Each phase reads a line from the standard input. Going through func4, we get the value of d at 400ff7 and 400fe2 to be (14 + 0) >> 1 = 7. You can tell makebomb.pl to use a specific variant by using the "-p" option. On line <phase_4+16>, the <phase_4> function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made. Q. You've defused the bomb!'. Thus, the second number in the series must be 1 greater than the first number, the third number in the series must be 2 larger than the second number, etc. PHASE 3. which to blow yourself up. Identify the generic Linux machine ($SERVER_NAME) where you will create the Bomb Lab directory (./bomblab) and, if you are offering the online version, run the autograding service. The "report daemon" periodically scans the scoreboard log file. The other option for offering an offline lab is to use the makebomb.pl script to build a unique quiet custom bomb for each, linux> ./makebomb.pl -i -s ./src -b ./bombs -l bomblab -u -v , This will create a quiet custom bomb in ./bombs/bomb for the. These numbers act as indices within a six-element array in memory, each element of which contains a number. phase_4 It appears that there may be a secret stage. I'm guessing that this function will likely compare the string that I inputted to some string stored in memory somewhere. Any numbers entered after the first 6 can be anything. You have 6 phases with which to blow yourself up. ', After solving stage 3 you likely get the string 'Halfway there! If the event was a defusion, the message also contains the "defusing string" that the student typed to defuse the, Report Daemon: The report daemon periodically scans the scoreboard log and updates the Web scoreboard. Bomb Lab Write-up. First thing I did was to search the binary using strings to see if there was anything interesting that pops out. Can you help me please?
Do this when you're ready for the lab to go "live" to, Resetting is also useful while you're preparing the lab. Phase 5 reads in two numbers, the first of which is used as a starting point within a sequence of numbers. I then restart the program and see if that got me through phase 1.

Dump of assembler code for function phase_5:
0x0000000000401002 <+0>: sub $0x18,%rsp ; rsp = rsp - 24
0x0000000000401006 <+4>: lea 0x8(%rsp),%rcx ; rcx = rsp + 8 (address passed as sscanf argument)
0x000000000040100b <+9>: lea 0xc(%rsp),%rdx ; rdx = rsp + 12 (address passed as sscanf argument)
0x0000000000401010 <+14>: mov $0x401ebe,%esi ; esi = "%d %d"
0x0000000000401015 <+19>: mov $0x0,%eax ; eax = 0
0x000000000040101a <+24>: callq 0x400ab0 <__isoc99_sscanf@plt>
0x000000000040101f <+29>: cmp $0x1,%eax ; if (eax > 1) goto 0x401029
0x0000000000401022 <+32>: jg 0x401029
0x0000000000401024 <+34>: callq 0x40163d ; if (eax <= 1) explode_bomb()
0x0000000000401029 <+39>: mov 0xc(%rsp),%eax ; eax = *(rsp + 12) ::function parameter
0x000000000040102d <+43>: and $0xf,%eax ; eax = eax & 0xf (low 4 bits)
0x0000000000401030 <+46>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax
0x0000000000401034 <+50>: cmp $0xf,%eax ; if (eax == 0xf) explode_bomb()
0x0000000000401037 <+53>: je 0x401065
0x0000000000401039 <+55>: mov $0x0,%ecx ; ecx = 0
0x000000000040103e <+60>: mov $0x0,%edx ; edx = 0
0x0000000000401043 <+65>: add $0x1,%edx ; edx = edx + 0x1
0x0000000000401046 <+68>: cltq ; sign extend eax to quadword (rax)
0x0000000000401048 <+70>: mov 0x401ba0(,%rax,4),%eax ; eax = *(rax * 4 + 0x401ba0)
0x000000000040104f <+77>: add %eax,%ecx ; ecx = ecx + eax
0x0000000000401051 <+79>: cmp $0xf,%eax ; if (eax != 0xf) goto 0x401043 (inc edx)
0x0000000000401054 <+82>: jne 0x401043
0x0000000000401056 <+84>: mov %eax,0xc(%rsp) ; *(rsp + 12) = eax
0x000000000040105a <+88>: cmp $0xc,%edx ; if (edx != 12) explode_bomb()
0x000000000040105d <+91>: jne 0x401065
0x000000000040105f <+93>: cmp 0x8(%rsp),%ecx ; if (ecx == *(rsp + 8)) goto 0x40106a
0x0000000000401063 <+97>: je 0x40106a
0x0000000000401065 <+99>: callq 0x40163d ; explode_bomb()
0x000000000040106a <+104>: add $0x18,%rsp ; rsp = rsp + 24
0x000000000040106e <+108>: retq ; return
--------------------------------------------------------------------------------

Entering this string defuses phase_1. We've made it very easy to run the service, but some instructors may be uncomfortable with this requirement and will. Due to address randomization and nonexecutable stack, we are supposed to use Return Oriented Programming (ROP) to pass the string pointer of a given cookie value as argument to a function called touch3. correctly, else you and your students won't be able to run your bombs. If the first character in the input string is anything but a zero then the detonation flag is set to low and passed out the function. 1) We have to find that number 'q' which will cause 12 (twelve) iterations. can be started from initrc scripts at boot time. You won't be able to validate the students' handins. Pretty confident it's looking for 3 inputs this time. initialize_bomb_solve This looks just like phase 1. In order to solve the cypher, take a look at %esi and you'll find an array of characters stored there, where each character has an index. The first argument must be less than 7, right? OK. :-) Well, in order to determine the comparisons used, it will be useful to look up or know Jumps Based on Signed Comparisons. input.txt Public speaking is very easy. Is it true that the first input has to be 5, 21, 37, etc? Help/Collaboration: I received no outside help with this bomb, other than.
srveaw is pretty far off from abcdef. A string that could be the final string outputted when you solve stage 6 is 'Congratulations! The user input is then, 4 5 1 6 2 3. Make sure you update this. Bomb Lab: Phase 5. As the students work on their bombs, each explosion and defusion is streamed back to the server, where the current results for each bomb are displayed on a Web "scoreboard." The following lines are annotated. From here, we have two ways to solve this phase, a dumb way and a smart way. I cannot describe the question better. The update. because it is too easy for the students to cheat. Could this mean alternative endings? Good work! The bomb explodes if the number calculated by this function does not equal 49. Try this one. You will get full credit for defusing phases 2 and 3 with less than 30 explosions. This number was 115. phase_6() - This function does a few initial checks on the numbers inputted by the user. Each phase expects the student to enter a particular string on stdin. On the bright side, at least now we know that our string should come out of the loop as giants. ordered by the total number of accrued points. The goal for the students is to defuse as many phases as possible. Binary Bomb Lab :: Phase 6 - Zach Alexander From the above comments, we deduce that we want to input two space-separated integers. This file is created by the report daemon, 4.4.4. Let me know if you have any questions in the comments. However, you do need to handle recursion actually. e = 16 When we hit phase_1, we can see the following code: Pull up the function in Graph mode with VV, press p to cycle between views, and select the minigraph. The code is comparing the string (presumably our input) stored in %eax to a fixed string stored at 0x804980b. The student then saves the tar file to disk.
Regardless, the first user inputted value had to be less than or equal to 14 and had to spit out an 11 after its computation. Each binary bomb is a program, running a sequence of phases. Each time a student defuses a bomb phase or causes an explosion, the bomb sends a short HTTP message, called an "autoresult string," to an HTTP "result server," which simply appends the autoresult string to a "scoreboard log file. Knowing that scanf() takes in a string format as its input, let's break right before scanf() is called and check the value of $esi. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. Try this. Details on Grading for Bomb Lab. How about the next one? If your Linux box crashes or reboots, simply restart the daemons with "make, * Information and error messages from the servers are appended to the "status log" in bomblab/log-status.txt. Evil has created a slew of "binary bombs" for our class. How about saving the world? phase_1 BombID: Each bomb in a given instance of the lab has a unique, non-negative integer called the "bombID. This command lists all the current breakpoints as well as how many times each breakpoint has been hit on the current run. Give 0 to ebp-8, which is used as loop condition. CurryTang/bomb_lab_solution - GitHub. Solve a total of 6 phases to defuse the bomb. There are various versions of this challenge scattered across . In this part we use objdump to get the assembly code. The smart way of solving this phase is by actually figuring out the cypher. The purpose of this project is to become more familiar with machine level programming.
The third bomb is about the switch expression. This post walks through CMU's bomb lab, which involves defusing a bomb by finding the correct inputs to successive phases in a binary executable using GDB. 0000000000401062 <phase_5>: 401062: 53 push %rbx 401063: 48 83 ec 20 sub $0x20,%rsp 401067: 48 89 fb mov %rdi,%rbx 40106a: . Then you can solve this problem by making a table (Yeah, it may seem silly, but I think it's the most convenient way). Keep going! ", Quiet Bomb: If compiled with the NONOTIFY option, then the bomb doesn't send any messages when it explodes or is defused. They will likely be either 'Good work! Let's create our breakpoints to make sure nothing gets set to the gradebook! initialize_bomb 3 lea's, a cmp of the output to 2 and a jump if greater than. a user account on this machine. Let's use that address in memory and see what it contains as a string. Try this one.'. Let's get started by creating both a breakpoint for explode_bomb and phase_2. "make cleanallfiles" resets the lab from scratch, deleting all data specific to a particular instance of the lab, such as the status log, all bombs created by the request server, and the scoreboard log. Informal Explanations of Phases 1 through 6: I have spent approximately 26 hours on this assignment. It is passed the inputted user phrase and the pass-phrase and then checks that the two strings are the same length. Bomb_Lab/Analysis.md at master MarkHyphen/Bomb_Lab GitHub. angelshark.ics.cs.cmu.edu Video on steps to complete phase one of the lab. Based on the output, our input string is being run into the function with the string I can see Russia from my . You just pass through the function and it does nothing.
Bomb Lab Write-up. Second, each progressive number in the code series entered by the user must be 1 larger than the next. start So far from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. You will only need to modify or inspect a few variables in Section 1 of this file. node6 CIA_MKUltraBrainwashing_Drugs . We can see that the last line shouldn't be contained in this switch structure, while the first four should be. Solved this is binary bomb lab phase 5. I didn't solve phase - Chegg So there are some potential strings for solving each of the stages. by hand by running their custom bomb against their solution: For both Option 1 and Option 2, the makebomb.pl script randomly chooses the variant ("a", "b", or "c") for each phase. Thus, they quickly learn to set breakpoints before each phase and the function that explodes the bomb. Keep going! Each bomb phase tests a different aspect of machine language programs: Phase 4: recursive calls and the stack discipline, Phases get progressively harder. Each phase expects you to type a particular string on stdin. Point breakdown for each phase: Phase 1 - 4: 10 points each; Phase 5 and 6: 15 points each; Total maximum score possible: 70 points; Each time the "bomb explodes", it notifies the server, resulting in a (-)1/5 point deduction from the final score for the lab. This assignment gives you a binary program containing "bombs" which trigger a ping to our server (and make you lose points) if their inputs are wrong. I am currently stuck on bomb lab phase 5. We can inspect its structure directly using gdb. int numArray[15] = {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6}; int readOK; /** number of elements successfully read **/.
Control-l can be used to refresh the UI whenever it inevitably becomes distorted. phase_4 "make start" runs bomblab.pl, the main. Link to Bomb Lab Instructions (pdf) in GitHub Repository. This command lists out all the values that each of the registers hold. Let's set a breakpoint at strings_not_equal. to build a single generic bomb that every student attempts to defuse: This will create a generic bomb and some other files in ./bombs/bomb0: bomb* Generic bomb executable (handout to students), bomb.c Source code for main routine (handout to students), You will hand out only two of these files to the students: ./bomb and ./bomb.c, The students will hand in their solution files, which you can validate, This option is easy for the instructor, but we don't recommend it.