bomb lab phase 3 github

Each phase expects you to type a particular string on stdin. You can compile directly on myth using a copy of a Makefile from any CS107 assignment/lab as a starting point, and then use gdb or objdump to poke around. IMPORTANT NOTE: You can work on your solution on any Linux machine, but in order to submit your . TrendMicro CTF 2016 - re100. Bomb-Assembly. This lab allows you to specify a file for the bomb to read your discovered solutions from at run time. P native process 101 In: phase 5 (gdb) x/32wd 0x5555555568a0 0x5555555568a0 <array.3418>: 2 10 6 1 0x5555555568b0 <array.3418+16>: 12 16 9 3 0x5555555568c0 <array.3418+32>: 4 7 14 5 0x5555555568d0 <array.3418+48>: 11 8 15 13 0x5555555568e0: 2032168787 1948284271 1802398056 1970239776 0x5555555568f0: 1851876128 1869902624 1752440944 1868701797 . I know that it is using a switch table here. 8048db7: 83 ec 44 sub $0x44,%esp. Evil has planted a slew of "binary bombs" on our machines. Figure 1: Summary of attack lab phases 4.1 Level 1 For Phase 1, you will not inject new code . (up to -6 points deducted) Each bomb explosion notification that reaches the staff results in a 1 point deduction, capped at -6 points total. BOMB LAB - PHASE 4. Like the last phase, it has multiple correct answers. Each lab is distributed in a self-contained tar file. I know that this phase requires %d %d. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. The purpose of this project is to become more familiar with machine level programming. Let's try "flower" and see if we get pass the. Posted by Avantika Yellapantula at 6:00 AM. For homework: defuse phases 2 and 3. NHN NEXT 2013. Now is time to introduce Visual mode, which opens up many of r2's best features. We have a loop with iterators %ebx and %edi. I wonder how I could find the second . Subtraction of 0xb8-0x125 gives the integer -109, which works with this phase. Phase_3 switchcase . 
addr_target = 0x400FC9 # The address of the first instruction of the explode_bomb function, which is to be avoided. which I believe is the 2nd . Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Phase 6 Secret Phase. Each additional explosion costs you 0.5 points. The input should consist of an integer (0 ~ 6), a character and another integer (both determined by the previous integer). Here is Phase 6. The difficulty comes from recursion and another function whose purpose isn't clear from just its name. I keep on getting like 3 numbers correctly, and then find the only possible solutions for the other 3 incorrect, so I am at a loss. Binary Bomb Lab :: Phase 5. In a moment of weakness however, Dr. Checks to see if ANYTHING is inputted. Posted on 2016-08-03 | In writeup. I fired up gdb, added some breakpoints before and after the first input string required for the bomb. Phase 1. Your job for this lab is to defuse your bomb. Each of you will work with a special "binary bomb". If any of these is . Let's start gdb and place a breakpoint on explode_bomb. (Add 16 each time) ecx is compared to rsp, which is 15, so we need ecx to equal 15. Type in. Dump of assembler code for function phase_3: => 0x08048ce8 <+0>: sub . Assembly to C Code jumps. Let's use gdb to figure out what they are. Guess the second number 2. Your job for this level is to supply an exploit string that will cause getbuf() to return your . Solving a reverse engineering challenge using r2 and ESIL. Each phase expects you to type a . bomb.c: Source file with the bomb's main routine and a friendly greeting. Point breakdown for each phase: Phase 1 - 4: 10 points each; Phase 5 and 6: 15 points each; Total maximum score possible: 70 points; Each time the "bomb explodes", it notifies the server, resulting in a (-)1/5 point deduction from the final score for the lab. CSAPP: Bomb Lab. 
(Please feel free to fork or star if helpful!) So I am doing the classic Binary bomb and have managed to get to phase 6 without too much trouble but I've been bashing my head trying to figure out this last phase so any help would be appreciated. Binary Bomb Lab Phase 1 Walkthrough. 08048db5 <phase_6>: 8048db5: 56 push %esi. using a debugger) what the secret input for each "phase" is. Nonetheless, you will always gain points for completing a phase regardless of how many times the bomb has exploded. Phase 3 Resources Intro This post walks through the first 3 phases of the lab. Despite first impressions, this function isn't very complicated, and with Graph mode we can easily make sense of it. A clear, concise, correct answer will earn full credit. If the input passes that check we enter the final function: sym.fun7. So there are consequences to exploding the bomb. That may not seem significantly more difficult than using an ROP attack to invoke touch2, except that we have made it so. Moreover, Phase 5 counts for only 5 points, which is not a true measure of the effort it will require. Each time your bomb explodes it notifies the staff, and you lose 1/4 point (up to a max of 10 points) in the final score for the lab. Level 5: target_f2 in rtarget (15 points) For Level 5, you will repeat the attack of Level 2 to target_f2, but in the program rtarget using gadgets from your gadget farm. Phase 4 is our first real jump in difficulty. Binary Bomb Lab- Phase 3. Keep going! You will get full credit for defusing phase 1 with less than 20 explosions. Details on Grading for Bomb Lab. Question: Bomb Lab phase 3 Right now, I know it is searching for two numbers (%d %d). A binary bomb is a program that consists of a sequence of six phases. There is a small grade penalty for explosions beyond 20. 
The answer should be six digits from 1 to 6, and distinct from each other. Bomb explosions. At the r2 command prompt, enter (uppercase) V. addr_start = 0x400F60 # The address of the return of phase_3. (gdb) info line main Line 3 of "main.c" starts at address 0x401050 <main> and ends at 0x401075 <main+ (gdb) disas 0x401050 0x401075 Dump of assembler code from 0x401050 to 0x401075: 0x00401050 . Answers that are vague, inaccurate, or . Defuse the "phases" of the bomb by figuring out (e.g. 0x08048e35 <+91>: add $0xb8,%eax. A short introduction to instrumentation and Frida on Linux. Phase 4 (gdb) ni 3: 0x0000000000400efe in phase_1 (gdb) disas: Dump of assembler code for function phase_1: 0x0000000000400ef0 <+0>: sub $0x8,%rsp: %d 4 . These are the precise rules: There are a total of 34 points (1, 1, 3, 5, 5, 5, 7, 7 points for phases 1-8, respectively). I know there has to be 6 numbers, with the range of 1-6, and there can't be any repeats. Answer contains 6 integers. # The address where the symbolic execution shall begin. You must do the assignment on one of the class machines. This is binary bomb lab phase 5. I didn't solve phase 5. This is an educational video on understanding and solving the Binary Bomb Lab. If it is not 6 characters, it will jump to Bomb_Explode function. I can get to the last bomb explosion function.. but I can't get past it. Each time your bomb explodes it notifies the bomblab server, and you lose 1/2 point (up to a max of 20 points) in the final score for the lab. You do not necessarily lose the points immediately. There are 2 free explosions (no points lost) for each phase. Download and print the gdb quick reference guide. Once that's done, disassemble phase_4. If you're looking for a specific phase: Here is Phase 1 Here is Phase 2 Here is Phase 3 Here is Phase 5 Here is Phase 6 Phase 4 In my opinion, this is where things start to get tricky. 
This was also paired with many add $0x125 and sub $0x125, but ultimately each canceled out till all was left with sub $0x125. 8048db6: 53 push %ebx. This is Phase_6 from the Bomb Lab. For lab: defuse phase 1. eb 3b jmp 400fbe <phase_3+0x7b> x = 2 400f83: b8 c3 02 00 00 mov $0x2c3,%eax 400f88: eb 34 jmp 400fbe <phase_3+0x7b> x = 3 400f8a: b8 00 01 00 00 mov $0x100,%eax 400f8f: eb 2d jmp 400fbe <phase_3 . Evil has created a slew of "binary bombs" for our class. There is a small amount of extra credit for each additional phase . ------------------------------------------------------- (gdb) disas phase_3 Dump of assembler code for function phase_3: A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post. Breakpoint 1 at 0x8048cc4. Bomb lab phase_4. That value is decremented and compared against 0x3e8 (1000) - the bomb is triggered if our decremented value is greater than that. Step 2: Defuse Your Bomb. Bomblab. Phases 5 and 6 are a little more difficult, so they are worth 15 points each. I am looking for the solution. You must be careful! Next, as we . # We end it there so as to dump the stack and retrieve values before the stack frame is discarded. One possible input is " 0 q 777 ". to "defuse" using your assembly and reverse-engineering skills. A binary bomb is a program that consists of a sequence of phases. Now we have two criteria for our password. Phase 4 Dump of assembler code for function phase_4: 0x000000000040100b <+0>: sub $0x18,%rsp. You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. 
You will get full credit for defusing phases 2 and 3 with less than 30 explosions. I see that I need more than 2 inputs for the function to work, but it begins to get really muddy after that. Note that between the beginning and end of phase_1 there is a call to the function . The first four phases are worth 10 points each. Phase 3 of binary bomb lab. February 20, 2011. Binary Bomb (Phase 5) Let's go through Phase 5. This is the assembly code for phase 3: The list of numbers I've inputted is this: So far from my understanding, two conditions need to be met: edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. Jump . Enter Graph. It reads the answer line from the user for each phase, then calls a function phase_x that has the code for phase x (x between 1 and 6 for the six phases). (You will not get credit for using the debugger to jump over the code that checks whether input is valid; the bomb must send a correct input to our server.) This page contains a complete set of turnkey labs for the CS:APP3e text. Load the binary, analyze it, seek to sym.phase_3, then print it. Our purpose is to help you learn about the runtime operation of programs and to understand the nature of this form of security weakness so that you can avoid it when you write system code. Each time your bomb explodes it notifies the bomblab server, and you lose some points in the final score for the lab. So there are consequences to exploding the bomb. According to the format, int takes 2 bytes, char takes 1 byte. To begin, let's take a look at the <phase_1> function in our objdump file: Each phase expects you to type a particular string on stdin. In this video, I demonstrate how to solve the Bomblab Phase 6 for Computer Systems. 
The second part is the binary bomb program, where you're given an executable "bomb" program (no C code provided!) What I know so far: first input cannot be 15, 31, 47, etc. It is right after parsing of two numbers taken as input. So I'm struggling understanding this phase of a binary bomb lab that I have to do for class. I'm stuck on phase6, I think it is the linked list that is giving me problems. => 0x00000000004012f1 <+0>: cmpb $0x0, (%rdi) //rdi = string input. GDB Here are a few useful commands that are worth highlighting: layout asm Made this really quick but it should give an idea of how to complete phase 3 - to run it just look at my previous video. This is phase 2 of a binary bomb lab. Binary Bomb. The bomb program will ask you for a secret input. End of assembler dump. Bomblab. Readme (27 points) 2 points for explosion suppression, 5 points for each level question. Also note that the binary follows the AT&T standard so instruction operations are reversed (e.g. This lab allows you to specify a file for the bomb to read your discovered solutions from at run time. Feel free to fire away at CTARGET and RTARGET with any strings you like. Code must be solved. So if my solutions I have found for different phases are in a file called solutions.txt I would run "run solutions.txt" and it would run my bomb with that argument. . Unlike the Bomb Lab, there is no penalty for making mistakes in this lab. It. So the answer: 2 -109. I have listed code below. 
This phase takes six numbers and runs a test on five of them in a loop. Phase Program Level Method Function Points 1 CTARGET 1 CI touch1 10 2 CTARGET 2 CI touch2 25 3 CTARGET 3 CI touch3 25 4 RTARGET 2 ROP touch2 35 5 RTARGET 3 ROP touch3 5 CI: Code injection ROP: Return-oriented programming Figure 1: Summary of attack lab phases The server will test your exploit string to make sure it really works, and it will update the Attacklab score- Guess the input is: 01 02 04 08 16 32. For phase two, run gdb bomb on terminal and do the following: (gdb) break phase_2. phase 2 solved. The calling function is oblivious to the attack.