was 115. phase_6() - This function does a few initial checks on the numbers input by the user. You can enter any string, but I used TEST. 
Thus the memory array contains an element that holds an integer, followed by an element that holds a memory location from within the same array pointing to one of the integers, followed by another integer, and then another memory location from within the array, etc., until the end of the array. ordered by the total number of accrued points. If you are offering the offline version, you can ignore most of these settings. There is also a "secret phase" that only appears if students append a certain string to the solution to phase 4. Each phase has three variants: "a", "b", and "c". Regardless, I'm not falling for it this time. Phase 5 reads in two numbers, the first of which is used as a starting point within a sequence of numbers. We see that a strings_not_equal function is being called. The answer is that the first input had to be 1. Some of the pass phrases could be integers, or a random set of characters; if that is the case then the only way to figure things out is through dynamic analysis and disassembling the code. Analysis of CMU bomb lab program in linux using gdb, objdump, and strings. Then we use the strings command to find out the answer. Having a look at the code structure, you should notice that there exists a loop structure. Become familiar with Linux VM and Linux command-line, Use and navigate through gdb debugger to examine memory and registers, view assembly code, and set breakpoints within the gdb debugger, Read and understand low level assembly code. First, the numbers must be positive. phase_4 When you fail a phase, and the bomb goes off, you probably get the string 'BOOM!!!' 'But finding it and solving it are quite different' I think the second number should be. 
The report daemon finds the most recent defusing string submitted by each student for each phase, and validates these strings by applying them to a local copy of the student's bomb. A loop is occurring. It's provided only for completeness. gdb ./bomb -q -x ~/gdbCfg. CSAPP-Labs/README-bomblab at master - Github I dereference the string pointed to by %rdi using x/s $rdi and see that the string pointed to is 'blah'. All things web. offer the lab. You continue to bounce through the array. So, possible codes would be 1, 2, 4, 7, 11, 16 or 21, 22, 24, 27, 11, 16. Option 1: The simplest approach for offering the offline Bomb Lab is. If not null terminated then preserve the originally passed pointer argument by copying it to %rdx. (sorted smallest to largest gives you the answer), See also: getSubSequenceCount Interview Question. phase_6 The previous output from the strings program was written to stdout in the order that the strings are found in the binary. Then type the following. This will create ps and pdf versions of the writeup. (1) Reset the Bomb Lab from scratch by typing, (2) Start the autograding service by typing, (3) Stop the autograding service by typing. You can start and stop the autograding service as often as you like without losing any information. For more information, you can refer to this document, which gives a handy tutorial on phase 6. node1 This second phase deals with numbers, so let's try to enter the array of numbers 0 1 2 3 4 5. 
Regardless, the first user input value had to be less than or equal to 14 and had to spit out an 11 after its computation. you like without losing any information. I hope it's helpful. invalid_phase We multiply the number by 2 each step, so we guess the sequence to be 1, 2, 4, 8, 16, 32, which is the answer. Less than two and the bomb detonates. The key is to place the correct memory locations, as indexed by the user inputs, so that the integer pointed to by the address is always greater than the preceding adjacent integer. offline version, you can ignore most of these settings. "make start" runs bomblab.pl, the main daemon. (**Please feel free to fork or star if helpful!) $ecx is the output of the loop. Values attached to letters based on testing: When we hit phase_1, we can see the following code: The code is annotated with comments describing each line. 1 Introduction. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. Thus on the 14th iteration if I needed a 6, I would need to be in the 14th index of the array on the 13th iteration, then on index 2 of the 12th iteration. The request server parses the form, builds and tars up a notifying custom bomb with bombID=n, and delivers the tar file to the browser. A Mad Programmer got really mad and created a slew of binary bombs. * See src/README for more information about the anatomy of bombs and how they are constructed. You just choose a number arbitrarily from 0 to 6 and go through the switch expression, and you get your second argument. initialize_bomb A string that could be the final string outputted when you solve stage 6 is 'Congratulations! node3 
At any point in time, the tab-delimited file (./bomblab/scores.txt) contains the most recent scores for each student. To begin we first edit our gdbCfg file. If so, pass the counter back to the calling function; else continue the incrementing loop through the string pointer until it hits null termination. In order to do this you must look at the various integers within the array and then place them in ascending order by the index of those integer-containing elements. How about the next one? Let's use that address in memory and see what it contains as a string. What's more, there's a function call to read_six_numbers(), which we can inspect. Up till now, you should be able to find out that in this part, we are required to enter six numbers. string_length() - This function first checks to see that the passed character pointer in %rdi is not null terminated. If you notice, (the syntax will vary based off of what sort of system the bomb is run on) the machine code will have some variation of a call to: 401135: be b8 25 40 00 mov $0x4025b8,%esi. Phase 1 defused. You'll only need to have. So you think you can stop the bomb with ctrl-c, do you?' From this, we can deduce that the input for phase_2 should be 1 2 4 8 16 32. ', After solving stage 2, you likely get the string 'That's number 2. In the "offline" version, the instructor builds, hands out, and grades the student bombs manually. Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion. CMU Bomb Lab with Radare2 Phase 1. Each phase reads a line from the standard input. This is binary bomb lab phase 5. I didn't solve phase 5. 
"make stop" kills all of the running servers. There are many things going on with shuffling of variables between registers, some bit shifting, and either a subtraction or an addition being applied to some of the hard coded constants. Looks like it wants 2 numbers and a character this time. phase_1 If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. The function then takes the address of the memory location within the array indexed by the second user input and places it in the empty adjacent element designated by the first user input. We can see that our string input blah is being compared with the string Border relations with Canada have never been better.. When we hit phase_1, we can see the following code: The first number must be between 0 and 7. After looking at these interesting strings, I'm going to make a few guesses at what is going on in this binary "BOMB!!". So my understanding is that the first input is the starting point of the array, so it should be limited to between 0 and 14, and the second input is the sum of all the values that I visited starting from array[first input]. In memory there is a 16 element array of the numbers 0-15. This looks familiar! When I get angry, Mr. Bigglesworth gets upset. Thus, each student gets a unique bomb that they must solve themselves. * Before going live with the students, we like to check everything out by running some tests. Ultimately to pass this test all you need to do is input any string of 46 characters in length that does not start with a zero. so I did. phase_4() - In this phase you are dealing with a recursively called function. The second input had to be 11, because the phase_4 code did a simple compare, nothing special. 
Each time a student defuses a bomb phase or causes an explosion, the bomb sends a short HTTP message, called an "autoresult string," to an HTTP "result server," which simply appends the autoresult string to a "scoreboard log file." I found various strings of interest. I am currently stuck on bomb lab phase 5. This series will focus on CMU's Binary Bomb challenge. The numbers you enter are actually used to sort a linked list. You don't need root access. Congratulations! Then we encounter an optimized switch expression. Essentially what is happening is, each character from our string is ANDed with 0xf, and the result is used to get the character with the corresponding index from the array. Phase 3: conditionals/switches. Let's enter the string blah as our input to phase_1. without any ill effects. 1) We have to find that number 'q' which will cause 12 (twelve) iterations. In this write-up, I will show you how I solve the bomb lab challenge. I know that due to x86-64 calling conventions on programs compiled with GCC that %rdi and %rsi may contain pointers to the words to compare. phase_4 How does loop address alignment affect the speed on Intel x86_64? I'm trying to trace through this, but I'm struggling a little. You will get full credit for defusing phases 2 and 3 with less than 30 explosions. First, interesting sections/function names: Since we know the final value is 6 letters/numbers, we know 72/6 = 12.