summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNavan Chauhan <navanchauhan@gmail.com>2023-10-04 14:36:45 -0600
committerNavan Chauhan <navanchauhan@gmail.com>2023-10-04 14:36:45 -0600
commit1c3ae60504d15236c1d8c1d3443012377c85d031 (patch)
tree2102bc308c1af6af75da8c59e2726057297b38c7
parent1c16ad701ece04045dda859f673e5a85092acbdf (diff)
added phase 3
-rw-r--r--Content/posts/2023-10-04-bomb-lab.md278
-rw-r--r--Resources/assets/bomb-lab/phase-3.pngbin0 -> 69063 bytes
-rw-r--r--docs/assets/bomb-lab/phase-3.pngbin0 -> 69063 bytes
-rw-r--r--docs/feed.rss274
-rw-r--r--docs/index.html4
-rw-r--r--docs/posts/2023-10-04-bomb-lab.html278
-rw-r--r--docs/posts/index.html4
7 files changed, 820 insertions, 18 deletions
diff --git a/Content/posts/2023-10-04-bomb-lab.md b/Content/posts/2023-10-04-bomb-lab.md
index 4919f61..fdbf87c 100644
--- a/Content/posts/2023-10-04-bomb-lab.md
+++ b/Content/posts/2023-10-04-bomb-lab.md
@@ -1,15 +1,19 @@
---
date: 2023-10-04 13:12
-description: Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2
+description: Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2
tags: gdb, reverse-engineering, c++, csci2400, assembly
---
-# Bomb Lab
+# Bomb Lab Phases 1 & 2
## Introduction
Lab 2 for CSCI 2400 - Computer Systems.
+I like using objdump to disassemble the code and see a broad overview of what is happening.
+
+`objdump -d bomb > dis.txt`
+
## Phase 1
```
@@ -179,3 +183,273 @@ Breakpoint 1, 0x00005555555555eb in phase_2 ()
Continuing.
That's number 2. Keep going!
```
+
+## Phase 3
+
+Let us look at the disassembled code first
+
+```
+0000000000001638 <phase_3>:
+ 1638: f3 0f 1e fa endbr64
+ 163c: 48 83 ec 18 sub $0x18,%rsp
+ 1640: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
+ 1645: 48 8d 54 24 0c lea 0xc(%rsp),%rdx
+ 164a: 4c 8d 44 24 08 lea 0x8(%rsp),%r8
+ 164f: 48 8d 35 60 1b 00 00 lea 0x1b60(%rip),%rsi # 31b6 <_IO_stdin_used+0x1b6>
+ 1656: b8 00 00 00 00 mov $0x0,%eax
+ 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt>
+ 1660: 83 f8 02 cmp $0x2,%eax
+ 1663: 7e 20 jle 1685 <phase_3+0x4d>
+ 1665: 83 7c 24 0c 07 cmpl $0x7,0xc(%rsp)
+ 166a: 0f 87 0d 01 00 00 ja 177d <phase_3+0x145>
+ 1670: 8b 44 24 0c mov 0xc(%rsp),%eax
+ 1674: 48 8d 15 55 1b 00 00 lea 0x1b55(%rip),%rdx # 31d0 <_IO_stdin_used+0x1d0>
+ 167b: 48 63 04 82 movslq (%rdx,%rax,4),%rax
+ 167f: 48 01 d0 add %rdx,%rax
+ 1682: 3e ff e0 notrack jmp *%rax
+ 1685: e8 c0 06 00 00 call 1d4a <explode_bomb>
+ 168a: eb d9 jmp 1665 <phase_3+0x2d>
+ 168c: b8 63 00 00 00 mov $0x63,%eax
+ 1691: 81 7c 24 08 3d 02 00 cmpl $0x23d,0x8(%rsp)
+ 1698: 00
+ 1699: 0f 84 e8 00 00 00 je 1787 <phase_3+0x14f>
+ 169f: e8 a6 06 00 00 call 1d4a <explode_bomb>
+ 16a4: b8 63 00 00 00 mov $0x63,%eax
+ 16a9: e9 d9 00 00 00 jmp 1787 <phase_3+0x14f>
+ 16ae: b8 61 00 00 00 mov $0x61,%eax
+ 16b3: 81 7c 24 08 27 01 00 cmpl $0x127,0x8(%rsp)
+ 16ba: 00
+ 16bb: 0f 84 c6 00 00 00 je 1787 <phase_3+0x14f>
+ 16c1: e8 84 06 00 00 call 1d4a <explode_bomb>
+ 16c6: b8 61 00 00 00 mov $0x61,%eax
+ 16cb: e9 b7 00 00 00 jmp 1787 <phase_3+0x14f>
+ 16d0: b8 78 00 00 00 mov $0x78,%eax
+ 16d5: 81 7c 24 08 e7 02 00 cmpl $0x2e7,0x8(%rsp)
+ 16dc: 00
+ 16dd: 0f 84 a4 00 00 00 je 1787 <phase_3+0x14f>
+ 16e3: e8 62 06 00 00 call 1d4a <explode_bomb>
+ 16e8: b8 78 00 00 00 mov $0x78,%eax
+ 16ed: e9 95 00 00 00 jmp 1787 <phase_3+0x14f>
+ 16f2: b8 64 00 00 00 mov $0x64,%eax
+ 16f7: 81 7c 24 08 80 02 00 cmpl $0x280,0x8(%rsp)
+ 16fe: 00
+ 16ff: 0f 84 82 00 00 00 je 1787 <phase_3+0x14f>
+ 1705: e8 40 06 00 00 call 1d4a <explode_bomb>
+ 170a: b8 64 00 00 00 mov $0x64,%eax
+ 170f: eb 76 jmp 1787 <phase_3+0x14f>
+ 1711: b8 6d 00 00 00 mov $0x6d,%eax
+ 1716: 81 7c 24 08 ff 02 00 cmpl $0x2ff,0x8(%rsp)
+ 171d: 00
+ 171e: 74 67 je 1787 <phase_3+0x14f>
+ 1720: e8 25 06 00 00 call 1d4a <explode_bomb>
+ 1725: b8 6d 00 00 00 mov $0x6d,%eax
+ 172a: eb 5b jmp 1787 <phase_3+0x14f>
+ 172c: b8 71 00 00 00 mov $0x71,%eax
+ 1731: 81 7c 24 08 75 03 00 cmpl $0x375,0x8(%rsp)
+ 1738: 00
+ 1739: 74 4c je 1787 <phase_3+0x14f>
+ 173b: e8 0a 06 00 00 call 1d4a <explode_bomb>
+ 1740: b8 71 00 00 00 mov $0x71,%eax
+ 1745: eb 40 jmp 1787 <phase_3+0x14f>
+ 1747: b8 79 00 00 00 mov $0x79,%eax
+ 174c: 81 7c 24 08 94 02 00 cmpl $0x294,0x8(%rsp)
+ 1753: 00
+ 1754: 74 31 je 1787 <phase_3+0x14f>
+ 1756: e8 ef 05 00 00 call 1d4a <explode_bomb>
+ 175b: b8 79 00 00 00 mov $0x79,%eax
+ 1760: eb 25 jmp 1787 <phase_3+0x14f>
+ 1762: b8 79 00 00 00 mov $0x79,%eax
+ 1767: 81 7c 24 08 88 02 00 cmpl $0x288,0x8(%rsp)
+ 176e: 00
+ 176f: 74 16 je 1787 <phase_3+0x14f>
+ 1771: e8 d4 05 00 00 call 1d4a <explode_bomb>
+ 1776: b8 79 00 00 00 mov $0x79,%eax
+ 177b: eb 0a jmp 1787 <phase_3+0x14f>
+ 177d: e8 c8 05 00 00 call 1d4a <explode_bomb>
+ 1782: b8 68 00 00 00 mov $0x68,%eax
+ 1787: 38 44 24 07 cmp %al,0x7(%rsp)
+ 178b: 75 05 jne 1792 <phase_3+0x15a>
+ 178d: 48 83 c4 18 add $0x18,%rsp
+ 1791: c3 ret
+ 1792: e8 b3 05 00 00 call 1d4a <explode_bomb>
+ 1797: eb f4 jmp 178d <phase_3+0x155>
+```
+
+```
+...
+ 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt>
+...
+```
+
+We can see that `scanf` is being called which means we need to figure out what datatype(s) the program is expecting.
+
+Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.
+
+```
+jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<https://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+ <http://www.gnu.org/software/gdb/documentation/>.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./bomb...
+Breakpoint 1 at 0x1638
+Breakpoint 2 at 0x1d4a
+Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+Welcome to my fiendish little bomb. You have 6 phases with
+which to blow yourself up. Have a nice day!
+Phase 1 defused. How about the next one?
+That's number 2. Keep going!
+random string
+
+Breakpoint 1, 0x0000555555555638 in phase_3 ()
+(gdb) disas
+Dump of assembler code for function phase_3:
+=> 0x0000555555555638 <+0>: endbr64
+ 0x000055555555563c <+4>: sub $0x18,%rsp
+ 0x0000555555555640 <+8>: lea 0x7(%rsp),%rcx
+ 0x0000555555555645 <+13>: lea 0xc(%rsp),%rdx
+ 0x000055555555564a <+18>: lea 0x8(%rsp),%r8
+ 0x000055555555564f <+23>: lea 0x1b60(%rip),%rsi # 0x5555555571b6
+ 0x0000555555555656 <+30>: mov $0x0,%eax
+ 0x000055555555565b <+35>: call 0x5555555552e0 <__isoc99_sscanf@plt>
+ 0x0000555555555660 <+40>: cmp $0x2,%eax
+ 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77>
+ 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp)
+ 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325>
+ 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax
+ 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0
+ 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax
+ 0x000055555555567f <+71>: add %rdx,%rax
+ 0x0000555555555682 <+74>: notrack jmp *%rax
+ 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>
+ 0x000055555555568a <+82>: jmp 0x555555555665 <phase_3+45>
+ 0x000055555555568c <+84>: mov $0x63,%eax
+ 0x0000555555555691 <+89>: cmpl $0x23d,0x8(%rsp)
+ 0x0000555555555699 <+97>: je 0x555555555787 <phase_3+335>
+ 0x000055555555569f <+103>: call 0x555555555d4a <explode_bomb>
+ 0x00005555555556a4 <+108>: mov $0x63,%eax
+ 0x00005555555556a9 <+113>: jmp 0x555555555787 <phase_3+335>
+--Type <RET> for more, q to quit, c to continue without paging--
+```
+
+
+`gdb` has thankfully marked the address which is being passed to `scanf`. We can access the value:
+
+```
+(gdb) x/1s 0x5555555571b6
+0x5555555571b6: "%d %c %d"
+(gdb)
+```
+
+BINGO! The program expects an integer, character, and another integer. Onwards.
+
+```
+ 0x0000555555555660 <+40>: cmp $0x2,%eax
+ 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77>
+...
+ 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>
+```
+
+The program checks whether `scanf` returns a value <= 2, if it does then it calls the `explode_bomb` function.
+
+*Note: `scanf` returns the number of fields that were succesfully converted and assigned*
+
+```
+ 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp)
+ 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325>
+...
+ 0x000055555555577d <+325>: call 0x555555555d4a <explode_bomb>
+```
+
+Similarly, the program checks and ensures the returned value is not > 7.
+
+
+```
+ 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax
+ 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0
+ 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax
+ 0x000055555555567f <+71>: add %rdx,%rax
+ 0x0000555555555682 <+74>: notrack jmp *%rax
+ 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>
+```
+
+* `0x0000555555555670 <+56>: mov 0xc(%rsp),%eax` - Moves value located at `0xc` (12 in Decimal) bytes above the stack pointer to `%eax` register.
+* `0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0` - This instruction calculates an effective address by adding `0x1b55` to the current instruction pointer (`%rip`). The result is stored in the `%rdx` register.
+* `0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax`
+ * `movslq` stands for "move with sign-extension from a 32-bit value to a 64-bit value." (if the 32-bit value is negative, the 64-bit result will have all its upper 32 bits set to 1; otherwise, they'll be set to 0).
+ * `(%rdx,%rax,4)` - First start with the value in the %rdx register, then add to it the value in the %rax register multiplied by 4.
+ * `%rax` - Destination Register
+* `0x000055555555567f <+71>: add %rdx,%rax` - Adds base address in `%rdx` to the offset in `%rax`
+* `0x0000555555555682 <+74>: notrack jmp *%rax` - Jumps to the address stored in `%rax`
+* `0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>` - If we are unable to jump to the specified instruction, call `explode_bomb`
+
+Let us try to run the program again with a valid input for the first number and see what the program is computing for the address.
+
+I used the input: `3 c 123`.
+
+To check what is the computed address, we can switch to the asm layout by running `layout asm`, and then going through instructions `ni` or `si` until we reach the line `movslq (%rdx,%rax,4),%rax`
+
+`%rax` should hold the value 3.
+
+```
+(gdb) print $rax
+$1 = 3
+```
+
+![Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to](/assets/bomb-lab/phase-3.png)
+
+We can see that this makes us jump to `<phase_3+186>` (Continue to step through the code by using `ni`)
+
+```
+ 0x00005555555556f2 <+186>: mov $0x64,%eax
+ 0x00005555555556f7 <+191>: cmpl $0x280,0x8(%rsp)
+ 0x00005555555556ff <+199>: je 0x555555555787 <phase_3+335>
+ 0x0000555555555705 <+205>: call 0x555555555d4a <explode_bomb>
+```
+
+We see that `0x64` (Decimal 100) is being stored in `%eax`. Then, the program compares `0x280` (Decimal 640) with memory address `0x8` bytes above the stack pointer (`%rsp`). If the values are equal, then it jumps to `<phase_3+335>`, otherwise `explode_bomb` is called.
+
+```
+ 0x0000555555555787 <+335>: cmp %al,0x7(%rsp)
+ 0x000055555555578b <+339>: jne 0x555555555792 <phase_3+346>
+ 0x000055555555578d <+341>: add $0x18,%rsp
+ 0x0000555555555791 <+345>: ret
+ 0x0000555555555792 <+346>: call 0x555555555d4a <explode_bomb>
+```
+
+Here, the program is comparing the value of our given character to the value stored in `%al` (lower 8 bits of `EAX`), and checks if they are not equal.
+
+Knowing that the character is stored at an offset of 7 bytes to `%rsp`, we can print and check the value by running:
+
+```
+(gdb) x/1cw $rsp+7
+c
+(gdb) print $al
+$1 = 100
+```
+
+We can simply lookup the [ASCII table](https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html), and see that 100 in decimal stands for the character `d`. Let us try this answer:
+
+```
+...
+That's number 2. Keep going!
+3 d 640
+
+Breakpoint 1, 0x0000555555555638 in phase_3 ()
+(gdb) continue
+Continuing.
+Halfway there!
+```
diff --git a/Resources/assets/bomb-lab/phase-3.png b/Resources/assets/bomb-lab/phase-3.png
new file mode 100644
index 0000000..b247a5b
--- /dev/null
+++ b/Resources/assets/bomb-lab/phase-3.png
Binary files differ
diff --git a/docs/assets/bomb-lab/phase-3.png b/docs/assets/bomb-lab/phase-3.png
new file mode 100644
index 0000000..b247a5b
--- /dev/null
+++ b/docs/assets/bomb-lab/phase-3.png
Binary files differ
diff --git a/docs/feed.rss b/docs/feed.rss
index 8b5469b..c43a5b5 100644
--- a/docs/feed.rss
+++ b/docs/feed.rss
@@ -4,8 +4,8 @@
<title>Navan's Archive</title>
<description>Rare Tips, Tricks and Posts</description>
<link>https://web.navan.dev/</link><language>en</language>
- <lastBuildDate>Wed, 04 Oct 2023 13:16:44 -0000</lastBuildDate>
- <pubDate>Wed, 04 Oct 2023 13:16:44 -0000</pubDate>
+ <lastBuildDate>Wed, 04 Oct 2023 14:36:29 -0000</lastBuildDate>
+ <pubDate>Wed, 04 Oct 2023 14:36:29 -0000</pubDate>
<ttl>250</ttl>
<atom:link href="https://web.navan.dev/feed.rss" rel="self" type="application/rss+xml"/>
@@ -3212,19 +3212,23 @@ logger.info("rdkit-{} installation finished!".format(rdkit.__version__))
https://web.navan.dev/posts/2023-10-04-bomb-lab.html
</guid>
<title>
- Bomb Lab
+ Bomb Lab Phases 1 &amp; 2
</title>
<description>
- Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2
+ Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2
</description>
<link>https://web.navan.dev/posts/2023-10-04-bomb-lab.html</link>
<pubDate>Wed, 04 Oct 2023 13:12:00 -0000</pubDate>
- <content:encoded><![CDATA[<h1>Bomb Lab</h1>
+ <content:encoded><![CDATA[<h1>Bomb Lab Phases 1 &amp; 2</h1>
<h2>Introduction</h2>
<p>Lab 2 for CSCI 2400 - Computer Systems. </p>
+<p>I like using objdump to disassemble the code and see a broad overview of what is happening. </p>
+
+<p><code>objdump -d bomb &gt; dis.txt</code></p>
+
<h2>Phase 1</h2>
<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb
@@ -3384,6 +3388,266 @@ Breakpoint 1, 0x00005555555555eb in phase_2 ()
Continuing.
That's number 2. Keep going!
</code></pre>
+
+<h2>Phase 3</h2>
+
+<p>Let us look at the disassembled code first</p>
+
+<pre><code>0000000000001638 &lt;phase_3&gt;:
+ 1638: f3 0f 1e fa endbr64
+ 163c: 48 83 ec 18 sub $0x18,%rsp
+ 1640: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
+ 1645: 48 8d 54 24 0c lea 0xc(%rsp),%rdx
+ 164a: 4c 8d 44 24 08 lea 0x8(%rsp),%r8
+ 164f: 48 8d 35 60 1b 00 00 lea 0x1b60(%rip),%rsi # 31b6 &lt;_IO_stdin_used+0x1b6&gt;
+ 1656: b8 00 00 00 00 mov $0x0,%eax
+ 165b: e8 80 fc ff ff call 12e0 &lt;__isoc99_sscanf@plt&gt;
+ 1660: 83 f8 02 cmp $0x2,%eax
+ 1663: 7e 20 jle 1685 &lt;phase_3+0x4d&gt;
+ 1665: 83 7c 24 0c 07 cmpl $0x7,0xc(%rsp)
+ 166a: 0f 87 0d 01 00 00 ja 177d &lt;phase_3+0x145&gt;
+ 1670: 8b 44 24 0c mov 0xc(%rsp),%eax
+ 1674: 48 8d 15 55 1b 00 00 lea 0x1b55(%rip),%rdx # 31d0 &lt;_IO_stdin_used+0x1d0&gt;
+ 167b: 48 63 04 82 movslq (%rdx,%rax,4),%rax
+ 167f: 48 01 d0 add %rdx,%rax
+ 1682: 3e ff e0 notrack jmp *%rax
+ 1685: e8 c0 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 168a: eb d9 jmp 1665 &lt;phase_3+0x2d&gt;
+ 168c: b8 63 00 00 00 mov $0x63,%eax
+ 1691: 81 7c 24 08 3d 02 00 cmpl $0x23d,0x8(%rsp)
+ 1698: 00
+ 1699: 0f 84 e8 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 169f: e8 a6 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 16a4: b8 63 00 00 00 mov $0x63,%eax
+ 16a9: e9 d9 00 00 00 jmp 1787 &lt;phase_3+0x14f&gt;
+ 16ae: b8 61 00 00 00 mov $0x61,%eax
+ 16b3: 81 7c 24 08 27 01 00 cmpl $0x127,0x8(%rsp)
+ 16ba: 00
+ 16bb: 0f 84 c6 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 16c1: e8 84 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 16c6: b8 61 00 00 00 mov $0x61,%eax
+ 16cb: e9 b7 00 00 00 jmp 1787 &lt;phase_3+0x14f&gt;
+ 16d0: b8 78 00 00 00 mov $0x78,%eax
+ 16d5: 81 7c 24 08 e7 02 00 cmpl $0x2e7,0x8(%rsp)
+ 16dc: 00
+ 16dd: 0f 84 a4 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 16e3: e8 62 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 16e8: b8 78 00 00 00 mov $0x78,%eax
+ 16ed: e9 95 00 00 00 jmp 1787 &lt;phase_3+0x14f&gt;
+ 16f2: b8 64 00 00 00 mov $0x64,%eax
+ 16f7: 81 7c 24 08 80 02 00 cmpl $0x280,0x8(%rsp)
+ 16fe: 00
+ 16ff: 0f 84 82 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 1705: e8 40 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 170a: b8 64 00 00 00 mov $0x64,%eax
+ 170f: eb 76 jmp 1787 &lt;phase_3+0x14f&gt;
+ 1711: b8 6d 00 00 00 mov $0x6d,%eax
+ 1716: 81 7c 24 08 ff 02 00 cmpl $0x2ff,0x8(%rsp)
+ 171d: 00
+ 171e: 74 67 je 1787 &lt;phase_3+0x14f&gt;
+ 1720: e8 25 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1725: b8 6d 00 00 00 mov $0x6d,%eax
+ 172a: eb 5b jmp 1787 &lt;phase_3+0x14f&gt;
+ 172c: b8 71 00 00 00 mov $0x71,%eax
+ 1731: 81 7c 24 08 75 03 00 cmpl $0x375,0x8(%rsp)
+ 1738: 00
+ 1739: 74 4c je 1787 &lt;phase_3+0x14f&gt;
+ 173b: e8 0a 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1740: b8 71 00 00 00 mov $0x71,%eax
+ 1745: eb 40 jmp 1787 &lt;phase_3+0x14f&gt;
+ 1747: b8 79 00 00 00 mov $0x79,%eax
+ 174c: 81 7c 24 08 94 02 00 cmpl $0x294,0x8(%rsp)
+ 1753: 00
+ 1754: 74 31 je 1787 &lt;phase_3+0x14f&gt;
+ 1756: e8 ef 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 175b: b8 79 00 00 00 mov $0x79,%eax
+ 1760: eb 25 jmp 1787 &lt;phase_3+0x14f&gt;
+ 1762: b8 79 00 00 00 mov $0x79,%eax
+ 1767: 81 7c 24 08 88 02 00 cmpl $0x288,0x8(%rsp)
+ 176e: 00
+ 176f: 74 16 je 1787 &lt;phase_3+0x14f&gt;
+ 1771: e8 d4 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1776: b8 79 00 00 00 mov $0x79,%eax
+ 177b: eb 0a jmp 1787 &lt;phase_3+0x14f&gt;
+ 177d: e8 c8 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1782: b8 68 00 00 00 mov $0x68,%eax
+ 1787: 38 44 24 07 cmp %al,0x7(%rsp)
+ 178b: 75 05 jne 1792 &lt;phase_3+0x15a&gt;
+ 178d: 48 83 c4 18 add $0x18,%rsp
+ 1791: c3 ret
+ 1792: e8 b3 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1797: eb f4 jmp 178d &lt;phase_3+0x155&gt;
+</code></pre>
+
+<pre><code>...
+ 165b: e8 80 fc ff ff call 12e0 &lt;__isoc99_sscanf@plt&gt;
+...
+</code></pre>
+
+<p>We can see that <code>scanf</code> is being called which means we need to figure out what datatype(s) the program is expecting.</p>
+
+<p>Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.</p>
+
+<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+&lt;https://www.gnu.org/software/gdb/bugs/&gt;.
+Find the GDB manual and other documentation resources online at:
+ &lt;http://www.gnu.org/software/gdb/documentation/&gt;.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./bomb...
+Breakpoint 1 at 0x1638
+Breakpoint 2 at 0x1d4a
+Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+Welcome to my fiendish little bomb. You have 6 phases with
+which to blow yourself up. Have a nice day!
+Phase 1 defused. How about the next one?
+That's number 2. Keep going!
+random string
+
+Breakpoint 1, 0x0000555555555638 in phase_3 ()
+(gdb) disas
+Dump of assembler code for function phase_3:
+=&gt; 0x0000555555555638 &lt;+0&gt;: endbr64
+ 0x000055555555563c &lt;+4&gt;: sub $0x18,%rsp
+ 0x0000555555555640 &lt;+8&gt;: lea 0x7(%rsp),%rcx
+ 0x0000555555555645 &lt;+13&gt;: lea 0xc(%rsp),%rdx
+ 0x000055555555564a &lt;+18&gt;: lea 0x8(%rsp),%r8
+ 0x000055555555564f &lt;+23&gt;: lea 0x1b60(%rip),%rsi # 0x5555555571b6
+ 0x0000555555555656 &lt;+30&gt;: mov $0x0,%eax
+ 0x000055555555565b &lt;+35&gt;: call 0x5555555552e0 &lt;__isoc99_sscanf@plt&gt;
+ 0x0000555555555660 &lt;+40&gt;: cmp $0x2,%eax
+ 0x0000555555555663 &lt;+43&gt;: jle 0x555555555685 &lt;phase_3+77&gt;
+ 0x0000555555555665 &lt;+45&gt;: cmpl $0x7,0xc(%rsp)
+ 0x000055555555566a &lt;+50&gt;: ja 0x55555555577d &lt;phase_3+325&gt;
+ 0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax
+ 0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0
+ 0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax
+ 0x000055555555567f &lt;+71&gt;: add %rdx,%rax
+ 0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax
+ 0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+ 0x000055555555568a &lt;+82&gt;: jmp 0x555555555665 &lt;phase_3+45&gt;
+ 0x000055555555568c &lt;+84&gt;: mov $0x63,%eax
+ 0x0000555555555691 &lt;+89&gt;: cmpl $0x23d,0x8(%rsp)
+ 0x0000555555555699 &lt;+97&gt;: je 0x555555555787 &lt;phase_3+335&gt;
+ 0x000055555555569f &lt;+103&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+ 0x00005555555556a4 &lt;+108&gt;: mov $0x63,%eax
+ 0x00005555555556a9 &lt;+113&gt;: jmp 0x555555555787 &lt;phase_3+335&gt;
+--Type &lt;RET&gt; for more, q to quit, c to continue without paging--
+</code></pre>
+
+<p><code>gdb</code> has thankfully marked the address which is being passed to <code>scanf</code>. We can access the value:</p>
+
+<pre><code>(gdb) x/1s 0x5555555571b6
+0x5555555571b6: "%d %c %d"
+(gdb)
+</code></pre>
+
+<p>BINGO! The program expects an integer, character, and another integer. Onwards.</p>
+
+<pre><code> 0x0000555555555660 &lt;+40&gt;: cmp $0x2,%eax
+ 0x0000555555555663 &lt;+43&gt;: jle 0x555555555685 &lt;phase_3+77&gt;
+...
+ 0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>The program checks whether <code>scanf</code> returns a value &lt;= 2, if it does then it calls the <code>explode_bomb</code> function. </p>
+
+<p><em>Note: <code>scanf</code> returns the number of fields that were succesfully converted and assigned</em></p>
+
+<pre><code> 0x0000555555555665 &lt;+45&gt;: cmpl $0x7,0xc(%rsp)
+ 0x000055555555566a &lt;+50&gt;: ja 0x55555555577d &lt;phase_3+325&gt;
+...
+ 0x000055555555577d &lt;+325&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>Similarly, the program checks and ensures the returned value is not &gt; 7. </p>
+
+<pre><code> 0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax
+ 0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0
+ 0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax
+ 0x000055555555567f &lt;+71&gt;: add %rdx,%rax
+ 0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax
+ 0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<ul>
+<li><code>0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax</code> - Moves value located at <code>0xc</code> (12 in Decimal) bytes above the stack pointer to <code>%eax</code> register. </li>
+<li><code>0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0</code> - This instruction calculates an effective address by adding <code>0x1b55</code> to the current instruction pointer (<code>%rip</code>). The result is stored in the <code>%rdx</code> register. </li>
+<li><code>0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax</code>
+<ul>
+<li><code>movslq</code> stands for "move with sign-extension from a 32-bit value to a 64-bit value." (if the 32-bit value is negative, the 64-bit result will have all its upper 32 bits set to 1; otherwise, they'll be set to 0). </li>
+<li><code>(%rdx,%rax,4)</code> - First start with the value in the %rdx register, then add to it the value in the %rax register multiplied by 4.</li>
+<li><code>%rax</code> - Destination Register</li>
+</ul></li>
+<li><code>0x000055555555567f &lt;+71&gt;: add %rdx,%rax</code> - Adds base address in <code>%rdx</code> to the offset in <code>%rax</code> </li>
+<li><code>0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax</code> - Jumps to the address stored in <code>%rax</code></li>
+<li><code>0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;</code> - If we are unable to jump to the specified instruction, call <code>explode_bomb</code></li>
+</ul>
+
+<p>Let us try to run the program again with a valid input for the first number and see what the program is computing for the address.</p>
+
+<p>I used the input: <code>3 c 123</code>.</p>
+
+<p>To check what is the computed address, we can switch to the asm layout by running <code>layout asm</code>, and then going through instructions <code>ni</code> or <code>si</code> until we reach the line <code>movslq (%rdx,%rax,4),%rax</code></p>
+
+<p><code>%rax</code> should hold the value 3.</p>
+
+<pre><code>(gdb) print $rax
+$1 = 3
+</code></pre>
+
+<p><img src="/assets/bomb-lab/phase-3.png" alt="Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to" /></p>
+
+<p>We can see that this makes us jump to <code>&lt;phase_3+186&gt;</code> (Continue to step through the code by using <code>ni</code>)</p>
+
+<pre><code> 0x00005555555556f2 &lt;+186&gt;: mov $0x64,%eax
+ 0x00005555555556f7 &lt;+191&gt;: cmpl $0x280,0x8(%rsp)
+ 0x00005555555556ff &lt;+199&gt;: je 0x555555555787 &lt;phase_3+335&gt;
+ 0x0000555555555705 &lt;+205&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code>&lt;phase_3+335&gt;</code>, otherwise <code>explode_bomb</code> is called.</p>
+
+<pre><code> 0x0000555555555787 &lt;+335&gt;: cmp %al,0x7(%rsp)
+ 0x000055555555578b &lt;+339&gt;: jne 0x555555555792 &lt;phase_3+346&gt;
+ 0x000055555555578d &lt;+341&gt;: add $0x18,%rsp
+ 0x0000555555555791 &lt;+345&gt;: ret
+ 0x0000555555555792 &lt;+346&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>Here, the program is comparing the value of our given character to the value stored in <code>%al</code> (lower 8 bits of <code>EAX</code>), and checks if they are not equal.</p>
+
+<p>Knowing that the character is stored at an offset of 7 bytes to <code>%rsp</code>, we can print and check the value by running:</p>
+
+<pre><code>(gdb) x/1cw $rsp+7
+c
+(gdb) print $al
+$1 = 100
+</code></pre>
+
+<p>We can simply lookup the <a rel="noopener" target="_blank" href="https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html">ASCII table</a>, and see that 100 in decimal stands for the character <code>d</code>. Let us try this answer:</p>
+
+<pre><code>...
+That's number 2. Keep going!
+3 d 640
+
+Breakpoint 1, 0x0000555555555638 in phase_3 ()
+(gdb) continue
+Continuing.
+Halfway there!
+</code></pre>
]]></content:encoded>
</item>
diff --git a/docs/index.html b/docs/index.html
index 364d637..33b6879 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -59,9 +59,9 @@
<ul>
- <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab</a></li>
+ <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab Phases 1 &amp; 2</a></li>
<ul>
- <li>Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2</li>
+ <li>Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2</li>
<li>Published On: 2023-10-04 13:12</li>
<li>Tags:
diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html
index 4dfff05..6f2ef59 100644
--- a/docs/posts/2023-10-04-bomb-lab.html
+++ b/docs/posts/2023-10-04-bomb-lab.html
@@ -6,16 +6,16 @@
<link rel="stylesheet" href="/assets/sakura.css" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
- <title>Bomb Lab</title>
+ <title>Bomb Lab Phases 1 &amp; 2</title>
<meta name="og:site_name" content="Navan Chauhan" />
<link rel="canonical" href="https://web.navan.dev/" />
<meta name="twitter:url" content="https://web.navan.dev/" />
<meta name="og:url" content="https://web.navan.dev/" />
- <meta name="twitter:title" content="Bomb Lab" />
- <meta name="og:title" content="Bomb Lab" />
- <meta name="description" content="Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2" />
- <meta name="twitter:description" content="Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2" />
- <meta name="og:description" content="Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2" />
+ <meta name="twitter:title" content="Bomb Lab Phases 1 &amp; 2" />
+ <meta name="og:title" content="Bomb Lab Phases 1 &amp; 2" />
+ <meta name="description" content="Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2" />
+ <meta name="twitter:description" content="Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2" />
+ <meta name="og:description" content="Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
@@ -54,12 +54,16 @@
<main>
- <h1>Bomb Lab</h1>
+ <h1>Bomb Lab Phases 1 &amp; 2</h1>
<h2>Introduction</h2>
<p>Lab 2 for CSCI 2400 - Computer Systems. </p>
+<p>I like using objdump to disassemble the code and see a broad overview of what is happening. </p>
+
+<p><code>objdump -d bomb &gt; dis.txt</code></p>
+
<h2>Phase 1</h2>
<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb
@@ -220,6 +224,266 @@ Continuing.
That's number 2. Keep going!
</code></pre>
+<h2>Phase 3</h2>
+
+<p>Let us look at the disassembled code first</p>
+
+<pre><code>0000000000001638 &lt;phase_3&gt;:
+ 1638: f3 0f 1e fa endbr64
+ 163c: 48 83 ec 18 sub $0x18,%rsp
+ 1640: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
+ 1645: 48 8d 54 24 0c lea 0xc(%rsp),%rdx
+ 164a: 4c 8d 44 24 08 lea 0x8(%rsp),%r8
+ 164f: 48 8d 35 60 1b 00 00 lea 0x1b60(%rip),%rsi # 31b6 &lt;_IO_stdin_used+0x1b6&gt;
+ 1656: b8 00 00 00 00 mov $0x0,%eax
+ 165b: e8 80 fc ff ff call 12e0 &lt;__isoc99_sscanf@plt&gt;
+ 1660: 83 f8 02 cmp $0x2,%eax
+ 1663: 7e 20 jle 1685 &lt;phase_3+0x4d&gt;
+ 1665: 83 7c 24 0c 07 cmpl $0x7,0xc(%rsp)
+ 166a: 0f 87 0d 01 00 00 ja 177d &lt;phase_3+0x145&gt;
+ 1670: 8b 44 24 0c mov 0xc(%rsp),%eax
+ 1674: 48 8d 15 55 1b 00 00 lea 0x1b55(%rip),%rdx # 31d0 &lt;_IO_stdin_used+0x1d0&gt;
+ 167b: 48 63 04 82 movslq (%rdx,%rax,4),%rax
+ 167f: 48 01 d0 add %rdx,%rax
+ 1682: 3e ff e0 notrack jmp *%rax
+ 1685: e8 c0 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 168a: eb d9 jmp 1665 &lt;phase_3+0x2d&gt;
+ 168c: b8 63 00 00 00 mov $0x63,%eax
+ 1691: 81 7c 24 08 3d 02 00 cmpl $0x23d,0x8(%rsp)
+ 1698: 00
+ 1699: 0f 84 e8 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 169f: e8 a6 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 16a4: b8 63 00 00 00 mov $0x63,%eax
+ 16a9: e9 d9 00 00 00 jmp 1787 &lt;phase_3+0x14f&gt;
+ 16ae: b8 61 00 00 00 mov $0x61,%eax
+ 16b3: 81 7c 24 08 27 01 00 cmpl $0x127,0x8(%rsp)
+ 16ba: 00
+ 16bb: 0f 84 c6 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 16c1: e8 84 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 16c6: b8 61 00 00 00 mov $0x61,%eax
+ 16cb: e9 b7 00 00 00 jmp 1787 &lt;phase_3+0x14f&gt;
+ 16d0: b8 78 00 00 00 mov $0x78,%eax
+ 16d5: 81 7c 24 08 e7 02 00 cmpl $0x2e7,0x8(%rsp)
+ 16dc: 00
+ 16dd: 0f 84 a4 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 16e3: e8 62 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 16e8: b8 78 00 00 00 mov $0x78,%eax
+ 16ed: e9 95 00 00 00 jmp 1787 &lt;phase_3+0x14f&gt;
+ 16f2: b8 64 00 00 00 mov $0x64,%eax
+ 16f7: 81 7c 24 08 80 02 00 cmpl $0x280,0x8(%rsp)
+ 16fe: 00
+ 16ff: 0f 84 82 00 00 00 je 1787 &lt;phase_3+0x14f&gt;
+ 1705: e8 40 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 170a: b8 64 00 00 00 mov $0x64,%eax
+ 170f: eb 76 jmp 1787 &lt;phase_3+0x14f&gt;
+ 1711: b8 6d 00 00 00 mov $0x6d,%eax
+ 1716: 81 7c 24 08 ff 02 00 cmpl $0x2ff,0x8(%rsp)
+ 171d: 00
+ 171e: 74 67 je 1787 &lt;phase_3+0x14f&gt;
+ 1720: e8 25 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1725: b8 6d 00 00 00 mov $0x6d,%eax
+ 172a: eb 5b jmp 1787 &lt;phase_3+0x14f&gt;
+ 172c: b8 71 00 00 00 mov $0x71,%eax
+ 1731: 81 7c 24 08 75 03 00 cmpl $0x375,0x8(%rsp)
+ 1738: 00
+ 1739: 74 4c je 1787 &lt;phase_3+0x14f&gt;
+ 173b: e8 0a 06 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1740: b8 71 00 00 00 mov $0x71,%eax
+ 1745: eb 40 jmp 1787 &lt;phase_3+0x14f&gt;
+ 1747: b8 79 00 00 00 mov $0x79,%eax
+ 174c: 81 7c 24 08 94 02 00 cmpl $0x294,0x8(%rsp)
+ 1753: 00
+ 1754: 74 31 je 1787 &lt;phase_3+0x14f&gt;
+ 1756: e8 ef 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 175b: b8 79 00 00 00 mov $0x79,%eax
+ 1760: eb 25 jmp 1787 &lt;phase_3+0x14f&gt;
+ 1762: b8 79 00 00 00 mov $0x79,%eax
+ 1767: 81 7c 24 08 88 02 00 cmpl $0x288,0x8(%rsp)
+ 176e: 00
+ 176f: 74 16 je 1787 &lt;phase_3+0x14f&gt;
+ 1771: e8 d4 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1776: b8 79 00 00 00 mov $0x79,%eax
+ 177b: eb 0a jmp 1787 &lt;phase_3+0x14f&gt;
+ 177d: e8 c8 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1782: b8 68 00 00 00 mov $0x68,%eax
+ 1787: 38 44 24 07 cmp %al,0x7(%rsp)
+ 178b: 75 05 jne 1792 &lt;phase_3+0x15a&gt;
+ 178d: 48 83 c4 18 add $0x18,%rsp
+ 1791: c3 ret
+ 1792: e8 b3 05 00 00 call 1d4a &lt;explode_bomb&gt;
+ 1797: eb f4 jmp 178d &lt;phase_3+0x155&gt;
+</code></pre>
+
+<pre><code>...
+ 165b: e8 80 fc ff ff call 12e0 &lt;__isoc99_sscanf@plt&gt;
+...
+</code></pre>
+
+<p>We can see that <code>scanf</code> is being called which means we need to figure out what datatype(s) the program is expecting.</p>
+
+<p>Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.</p>
+
+<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+&lt;https://www.gnu.org/software/gdb/bugs/&gt;.
+Find the GDB manual and other documentation resources online at:
+ &lt;http://www.gnu.org/software/gdb/documentation/&gt;.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./bomb...
+Breakpoint 1 at 0x1638
+Breakpoint 2 at 0x1d4a
+Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+Welcome to my fiendish little bomb. You have 6 phases with
+which to blow yourself up. Have a nice day!
+Phase 1 defused. How about the next one?
+That's number 2. Keep going!
+random string
+
+Breakpoint 1, 0x0000555555555638 in phase_3 ()
+(gdb) disas
+Dump of assembler code for function phase_3:
+=&gt; 0x0000555555555638 &lt;+0&gt;: endbr64
+ 0x000055555555563c &lt;+4&gt;: sub $0x18,%rsp
+ 0x0000555555555640 &lt;+8&gt;: lea 0x7(%rsp),%rcx
+ 0x0000555555555645 &lt;+13&gt;: lea 0xc(%rsp),%rdx
+ 0x000055555555564a &lt;+18&gt;: lea 0x8(%rsp),%r8
+ 0x000055555555564f &lt;+23&gt;: lea 0x1b60(%rip),%rsi # 0x5555555571b6
+ 0x0000555555555656 &lt;+30&gt;: mov $0x0,%eax
+ 0x000055555555565b &lt;+35&gt;: call 0x5555555552e0 &lt;__isoc99_sscanf@plt&gt;
+ 0x0000555555555660 &lt;+40&gt;: cmp $0x2,%eax
+ 0x0000555555555663 &lt;+43&gt;: jle 0x555555555685 &lt;phase_3+77&gt;
+ 0x0000555555555665 &lt;+45&gt;: cmpl $0x7,0xc(%rsp)
+ 0x000055555555566a &lt;+50&gt;: ja 0x55555555577d &lt;phase_3+325&gt;
+ 0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax
+ 0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0
+ 0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax
+ 0x000055555555567f &lt;+71&gt;: add %rdx,%rax
+ 0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax
+ 0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+ 0x000055555555568a &lt;+82&gt;: jmp 0x555555555665 &lt;phase_3+45&gt;
+ 0x000055555555568c &lt;+84&gt;: mov $0x63,%eax
+ 0x0000555555555691 &lt;+89&gt;: cmpl $0x23d,0x8(%rsp)
+ 0x0000555555555699 &lt;+97&gt;: je 0x555555555787 &lt;phase_3+335&gt;
+ 0x000055555555569f &lt;+103&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+ 0x00005555555556a4 &lt;+108&gt;: mov $0x63,%eax
+ 0x00005555555556a9 &lt;+113&gt;: jmp 0x555555555787 &lt;phase_3+335&gt;
+--Type &lt;RET&gt; for more, q to quit, c to continue without paging--
+</code></pre>
+
+<p><code>gdb</code> has thankfully marked the address which is being passed to <code>scanf</code>. We can access the value:</p>
+
+<pre><code>(gdb) x/1s 0x5555555571b6
+0x5555555571b6: "%d %c %d"
+(gdb)
+</code></pre>
+
+<p>BINGO! The program expects an integer, character, and another integer. Onwards.</p>
+
+<pre><code> 0x0000555555555660 &lt;+40&gt;: cmp $0x2,%eax
+ 0x0000555555555663 &lt;+43&gt;: jle 0x555555555685 &lt;phase_3+77&gt;
+...
+ 0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>The program checks whether <code>scanf</code> returns a value &lt;= 2, if it does then it calls the <code>explode_bomb</code> function. </p>
+
+<p><em>Note: <code>scanf</code> returns the number of fields that were succesfully converted and assigned</em></p>
+
+<pre><code> 0x0000555555555665 &lt;+45&gt;: cmpl $0x7,0xc(%rsp)
+ 0x000055555555566a &lt;+50&gt;: ja 0x55555555577d &lt;phase_3+325&gt;
+...
+ 0x000055555555577d &lt;+325&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>Similarly, the program checks and ensures the returned value is not &gt; 7. </p>
+
+<pre><code> 0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax
+ 0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0
+ 0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax
+ 0x000055555555567f &lt;+71&gt;: add %rdx,%rax
+ 0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax
+ 0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<ul>
+<li><code>0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax</code> - Moves value located at <code>0xc</code> (12 in Decimal) bytes above the stack pointer to <code>%eax</code> register. </li>
+<li><code>0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0</code> - This instruction calculates an effective address by adding <code>0x1b55</code> to the current instruction pointer (<code>%rip</code>). The result is stored in the <code>%rdx</code> register. </li>
+<li><code>0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax</code>
+<ul>
+<li><code>movslq</code> stands for "move with sign-extension from a 32-bit value to a 64-bit value." (if the 32-bit value is negative, the 64-bit result will have all its upper 32 bits set to 1; otherwise, they'll be set to 0). </li>
+<li><code>(%rdx,%rax,4)</code> - First start with the value in the %rdx register, then add to it the value in the %rax register multiplied by 4.</li>
+<li><code>%rax</code> - Destination Register</li>
+</ul></li>
+<li><code>0x000055555555567f &lt;+71&gt;: add %rdx,%rax</code> - Adds base address in <code>%rdx</code> to the offset in <code>%rax</code> </li>
+<li><code>0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax</code> - Jumps to the address stored in <code>%rax</code></li>
+<li><code>0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;</code> - If we are unable to jump to the specified instruction, call <code>explode_bomb</code></li>
+</ul>
+
+<p>Let us try to run the program again with a valid input for the first number and see what the program is computing for the address.</p>
+
+<p>I used the input: <code>3 c 123</code>.</p>
+
+<p>To check what is the computed address, we can switch to the asm layout by running <code>layout asm</code>, and then going through instructions <code>ni</code> or <code>si</code> until we reach the line <code>movslq (%rdx,%rax,4),%rax</code></p>
+
+<p><code>%rax</code> should hold the value 3.</p>
+
+<pre><code>(gdb) print $rax
+$1 = 3
+</code></pre>
+
+<p><img src="/assets/bomb-lab/phase-3.png" alt="Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to" /></p>
+
+<p>We can see that this makes us jump to <code>&lt;phase_3+186&gt;</code> (Continue to step through the code by using <code>ni</code>)</p>
+
+<pre><code> 0x00005555555556f2 &lt;+186&gt;: mov $0x64,%eax
+ 0x00005555555556f7 &lt;+191&gt;: cmpl $0x280,0x8(%rsp)
+ 0x00005555555556ff &lt;+199&gt;: je 0x555555555787 &lt;phase_3+335&gt;
+ 0x0000555555555705 &lt;+205&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code>&lt;phase_3+335&gt;</code>, otherwise <code>explode_bomb</code> is called.</p>
+
+<pre><code> 0x0000555555555787 &lt;+335&gt;: cmp %al,0x7(%rsp)
+ 0x000055555555578b &lt;+339&gt;: jne 0x555555555792 &lt;phase_3+346&gt;
+ 0x000055555555578d &lt;+341&gt;: add $0x18,%rsp
+ 0x0000555555555791 &lt;+345&gt;: ret
+ 0x0000555555555792 &lt;+346&gt;: call 0x555555555d4a &lt;explode_bomb&gt;
+</code></pre>
+
+<p>Here, the program is comparing the value of our given character to the value stored in <code>%al</code> (lower 8 bits of <code>EAX</code>), and checks if they are not equal.</p>
+
+<p>Knowing that the character is stored at an offset of 7 bytes to <code>%rsp</code>, we can print and check the value by running:</p>
+
+<pre><code>(gdb) x/1cw $rsp+7
+c
+(gdb) print $al
+$1 = 100
+</code></pre>
+
+<p>We can simply lookup the <a rel="noopener" target="_blank" href="https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html">ASCII table</a>, and see that 100 in decimal stands for the character <code>d</code>. Let us try this answer:</p>
+
+<pre><code>...
+That's number 2. Keep going!
+3 d 640
+
+Breakpoint 1, 0x0000555555555638 in phase_3 ()
+(gdb) continue
+Continuing.
+Halfway there!
+</code></pre>
+
<blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
<script data-isso="//comments.navan.dev/"
src="//comments.navan.dev/js/embed.min.js"></script>
diff --git a/docs/posts/index.html b/docs/posts/index.html
index 3898f25..e24bc07 100644
--- a/docs/posts/index.html
+++ b/docs/posts/index.html
@@ -62,9 +62,9 @@
<ul>
- <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab</a></li>
+ <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab Phases 1 &amp; 2</a></li>
<ul>
- <li>Introduction, Phase 1 and Phase 2 of Bomb Lab for CSCI 2400 Lab - 2</li>
+ <li>Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2</li>
<li>Published On: 2023-10-04 13:12</li>
<li>Tags: