Congratulations! At the onset of the program you get the string 'Welcome to my fiendish little bomb. This number was 115. phase_6() - This function does a few initial checks on the numbers entered by the user. Bomb Lab: Phase 5. Upon entry to that secret stage you likely get the string 'Curses, you've found the secret phase!' The code must be at least six numbers long or else the bomb detonates. We can then set up a breakpoint upon entering phase_1 using b phase_1 and for the function explode_bomb to avoid losing points. A clear, concise, correct answer will earn full credit. And, as you can see at structure, the loop iterates 6 times. Guide and work-through for System I's Bomb Lab at DePaul University. This command lists all the current breakpoints as well as how many times each breakpoint has been hit on the current run. Phase 1 defused. srveaw is pretty far off from abcdef. First thing I did was to search the binary using strings to see if there was anything interesting that pops out. string_length Such bombs are called "notifying bombs." If so, put zero in %eax and return. Students earn points for defusing phases, and they lose points (configurable by the instructor, but typically 1/2 point) for each explosion. Report Daemon (bomblab-reportd.pl). I then restart the program and see if that got me through phase 1. Second, each progressive number in the code series entered by the user must be 1 larger than the next. 
In this part we use objdump to get the assembly code. On a roll! I see the output 'Phase 1 defused. Let's use blah again as our input for phase_2. Students download their bombs, and display the scoreboard by pointing a browser at a simple HTTP server called the "request server." Essentially what is happening is, each character from our string is ANDed with 0xf, and the result is used to get the character with the corresponding index from the array. You've defused the bomb!'. In memory there is a 16-element array of the numbers 0-15. Keep going! Control-l can be used to refresh the UI whenever it inevitably becomes distorted. We can inspect its structure directly using gdb. You will have to run through the reverse engineering process, but there won't be much in the way of complicated assembly to decipher or tricky mental hoops to jump through. A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post. strings_not_equal The source code for the different phase variants is in ./src/phases/. The function then takes the address of the memory location within the array indexed by the second user input and places it in the empty adjacent element designated by the first user input. If the first character in the input string is anything but a zero then the detonation flag is set to low and passed out the function. Actually in this part, the answer isn't unique. Phase 1 defused. Ahhhh, recursion, right? 
There are no explicit handins and the lab is self-grading. Phase 1. You just choose a number arbitrarily from 0 to 6 and go through the switch expression, and you get your second argument. (up to -6 points deducted) Each bomb explosion notification that reaches the staff results in a 1 point deduction, capped at -6 points total. A string that could be the final string outputted when you solve stage 6 is 'Congratulations! So we can plug in 6 d characters and get a valid comparison! Let's get started by creating both a breakpoint for explode_bomb and phase_2. After looking at these interesting strings, I'm going to make a few guesses at what is going on in this binary "BOMB!!". phase_1 offline version, you can ignore most of these settings. Given this info, it looks as though the loop is implementing a cypher. When we take a look at the assembly code above, we see one register eax and an address 0x402400. Either way, eventually you'll find that the pre-cyphered version of giants is actually opekmq. Given you ultimately needed to have the element containing 0xf to exit after 15 iterations, I saw that f was at array element index 6. It then updates the HTML scoreboard that summarizes the current number of explosions and defusions for each bomb, rank. I keep on getting like 3 numbers correctly, and then find the only possible solutions for the other 3 incorrect, so I am at a loss. Let's clear all our previous breakpoints and set a new one at phase_2. Type "./makebomb.pl -h" to see its arguments. In this version of the lab, you build your own quiet bombs manually, and then hand them out to the students. After solving stage 3 you likely get the string 'Halfway there! For example, "-p abacba" will use variant "a" for phase 1, variant "b" for. Each line is annotated. 
It is clearly the most compelling and fun for the students, and the easiest for the instructor to grade. How about the next one? Phase 1: There are two main ways of getting the answer. The problem requires that the return value of the func4 should also be zero. The "report daemon" periodically scans the scoreboard log file. As a next step, let's input the test string abcdef and take a look at what the loop does to it. It's obvious that the first number should be 1. The following lines are annotated. The first number must be between 0 and 7. Welcome to my fiendish little bomb. We've made it very easy to run the service, but some instructors may be uncomfortable with this requirement and will. f7 ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 a1 ff ff ff callq 40143a , fc ff ff callq 400bf0 <__isoc99_sscanf@plt>, : e8 c7 fb ff ff callq 400bf0 <__isoc99_sscanf@plt>, fa ff ff callq 400b30 <__stack_chk_fail@plt>. The goal for the students is to defuse as many phases as possible. Now you can see there are a few loops. We can get the full assembly code using an object dump: objdump -d path/to/binary > temp.txt. You can tell makebomb.pl to use a specific variant by using the "-p" option. As we have learned from the past phases, fixed values are almost always important. Then we can get the range of the first argument from the line. Then you get the answer to be the pair (7, 0). start Each time a student defuses a bomb phase or causes an explosion, the bomb sends a short HTTP message, called an "autoresult string," to an HTTP "result server," which simply appends the autoresult string to a "scoreboard log file." 
(Add 16 each time.) ecx is compared to rsp, which is 15, so we need ecx to equal 15. Changing the second input does not affect ecx; the first input is directly correlated to edx. Each of you will work with a special "binary bomb". The user input is then 4 5 1 6 2 3. In this part, we are given two functions phase_4() and func4(). PHASE 3. is "defused." Less than two and the bomb detonates. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5. Make sure you update this. What's more, there's a function call to read_six_numbers(), which we can inspect. Up till now, you should be able to find out that in this part, we are required to enter six numbers. A binary bomb is a program that consists of a sequence of phases. A Mad Programmer got really mad and created a slew of binary bombs. Using layout asm, we can see the assembly code as we step through the program. The "main daemon" starts and nannies the request server, result server, and report daemon, ensuring that exactly one of these processes (and itself) is running at any point in time. Binary Bomb Lab :: Phase 6. For example, after a function has finished executing, this command can be used to check the value of $rax to see the function output. Add abcdef as your Phase 5 solution in answers.txt, load the binary in r2's Debug mode, run analysis, then dcu sym.phase_5. 
If the student enters the expected string, then that phase. You have 6 phases with Also note that the binary follows the AT&T standard so instruction operands are reversed (e.g. On line <phase_4+16>, the <phase_4> function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made. This is binary bomb lab phase 5. I didn't solve phase 5. Halfway there! Going back to the code for phase_2, we see that the first number has to be 1. First, set up your bomb directory. phase_2() - This phase is about typing in a code. If the function succeeds, it follows the green arrow on the right to the third box. func4() - This function was rather difficult for me to get through logically and so I ultimately had to take it somewhat as a black box. We do this by typing, Then we request a bomb for ourselves by pointing a Web browser at, After saving our bomb to disk, we untar it, copy it to a host in the approved list in src/config.h, and then explode and defuse it a couple of times to make sure that the explosions and diffusion are properly recorded on the scoreboard, which we check at, Once we're satisfied that everything is OK, we stop the lab, Once we go live, we type "make stop" and "make start" as often as we. Each message contains a BombID, a phase, and an indication of the event that occurred. Each phase expects the student to enter a particular string on stdin. Servers run quietly, so they. There was a bunch of manipulation of stack space but there was nothing in the stack at that location and so it is likely a bunch of leg work.