diff options
author | Navan Chauhan <navanchauhan@gmail.com> | 2023-10-04 20:05:17 -0600 |
---|---|---|
committer | Navan Chauhan <navanchauhan@gmail.com> | 2023-10-04 20:05:17 -0600 |
commit | fafd62dd9c374f9ab3075ee0a023d6c68d380e1e (patch) | |
tree | f073fdc4939f211ef942cb46967707bb96b367e4 | |
parent | 6b57097c8fd34e86658a7b8e8ac3080c23c462b4 (diff) |
finished bomb lab 1-6
-rw-r--r-- | Content/posts/2023-10-04-bomb-lab.md | 153 | ||||
-rw-r--r-- | docs/feed.rss | 1045 | ||||
-rw-r--r-- | docs/index.html | 4 | ||||
-rw-r--r-- | docs/posts/2023-10-04-bomb-lab.html | 1047 | ||||
-rw-r--r-- | docs/posts/index.html | 4 |
5 files changed, 1265 insertions, 988 deletions
diff --git a/Content/posts/2023-10-04-bomb-lab.md b/Content/posts/2023-10-04-bomb-lab.md index d72322f..c805279 100644 --- a/Content/posts/2023-10-04-bomb-lab.md +++ b/Content/posts/2023-10-04-bomb-lab.md @@ -1,23 +1,29 @@ --- date: 2023-10-04 13:12 -description: Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2 +description: Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2 tags: gdb, reverse-engineering, c++, csci2400, assembly --- -# Bomb Lab Phases 1-5 +# Bomb Lab ## Introduction -Lab 2 for CSCI 2400 - Computer Systems. +Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems -I like using objdump to disassemble the code and see a broad overview of what is happening. +> The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused. + +> There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad! + +I like using objdump to disassemble the code and get a broad overview of what is happening before I start. `objdump -d bomb > dis.txt` +*Note: I am not sure about the history of the bomb lab. I think it started at CMU.* + ## Phase 1 -``` -jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb +```shell +joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> @@ -36,7 +42,7 @@ Type "apropos word" to search for commands related to "word"... Reading symbols from ./bomb... Breakpoint 1 at 0x15c7 Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Welcome to my fiendish little bomb. You have 6 phases with @@ -68,7 +74,7 @@ $1 = 93824992244048 ## Phase 2 -``` +```shell Phase 1 defused. How about the next one? 1 2 3 4 5 6 @@ -106,7 +112,7 @@ End of assembler dump. (gdb) ``` -``` +```shell 0x00005555555555fd <+18>: cmpl $0x0,(%rsp) 0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34> ... @@ -116,7 +122,7 @@ End of assembler dump. The program first compares if the first number is not 0. If the number is not 0, then the `cmpl` instruction returns a negative value. The `js` instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called. -``` +```shell 0x0000555555555603 <+24>: mov %rsp,%rbp 0x0000555555555606 <+27>: mov $0x1,%ebx ``` @@ -129,13 +135,13 @@ By executing `mov %rsp,%rbp` we are setting the base pointer (`%rbp`) to point t Now, for the second instruction `mov $0x1,%ebx`, we are initalising the `%ebx` register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop. -``` +```shell 0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> ``` The program now jumps to <phase_2+53> -``` +```shell 0x0000555555555620 <+53>: mov %ebx,%eax 0x0000555555555622 <+55>: add 0x0(%rbp),%eax 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) @@ -150,7 +156,7 @@ Then, the value at the memory location pointed by `%rbp` is added to the value i `je 0x555555555614 <phase_2+41>` - The program will jump to `phase_2+41` if the previous `cmp` instruction determined the values as equal. -``` +```shell 0x0000555555555614 <+41>: add $0x1,%ebx 0x0000555555555617 <+44>: add $0x4,%rbp 0x000055555555561b <+48>: cmp $0x6,%ebx @@ -173,7 +179,7 @@ Thus, * 6th number = 10 (prev value) + 5 = 15 -``` +```shell ... Phase 1 defused. How about the next one? 0 1 3 6 10 15 @@ -188,7 +194,7 @@ That's number 2. Keep going! Let us look at the disassembled code first -``` +```shell 0000000000001638 <phase_3>: 1638: f3 0f 1e fa endbr64 163c: 48 83 ec 18 sub $0x18,%rsp @@ -275,7 +281,7 @@ Let us look at the disassembled code first 1797: eb f4 jmp 178d <phase_3+0x155> ``` -``` +```shell ... 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt> ... @@ -285,8 +291,8 @@ We can see that `scanf` is being called which means we need to figure out what d Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions. -``` -jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt +```shell +joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> @@ -305,7 +311,7 @@ Type "apropos word" to search for commands related to "word"... Reading symbols from ./bomb... Breakpoint 1 at 0x1638 Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Welcome to my fiendish little bomb. You have 6 phases with @@ -348,7 +354,7 @@ Dump of assembler code for function phase_3: `gdb` has thankfully marked the address which is being passed to `scanf`. We can access the value: -``` +```shell (gdb) x/1s 0x5555555571b6 0x5555555571b6: "%d %c %d" (gdb) @@ -356,7 +362,7 @@ Dump of assembler code for function phase_3: BINGO! The program expects an integer, character, and another integer. Onwards. -``` +```shell 0x0000555555555660 <+40>: cmp $0x2,%eax 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77> ... @@ -367,7 +373,7 @@ The program checks whether `scanf` returns a value <= 2, if it does then it call *Note: `scanf` returns the number of fields that were succesfully converted and assigned* -``` +```shell 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp) 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325> ... @@ -377,7 +383,7 @@ The program checks whether `scanf` returns a value <= 2, if it does then it call Similarly, the program checks and ensures the returned value is not > 7. -``` +```shell 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax @@ -413,7 +419,7 @@ $1 = 3 We can see that this makes us jump to `<phase_3+186>` (Continue to step through the code by using `ni`) -``` +```shell 0x00005555555556f2 <+186>: mov $0x64,%eax 0x00005555555556f7 <+191>: cmpl $0x280,0x8(%rsp) 0x00005555555556ff <+199>: je 0x555555555787 <phase_3+335> @@ -422,7 +428,7 @@ We can see that this makes us jump to `<phase_3+186>` (Continue to step through We see that `0x64` (Decimal 100) is being stored in `%eax`. Then, the program compares `0x280` (Decimal 640) with memory address `0x8` bytes above the stack pointer (`%rsp`). If the values are equal, then it jumps to `<phase_3+335>`, otherwise `explode_bomb` is called. -``` +```shell 0x0000555555555787 <+335>: cmp %al,0x7(%rsp) 0x000055555555578b <+339>: jne 0x555555555792 <phase_3+346> 0x000055555555578d <+341>: add $0x18,%rsp @@ -434,7 +440,7 @@ Here, the program is comparing the value of our given character to the value sto Knowing that the character is stored at an offset of 7 bytes to `%rsp`, we can print and check the value by running: -``` +```shell (gdb) x/1cw $rsp+7 c (gdb) print $al @@ -443,7 +449,7 @@ $1 = 100 We can simply lookup the [ASCII table](https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html), and see that 100 in decimal stands for the character `d`. Let us try this answer: -``` +```shell ... That's number 2. Keep going! 3 d 640 @@ -456,8 +462,8 @@ Halfway there! ## Phase 4 -``` -jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt +```shell +joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> @@ -476,7 +482,7 @@ Type "apropos word" to search for commands related to "word"... Reading symbols from ./bomb... Breakpoint 1 at 0x17d3 Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Welcome to my fiendish little bomb. You have 6 phases with @@ -518,28 +524,28 @@ End of assembler dump. Again, `gdb` has marked the string being passed to `scanf` -``` +```shell (gdb) x/1s 0x5555555573a6 0x5555555573a6: "%d %d" ``` Okay, so this time we are supposed to enter 2 numbers. -``` +```shell 0x00005555555557f6 <+35>: cmp $0x2,%eax 0x00005555555557f9 <+38>: jne 0x555555555802 <phase_4+47> ``` Checks if there were 2 values read from calling `scanf`, if not -> jump to `<phase_4+47>` which calls `<explode_bomb>`. -``` +```shell 0x00005555555557fb <+40>: cmpl $0xe,0xc(%rsp) 0x0000555555555800 <+45>: jbe 0x555555555807 <phase_4+52> ``` Compare `0xe` (14 in Decimal) and value stored at `$rsp` + `0xc` bytes (Decimal 12). If this condition is met (<= 14), jump to `<phase_4+52>`. If not, then explode bomb. -``` +```shell ... 0x0000555555555807 <+52>: mov $0xe,%edx 0x000055555555580c <+57>: mov $0x0,%esi @@ -557,7 +563,7 @@ Compare `0xe` (14 in Decimal) and value stored at `$rsp` + `0xc` bytes (Decimal Let us look into `func4` -``` +```shell (gdb) disas func4 Dump of assembler code for function func4: 0x0000555555555799 <+0>: endbr64 @@ -586,7 +592,7 @@ This looks like a recursive function :( (I hate recursive functions) Let's annotate the instructions. -``` +```shell endbr64 sub $0x8,%rsp // subtract 8 bytes from the stack pointer mov %edx,%ecx // Move the value in register %edx to %ecx @@ -633,14 +639,14 @@ Okay, so we know that the number needed to be passed to `func4` is 5. But, what If we go back to the code for `<phase_4>`, we can see that: -``` +```shell 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> ``` The value at `$rsp+8` should be equal to 2. So, let us try passing `5 2` as our input. -``` +```shell ... Phase 1 defused. How about the next one? That's number 2. Keep going! @@ -655,7 +661,7 @@ So you got that one. Try this one. ## Phase 5 -``` +```shell So you got that one. Try this one. test string @@ -695,7 +701,7 @@ End of assembler dump. (gdb) ``` -``` +```shell ... 0x000055555555583c <+12>: call 0x555555555b10 <string_length> 0x0000555555555841 <+17>: cmp $0x6,%eax @@ -723,7 +729,7 @@ We can also see a similar pattern compared to Phase 2, where we had a loop: We can check the reference string we need, which `gdb` has marked as `# 0x5555555571bf`, and the lookup table marked as `# 0x5555555571f0 <array.0>` -``` +```shell (gdb) x/s 0x5555555571bf 0x5555555571bf: "bruins" (gdb) x/s 0x5555555571f0 @@ -761,7 +767,7 @@ s -> g Let us try out this answer: -``` +```shell ... That's number 2. Keep going! Halfway there! @@ -778,7 +784,7 @@ Awesome! ## Phase 6 -``` +```shell Good work! On to the next... test string @@ -887,7 +893,7 @@ Again, we see the familiar `read_six_digits` function. Let us analyse this function in chunks: -``` +```shell 0x00005555555558bb <+34>: call 0x555555555d97 <read_six_numbers> 0x00005555555558c0 <+39>: mov %r14,%r12 0x00005555555558c3 <+42>: mov $0x1,%r15d @@ -902,7 +908,7 @@ Let us analyse this function in chunks: 2.3. `mov %r14,%r13`: The value is also copied to `%r13` 3. Jump to start of loop: -``` +```shell 0x0000555555555997 <+254>: mov %r14,%rbp 0x000055555555599a <+257>: mov (%r14),%eax 0x000055555555599d <+260>: sub $0x1,%eax @@ -920,21 +926,21 @@ Let us analyse this function in chunks: => All numbers should be between 1 and 6. -``` +```shell 0x00005555555559a9 <+272>: cmp $0x5,%r15d 0x00005555555559ad <+276>: jg 0x5555555558f9 <phase_6+96> ``` This checks if the value stored in `%r15` is > 5, if it is then it jumps somewhere else. This validates our assumption that `%r15` is acting as a counter. -``` +```shell 0x00005555555559b3 <+282>: mov %r15,%rbx 0x00005555555559b6 <+285>: jmp 0x5555555558e8 <phase_6+79> ``` Let us jump to +79 -``` +```shell 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> @@ -944,7 +950,7 @@ Let us jump to +79 This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique -``` +```shell 0x00005555555558db <+66>: add $0x1,%rbx // Increments by 1 0x00005555555558df <+70>: cmp $0x5,%ebx 0x00005555555558e2 <+73>: jg 0x55555555598f <phase_6+246> // Jump if > 5 (Loop iterations are complete) @@ -961,7 +967,7 @@ After stepping through the instructions, we can also see that the numbers are be Let us try to figure out what ` 0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1>` is: -``` +```shell (gdb) x/30wx 0x555555559630 0x555555559630 <node1>: 0x000000d9 0x00000001 0x55559640 0x00005555 0x555555559640 <node2>: 0x000003ab 0x00000002 0x55559650 0x00005555 @@ -993,4 +999,49 @@ struct node { }; ``` -Let us convert the values into decimal +Let us convert the values into decimal: + +``` +0x000000d9 -> 217 +0x000003ab -> 939 +0x0000014f -> 335 +0x000000a1 -> 161 +0x000001b3 -> 435 +0x000002da -> 730 +``` + +**Missing Notes** + +To re-arrange this linked list in descending order, we would arrange it as follows: + +``` +Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4 +``` + +Since we also need to apply the transformation: `7 - x`: + +``` +(7-2) -> (7-6) -> ... -> (7-4) +``` + +Final answer: `5 1 2 4 6 3` + +Let us try the answer: + +``` +... +That's number 2. Keep going! +Halfway there! +So you got that one. Try this one. +Good work! On to the next... +5 1 2 4 6 3 + +Breakpoint 1, 0x0000555555555899 in phase_6 () +(gdb) continue +Continuing. +Congratulations! You've defused the bomb! +Your instructor has been notified and will verify your solution. +[Inferior 1 (process 1754) exited normally] +``` + +But, what about the secret phase?
\ No newline at end of file diff --git a/docs/feed.rss b/docs/feed.rss index 17c12c3..b1ead9e 100644 --- a/docs/feed.rss +++ b/docs/feed.rss @@ -4,8 +4,8 @@ <title>Navan's Archive</title> <description>Rare Tips, Tricks and Posts</description> <link>https://web.navan.dev/</link><language>en</language> - <lastBuildDate>Wed, 04 Oct 2023 16:58:57 -0000</lastBuildDate> - <pubDate>Wed, 04 Oct 2023 16:58:57 -0000</pubDate> + <lastBuildDate>Wed, 04 Oct 2023 20:05:03 -0000</lastBuildDate> + <pubDate>Wed, 04 Oct 2023 20:05:03 -0000</pubDate> <ttl>250</ttl> <atom:link href="https://web.navan.dev/feed.rss" rel="self" type="application/rss+xml"/> @@ -3212,141 +3212,160 @@ logger.info("rdkit-{} installation finished!".format(rdkit.__version__)) https://web.navan.dev/posts/2023-10-04-bomb-lab.html </guid> <title> - Bomb Lab Phases 1-5 + Bomb Lab </title> <description> - Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2 + Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2 </description> <link>https://web.navan.dev/posts/2023-10-04-bomb-lab.html</link> <pubDate>Wed, 04 Oct 2023 13:12:00 -0000</pubDate> - <content:encoded><![CDATA[<h1>Bomb Lab Phases 1-5</h1> + <content:encoded><![CDATA[<h1>Bomb Lab</h1> <h2>Introduction</h2> -<p>Lab 2 for CSCI 2400 - Computer Systems. </p> +<p>Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems</p> -<p>I like using objdump to disassemble the code and see a broad overview of what is happening. </p> +<blockquote> + <p>The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.</p> +</blockquote> + +<blockquote> + <p>There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!</p> +</blockquote> + +<p>I like using objdump to disassemble the code and get a broad overview of what is happening before I start. </p> <p><code>objdump -d bomb > dis.txt</code></p> +<p><em>Note: I am not sure about the history of the bomb lab. I think it started at CMU.</em></p> + <h2>Phase 1</h2> -<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 -Copyright (C) 2022 Free Software Foundation, Inc. -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +<div class="codehilite"> +<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex <span class="s1">'break phase_1'</span> -ex <span class="s1">'break explode_bomb'</span> -ex <span class="s1">'run'</span> ./bomb +GNU gdb <span class="o">(</span>Ubuntu <span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span> <span class="m">12</span>.1 +Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2022</span> Free Software Foundation, Inc. +License GPLv3+: GNU GPL version <span class="m">3</span> or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. -Type "show copying" and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -Type "show configuration" for configuration details. +Type <span class="s2">"show copying"</span> and <span class="s2">"show warranty"</span> <span class="k">for</span> details. +This GDB was configured as <span class="s2">"x86_64-linux-gnu"</span>. +Type <span class="s2">"show configuration"</span> <span class="k">for</span> configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. -For help, type "help". -Type "apropos word" to search for commands related to "word"... +For help, <span class="nb">type</span> <span class="s2">"help"</span>. +Type <span class="s2">"apropos word"</span> to search <span class="k">for</span> commands related to <span class="s2">"word"</span>... Reading symbols from ./bomb... -Breakpoint 1 at 0x15c7 -Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". -Welcome to my fiendish little bomb. You have 6 phases with +Breakpoint <span class="m">1</span> at 0x15c7 +Breakpoint <span class="m">2</span> at 0x1d4a +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb +<span class="o">[</span>Thread debugging using libthread_db enabled<span class="o">]</span> +Using host libthread_db library <span class="s2">"/lib/x86_64-linux-gnu/libthread_db.so.1"</span>. +Welcome to my fiendish little bomb. You have <span class="m">6</span> phases with which to blow yourself up. Have a nice day! -test string - -Breakpoint 1, 0x00005555555555c7 in phase_1 () -(gdb) dias phase_1 -Undefined command: "dias". Try "help". -(gdb) disas phase_1 -Dump of assembler code for function phase_1: -=> 0x00005555555555c7 <+0>: endbr64 - 0x00005555555555cb <+4>: sub $0x8,%rsp - 0x00005555555555cf <+8>: lea 0x1b7a(%rip),%rsi # 0x555555557150 +<span class="nb">test</span> string + +Breakpoint <span class="m">1</span>, 0x00005555555555c7 <span class="k">in</span> phase_1 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> dias phase_1 +Undefined command: <span class="s2">"dias"</span>. Try <span class="s2">"help"</span>. +<span class="o">(</span>gdb<span class="o">)</span> disas phase_1 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_1: +<span class="o">=</span>> 0x00005555555555c7 <+0>: endbr64 + 0x00005555555555cb <+4>: sub <span class="nv">$0</span>x8,%rsp + 0x00005555555555cf <+8>: lea 0x1b7a<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x555555557150</span> 0x00005555555555d6 <+15>: call 0x555555555b31 <strings_not_equal> - 0x00005555555555db <+20>: test %eax,%eax + 0x00005555555555db <+20>: <span class="nb">test</span> %eax,%eax 0x00005555555555dd <+22>: jne 0x5555555555e4 <phase_1+29> - 0x00005555555555df <+24>: add $0x8,%rsp + 0x00005555555555df <+24>: add <span class="nv">$0</span>x8,%rsp 0x00005555555555e3 <+28>: ret 0x00005555555555e4 <+29>: call 0x555555555d4a <explode_bomb> 0x00005555555555e9 <+34>: jmp 0x5555555555df <phase_1+24> End of assembler dump. -(gdb) print 0x555555557150 -$1 = 93824992244048 -(gdb) x/1s 0x555555557150 -0x555555557150: "Controlling complexity is the essence of computer programming." -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> print 0x555555557150 +<span class="nv">$1</span> <span class="o">=</span> <span class="m">93824992244048</span> +<span class="o">(</span>gdb<span class="o">)</span> x/1s 0x555555557150 +0x555555557150: <span class="s2">"Controlling complexity is the essence of computer programming."</span> +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <h2>Phase 2</h2> -<pre><code>Phase 1 defused. How about the next one? -1 2 3 4 5 6 +<div class="codehilite"> +<pre><span></span><code>Phase <span class="m">1</span> defused. How about the next one? +<span class="m">1</span> <span class="m">2</span> <span class="m">3</span> <span class="m">4</span> <span class="m">5</span> <span class="m">6</span> -Breakpoint 1, 0x00005555555555eb in phase_2 () -(gdb) disas -Dump of assembler code for function phase_2: -=> 0x00005555555555eb <+0>: endbr64 +Breakpoint <span class="m">1</span>, 0x00005555555555eb <span class="k">in</span> phase_2 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_2: +<span class="o">=</span>> 0x00005555555555eb <+0>: endbr64 0x00005555555555ef <+4>: push %rbp 0x00005555555555f0 <+5>: push %rbx - 0x00005555555555f1 <+6>: sub $0x28,%rsp + 0x00005555555555f1 <+6>: sub <span class="nv">$0</span>x28,%rsp 0x00005555555555f5 <+10>: mov %rsp,%rsi 0x00005555555555f8 <+13>: call 0x555555555d97 <read_six_numbers> - 0x00005555555555fd <+18>: cmpl $0x0,(%rsp) + 0x00005555555555fd <+18>: cmpl <span class="nv">$0</span>x0,<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34> 0x0000555555555603 <+24>: mov %rsp,%rbp - 0x0000555555555606 <+27>: mov $0x1,%ebx + 0x0000555555555606 <+27>: mov <span class="nv">$0</span>x1,%ebx 0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> 0x000055555555560d <+34>: call 0x555555555d4a <explode_bomb> 0x0000555555555612 <+39>: jmp 0x555555555603 <phase_2+24> - 0x0000555555555614 <+41>: add $0x1,%ebx - 0x0000555555555617 <+44>: add $0x4,%rbp - 0x000055555555561b <+48>: cmp $0x6,%ebx + 0x0000555555555614 <+41>: add <span class="nv">$0</span>x1,%ebx + 0x0000555555555617 <+44>: add <span class="nv">$0</span>x4,%rbp + 0x000055555555561b <+48>: cmp <span class="nv">$0</span>x6,%ebx 0x000055555555561e <+51>: je 0x555555555631 <phase_2+70> 0x0000555555555620 <+53>: mov %ebx,%eax - 0x0000555555555622 <+55>: add 0x0(%rbp),%eax - 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) + 0x0000555555555622 <+55>: add 0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax + 0x0000555555555625 <+58>: cmp %eax,0x4<span class="o">(</span>%rbp<span class="o">)</span> 0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41> 0x000055555555562a <+63>: call 0x555555555d4a <explode_bomb> 0x000055555555562f <+68>: jmp 0x555555555614 <phase_2+41> - 0x0000555555555631 <+70>: add $0x28,%rsp + 0x0000555555555631 <+70>: add <span class="nv">$0</span>x28,%rsp 0x0000555555555635 <+74>: pop %rbx 0x0000555555555636 <+75>: pop %rbp 0x0000555555555637 <+76>: ret End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> -<pre><code> 0x00005555555555fd <+18>: cmpl $0x0,(%rsp) +<div class="codehilite"> +<pre><span></span><code> 0x00005555555555fd <+18>: cmpl <span class="nv">$0</span>x0,<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34> ... 0x000055555555560d <+34>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> -<p>The program first compares if the first number is not 0. If the number is not 0, then the <code>cmpl</code> instruction returns a negative value. The <code>js</code> instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.</p> - -<pre><code> 0x0000555555555603 <+24>: mov %rsp,%rbp - 0x0000555555555606 <+27>: mov $0x1,%ebx -</code></pre> +<p>The program first compares if the first number is not 0. If the number is not 0, then the <code>cmpl</code> instruction returns a negative value. The <code>js</code> instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555603 <+24>: mov %rsp,%rbp + 0x0000555555555606 <+27>: mov <span class="nv">$0</span>x1,%ebx + </code></pre> + </div></p> <p><code>%rsp</code> in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (<code>%rsp</code>) contains the address of the first number.</p> <p>By executing <code>mov %rsp,%rbp</code> we are setting the base pointer (<code>%rbp</code>) to point to this address.</p> -<p>Now, for the second instruction <code>mov $0x1,%ebx</code>, we are initalising the <code>%ebx</code> register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.</p> - -<pre><code> 0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> -</code></pre> - -<p>The program now jumps to <phase_2+53></p> - -<pre><code> 0x0000555555555620 <+53>: mov %ebx,%eax - 0x0000555555555622 <+55>: add 0x0(%rbp),%eax - 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) +<p>Now, for the second instruction <code>mov $0x1,%ebx</code>, we are initalising the <code>%ebx</code> register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop. + <div class="codehilite"> + <pre><span></span><code>0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> + </code></pre> + </div></p> + +<p>The program now jumps to <phase_2+53> + <div class="codehilite"> + <pre><span></span><code>0x0000555555555620 <+53>: mov %ebx,%eax + 0x0000555555555622 <+55>: add 0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax + 0x0000555555555625 <+58>: cmp %eax,0x4<span class="o">(</span>%rbp<span class="o">)</span> 0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41> -</code></pre> + </code></pre> + </div></p> <p>Here, the value from <code>%ebx</code> is copied to the <code>%eax</code> register. For this iteration, the value should be 1.</p> @@ -3354,17 +3373,18 @@ End of assembler dump. <p><code>cmp %eax,0x4(%rbp)</code> - The instruction compares the value in %eax to the value at the memory address <code>%rbp + 4</code>. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.</p> -<p><code>je 0x555555555614 <phase_2+41></code> - The program will jump to <code>phase_2+41</code> if the previous <code>cmp</code> instruction determined the values as equal. </p> - -<pre><code> 0x0000555555555614 <+41>: add $0x1,%ebx - 0x0000555555555617 <+44>: add $0x4,%rbp - 0x000055555555561b <+48>: cmp $0x6,%ebx - 0x000055555555561e <+51>: je 0x555555555631 <phase_2+70> +<p><code>je 0x555555555614 <phase_2+41></code> - The program will jump to <code>phase_2+41</code> if the previous <code>cmp</code> instruction determined the values as equal. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555614 <+41>: add <span class="nv">$0</span>x1,%ebx + 0x0000555555555617 <+44>: add <span class="nv">$0</span>x4,%rbp + 0x000055555555561b <+48>: cmp <span class="nv">$0</span>x6,%ebx + 0x000055555555561e <+51>: je 0x555555555631 <phase<em>2+70> 0x0000555555555620 <+53>: mov %ebx,%eax - 0x0000555555555622 <+55>: add 0x0(%rbp),%eax - 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) - 0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41> -</code></pre> + 0x0000555555555622 <+55>: add 0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax + 0x0000555555555625 <+58>: cmp %eax,0x4<span class="o">(</span>%rbp<span class="o">)</span> + 0x0000555555555628 <+61>: je 0x555555555614 <phase</em>2+41> + </code></pre> + </div></p> <p>Here, we can see that the program increments <code>%ebx</code> by 1, adds a 4 byte offset to <code>%rbp</code> (the number we will be matching now), and checks if <code>%ebx</code> is equal to 6. If it is, it breaks the loop and jumps to <code><phase_2+70></code> succesfully finishing this stage.</p> @@ -3379,208 +3399,223 @@ End of assembler dump. <li>6th number = 10 (prev value) + 5 = 15</li> </ul> -<pre><code>... -Phase 1 defused. How about the next one? -0 1 3 6 10 15 +<div class="codehilite"> +<pre><span></span><code>... +Phase <span class="m">1</span> defused. How about the next one? +<span class="m">0</span> <span class="m">1</span> <span class="m">3</span> <span class="m">6</span> <span class="m">10</span> <span class="m">15</span> -Breakpoint 1, 0x00005555555555eb in phase_2 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x00005555555555eb <span class="k">in</span> phase_2 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. -That's number 2. Keep going! +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! </code></pre> +</div> <h2>Phase 3</h2> <p>Let us look at the disassembled code first</p> -<pre><code>0000000000001638 <phase_3>: - 1638: f3 0f 1e fa endbr64 - 163c: 48 83 ec 18 sub $0x18,%rsp - 1640: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx - 1645: 48 8d 54 24 0c lea 0xc(%rsp),%rdx - 164a: 4c 8d 44 24 08 lea 0x8(%rsp),%r8 - 164f: 48 8d 35 60 1b 00 00 lea 0x1b60(%rip),%rsi # 31b6 <_IO_stdin_used+0x1b6> - 1656: b8 00 00 00 00 mov $0x0,%eax - 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt> - 1660: 83 f8 02 cmp $0x2,%eax - 1663: 7e 20 jle 1685 <phase_3+0x4d> - 1665: 83 7c 24 0c 07 cmpl $0x7,0xc(%rsp) - 166a: 0f 87 0d 01 00 00 ja 177d <phase_3+0x145> - 1670: 8b 44 24 0c mov 0xc(%rsp),%eax - 1674: 48 8d 15 55 1b 00 00 lea 0x1b55(%rip),%rdx # 31d0 <_IO_stdin_used+0x1d0> - 167b: 48 63 04 82 movslq (%rdx,%rax,4),%rax - 167f: 48 01 d0 add %rdx,%rax - 1682: 3e ff e0 notrack jmp *%rax - 1685: e8 c0 06 00 00 call 1d4a <explode_bomb> - 168a: eb d9 jmp 1665 <phase_3+0x2d> - 168c: b8 63 00 00 00 mov $0x63,%eax - 1691: 81 7c 24 08 3d 02 00 cmpl $0x23d,0x8(%rsp) - 1698: 00 - 1699: 0f 84 e8 00 00 00 je 1787 <phase_3+0x14f> - 169f: e8 a6 06 00 00 call 1d4a <explode_bomb> - 16a4: b8 63 00 00 00 mov $0x63,%eax - 16a9: e9 d9 00 00 00 jmp 1787 <phase_3+0x14f> - 16ae: b8 61 00 00 00 mov $0x61,%eax - 16b3: 81 7c 24 08 27 01 00 cmpl $0x127,0x8(%rsp) - 16ba: 00 - 16bb: 0f 84 c6 00 00 00 je 1787 <phase_3+0x14f> - 16c1: e8 84 06 00 00 call 1d4a <explode_bomb> - 16c6: b8 61 00 00 00 mov $0x61,%eax - 16cb: e9 b7 00 00 00 jmp 1787 <phase_3+0x14f> - 16d0: b8 78 00 00 00 mov $0x78,%eax - 16d5: 81 7c 24 08 e7 02 00 cmpl $0x2e7,0x8(%rsp) - 16dc: 00 - 16dd: 0f 84 a4 00 00 00 je 1787 <phase_3+0x14f> - 16e3: e8 62 06 00 00 call 1d4a <explode_bomb> - 16e8: b8 78 00 00 00 mov $0x78,%eax - 16ed: e9 95 00 00 00 jmp 1787 <phase_3+0x14f> - 16f2: b8 64 00 00 00 mov $0x64,%eax - 16f7: 81 7c 24 08 80 02 00 cmpl $0x280,0x8(%rsp) - 16fe: 00 - 16ff: 0f 84 82 00 00 00 je 1787 <phase_3+0x14f> - 1705: e8 40 06 00 00 call 1d4a <explode_bomb> - 170a: b8 64 00 00 00 mov $0x64,%eax - 170f: eb 76 jmp 1787 <phase_3+0x14f> - 1711: b8 6d 00 00 00 mov $0x6d,%eax - 1716: 81 7c 24 08 ff 02 00 cmpl $0x2ff,0x8(%rsp) - 171d: 00 - 171e: 74 67 je 1787 <phase_3+0x14f> - 1720: e8 25 06 00 00 call 1d4a <explode_bomb> - 1725: b8 6d 00 00 00 mov $0x6d,%eax - 172a: eb 5b jmp 1787 <phase_3+0x14f> - 172c: b8 71 00 00 00 mov $0x71,%eax - 1731: 81 7c 24 08 75 03 00 cmpl $0x375,0x8(%rsp) - 1738: 00 - 1739: 74 4c je 1787 <phase_3+0x14f> - 173b: e8 0a 06 00 00 call 1d4a <explode_bomb> - 1740: b8 71 00 00 00 mov $0x71,%eax - 1745: eb 40 jmp 1787 <phase_3+0x14f> - 1747: b8 79 00 00 00 mov $0x79,%eax - 174c: 81 7c 24 08 94 02 00 cmpl $0x294,0x8(%rsp) - 1753: 00 - 1754: 74 31 je 1787 <phase_3+0x14f> - 1756: e8 ef 05 00 00 call 1d4a <explode_bomb> - 175b: b8 79 00 00 00 mov $0x79,%eax - 1760: eb 25 jmp 1787 <phase_3+0x14f> - 1762: b8 79 00 00 00 mov $0x79,%eax - 1767: 81 7c 24 08 88 02 00 cmpl $0x288,0x8(%rsp) - 176e: 00 - 176f: 74 16 je 1787 <phase_3+0x14f> - 1771: e8 d4 05 00 00 call 1d4a <explode_bomb> - 1776: b8 79 00 00 00 mov $0x79,%eax - 177b: eb 0a jmp 1787 <phase_3+0x14f> - 177d: e8 c8 05 00 00 call 1d4a <explode_bomb> - 1782: b8 68 00 00 00 mov $0x68,%eax - 1787: 38 44 24 07 cmp %al,0x7(%rsp) - 178b: 75 05 jne 1792 <phase_3+0x15a> - 178d: 48 83 c4 18 add $0x18,%rsp - 1791: c3 ret - 1792: e8 b3 05 00 00 call 1d4a <explode_bomb> - 1797: eb f4 jmp 178d <phase_3+0x155> +<div class="codehilite"> +<pre><span></span><code><span class="m">0000000000001638</span> <phase_3>: + <span class="m">1638</span>: f3 0f 1e fa endbr64 + 163c: <span class="m">48</span> <span class="m">83</span> ec <span class="m">18</span> sub <span class="nv">$0</span>x18,%rsp + <span class="m">1640</span>: <span class="m">48</span> 8d 4c <span class="m">24</span> <span class="m">07</span> lea 0x7<span class="o">(</span>%rsp<span class="o">)</span>,%rcx + <span class="m">1645</span>: <span class="m">48</span> 8d <span class="m">54</span> <span class="m">24</span> 0c lea 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 164a: 4c 8d <span class="m">44</span> <span class="m">24</span> <span class="m">08</span> lea 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%r8 + 164f: <span class="m">48</span> 8d <span class="m">35</span> <span class="m">60</span> 1b <span class="m">00</span> <span class="m">00</span> lea 0x1b60<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 31b6 <_IO_stdin_used+0x1b6></span> + <span class="m">1656</span>: b8 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x0,%eax + 165b: e8 <span class="m">80</span> <span class="nb">fc</span> ff ff call 12e0 <__isoc99_sscanf@plt> + <span class="m">1660</span>: <span class="m">83</span> f8 <span class="m">02</span> cmp <span class="nv">$0</span>x2,%eax + <span class="m">1663</span>: 7e <span class="m">20</span> jle <span class="m">1685</span> <phase_3+0x4d> + <span class="m">1665</span>: <span class="m">83</span> 7c <span class="m">24</span> 0c <span class="m">07</span> cmpl <span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span> + 166a: 0f <span class="m">87</span> 0d <span class="m">01</span> <span class="m">00</span> <span class="m">00</span> ja 177d <phase_3+0x145> + <span class="m">1670</span>: 8b <span class="m">44</span> <span class="m">24</span> 0c mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax + <span class="m">1674</span>: <span class="m">48</span> 8d <span class="m">15</span> <span class="m">55</span> 1b <span class="m">00</span> <span class="m">00</span> lea 0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 31d0 <_IO_stdin_used+0x1d0></span> + 167b: <span class="m">48</span> <span class="m">63</span> <span class="m">04</span> <span class="m">82</span> movslq <span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax + 167f: <span class="m">48</span> <span class="m">01</span> d0 add %rdx,%rax + <span class="m">1682</span>: 3e ff e0 notrack jmp *%rax + <span class="m">1685</span>: e8 c0 <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 168a: eb d9 jmp <span class="m">1665</span> <phase_3+0x2d> + 168c: b8 <span class="m">63</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x63,%eax + <span class="m">1691</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> 3d <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x23d,0x8<span class="o">(</span>%rsp<span class="o">)</span> + <span class="m">1698</span>: <span class="m">00</span> + <span class="m">1699</span>: 0f <span class="m">84</span> e8 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + 169f: e8 a6 <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 16a4: b8 <span class="m">63</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x63,%eax + 16a9: e9 d9 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> jmp <span class="m">1787</span> <phase_3+0x14f> + 16ae: b8 <span class="m">61</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x61,%eax + 16b3: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">27</span> <span class="m">01</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x127,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 16ba: <span class="m">00</span> + 16bb: 0f <span class="m">84</span> c6 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + 16c1: e8 <span class="m">84</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 16c6: b8 <span class="m">61</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x61,%eax + 16cb: e9 b7 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> jmp <span class="m">1787</span> <phase_3+0x14f> + 16d0: b8 <span class="m">78</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x78,%eax + 16d5: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> e7 <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x2e7,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 16dc: <span class="m">00</span> + 16dd: 0f <span class="m">84</span> a4 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + 16e3: e8 <span class="m">62</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 16e8: b8 <span class="m">78</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x78,%eax + 16ed: e9 <span class="m">95</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> jmp <span class="m">1787</span> <phase_3+0x14f> + 16f2: b8 <span class="m">64</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x64,%eax + 16f7: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">80</span> <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x280,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 16fe: <span class="m">00</span> + 16ff: 0f <span class="m">84</span> <span class="m">82</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1705</span>: e8 <span class="m">40</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 170a: b8 <span class="m">64</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x64,%eax + 170f: eb <span class="m">76</span> jmp <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1711</span>: b8 6d <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x6d,%eax + <span class="m">1716</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> ff <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x2ff,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 171d: <span class="m">00</span> + 171e: <span class="m">74</span> <span class="m">67</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1720</span>: e8 <span class="m">25</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1725</span>: b8 6d <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x6d,%eax + 172a: eb 5b jmp <span class="m">1787</span> <phase_3+0x14f> + 172c: b8 <span class="m">71</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x71,%eax + <span class="m">1731</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">75</span> <span class="m">03</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x375,0x8<span class="o">(</span>%rsp<span class="o">)</span> + <span class="m">1738</span>: <span class="m">00</span> + <span class="m">1739</span>: <span class="m">74</span> 4c je <span class="m">1787</span> <phase_3+0x14f> + 173b: e8 0a <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1740</span>: b8 <span class="m">71</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x71,%eax + <span class="m">1745</span>: eb <span class="m">40</span> jmp <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1747</span>: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + 174c: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">94</span> <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x294,0x8<span class="o">(</span>%rsp<span class="o">)</span> + <span class="m">1753</span>: <span class="m">00</span> + <span class="m">1754</span>: <span class="m">74</span> <span class="m">31</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1756</span>: e8 ef <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 175b: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + <span class="m">1760</span>: eb <span class="m">25</span> jmp <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1762</span>: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + <span class="m">1767</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">88</span> <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x288,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 176e: <span class="m">00</span> + 176f: <span class="m">74</span> <span class="m">16</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1771</span>: e8 d4 <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1776</span>: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + 177b: eb 0a jmp <span class="m">1787</span> <phase_3+0x14f> + 177d: e8 c8 <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1782</span>: b8 <span class="m">68</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x68,%eax + <span class="m">1787</span>: <span class="m">38</span> <span class="m">44</span> <span class="m">24</span> <span class="m">07</span> cmp %al,0x7<span class="o">(</span>%rsp<span class="o">)</span> + 178b: <span class="m">75</span> <span class="m">05</span> jne <span class="m">1792</span> <phase_3+0x15a> + 178d: <span class="m">48</span> <span class="m">83</span> c4 <span class="m">18</span> add <span class="nv">$0</span>x18,%rsp + <span class="m">1791</span>: c3 ret + <span class="m">1792</span>: e8 b3 <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1797</span>: eb f4 jmp 178d <phase_3+0x155> </code></pre> +</div> -<pre><code>... - 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt> +<div class="codehilite"> +<pre><span></span><code>... + 165b: e8 <span class="m">80</span> <span class="nb">fc</span> ff ff call 12e0 <__isoc99_sscanf@plt> ... </code></pre> +</div> <p>We can see that <code>scanf</code> is being called which means we need to figure out what datatype(s) the program is expecting.</p> <p>Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.</p> -<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 -Copyright (C) 2022 Free Software Foundation, Inc. -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +<div class="codehilite"> +<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex <span class="s1">'break phase_3'</span> -ex <span class="s1">'break explode_bomb'</span> -ex <span class="s1">'run'</span> -args ./bomb sol.txt +GNU gdb <span class="o">(</span>Ubuntu <span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span> <span class="m">12</span>.1 +Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2022</span> Free Software Foundation, Inc. +License GPLv3+: GNU GPL version <span class="m">3</span> or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. -Type "show copying" and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -Type "show configuration" for configuration details. +Type <span class="s2">"show copying"</span> and <span class="s2">"show warranty"</span> <span class="k">for</span> details. +This GDB was configured as <span class="s2">"x86_64-linux-gnu"</span>. +Type <span class="s2">"show configuration"</span> <span class="k">for</span> configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. -For help, type "help". -Type "apropos word" to search for commands related to "word"... +For help, <span class="nb">type</span> <span class="s2">"help"</span>. +Type <span class="s2">"apropos word"</span> to search <span class="k">for</span> commands related to <span class="s2">"word"</span>... Reading symbols from ./bomb... -Breakpoint 1 at 0x1638 -Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". -Welcome to my fiendish little bomb. You have 6 phases with +Breakpoint <span class="m">1</span> at 0x1638 +Breakpoint <span class="m">2</span> at 0x1d4a +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +<span class="o">[</span>Thread debugging using libthread_db enabled<span class="o">]</span> +Using host libthread_db library <span class="s2">"/lib/x86_64-linux-gnu/libthread_db.so.1"</span>. +Welcome to my fiendish little bomb. You have <span class="m">6</span> phases with which to blow yourself up. Have a nice day! -Phase 1 defused. How about the next one? -That's number 2. Keep going! +Phase <span class="m">1</span> defused. How about the next one? +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! random string -Breakpoint 1, 0x0000555555555638 in phase_3 () -(gdb) disas -Dump of assembler code for function phase_3: -=> 0x0000555555555638 <+0>: endbr64 - 0x000055555555563c <+4>: sub $0x18,%rsp - 0x0000555555555640 <+8>: lea 0x7(%rsp),%rcx - 0x0000555555555645 <+13>: lea 0xc(%rsp),%rdx - 0x000055555555564a <+18>: lea 0x8(%rsp),%r8 - 0x000055555555564f <+23>: lea 0x1b60(%rip),%rsi # 0x5555555571b6 - 0x0000555555555656 <+30>: mov $0x0,%eax +Breakpoint <span class="m">1</span>, 0x0000555555555638 <span class="k">in</span> phase_3 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_3: +<span class="o">=</span>> 0x0000555555555638 <+0>: endbr64 + 0x000055555555563c <+4>: sub <span class="nv">$0</span>x18,%rsp + 0x0000555555555640 <+8>: lea 0x7<span class="o">(</span>%rsp<span class="o">)</span>,%rcx + 0x0000555555555645 <+13>: lea 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x000055555555564a <+18>: lea 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%r8 + 0x000055555555564f <+23>: lea 0x1b60<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x5555555571b6</span> + 0x0000555555555656 <+30>: mov <span class="nv">$0</span>x0,%eax 0x000055555555565b <+35>: call 0x5555555552e0 <__isoc99_sscanf@plt> - 0x0000555555555660 <+40>: cmp $0x2,%eax + 0x0000555555555660 <+40>: cmp <span class="nv">$0</span>x2,%eax 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77> - 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp) + 0x0000555555555665 <+45>: cmpl <span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325> - 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax - 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0 - 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax + 0x0000555555555670 <+56>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax + 0x0000555555555674 <+60>: lea 0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 0x5555555571d0</span> + 0x000055555555567b <+67>: movslq <span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax 0x000055555555567f <+71>: add %rdx,%rax 0x0000555555555682 <+74>: notrack jmp *%rax 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb> 0x000055555555568a <+82>: jmp 0x555555555665 <phase_3+45> - 0x000055555555568c <+84>: mov $0x63,%eax - 0x0000555555555691 <+89>: cmpl $0x23d,0x8(%rsp) + 0x000055555555568c <+84>: mov <span class="nv">$0</span>x63,%eax + 0x0000555555555691 <+89>: cmpl <span class="nv">$0</span>x23d,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555699 <+97>: je 0x555555555787 <phase_3+335> 0x000055555555569f <+103>: call 0x555555555d4a <explode_bomb> - 0x00005555555556a4 <+108>: mov $0x63,%eax + 0x00005555555556a4 <+108>: mov <span class="nv">$0</span>x63,%eax 0x00005555555556a9 <+113>: jmp 0x555555555787 <phase_3+335> ---Type <RET> for more, q to quit, c to continue without paging-- +--Type <RET> <span class="k">for</span> more, q to quit, c to <span class="k">continue</span> without paging-- </code></pre> +</div> <p><code>gdb</code> has thankfully marked the address which is being passed to <code>scanf</code>. We can access the value:</p> -<pre><code>(gdb) x/1s 0x5555555571b6 -0x5555555571b6: "%d %c %d" -(gdb) +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/1s 0x5555555571b6 +0x5555555571b6: <span class="s2">"%d %c %d"</span> +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>BINGO! The program expects an integer, character, and another integer. Onwards.</p> -<pre><code> 0x0000555555555660 <+40>: cmp $0x2,%eax +<div class="codehilite"> +<pre><span></span><code> 0x0000555555555660 <+40>: cmp <span class="nv">$0</span>x2,%eax 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77> ... 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> <p>The program checks whether <code>scanf</code> returns a value <= 2, if it does then it calls the <code>explode_bomb</code> function. </p> <p><em>Note: <code>scanf</code> returns the number of fields that were succesfully converted and assigned</em></p> -<pre><code> 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp) +<div class="codehilite"> +<pre><span></span><code> 0x0000555555555665 <+45>: cmpl <span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325> ... 0x000055555555577d <+325>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> -<p>Similarly, the program checks and ensures the returned value is not > 7. </p> - -<pre><code> 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax - 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0 - 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax +<p>Similarly, the program checks and ensures the returned value is not > 7. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555670 <+56>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax + 0x0000555555555674 <+60>: lea 0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 0x5555555571d0</span> + 0x000055555555567b <+67>: movslq <span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax 0x000055555555567f <+71>: add %rdx,%rax 0x0000555555555682 <+74>: notrack jmp *%rax 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb> -</code></pre> + </code></pre> + </div></p> <ul> <li><code>0x0000555555555670 <+56>: mov 0xc(%rsp),%eax</code> - Moves value located at <code>0xc</code> (12 in Decimal) bytes above the stack pointer to <code>%eax</code> register. </li> @@ -3610,137 +3645,151 @@ $1 = 3 <p><img src="/assets/bomb-lab/phase-3.png" alt="Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to" /></p> -<p>We can see that this makes us jump to <code><phase_3+186></code> (Continue to step through the code by using <code>ni</code>)</p> - -<pre><code> 0x00005555555556f2 <+186>: mov $0x64,%eax - 0x00005555555556f7 <+191>: cmpl $0x280,0x8(%rsp) - 0x00005555555556ff <+199>: je 0x555555555787 <phase_3+335> - 0x0000555555555705 <+205>: call 0x555555555d4a <explode_bomb> -</code></pre> - -<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code><phase_3+335></code>, otherwise <code>explode_bomb</code> is called.</p> - -<pre><code> 0x0000555555555787 <+335>: cmp %al,0x7(%rsp) - 0x000055555555578b <+339>: jne 0x555555555792 <phase_3+346> - 0x000055555555578d <+341>: add $0x18,%rsp - 0x0000555555555791 <+345>: ret - 0x0000555555555792 <+346>: call 0x555555555d4a <explode_bomb> -</code></pre> +<p>We can see that this makes us jump to <code><phase_3+186></code> (Continue to step through the code by using <code>ni</code>) + <div class="codehilite"> + <pre><span></span><code>0x00005555555556f2 <+186>: mov <span class="nv">$0</span>x64,%eax + 0x00005555555556f7 <+191>: cmpl <span class="nv">$0</span>x280,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 0x00005555555556ff <+199>: je 0x555555555787 <phase<em>3+335> + 0x0000555555555705 <+205>: call 0x555555555d4a <explode</em>bomb> + </code></pre> + </div></p> + +<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code><phase_3+335></code>, otherwise <code>explode_bomb</code> is called. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555787 <+335>: cmp %al,0x7<span class="o">(</span>%rsp<span class="o">)</span> + 0x000055555555578b <+339>: jne 0x555555555792 <phase<em>3+346> + 0x000055555555578d <+341>: add <span class="nv">$0</span>x18,%rsp + 0x0000555555555791 <+345>: ret <br /> + 0x0000555555555792 <+346>: call 0x555555555d4a <explode</em>bomb> + </code></pre> + </div></p> <p>Here, the program is comparing the value of our given character to the value stored in <code>%al</code> (lower 8 bits of <code>EAX</code>), and checks if they are not equal.</p> <p>Knowing that the character is stored at an offset of 7 bytes to <code>%rsp</code>, we can print and check the value by running:</p> -<pre><code>(gdb) x/1cw $rsp+7 +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/1cw <span class="nv">$rsp</span>+7 c -(gdb) print $al -$1 = 100 +<span class="o">(</span>gdb<span class="o">)</span> print <span class="nv">$al</span> +<span class="nv">$1</span> <span class="o">=</span> <span class="m">100</span> </code></pre> +</div> <p>We can simply lookup the <a rel="noopener" target="_blank" href="https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html">ASCII table</a>, and see that 100 in decimal stands for the character <code>d</code>. Let us try this answer:</p> -<pre><code>... -That's number 2. Keep going! -3 d 640 +<div class="codehilite"> +<pre><span></span><code>... +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! +<span class="m">3</span> d <span class="m">640</span> -Breakpoint 1, 0x0000555555555638 in phase_3 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x0000555555555638 <span class="k">in</span> phase_3 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. Halfway there! </code></pre> +</div> <h2>Phase 4</h2> -<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 -Copyright (C) 2022 Free Software Foundation, Inc. -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +<div class="codehilite"> +<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex <span class="s1">'break phase_4'</span> -ex <span class="s1">'break explode_bomb'</span> -ex <span class="s1">'run'</span> -args ./bomb sol.txt +GNU gdb <span class="o">(</span>Ubuntu <span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span> <span class="m">12</span>.1 +Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2022</span> Free Software Foundation, Inc. +License GPLv3+: GNU GPL version <span class="m">3</span> or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. -Type "show copying" and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -Type "show configuration" for configuration details. +Type <span class="s2">"show copying"</span> and <span class="s2">"show warranty"</span> <span class="k">for</span> details. +This GDB was configured as <span class="s2">"x86_64-linux-gnu"</span>. +Type <span class="s2">"show configuration"</span> <span class="k">for</span> configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. -For help, type "help". -Type "apropos word" to search for commands related to "word"... +For help, <span class="nb">type</span> <span class="s2">"help"</span>. +Type <span class="s2">"apropos word"</span> to search <span class="k">for</span> commands related to <span class="s2">"word"</span>... Reading symbols from ./bomb... -Breakpoint 1 at 0x17d3 -Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". -Welcome to my fiendish little bomb. You have 6 phases with +Breakpoint <span class="m">1</span> at 0x17d3 +Breakpoint <span class="m">2</span> at 0x1d4a +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +<span class="o">[</span>Thread debugging using libthread_db enabled<span class="o">]</span> +Using host libthread_db library <span class="s2">"/lib/x86_64-linux-gnu/libthread_db.so.1"</span>. +Welcome to my fiendish little bomb. You have <span class="m">6</span> phases with which to blow yourself up. Have a nice day! -Phase 1 defused. How about the next one? -That's number 2. Keep going! +Phase <span class="m">1</span> defused. How about the next one? +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! Halfway there! -test string - -Breakpoint 1, 0x00005555555557d3 in phase_4 () -(gdb) disas phase_4 -Dump of assembler code for function phase_4: -=> 0x00005555555557d3 <+0>: endbr64 - 0x00005555555557d7 <+4>: sub $0x18,%rsp - 0x00005555555557db <+8>: lea 0x8(%rsp),%rcx - 0x00005555555557e0 <+13>: lea 0xc(%rsp),%rdx - 0x00005555555557e5 <+18>: lea 0x1bba(%rip),%rsi # 0x5555555573a6 - 0x00005555555557ec <+25>: mov $0x0,%eax +<span class="nb">test</span> string + +Breakpoint <span class="m">1</span>, 0x00005555555557d3 <span class="k">in</span> phase_4 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas phase_4 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_4: +<span class="o">=</span>> 0x00005555555557d3 <+0>: endbr64 + 0x00005555555557d7 <+4>: sub <span class="nv">$0</span>x18,%rsp + 0x00005555555557db <+8>: lea 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%rcx + 0x00005555555557e0 <+13>: lea 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x00005555555557e5 <+18>: lea 0x1bba<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x5555555573a6</span> + 0x00005555555557ec <+25>: mov <span class="nv">$0</span>x0,%eax 0x00005555555557f1 <+30>: call 0x5555555552e0 <__isoc99_sscanf@plt> - 0x00005555555557f6 <+35>: cmp $0x2,%eax + 0x00005555555557f6 <+35>: cmp <span class="nv">$0</span>x2,%eax 0x00005555555557f9 <+38>: jne 0x555555555802 <phase_4+47> - 0x00005555555557fb <+40>: cmpl $0xe,0xc(%rsp) + 0x00005555555557fb <+40>: cmpl <span class="nv">$0</span>xe,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555800 <+45>: jbe 0x555555555807 <phase_4+52> 0x0000555555555802 <+47>: call 0x555555555d4a <explode_bomb> - 0x0000555555555807 <+52>: mov $0xe,%edx - 0x000055555555580c <+57>: mov $0x0,%esi - 0x0000555555555811 <+62>: mov 0xc(%rsp),%edi + 0x0000555555555807 <+52>: mov <span class="nv">$0</span>xe,%edx + 0x000055555555580c <+57>: mov <span class="nv">$0</span>x0,%esi + 0x0000555555555811 <+62>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%edi 0x0000555555555815 <+66>: call 0x555555555799 <func4> - 0x000055555555581a <+71>: cmp $0x2,%eax + 0x000055555555581a <+71>: cmp <span class="nv">$0</span>x2,%eax 0x000055555555581d <+74>: jne 0x555555555826 <phase_4+83> - 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) + 0x000055555555581f <+76>: cmpl <span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> 0x0000555555555826 <+83>: call 0x555555555d4a <explode_bomb> - 0x000055555555582b <+88>: add $0x18,%rsp + 0x000055555555582b <+88>: add <span class="nv">$0</span>x18,%rsp 0x000055555555582f <+92>: ret End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>Again, <code>gdb</code> has marked the string being passed to <code>scanf</code></p> -<pre><code>(gdb) x/1s 0x5555555573a6 -0x5555555573a6: "%d %d" +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/1s 0x5555555573a6 +0x5555555573a6: <span class="s2">"%d %d"</span> </code></pre> +</div> -<p>Okay, so this time we are supposed to enter 2 numbers.</p> - -<pre><code> 0x00005555555557f6 <+35>: cmp $0x2,%eax +<p>Okay, so this time we are supposed to enter 2 numbers. + <div class="codehilite"> + <pre><span></span><code>0x00005555555557f6 <+35>: cmp <span class="nv">$0</span>x2,%eax 0x00005555555557f9 <+38>: jne 0x555555555802 <phase_4+47> -</code></pre> - -<p>Checks if there were 2 values read from calling <code>scanf</code>, if not -> jump to <code><phase_4+47></code> which calls <code><explode_bomb></code>.</p> + </code></pre> + </div></p> -<pre><code> 0x00005555555557fb <+40>: cmpl $0xe,0xc(%rsp) +<p>Checks if there were 2 values read from calling <code>scanf</code>, if not -> jump to <code><phase_4+47></code> which calls <code><explode_bomb></code>. + <div class="codehilite"> + <pre><span></span><code>0x00005555555557fb <+40>: cmpl <span class="nv">$0</span>xe,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555800 <+45>: jbe 0x555555555807 <phase_4+52> -</code></pre> + </code></pre> + </div></p> <p>Compare <code>0xe</code> (14 in Decimal) and value stored at <code>$rsp</code> + <code>0xc</code> bytes (Decimal 12). If this condition is met (<= 14), jump to <code><phase_4+52></code>. If not, then explode bomb.</p> -<pre><code>... - 0x0000555555555807 <+52>: mov $0xe,%edx - 0x000055555555580c <+57>: mov $0x0,%esi - 0x0000555555555811 <+62>: mov 0xc(%rsp),%edi +<div class="codehilite"> +<pre><span></span><code>... + 0x0000555555555807 <+52>: mov <span class="nv">$0</span>xe,%edx + 0x000055555555580c <+57>: mov <span class="nv">$0</span>x0,%esi + 0x0000555555555811 <+62>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%edi 0x0000555555555815 <+66>: call 0x555555555799 <func4> - 0x000055555555581a <+71>: cmp $0x2,%eax + 0x000055555555581a <+71>: cmp <span class="nv">$0</span>x2,%eax 0x000055555555581d <+74>: jne 0x555555555826 <phase_4+83> - 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) + 0x000055555555581f <+76>: cmpl <span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> 0x0000555555555826 <+83>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> <ul> <li><code>0x0000555555555815 <+66>: call 0x555555555799 <func4></code> calls another function called <code>func4</code></li> @@ -3749,55 +3798,59 @@ End of assembler dump. <p>Let us look into <code>func4</code></p> -<pre><code>(gdb) disas func4 -Dump of assembler code for function func4: +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> disas func4 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> func4: 0x0000555555555799 <+0>: endbr64 - 0x000055555555579d <+4>: sub $0x8,%rsp + 0x000055555555579d <+4>: sub <span class="nv">$0</span>x8,%rsp 0x00005555555557a1 <+8>: mov %edx,%ecx 0x00005555555557a3 <+10>: sub %esi,%ecx 0x00005555555557a5 <+12>: shr %ecx 0x00005555555557a7 <+14>: add %esi,%ecx 0x00005555555557a9 <+16>: cmp %edi,%ecx 0x00005555555557ab <+18>: ja 0x5555555557b9 <func4+32> - 0x00005555555557ad <+20>: mov $0x0,%eax + 0x00005555555557ad <+20>: mov <span class="nv">$0</span>x0,%eax 0x00005555555557b2 <+25>: jb 0x5555555557c5 <func4+44> - 0x00005555555557b4 <+27>: add $0x8,%rsp + 0x00005555555557b4 <+27>: add <span class="nv">$0</span>x8,%rsp 0x00005555555557b8 <+31>: ret - 0x00005555555557b9 <+32>: lea -0x1(%rcx),%edx + 0x00005555555557b9 <+32>: lea -0x1<span class="o">(</span>%rcx<span class="o">)</span>,%edx 0x00005555555557bc <+35>: call 0x555555555799 <func4> 0x00005555555557c1 <+40>: add %eax,%eax 0x00005555555557c3 <+42>: jmp 0x5555555557b4 <func4+27> - 0x00005555555557c5 <+44>: lea 0x1(%rcx),%esi + 0x00005555555557c5 <+44>: lea 0x1<span class="o">(</span>%rcx<span class="o">)</span>,%esi 0x00005555555557c8 <+47>: call 0x555555555799 <func4> - 0x00005555555557cd <+52>: lea 0x1(%rax,%rax,1),%eax + 0x00005555555557cd <+52>: lea 0x1<span class="o">(</span>%rax,%rax,1<span class="o">)</span>,%eax 0x00005555555557d1 <+56>: jmp 0x5555555557b4 <func4+27> </code></pre> +</div> <p>This looks like a recursive function :( (I hate recursive functions)</p> <p>Let's annotate the instructions.</p> -<pre><code>endbr64 -sub $0x8,%rsp // subtract 8 bytes from the stack pointer -mov %edx,%ecx // Move the value in register %edx to %ecx -sub %esi,%ecx // Subtract the value in %esi from %ecx -shr %ecx // Right shift the value in %ecx by one bit (dividing the value by 2) -add %esi,%ecx // Add the value in %esi to %ecx +<div class="codehilite"> +<pre><span></span><code>endbr64 +sub <span class="nv">$0</span>x8,%rsp // subtract <span class="m">8</span> bytes from the stack pointer +mov %edx,%ecx // Move the value <span class="k">in</span> register %edx to %ecx +sub %esi,%ecx // Subtract the value <span class="k">in</span> %esi from %ecx +shr %ecx // Right <span class="nb">shift</span> the value <span class="k">in</span> %ecx by one bit <span class="o">(</span>dividing the value by <span class="m">2</span><span class="o">)</span> +add %esi,%ecx // Add the value <span class="k">in</span> %esi to %ecx cmp %edi,%ecx // Compare ja 0x5555555557b9 <func4+32> // If %ecx > %edi -> jump to instruction at offset +32 -mov $0x0,%eax // Move 0 to %eax +mov <span class="nv">$0</span>x0,%eax // Move <span class="m">0</span> to %eax jb 0x5555555557c5 <func4+44> // If %ecx < %edi -> jump to instruction at offset +44. -add $0x8,%rsp // add 8 bytes to the stack pointer -ret // return -lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx +add <span class="nv">$0</span>x8,%rsp // add <span class="m">8</span> bytes to the stack pointer +ret // <span class="k">return</span> +lea -0x1<span class="o">(</span>%rcx<span class="o">)</span>,%edx // LEA of <span class="nv">$rxc</span> - <span class="m">1</span> into <span class="nv">$edx</span> call 0x555555555799 <func4> // Call itself -add %eax,%eax // Double the value in %eax +add %eax,%eax // Double the value <span class="k">in</span> %eax jmp 0x5555555557b4 <func4+27> // jump to the instruction at offset +27 -lea 0x1(%rcx),%esi +lea 0x1<span class="o">(</span>%rcx<span class="o">)</span>,%esi call 0x555555555799 <func4> -lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax +lea 0x1<span class="o">(</span>%rax,%rax,1<span class="o">)</span>,%eax // LEA of %rax * <span class="m">2</span> + <span class="m">1</span> into <span class="nv">$eax</span> jmp 0x5555555557b4 <func4+27> </code></pre> +</div> <p>We can either try to compute the values by hand, or write a simple script in Python to get the answer.</p> @@ -3822,57 +3875,61 @@ jmp 0x5555555557b4 <func4+27> <p>Okay, so we know that the number needed to be passed to <code>func4</code> is 5. But, what about the second digit?</p> -<p>If we go back to the code for <code><phase_4></code>, we can see that:</p> - -<pre><code> 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) +<p>If we go back to the code for <code><phase_4></code>, we can see that: + <div class="codehilite"> + <pre><span></span><code>0x000055555555581f <+76>: cmpl <span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> -</code></pre> + </code></pre> + </div></p> <p>The value at <code>$rsp+8</code> should be equal to 2. So, let us try passing <code>5 2</code> as our input.</p> -<pre><code>... -Phase 1 defused. How about the next one? -That's number 2. Keep going! +<div class="codehilite"> +<pre><span></span><code>... +Phase <span class="m">1</span> defused. How about the next one? +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! Halfway there! -5 2 +<span class="m">5</span> <span class="m">2</span> -Breakpoint 1, 0x00005555555557d3 in phase_4 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x00005555555557d3 <span class="k">in</span> phase_4 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. So you got that one. Try this one. </code></pre> +</div> <h2>Phase 5</h2> -<pre><code>So you got that one. Try this one. -test string +<div class="codehilite"> +<pre><span></span><code>So you got that one. Try this one. +<span class="nb">test</span> string -Breakpoint 1, 0x0000555555555830 in phase_5 () -(gdb) disas phase_5 -Dump of assembler code for function phase_5: -=> 0x0000555555555830 <+0>: endbr64 +Breakpoint <span class="m">1</span>, 0x0000555555555830 <span class="k">in</span> phase_5 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas phase_5 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_5: +<span class="o">=</span>> 0x0000555555555830 <+0>: endbr64 0x0000555555555834 <+4>: push %rbx - 0x0000555555555835 <+5>: sub $0x10,%rsp + 0x0000555555555835 <+5>: sub <span class="nv">$0</span>x10,%rsp 0x0000555555555839 <+9>: mov %rdi,%rbx 0x000055555555583c <+12>: call 0x555555555b10 <string_length> - 0x0000555555555841 <+17>: cmp $0x6,%eax + 0x0000555555555841 <+17>: cmp <span class="nv">$0</span>x6,%eax 0x0000555555555844 <+20>: jne 0x55555555588b <phase_5+91> - 0x0000555555555846 <+22>: mov $0x0,%eax - 0x000055555555584b <+27>: lea 0x199e(%rip),%rcx # 0x5555555571f0 <array.0> - 0x0000555555555852 <+34>: movzbl (%rbx,%rax,1),%edx - 0x0000555555555856 <+38>: and $0xf,%edx - 0x0000555555555859 <+41>: movzbl (%rcx,%rdx,1),%edx - 0x000055555555585d <+45>: mov %dl,0x9(%rsp,%rax,1) - 0x0000555555555861 <+49>: add $0x1,%rax - 0x0000555555555865 <+53>: cmp $0x6,%rax + 0x0000555555555846 <+22>: mov <span class="nv">$0</span>x0,%eax + 0x000055555555584b <+27>: lea 0x199e<span class="o">(</span>%rip<span class="o">)</span>,%rcx <span class="c1"># 0x5555555571f0 <array.0></span> + 0x0000555555555852 <+34>: movzbl <span class="o">(</span>%rbx,%rax,1<span class="o">)</span>,%edx + 0x0000555555555856 <+38>: and <span class="nv">$0</span>xf,%edx + 0x0000555555555859 <+41>: movzbl <span class="o">(</span>%rcx,%rdx,1<span class="o">)</span>,%edx + 0x000055555555585d <+45>: mov %dl,0x9<span class="o">(</span>%rsp,%rax,1<span class="o">)</span> + 0x0000555555555861 <+49>: add <span class="nv">$0</span>x1,%rax + 0x0000555555555865 <+53>: cmp <span class="nv">$0</span>x6,%rax 0x0000555555555869 <+57>: jne 0x555555555852 <phase_5+34> - 0x000055555555586b <+59>: movb $0x0,0xf(%rsp) - 0x0000555555555870 <+64>: lea 0x9(%rsp),%rdi - 0x0000555555555875 <+69>: lea 0x1943(%rip),%rsi # 0x5555555571bf + 0x000055555555586b <+59>: movb <span class="nv">$0</span>x0,0xf<span class="o">(</span>%rsp<span class="o">)</span> + 0x0000555555555870 <+64>: lea 0x9<span class="o">(</span>%rsp<span class="o">)</span>,%rdi + 0x0000555555555875 <+69>: lea 0x1943<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x5555555571bf</span> 0x000055555555587c <+76>: call 0x555555555b31 <strings_not_equal> - 0x0000555555555881 <+81>: test %eax,%eax + 0x0000555555555881 <+81>: <span class="nb">test</span> %eax,%eax 0x0000555555555883 <+83>: jne 0x555555555892 <phase_5+98> - 0x0000555555555885 <+85>: add $0x10,%rsp + 0x0000555555555885 <+85>: add <span class="nv">$0</span>x10,%rsp 0x0000555555555889 <+89>: pop %rbx 0x000055555555588a <+90>: ret 0x000055555555588b <+91>: call 0x555555555d4a <explode_bomb> @@ -3880,17 +3937,20 @@ Dump of assembler code for function phase_5: 0x0000555555555892 <+98>: call 0x555555555d4a <explode_bomb> 0x0000555555555897 <+103>: jmp 0x555555555885 <phase_5+85> End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> -<pre><code>... +<div class="codehilite"> +<pre><span></span><code>... 0x000055555555583c <+12>: call 0x555555555b10 <string_length> - 0x0000555555555841 <+17>: cmp $0x6,%eax + 0x0000555555555841 <+17>: cmp <span class="nv">$0</span>x6,%eax 0x0000555555555844 <+20>: jne 0x55555555588b <phase_5+91> ... 0x000055555555588b <+91>: call 0x555555555d4a <explode_bomb> ... </code></pre> +</div> <p>First things first, these instructions check to make sure the passed string is of length 6, otherwise <code>explode_bomb</code> is called.</p> @@ -3914,12 +3974,14 @@ End of assembler dump. <p>We can check the reference string we need, which <code>gdb</code> has marked as <code># 0x5555555571bf</code>, and the lookup table marked as <code># 0x5555555571f0 <array.0></code></p> -<pre><code>(gdb) x/s 0x5555555571bf -0x5555555571bf: "bruins" -(gdb) x/s 0x5555555571f0 -0x5555555571f0 <array.0>: "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?" -(gdb) +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/s 0x5555555571bf +0x5555555571bf: <span class="s2">"bruins"</span> +<span class="o">(</span>gdb<span class="o">)</span> x/s 0x5555555571f0 +0x5555555571f0 <array.0>: <span class="s2">"maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"</span> +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>To summarize the transformation process:</p> @@ -3951,115 +4013,118 @@ s -> g <p>Let us try out this answer:</p> -<pre><code>... -That's number 2. Keep going! +<div class="codehilite"> +<pre><span></span><code>... +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! Halfway there! So you got that one. Try this one. mfcdhg -Breakpoint 1, 0x0000555555555830 in phase_5 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x0000555555555830 <span class="k">in</span> phase_5 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. Good work! On to the next... </code></pre> +</div> <p>Awesome!</p> <h2>Phase 6</h2> -<pre><code>Good work! On to the next... -test string +<div class="codehilite"> +<pre><span></span><code>Good work! On to the next... +<span class="nb">test</span> string -Breakpoint 1, 0x0000555555555899 in phase_6 () -(gdb) disas phase_6 -Dump of assembler code for function phase_6: -=> 0x0000555555555899 <+0>: endbr64 +Breakpoint <span class="m">1</span>, 0x0000555555555899 <span class="k">in</span> phase_6 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas phase_6 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_6: +<span class="o">=</span>> 0x0000555555555899 <+0>: endbr64 0x000055555555589d <+4>: push %r15 0x000055555555589f <+6>: push %r14 0x00005555555558a1 <+8>: push %r13 0x00005555555558a3 <+10>: push %r12 0x00005555555558a5 <+12>: push %rbp 0x00005555555558a6 <+13>: push %rbx - 0x00005555555558a7 <+14>: sub $0x68,%rsp - 0x00005555555558ab <+18>: lea 0x40(%rsp),%rax + 0x00005555555558a7 <+14>: sub <span class="nv">$0</span>x68,%rsp + 0x00005555555558ab <+18>: lea 0x40<span class="o">(</span>%rsp<span class="o">)</span>,%rax 0x00005555555558b0 <+23>: mov %rax,%r14 - 0x00005555555558b3 <+26>: mov %rax,0x8(%rsp) + 0x00005555555558b3 <+26>: mov %rax,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x00005555555558b8 <+31>: mov %rax,%rsi 0x00005555555558bb <+34>: call 0x555555555d97 <read_six_numbers> 0x00005555555558c0 <+39>: mov %r14,%r12 - 0x00005555555558c3 <+42>: mov $0x1,%r15d + 0x00005555555558c3 <+42>: mov <span class="nv">$0</span>x1,%r15d 0x00005555555558c9 <+48>: mov %r14,%r13 0x00005555555558cc <+51>: jmp 0x555555555997 <phase_6+254> 0x00005555555558d1 <+56>: call 0x555555555d4a <explode_bomb> 0x00005555555558d6 <+61>: jmp 0x5555555559a9 <phase_6+272> - 0x00005555555558db <+66>: add $0x1,%rbx - 0x00005555555558df <+70>: cmp $0x5,%ebx + 0x00005555555558db <+66>: add <span class="nv">$0</span>x1,%rbx + 0x00005555555558df <+70>: cmp <span class="nv">$0</span>x5,%ebx 0x00005555555558e2 <+73>: jg 0x55555555598f <phase_6+246> - 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax - 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) + 0x00005555555558e8 <+79>: mov 0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax + 0x00005555555558ed <+84>: cmp %eax,0x0<span class="o">(</span>%rbp<span class="o">)</span> 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> 0x00005555555558f2 <+89>: call 0x555555555d4a <explode_bomb> 0x00005555555558f7 <+94>: jmp 0x5555555558db <phase_6+66> - 0x00005555555558f9 <+96>: mov 0x8(%rsp),%rdx - 0x00005555555558fe <+101>: add $0x18,%rdx - 0x0000555555555902 <+105>: mov $0x7,%ecx + 0x00005555555558f9 <+96>: mov 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x00005555555558fe <+101>: add <span class="nv">$0</span>x18,%rdx + 0x0000555555555902 <+105>: mov <span class="nv">$0</span>x7,%ecx 0x0000555555555907 <+110>: mov %ecx,%eax - 0x0000555555555909 <+112>: sub (%r12),%eax - 0x000055555555590d <+116>: mov %eax,(%r12) - 0x0000555555555911 <+120>: add $0x4,%r12 + 0x0000555555555909 <+112>: sub <span class="o">(</span>%r12<span class="o">)</span>,%eax + 0x000055555555590d <+116>: mov %eax,<span class="o">(</span>%r12<span class="o">)</span> + 0x0000555555555911 <+120>: add <span class="nv">$0</span>x4,%r12 0x0000555555555915 <+124>: cmp %r12,%rdx 0x0000555555555918 <+127>: jne 0x555555555907 <phase_6+110> - 0x000055555555591a <+129>: mov $0x0,%esi - 0x000055555555591f <+134>: mov 0x40(%rsp,%rsi,4),%ecx - 0x0000555555555923 <+138>: mov $0x1,%eax - 0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1> ---Type <RET> for more, q to quit, c to continue without paging-- - 0x000055555555592f <+150>: cmp $0x1,%ecx + 0x000055555555591a <+129>: mov <span class="nv">$0</span>x0,%esi + 0x000055555555591f <+134>: mov 0x40<span class="o">(</span>%rsp,%rsi,4<span class="o">)</span>,%ecx + 0x0000555555555923 <+138>: mov <span class="nv">$0</span>x1,%eax + 0x0000555555555928 <+143>: lea 0x3d01<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 0x555555559630 <node1></span> +--Type <RET> <span class="k">for</span> more, q to quit, c to <span class="k">continue</span> without paging-- + 0x000055555555592f <+150>: cmp <span class="nv">$0</span>x1,%ecx 0x0000555555555932 <+153>: jle 0x55555555593f <phase_6+166> - 0x0000555555555934 <+155>: mov 0x8(%rdx),%rdx - 0x0000555555555938 <+159>: add $0x1,%eax + 0x0000555555555934 <+155>: mov 0x8<span class="o">(</span>%rdx<span class="o">)</span>,%rdx + 0x0000555555555938 <+159>: add <span class="nv">$0</span>x1,%eax 0x000055555555593b <+162>: cmp %ecx,%eax 0x000055555555593d <+164>: jne 0x555555555934 <phase_6+155> - 0x000055555555593f <+166>: mov %rdx,0x10(%rsp,%rsi,8) - 0x0000555555555944 <+171>: add $0x1,%rsi - 0x0000555555555948 <+175>: cmp $0x6,%rsi + 0x000055555555593f <+166>: mov %rdx,0x10<span class="o">(</span>%rsp,%rsi,8<span class="o">)</span> + 0x0000555555555944 <+171>: add <span class="nv">$0</span>x1,%rsi + 0x0000555555555948 <+175>: cmp <span class="nv">$0</span>x6,%rsi 0x000055555555594c <+179>: jne 0x55555555591f <phase_6+134> - 0x000055555555594e <+181>: mov 0x10(%rsp),%rbx - 0x0000555555555953 <+186>: mov 0x18(%rsp),%rax - 0x0000555555555958 <+191>: mov %rax,0x8(%rbx) - 0x000055555555595c <+195>: mov 0x20(%rsp),%rdx - 0x0000555555555961 <+200>: mov %rdx,0x8(%rax) - 0x0000555555555965 <+204>: mov 0x28(%rsp),%rax - 0x000055555555596a <+209>: mov %rax,0x8(%rdx) - 0x000055555555596e <+213>: mov 0x30(%rsp),%rdx - 0x0000555555555973 <+218>: mov %rdx,0x8(%rax) - 0x0000555555555977 <+222>: mov 0x38(%rsp),%rax - 0x000055555555597c <+227>: mov %rax,0x8(%rdx) - 0x0000555555555980 <+231>: movq $0x0,0x8(%rax) - 0x0000555555555988 <+239>: mov $0x5,%ebp + 0x000055555555594e <+181>: mov 0x10<span class="o">(</span>%rsp<span class="o">)</span>,%rbx + 0x0000555555555953 <+186>: mov 0x18<span class="o">(</span>%rsp<span class="o">)</span>,%rax + 0x0000555555555958 <+191>: mov %rax,0x8<span class="o">(</span>%rbx<span class="o">)</span> + 0x000055555555595c <+195>: mov 0x20<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x0000555555555961 <+200>: mov %rdx,0x8<span class="o">(</span>%rax<span class="o">)</span> + 0x0000555555555965 <+204>: mov 0x28<span class="o">(</span>%rsp<span class="o">)</span>,%rax + 0x000055555555596a <+209>: mov %rax,0x8<span class="o">(</span>%rdx<span class="o">)</span> + 0x000055555555596e <+213>: mov 0x30<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x0000555555555973 <+218>: mov %rdx,0x8<span class="o">(</span>%rax<span class="o">)</span> + 0x0000555555555977 <+222>: mov 0x38<span class="o">(</span>%rsp<span class="o">)</span>,%rax + 0x000055555555597c <+227>: mov %rax,0x8<span class="o">(</span>%rdx<span class="o">)</span> + 0x0000555555555980 <+231>: movq <span class="nv">$0</span>x0,0x8<span class="o">(</span>%rax<span class="o">)</span> + 0x0000555555555988 <+239>: mov <span class="nv">$0</span>x5,%ebp 0x000055555555598d <+244>: jmp 0x5555555559c4 <phase_6+299> - 0x000055555555598f <+246>: add $0x1,%r15 - 0x0000555555555993 <+250>: add $0x4,%r14 + 0x000055555555598f <+246>: add <span class="nv">$0</span>x1,%r15 + 0x0000555555555993 <+250>: add <span class="nv">$0</span>x4,%r14 0x0000555555555997 <+254>: mov %r14,%rbp - 0x000055555555599a <+257>: mov (%r14),%eax - 0x000055555555599d <+260>: sub $0x1,%eax - 0x00005555555559a0 <+263>: cmp $0x5,%eax + 0x000055555555599a <+257>: mov <span class="o">(</span>%r14<span class="o">)</span>,%eax + 0x000055555555599d <+260>: sub <span class="nv">$0</span>x1,%eax + 0x00005555555559a0 <+263>: cmp <span class="nv">$0</span>x5,%eax 0x00005555555559a3 <+266>: ja 0x5555555558d1 <phase_6+56> - 0x00005555555559a9 <+272>: cmp $0x5,%r15d + 0x00005555555559a9 <+272>: cmp <span class="nv">$0</span>x5,%r15d 0x00005555555559ad <+276>: jg 0x5555555558f9 <phase_6+96> 0x00005555555559b3 <+282>: mov %r15,%rbx 0x00005555555559b6 <+285>: jmp 0x5555555558e8 <phase_6+79> - 0x00005555555559bb <+290>: mov 0x8(%rbx),%rbx - 0x00005555555559bf <+294>: sub $0x1,%ebp + 0x00005555555559bb <+290>: mov 0x8<span class="o">(</span>%rbx<span class="o">)</span>,%rbx + 0x00005555555559bf <+294>: sub <span class="nv">$0</span>x1,%ebp 0x00005555555559c2 <+297>: je 0x5555555559d5 <phase_6+316> - 0x00005555555559c4 <+299>: mov 0x8(%rbx),%rax - 0x00005555555559c8 <+303>: mov (%rax),%eax - 0x00005555555559ca <+305>: cmp %eax,(%rbx) ---Type <RET> for more, q to quit, c to continue without paging-- + 0x00005555555559c4 <+299>: mov 0x8<span class="o">(</span>%rbx<span class="o">)</span>,%rax + 0x00005555555559c8 <+303>: mov <span class="o">(</span>%rax<span class="o">)</span>,%eax + 0x00005555555559ca <+305>: cmp %eax,<span class="o">(</span>%rbx<span class="o">)</span> +--Type <RET> <span class="k">for</span> more, q to quit, c to <span class="k">continue</span> without paging-- 0x00005555555559cc <+307>: jge 0x5555555559bb <phase_6+290> 0x00005555555559ce <+309>: call 0x555555555d4a <explode_bomb> 0x00005555555559d3 <+314>: jmp 0x5555555559bb <phase_6+290> - 0x00005555555559d5 <+316>: add $0x68,%rsp + 0x00005555555559d5 <+316>: add <span class="nv">$0</span>x68,%rsp 0x00005555555559d9 <+320>: pop %rbx 0x00005555555559da <+321>: pop %rbp 0x00005555555559db <+322>: pop %r12 @@ -4068,19 +4133,21 @@ Dump of assembler code for function phase_6: 0x00005555555559e1 <+328>: pop %r15 0x00005555555559e3 <+330>: ret End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>Again, we see the familiar <code>read_six_digits</code> function.</p> -<p>Let us analyse this function in chunks:</p> - -<pre><code> 0x00005555555558bb <+34>: call 0x555555555d97 <read_six_numbers> +<p>Let us analyse this function in chunks: + <div class="codehilite"> + <pre><span></span><code>0x00005555555558bb <+34>: call 0x555555555d97 <read<em>six</em>numbers> 0x00005555555558c0 <+39>: mov %r14,%r12 - 0x00005555555558c3 <+42>: mov $0x1,%r15d + 0x00005555555558c3 <+42>: mov <span class="nv">$0</span>x1,%r15d 0x00005555555558c9 <+48>: mov %r14,%r13 0x00005555555558cc <+51>: jmp 0x555555555997 <phase_6+254> -</code></pre> + </code></pre> + </div></p> <ol> <li>Read six numbers</li> @@ -4088,18 +4155,17 @@ End of assembler dump. 2.1. <code>mov %r14,%r12</code>: <code>%r14</code> should be pointing to the location of the stack where the numbers were read into. This address is copied onto <code>%r12</code> 2.2. <code>mov $0x1,%r15d</code>: The value <code>1</code> is moved into <code>%r15</code> register (probably acting like a counter) 2.3. <code>mov %r14,%r13</code>: The value is also copied to <code>%r13</code></li> -<li>Jump to start of loop:</li> -</ol> +<li><p>Jump to start of loop:</p> -<pre><code> 0x0000555555555997 <+254>: mov %r14,%rbp - 0x000055555555599a <+257>: mov (%r14),%eax - 0x000055555555599d <+260>: sub $0x1,%eax - 0x00005555555559a0 <+263>: cmp $0x5,%eax - 0x00005555555559a3 <+266>: ja 0x5555555558d1 <phase_6+56> -</code></pre> - -<ol> -<li>Initialise register and point to first number in sequence</li> +<div class="codehilite"> +<pre><span></span><code>0x0000555555555997 <+254>: mov %r14,%rbp +0x000055555555599a <+257>: mov <span class="o">(</span>%r14<span class="o">)</span>,%eax +0x000055555555599d <+260>: sub <span class="nv">$0</span>x1,%eax +0x00005555555559a0 <+263>: cmp <span class="nv">$0</span>x5,%eax +0x00005555555559a3 <+266>: ja 0x5555555558d1 <phase_6+56> +</code></pre> +</div></li> +<li><p>Initialise register and point to first number in sequence</p></li> <li>Adjust number(s): 2.1. <code>mov (%r14),%eax</code> -> load the current number in the sequence 2.2. <code>sub $0x1,%eax</code> -> decrement number by 1</li> @@ -4108,36 +4174,40 @@ End of assembler dump. 3.2. <code>ja 0x5555555558d1 <phase_6+56></code>: jump if given value is > 5 or < 0</li> </ol> -<p>=> All numbers should be between 1 and 6.</p> - -<pre><code> 0x00005555555559a9 <+272>: cmp $0x5,%r15d +<p>=> All numbers should be between 1 and 6. + <div class="codehilite"> + <pre><span></span><code>0x00005555555559a9 <+272>: cmp <span class="nv">$0</span>x5,%r15d 0x00005555555559ad <+276>: jg 0x5555555558f9 <phase_6+96> -</code></pre> - -<p>This checks if the value stored in <code>%r15</code> is > 5, if it is then it jumps somewhere else. This validates our assumption that <code>%r15</code> is acting as a counter.</p> + </code></pre> + </div></p> -<pre><code> 0x00005555555559b3 <+282>: mov %r15,%rbx +<p>This checks if the value stored in <code>%r15</code> is > 5, if it is then it jumps somewhere else. This validates our assumption that <code>%r15</code> is acting as a counter. + <div class="codehilite"> + <pre><span></span><code>0x00005555555559b3 <+282>: mov %r15,%rbx 0x00005555555559b6 <+285>: jmp 0x5555555558e8 <phase_6+79> -</code></pre> - -<p>Let us jump to +79</p> - -<pre><code> 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax - 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) - 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> - 0x00005555555558f2 <+89>: call 0x555555555d4a <explode_bomb> + </code></pre> + </div></p> + +<p>Let us jump to +79 + <div class="codehilite"> + <pre><span></span><code>0x00005555555558e8 <+79>: mov 0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax + 0x00005555555558ed <+84>: cmp %eax,0x0<span class="o">(</span>%rbp<span class="o">)</span> + 0x00005555555558f0 <+87>: jne 0x5555555558db <phase<em>6+66> + 0x00005555555558f2 <+89>: call 0x555555555d4a <explode</em>bomb> 0x00005555555558f7 <+94>: jmp 0x5555555558db <phase_6+66> -</code></pre> - -<p>This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique</p> - -<pre><code> 0x00005555555558db <+66>: add $0x1,%rbx // Increments by 1 - 0x00005555555558df <+70>: cmp $0x5,%ebx - 0x00005555555558e2 <+73>: jg 0x55555555598f <phase_6+246> // Jump if > 5 (Loop iterations are complete) - 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax - 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) - 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> // Again, check if the number being seen is unique -</code></pre> + </code></pre> + </div></p> + +<p>This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique + <div class="codehilite"> + <pre><span></span><code>0x00005555555558db <+66>: add <span class="nv">$0</span>x1,%rbx // Increments by <span class="m">1</span> + 0x00005555555558df <+70>: cmp <span class="nv">$0</span>x5,%ebx + 0x00005555555558e2 <+73>: jg 0x55555555598f <phase<em>6+246> // Jump <span class="k">if</span> > <span class="m">5</span> <span class="o">(</span>Loop iterations are <span class="nb">complete</span><span class="o">)</span> + 0x00005555555558e8 <+79>: mov 0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax + 0x00005555555558ed <+84>: cmp %eax,0x0<span class="o">(</span>%rbp<span class="o">)</span> + 0x00005555555558f0 <+87>: jne 0x5555555558db <phase</em>6+66> // Again, check <span class="k">if</span> the number being seen is unique + </code></pre> + </div></p> <p>Now we know that the numbers are unique, between 1-6 (inclusive).</p> @@ -4147,7 +4217,8 @@ End of assembler dump. <p>Let us try to figure out what <code>0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1></code> is:</p> -<pre><code>(gdb) x/30wx 0x555555559630 +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/30wx 0x555555559630 0x555555559630 <node1>: 0x000000d9 0x00000001 0x55559640 0x00005555 0x555555559640 <node2>: 0x000003ab 0x00000002 0x55559650 0x00005555 0x555555559650 <node3>: 0x0000014f 0x00000003 0x55559660 0x00005555 @@ -4156,7 +4227,7 @@ End of assembler dump. 0x555555559680 <host_table>: 0x555573f5 0x00005555 0x5555740f 0x00005555 0x555555559690 <host_table+16>: 0x55557429 0x00005555 0x00000000 0x00000000 0x5555555596a0 <host_table+32>: 0x00000000 0x00000000 -(gdb) x/30wx 0x555555559120 +<span class="o">(</span>gdb<span class="o">)</span> x/30wx 0x555555559120 0x555555559120 <node6>: 0x000002da 0x00000006 0x00000000 0x00000000 0x555555559130: 0x00000000 0x00000000 0x00000000 0x00000000 0x555555559140 <userid>: 0x61767861 0x38383535 0x00000000 0x00000000 @@ -4165,8 +4236,9 @@ End of assembler dump. 0x555555559170 <userid+48>: 0x00000000 0x00000000 0x00000000 0x00000000 0x555555559180 <userid+64>: 0x00000000 0x00000000 0x00000000 0x00000000 0x555555559190 <userid+80>: 0x00000000 0x00000000 -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>It appears that this is a linked list. With roughly the following structure:</p> @@ -4179,7 +4251,48 @@ End of assembler dump. </code></pre> </div> -<p>Let us convert the values into decimal</p> +<p>Let us convert the values into decimal:</p> + +<pre><code>0x000000d9 -> 217 +0x000003ab -> 939 +0x0000014f -> 335 +0x000000a1 -> 161 +0x000001b3 -> 435 +0x000002da -> 730 +</code></pre> + +<p><strong>Missing Notes</strong></p> + +<p>To re-arrange this linked list in descending order, we would arrange it as follows:</p> + +<pre><code>Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4 +</code></pre> + +<p>Since we also need to apply the transformation: <code>7 - x</code>:</p> + +<pre><code>(7-2) -> (7-6) -> ... -> (7-4) +</code></pre> + +<p>Final answer: <code>5 1 2 4 6 3</code></p> + +<p>Let us try the answer:</p> + +<pre><code>... +That's number 2. Keep going! +Halfway there! +So you got that one. Try this one. +Good work! On to the next... +5 1 2 4 6 3 + +Breakpoint 1, 0x0000555555555899 in phase_6 () +(gdb) continue +Continuing. +Congratulations! You've defused the bomb! +Your instructor has been notified and will verify your solution. +[Inferior 1 (process 1754) exited normally] +</code></pre> + +<p>But, what about the secret phase?</p> ]]></content:encoded> </item> diff --git a/docs/index.html b/docs/index.html index f743eee..9b60636 100644 --- a/docs/index.html +++ b/docs/index.html @@ -59,9 +59,9 @@ <ul> - <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab Phases 1-5</a></li> + <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab</a></li> <ul> - <li>Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2</li> + <li>Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2</li> <li>Published On: 2023-10-04 13:12</li> <li>Tags: diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html index 26c1e53..226487f 100644 --- a/docs/posts/2023-10-04-bomb-lab.html +++ b/docs/posts/2023-10-04-bomb-lab.html @@ -6,16 +6,16 @@ <link rel="stylesheet" href="/assets/sakura.css" /> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> - <title>Bomb Lab Phases 1-5</title> + <title>Bomb Lab</title> <meta name="og:site_name" content="Navan Chauhan" /> <link rel="canonical" href="https://web.navan.dev/" /> <meta name="twitter:url" content="https://web.navan.dev/" /> <meta name="og:url" content="https://web.navan.dev/" /> - <meta name="twitter:title" content="Bomb Lab Phases 1-5" /> - <meta name="og:title" content="Bomb Lab Phases 1-5" /> - <meta name="description" content="Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2" /> - <meta name="twitter:description" content="Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2" /> - <meta name="og:description" content="Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2" /> + <meta name="twitter:title" content="Bomb Lab" /> + <meta name="og:title" content="Bomb Lab" /> + <meta name="description" content="Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2" /> + <meta name="twitter:description" content="Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2" /> + <meta name="og:description" content="Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="shortcut icon" href="/images/favicon.png" type="image/png" /> @@ -54,134 +54,153 @@ <main> - <h1>Bomb Lab Phases 1-5</h1> + <h1>Bomb Lab</h1> <h2>Introduction</h2> -<p>Lab 2 for CSCI 2400 - Computer Systems. </p> +<p>Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems</p> -<p>I like using objdump to disassemble the code and see a broad overview of what is happening. </p> +<blockquote> + <p>The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.</p> +</blockquote> + +<blockquote> + <p>There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!</p> +</blockquote> + +<p>I like using objdump to disassemble the code and get a broad overview of what is happening before I start. </p> <p><code>objdump -d bomb > dis.txt</code></p> +<p><em>Note: I am not sure about the history of the bomb lab. I think it started at CMU.</em></p> + <h2>Phase 1</h2> -<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 -Copyright (C) 2022 Free Software Foundation, Inc. -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +<div class="codehilite"> +<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex <span class="s1">'break phase_1'</span> -ex <span class="s1">'break explode_bomb'</span> -ex <span class="s1">'run'</span> ./bomb +GNU gdb <span class="o">(</span>Ubuntu <span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span> <span class="m">12</span>.1 +Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2022</span> Free Software Foundation, Inc. +License GPLv3+: GNU GPL version <span class="m">3</span> or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. -Type "show copying" and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -Type "show configuration" for configuration details. +Type <span class="s2">"show copying"</span> and <span class="s2">"show warranty"</span> <span class="k">for</span> details. +This GDB was configured as <span class="s2">"x86_64-linux-gnu"</span>. +Type <span class="s2">"show configuration"</span> <span class="k">for</span> configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. -For help, type "help". -Type "apropos word" to search for commands related to "word"... +For help, <span class="nb">type</span> <span class="s2">"help"</span>. +Type <span class="s2">"apropos word"</span> to search <span class="k">for</span> commands related to <span class="s2">"word"</span>... Reading symbols from ./bomb... -Breakpoint 1 at 0x15c7 -Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". -Welcome to my fiendish little bomb. You have 6 phases with +Breakpoint <span class="m">1</span> at 0x15c7 +Breakpoint <span class="m">2</span> at 0x1d4a +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb +<span class="o">[</span>Thread debugging using libthread_db enabled<span class="o">]</span> +Using host libthread_db library <span class="s2">"/lib/x86_64-linux-gnu/libthread_db.so.1"</span>. +Welcome to my fiendish little bomb. You have <span class="m">6</span> phases with which to blow yourself up. Have a nice day! -test string - -Breakpoint 1, 0x00005555555555c7 in phase_1 () -(gdb) dias phase_1 -Undefined command: "dias". Try "help". -(gdb) disas phase_1 -Dump of assembler code for function phase_1: -=> 0x00005555555555c7 <+0>: endbr64 - 0x00005555555555cb <+4>: sub $0x8,%rsp - 0x00005555555555cf <+8>: lea 0x1b7a(%rip),%rsi # 0x555555557150 +<span class="nb">test</span> string + +Breakpoint <span class="m">1</span>, 0x00005555555555c7 <span class="k">in</span> phase_1 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> dias phase_1 +Undefined command: <span class="s2">"dias"</span>. Try <span class="s2">"help"</span>. +<span class="o">(</span>gdb<span class="o">)</span> disas phase_1 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_1: +<span class="o">=</span>> 0x00005555555555c7 <+0>: endbr64 + 0x00005555555555cb <+4>: sub <span class="nv">$0</span>x8,%rsp + 0x00005555555555cf <+8>: lea 0x1b7a<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x555555557150</span> 0x00005555555555d6 <+15>: call 0x555555555b31 <strings_not_equal> - 0x00005555555555db <+20>: test %eax,%eax + 0x00005555555555db <+20>: <span class="nb">test</span> %eax,%eax 0x00005555555555dd <+22>: jne 0x5555555555e4 <phase_1+29> - 0x00005555555555df <+24>: add $0x8,%rsp + 0x00005555555555df <+24>: add <span class="nv">$0</span>x8,%rsp 0x00005555555555e3 <+28>: ret 0x00005555555555e4 <+29>: call 0x555555555d4a <explode_bomb> 0x00005555555555e9 <+34>: jmp 0x5555555555df <phase_1+24> End of assembler dump. -(gdb) print 0x555555557150 -$1 = 93824992244048 -(gdb) x/1s 0x555555557150 -0x555555557150: "Controlling complexity is the essence of computer programming." -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> print 0x555555557150 +<span class="nv">$1</span> <span class="o">=</span> <span class="m">93824992244048</span> +<span class="o">(</span>gdb<span class="o">)</span> x/1s 0x555555557150 +0x555555557150: <span class="s2">"Controlling complexity is the essence of computer programming."</span> +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <h2>Phase 2</h2> -<pre><code>Phase 1 defused. How about the next one? -1 2 3 4 5 6 +<div class="codehilite"> +<pre><span></span><code>Phase <span class="m">1</span> defused. How about the next one? +<span class="m">1</span> <span class="m">2</span> <span class="m">3</span> <span class="m">4</span> <span class="m">5</span> <span class="m">6</span> -Breakpoint 1, 0x00005555555555eb in phase_2 () -(gdb) disas -Dump of assembler code for function phase_2: -=> 0x00005555555555eb <+0>: endbr64 +Breakpoint <span class="m">1</span>, 0x00005555555555eb <span class="k">in</span> phase_2 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_2: +<span class="o">=</span>> 0x00005555555555eb <+0>: endbr64 0x00005555555555ef <+4>: push %rbp 0x00005555555555f0 <+5>: push %rbx - 0x00005555555555f1 <+6>: sub $0x28,%rsp + 0x00005555555555f1 <+6>: sub <span class="nv">$0</span>x28,%rsp 0x00005555555555f5 <+10>: mov %rsp,%rsi 0x00005555555555f8 <+13>: call 0x555555555d97 <read_six_numbers> - 0x00005555555555fd <+18>: cmpl $0x0,(%rsp) + 0x00005555555555fd <+18>: cmpl <span class="nv">$0</span>x0,<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34> 0x0000555555555603 <+24>: mov %rsp,%rbp - 0x0000555555555606 <+27>: mov $0x1,%ebx + 0x0000555555555606 <+27>: mov <span class="nv">$0</span>x1,%ebx 0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> 0x000055555555560d <+34>: call 0x555555555d4a <explode_bomb> 0x0000555555555612 <+39>: jmp 0x555555555603 <phase_2+24> - 0x0000555555555614 <+41>: add $0x1,%ebx - 0x0000555555555617 <+44>: add $0x4,%rbp - 0x000055555555561b <+48>: cmp $0x6,%ebx + 0x0000555555555614 <+41>: add <span class="nv">$0</span>x1,%ebx + 0x0000555555555617 <+44>: add <span class="nv">$0</span>x4,%rbp + 0x000055555555561b <+48>: cmp <span class="nv">$0</span>x6,%ebx 0x000055555555561e <+51>: je 0x555555555631 <phase_2+70> 0x0000555555555620 <+53>: mov %ebx,%eax - 0x0000555555555622 <+55>: add 0x0(%rbp),%eax - 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) + 0x0000555555555622 <+55>: add 0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax + 0x0000555555555625 <+58>: cmp %eax,0x4<span class="o">(</span>%rbp<span class="o">)</span> 0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41> 0x000055555555562a <+63>: call 0x555555555d4a <explode_bomb> 0x000055555555562f <+68>: jmp 0x555555555614 <phase_2+41> - 0x0000555555555631 <+70>: add $0x28,%rsp + 0x0000555555555631 <+70>: add <span class="nv">$0</span>x28,%rsp 0x0000555555555635 <+74>: pop %rbx 0x0000555555555636 <+75>: pop %rbp 0x0000555555555637 <+76>: ret End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> -<pre><code> 0x00005555555555fd <+18>: cmpl $0x0,(%rsp) +<div class="codehilite"> +<pre><span></span><code> 0x00005555555555fd <+18>: cmpl <span class="nv">$0</span>x0,<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34> ... 0x000055555555560d <+34>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> -<p>The program first compares if the first number is not 0. If the number is not 0, then the <code>cmpl</code> instruction returns a negative value. The <code>js</code> instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.</p> - -<pre><code> 0x0000555555555603 <+24>: mov %rsp,%rbp - 0x0000555555555606 <+27>: mov $0x1,%ebx -</code></pre> +<p>The program first compares if the first number is not 0. If the number is not 0, then the <code>cmpl</code> instruction returns a negative value. The <code>js</code> instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555603 <+24>: mov %rsp,%rbp + 0x0000555555555606 <+27>: mov <span class="nv">$0</span>x1,%ebx + </code></pre> + </div></p> <p><code>%rsp</code> in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (<code>%rsp</code>) contains the address of the first number.</p> <p>By executing <code>mov %rsp,%rbp</code> we are setting the base pointer (<code>%rbp</code>) to point to this address.</p> -<p>Now, for the second instruction <code>mov $0x1,%ebx</code>, we are initalising the <code>%ebx</code> register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.</p> - -<pre><code> 0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> -</code></pre> - -<p>The program now jumps to <phase_2+53></p> - -<pre><code> 0x0000555555555620 <+53>: mov %ebx,%eax - 0x0000555555555622 <+55>: add 0x0(%rbp),%eax - 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) +<p>Now, for the second instruction <code>mov $0x1,%ebx</code>, we are initalising the <code>%ebx</code> register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop. + <div class="codehilite"> + <pre><span></span><code>0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53> + </code></pre> + </div></p> + +<p>The program now jumps to <phase_2+53> + <div class="codehilite"> + <pre><span></span><code>0x0000555555555620 <+53>: mov %ebx,%eax + 0x0000555555555622 <+55>: add 0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax + 0x0000555555555625 <+58>: cmp %eax,0x4<span class="o">(</span>%rbp<span class="o">)</span> 0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41> -</code></pre> + </code></pre> + </div></p> <p>Here, the value from <code>%ebx</code> is copied to the <code>%eax</code> register. For this iteration, the value should be 1.</p> @@ -189,17 +208,18 @@ End of assembler dump. <p><code>cmp %eax,0x4(%rbp)</code> - The instruction compares the value in %eax to the value at the memory address <code>%rbp + 4</code>. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.</p> -<p><code>je 0x555555555614 <phase_2+41></code> - The program will jump to <code>phase_2+41</code> if the previous <code>cmp</code> instruction determined the values as equal. </p> - -<pre><code> 0x0000555555555614 <+41>: add $0x1,%ebx - 0x0000555555555617 <+44>: add $0x4,%rbp - 0x000055555555561b <+48>: cmp $0x6,%ebx - 0x000055555555561e <+51>: je 0x555555555631 <phase_2+70> +<p><code>je 0x555555555614 <phase_2+41></code> - The program will jump to <code>phase_2+41</code> if the previous <code>cmp</code> instruction determined the values as equal. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555614 <+41>: add <span class="nv">$0</span>x1,%ebx + 0x0000555555555617 <+44>: add <span class="nv">$0</span>x4,%rbp + 0x000055555555561b <+48>: cmp <span class="nv">$0</span>x6,%ebx + 0x000055555555561e <+51>: je 0x555555555631 <phase<em>2+70> 0x0000555555555620 <+53>: mov %ebx,%eax - 0x0000555555555622 <+55>: add 0x0(%rbp),%eax - 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) - 0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41> -</code></pre> + 0x0000555555555622 <+55>: add 0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax + 0x0000555555555625 <+58>: cmp %eax,0x4<span class="o">(</span>%rbp<span class="o">)</span> + 0x0000555555555628 <+61>: je 0x555555555614 <phase</em>2+41> + </code></pre> + </div></p> <p>Here, we can see that the program increments <code>%ebx</code> by 1, adds a 4 byte offset to <code>%rbp</code> (the number we will be matching now), and checks if <code>%ebx</code> is equal to 6. If it is, it breaks the loop and jumps to <code><phase_2+70></code> succesfully finishing this stage.</p> @@ -214,208 +234,223 @@ End of assembler dump. <li>6th number = 10 (prev value) + 5 = 15</li> </ul> -<pre><code>... -Phase 1 defused. How about the next one? -0 1 3 6 10 15 +<div class="codehilite"> +<pre><span></span><code>... +Phase <span class="m">1</span> defused. How about the next one? +<span class="m">0</span> <span class="m">1</span> <span class="m">3</span> <span class="m">6</span> <span class="m">10</span> <span class="m">15</span> -Breakpoint 1, 0x00005555555555eb in phase_2 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x00005555555555eb <span class="k">in</span> phase_2 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. -That's number 2. Keep going! +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! </code></pre> +</div> <h2>Phase 3</h2> <p>Let us look at the disassembled code first</p> -<pre><code>0000000000001638 <phase_3>: - 1638: f3 0f 1e fa endbr64 - 163c: 48 83 ec 18 sub $0x18,%rsp - 1640: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx - 1645: 48 8d 54 24 0c lea 0xc(%rsp),%rdx - 164a: 4c 8d 44 24 08 lea 0x8(%rsp),%r8 - 164f: 48 8d 35 60 1b 00 00 lea 0x1b60(%rip),%rsi # 31b6 <_IO_stdin_used+0x1b6> - 1656: b8 00 00 00 00 mov $0x0,%eax - 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt> - 1660: 83 f8 02 cmp $0x2,%eax - 1663: 7e 20 jle 1685 <phase_3+0x4d> - 1665: 83 7c 24 0c 07 cmpl $0x7,0xc(%rsp) - 166a: 0f 87 0d 01 00 00 ja 177d <phase_3+0x145> - 1670: 8b 44 24 0c mov 0xc(%rsp),%eax - 1674: 48 8d 15 55 1b 00 00 lea 0x1b55(%rip),%rdx # 31d0 <_IO_stdin_used+0x1d0> - 167b: 48 63 04 82 movslq (%rdx,%rax,4),%rax - 167f: 48 01 d0 add %rdx,%rax - 1682: 3e ff e0 notrack jmp *%rax - 1685: e8 c0 06 00 00 call 1d4a <explode_bomb> - 168a: eb d9 jmp 1665 <phase_3+0x2d> - 168c: b8 63 00 00 00 mov $0x63,%eax - 1691: 81 7c 24 08 3d 02 00 cmpl $0x23d,0x8(%rsp) - 1698: 00 - 1699: 0f 84 e8 00 00 00 je 1787 <phase_3+0x14f> - 169f: e8 a6 06 00 00 call 1d4a <explode_bomb> - 16a4: b8 63 00 00 00 mov $0x63,%eax - 16a9: e9 d9 00 00 00 jmp 1787 <phase_3+0x14f> - 16ae: b8 61 00 00 00 mov $0x61,%eax - 16b3: 81 7c 24 08 27 01 00 cmpl $0x127,0x8(%rsp) - 16ba: 00 - 16bb: 0f 84 c6 00 00 00 je 1787 <phase_3+0x14f> - 16c1: e8 84 06 00 00 call 1d4a <explode_bomb> - 16c6: b8 61 00 00 00 mov $0x61,%eax - 16cb: e9 b7 00 00 00 jmp 1787 <phase_3+0x14f> - 16d0: b8 78 00 00 00 mov $0x78,%eax - 16d5: 81 7c 24 08 e7 02 00 cmpl $0x2e7,0x8(%rsp) - 16dc: 00 - 16dd: 0f 84 a4 00 00 00 je 1787 <phase_3+0x14f> - 16e3: e8 62 06 00 00 call 1d4a <explode_bomb> - 16e8: b8 78 00 00 00 mov $0x78,%eax - 16ed: e9 95 00 00 00 jmp 1787 <phase_3+0x14f> - 16f2: b8 64 00 00 00 mov $0x64,%eax - 16f7: 81 7c 24 08 80 02 00 cmpl $0x280,0x8(%rsp) - 16fe: 00 - 16ff: 0f 84 82 00 00 00 je 1787 <phase_3+0x14f> - 1705: e8 40 06 00 00 call 1d4a <explode_bomb> - 170a: b8 64 00 00 00 mov $0x64,%eax - 170f: eb 76 jmp 1787 <phase_3+0x14f> - 1711: b8 6d 00 00 00 mov $0x6d,%eax - 1716: 81 7c 24 08 ff 02 00 cmpl $0x2ff,0x8(%rsp) - 171d: 00 - 171e: 74 67 je 1787 <phase_3+0x14f> - 1720: e8 25 06 00 00 call 1d4a <explode_bomb> - 1725: b8 6d 00 00 00 mov $0x6d,%eax - 172a: eb 5b jmp 1787 <phase_3+0x14f> - 172c: b8 71 00 00 00 mov $0x71,%eax - 1731: 81 7c 24 08 75 03 00 cmpl $0x375,0x8(%rsp) - 1738: 00 - 1739: 74 4c je 1787 <phase_3+0x14f> - 173b: e8 0a 06 00 00 call 1d4a <explode_bomb> - 1740: b8 71 00 00 00 mov $0x71,%eax - 1745: eb 40 jmp 1787 <phase_3+0x14f> - 1747: b8 79 00 00 00 mov $0x79,%eax - 174c: 81 7c 24 08 94 02 00 cmpl $0x294,0x8(%rsp) - 1753: 00 - 1754: 74 31 je 1787 <phase_3+0x14f> - 1756: e8 ef 05 00 00 call 1d4a <explode_bomb> - 175b: b8 79 00 00 00 mov $0x79,%eax - 1760: eb 25 jmp 1787 <phase_3+0x14f> - 1762: b8 79 00 00 00 mov $0x79,%eax - 1767: 81 7c 24 08 88 02 00 cmpl $0x288,0x8(%rsp) - 176e: 00 - 176f: 74 16 je 1787 <phase_3+0x14f> - 1771: e8 d4 05 00 00 call 1d4a <explode_bomb> - 1776: b8 79 00 00 00 mov $0x79,%eax - 177b: eb 0a jmp 1787 <phase_3+0x14f> - 177d: e8 c8 05 00 00 call 1d4a <explode_bomb> - 1782: b8 68 00 00 00 mov $0x68,%eax - 1787: 38 44 24 07 cmp %al,0x7(%rsp) - 178b: 75 05 jne 1792 <phase_3+0x15a> - 178d: 48 83 c4 18 add $0x18,%rsp - 1791: c3 ret - 1792: e8 b3 05 00 00 call 1d4a <explode_bomb> - 1797: eb f4 jmp 178d <phase_3+0x155> +<div class="codehilite"> +<pre><span></span><code><span class="m">0000000000001638</span> <phase_3>: + <span class="m">1638</span>: f3 0f 1e fa endbr64 + 163c: <span class="m">48</span> <span class="m">83</span> ec <span class="m">18</span> sub <span class="nv">$0</span>x18,%rsp + <span class="m">1640</span>: <span class="m">48</span> 8d 4c <span class="m">24</span> <span class="m">07</span> lea 0x7<span class="o">(</span>%rsp<span class="o">)</span>,%rcx + <span class="m">1645</span>: <span class="m">48</span> 8d <span class="m">54</span> <span class="m">24</span> 0c lea 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 164a: 4c 8d <span class="m">44</span> <span class="m">24</span> <span class="m">08</span> lea 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%r8 + 164f: <span class="m">48</span> 8d <span class="m">35</span> <span class="m">60</span> 1b <span class="m">00</span> <span class="m">00</span> lea 0x1b60<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 31b6 <_IO_stdin_used+0x1b6></span> + <span class="m">1656</span>: b8 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x0,%eax + 165b: e8 <span class="m">80</span> <span class="nb">fc</span> ff ff call 12e0 <__isoc99_sscanf@plt> + <span class="m">1660</span>: <span class="m">83</span> f8 <span class="m">02</span> cmp <span class="nv">$0</span>x2,%eax + <span class="m">1663</span>: 7e <span class="m">20</span> jle <span class="m">1685</span> <phase_3+0x4d> + <span class="m">1665</span>: <span class="m">83</span> 7c <span class="m">24</span> 0c <span class="m">07</span> cmpl <span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span> + 166a: 0f <span class="m">87</span> 0d <span class="m">01</span> <span class="m">00</span> <span class="m">00</span> ja 177d <phase_3+0x145> + <span class="m">1670</span>: 8b <span class="m">44</span> <span class="m">24</span> 0c mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax + <span class="m">1674</span>: <span class="m">48</span> 8d <span class="m">15</span> <span class="m">55</span> 1b <span class="m">00</span> <span class="m">00</span> lea 0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 31d0 <_IO_stdin_used+0x1d0></span> + 167b: <span class="m">48</span> <span class="m">63</span> <span class="m">04</span> <span class="m">82</span> movslq <span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax + 167f: <span class="m">48</span> <span class="m">01</span> d0 add %rdx,%rax + <span class="m">1682</span>: 3e ff e0 notrack jmp *%rax + <span class="m">1685</span>: e8 c0 <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 168a: eb d9 jmp <span class="m">1665</span> <phase_3+0x2d> + 168c: b8 <span class="m">63</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x63,%eax + <span class="m">1691</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> 3d <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x23d,0x8<span class="o">(</span>%rsp<span class="o">)</span> + <span class="m">1698</span>: <span class="m">00</span> + <span class="m">1699</span>: 0f <span class="m">84</span> e8 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + 169f: e8 a6 <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 16a4: b8 <span class="m">63</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x63,%eax + 16a9: e9 d9 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> jmp <span class="m">1787</span> <phase_3+0x14f> + 16ae: b8 <span class="m">61</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x61,%eax + 16b3: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">27</span> <span class="m">01</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x127,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 16ba: <span class="m">00</span> + 16bb: 0f <span class="m">84</span> c6 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + 16c1: e8 <span class="m">84</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 16c6: b8 <span class="m">61</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x61,%eax + 16cb: e9 b7 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> jmp <span class="m">1787</span> <phase_3+0x14f> + 16d0: b8 <span class="m">78</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x78,%eax + 16d5: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> e7 <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x2e7,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 16dc: <span class="m">00</span> + 16dd: 0f <span class="m">84</span> a4 <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + 16e3: e8 <span class="m">62</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 16e8: b8 <span class="m">78</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x78,%eax + 16ed: e9 <span class="m">95</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> jmp <span class="m">1787</span> <phase_3+0x14f> + 16f2: b8 <span class="m">64</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x64,%eax + 16f7: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">80</span> <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x280,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 16fe: <span class="m">00</span> + 16ff: 0f <span class="m">84</span> <span class="m">82</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1705</span>: e8 <span class="m">40</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 170a: b8 <span class="m">64</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x64,%eax + 170f: eb <span class="m">76</span> jmp <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1711</span>: b8 6d <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x6d,%eax + <span class="m">1716</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> ff <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x2ff,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 171d: <span class="m">00</span> + 171e: <span class="m">74</span> <span class="m">67</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1720</span>: e8 <span class="m">25</span> <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1725</span>: b8 6d <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x6d,%eax + 172a: eb 5b jmp <span class="m">1787</span> <phase_3+0x14f> + 172c: b8 <span class="m">71</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x71,%eax + <span class="m">1731</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">75</span> <span class="m">03</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x375,0x8<span class="o">(</span>%rsp<span class="o">)</span> + <span class="m">1738</span>: <span class="m">00</span> + <span class="m">1739</span>: <span class="m">74</span> 4c je <span class="m">1787</span> <phase_3+0x14f> + 173b: e8 0a <span class="m">06</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1740</span>: b8 <span class="m">71</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x71,%eax + <span class="m">1745</span>: eb <span class="m">40</span> jmp <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1747</span>: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + 174c: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">94</span> <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x294,0x8<span class="o">(</span>%rsp<span class="o">)</span> + <span class="m">1753</span>: <span class="m">00</span> + <span class="m">1754</span>: <span class="m">74</span> <span class="m">31</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1756</span>: e8 ef <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + 175b: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + <span class="m">1760</span>: eb <span class="m">25</span> jmp <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1762</span>: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + <span class="m">1767</span>: <span class="m">81</span> 7c <span class="m">24</span> <span class="m">08</span> <span class="m">88</span> <span class="m">02</span> <span class="m">00</span> cmpl <span class="nv">$0</span>x288,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 176e: <span class="m">00</span> + 176f: <span class="m">74</span> <span class="m">16</span> je <span class="m">1787</span> <phase_3+0x14f> + <span class="m">1771</span>: e8 d4 <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1776</span>: b8 <span class="m">79</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x79,%eax + 177b: eb 0a jmp <span class="m">1787</span> <phase_3+0x14f> + 177d: e8 c8 <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1782</span>: b8 <span class="m">68</span> <span class="m">00</span> <span class="m">00</span> <span class="m">00</span> mov <span class="nv">$0</span>x68,%eax + <span class="m">1787</span>: <span class="m">38</span> <span class="m">44</span> <span class="m">24</span> <span class="m">07</span> cmp %al,0x7<span class="o">(</span>%rsp<span class="o">)</span> + 178b: <span class="m">75</span> <span class="m">05</span> jne <span class="m">1792</span> <phase_3+0x15a> + 178d: <span class="m">48</span> <span class="m">83</span> c4 <span class="m">18</span> add <span class="nv">$0</span>x18,%rsp + <span class="m">1791</span>: c3 ret + <span class="m">1792</span>: e8 b3 <span class="m">05</span> <span class="m">00</span> <span class="m">00</span> call 1d4a <explode_bomb> + <span class="m">1797</span>: eb f4 jmp 178d <phase_3+0x155> </code></pre> +</div> -<pre><code>... - 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt> +<div class="codehilite"> +<pre><span></span><code>... + 165b: e8 <span class="m">80</span> <span class="nb">fc</span> ff ff call 12e0 <__isoc99_sscanf@plt> ... </code></pre> +</div> <p>We can see that <code>scanf</code> is being called which means we need to figure out what datatype(s) the program is expecting.</p> <p>Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.</p> -<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 -Copyright (C) 2022 Free Software Foundation, Inc. -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +<div class="codehilite"> +<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex <span class="s1">'break phase_3'</span> -ex <span class="s1">'break explode_bomb'</span> -ex <span class="s1">'run'</span> -args ./bomb sol.txt +GNU gdb <span class="o">(</span>Ubuntu <span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span> <span class="m">12</span>.1 +Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2022</span> Free Software Foundation, Inc. +License GPLv3+: GNU GPL version <span class="m">3</span> or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. -Type "show copying" and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -Type "show configuration" for configuration details. +Type <span class="s2">"show copying"</span> and <span class="s2">"show warranty"</span> <span class="k">for</span> details. +This GDB was configured as <span class="s2">"x86_64-linux-gnu"</span>. +Type <span class="s2">"show configuration"</span> <span class="k">for</span> configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. -For help, type "help". -Type "apropos word" to search for commands related to "word"... +For help, <span class="nb">type</span> <span class="s2">"help"</span>. +Type <span class="s2">"apropos word"</span> to search <span class="k">for</span> commands related to <span class="s2">"word"</span>... Reading symbols from ./bomb... -Breakpoint 1 at 0x1638 -Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". -Welcome to my fiendish little bomb. You have 6 phases with +Breakpoint <span class="m">1</span> at 0x1638 +Breakpoint <span class="m">2</span> at 0x1d4a +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +<span class="o">[</span>Thread debugging using libthread_db enabled<span class="o">]</span> +Using host libthread_db library <span class="s2">"/lib/x86_64-linux-gnu/libthread_db.so.1"</span>. +Welcome to my fiendish little bomb. You have <span class="m">6</span> phases with which to blow yourself up. Have a nice day! -Phase 1 defused. How about the next one? -That's number 2. Keep going! +Phase <span class="m">1</span> defused. How about the next one? +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! random string -Breakpoint 1, 0x0000555555555638 in phase_3 () -(gdb) disas -Dump of assembler code for function phase_3: -=> 0x0000555555555638 <+0>: endbr64 - 0x000055555555563c <+4>: sub $0x18,%rsp - 0x0000555555555640 <+8>: lea 0x7(%rsp),%rcx - 0x0000555555555645 <+13>: lea 0xc(%rsp),%rdx - 0x000055555555564a <+18>: lea 0x8(%rsp),%r8 - 0x000055555555564f <+23>: lea 0x1b60(%rip),%rsi # 0x5555555571b6 - 0x0000555555555656 <+30>: mov $0x0,%eax +Breakpoint <span class="m">1</span>, 0x0000555555555638 <span class="k">in</span> phase_3 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_3: +<span class="o">=</span>> 0x0000555555555638 <+0>: endbr64 + 0x000055555555563c <+4>: sub <span class="nv">$0</span>x18,%rsp + 0x0000555555555640 <+8>: lea 0x7<span class="o">(</span>%rsp<span class="o">)</span>,%rcx + 0x0000555555555645 <+13>: lea 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x000055555555564a <+18>: lea 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%r8 + 0x000055555555564f <+23>: lea 0x1b60<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x5555555571b6</span> + 0x0000555555555656 <+30>: mov <span class="nv">$0</span>x0,%eax 0x000055555555565b <+35>: call 0x5555555552e0 <__isoc99_sscanf@plt> - 0x0000555555555660 <+40>: cmp $0x2,%eax + 0x0000555555555660 <+40>: cmp <span class="nv">$0</span>x2,%eax 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77> - 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp) + 0x0000555555555665 <+45>: cmpl <span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325> - 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax - 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0 - 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax + 0x0000555555555670 <+56>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax + 0x0000555555555674 <+60>: lea 0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 0x5555555571d0</span> + 0x000055555555567b <+67>: movslq <span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax 0x000055555555567f <+71>: add %rdx,%rax 0x0000555555555682 <+74>: notrack jmp *%rax 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb> 0x000055555555568a <+82>: jmp 0x555555555665 <phase_3+45> - 0x000055555555568c <+84>: mov $0x63,%eax - 0x0000555555555691 <+89>: cmpl $0x23d,0x8(%rsp) + 0x000055555555568c <+84>: mov <span class="nv">$0</span>x63,%eax + 0x0000555555555691 <+89>: cmpl <span class="nv">$0</span>x23d,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555699 <+97>: je 0x555555555787 <phase_3+335> 0x000055555555569f <+103>: call 0x555555555d4a <explode_bomb> - 0x00005555555556a4 <+108>: mov $0x63,%eax + 0x00005555555556a4 <+108>: mov <span class="nv">$0</span>x63,%eax 0x00005555555556a9 <+113>: jmp 0x555555555787 <phase_3+335> ---Type <RET> for more, q to quit, c to continue without paging-- +--Type <RET> <span class="k">for</span> more, q to quit, c to <span class="k">continue</span> without paging-- </code></pre> +</div> <p><code>gdb</code> has thankfully marked the address which is being passed to <code>scanf</code>. We can access the value:</p> -<pre><code>(gdb) x/1s 0x5555555571b6 -0x5555555571b6: "%d %c %d" -(gdb) +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/1s 0x5555555571b6 +0x5555555571b6: <span class="s2">"%d %c %d"</span> +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>BINGO! The program expects an integer, character, and another integer. Onwards.</p> -<pre><code> 0x0000555555555660 <+40>: cmp $0x2,%eax +<div class="codehilite"> +<pre><span></span><code> 0x0000555555555660 <+40>: cmp <span class="nv">$0</span>x2,%eax 0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77> ... 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> <p>The program checks whether <code>scanf</code> returns a value <= 2, if it does then it calls the <code>explode_bomb</code> function. </p> <p><em>Note: <code>scanf</code> returns the number of fields that were succesfully converted and assigned</em></p> -<pre><code> 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp) +<div class="codehilite"> +<pre><span></span><code> 0x0000555555555665 <+45>: cmpl <span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325> ... 0x000055555555577d <+325>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> -<p>Similarly, the program checks and ensures the returned value is not > 7. </p> - -<pre><code> 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax - 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0 - 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax +<p>Similarly, the program checks and ensures the returned value is not > 7. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555670 <+56>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax + 0x0000555555555674 <+60>: lea 0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 0x5555555571d0</span> + 0x000055555555567b <+67>: movslq <span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax 0x000055555555567f <+71>: add %rdx,%rax 0x0000555555555682 <+74>: notrack jmp *%rax 0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb> -</code></pre> + </code></pre> + </div></p> <ul> <li><code>0x0000555555555670 <+56>: mov 0xc(%rsp),%eax</code> - Moves value located at <code>0xc</code> (12 in Decimal) bytes above the stack pointer to <code>%eax</code> register. </li> @@ -445,137 +480,151 @@ $1 = 3 <p><img src="/assets/bomb-lab/phase-3.png" alt="Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to" /></p> -<p>We can see that this makes us jump to <code><phase_3+186></code> (Continue to step through the code by using <code>ni</code>)</p> - -<pre><code> 0x00005555555556f2 <+186>: mov $0x64,%eax - 0x00005555555556f7 <+191>: cmpl $0x280,0x8(%rsp) - 0x00005555555556ff <+199>: je 0x555555555787 <phase_3+335> - 0x0000555555555705 <+205>: call 0x555555555d4a <explode_bomb> -</code></pre> - -<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code><phase_3+335></code>, otherwise <code>explode_bomb</code> is called.</p> - -<pre><code> 0x0000555555555787 <+335>: cmp %al,0x7(%rsp) - 0x000055555555578b <+339>: jne 0x555555555792 <phase_3+346> - 0x000055555555578d <+341>: add $0x18,%rsp - 0x0000555555555791 <+345>: ret - 0x0000555555555792 <+346>: call 0x555555555d4a <explode_bomb> -</code></pre> +<p>We can see that this makes us jump to <code><phase_3+186></code> (Continue to step through the code by using <code>ni</code>) + <div class="codehilite"> + <pre><span></span><code>0x00005555555556f2 <+186>: mov <span class="nv">$0</span>x64,%eax + 0x00005555555556f7 <+191>: cmpl <span class="nv">$0</span>x280,0x8<span class="o">(</span>%rsp<span class="o">)</span> + 0x00005555555556ff <+199>: je 0x555555555787 <phase<em>3+335> + 0x0000555555555705 <+205>: call 0x555555555d4a <explode</em>bomb> + </code></pre> + </div></p> + +<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code><phase_3+335></code>, otherwise <code>explode_bomb</code> is called. + <div class="codehilite"> + <pre><span></span><code>0x0000555555555787 <+335>: cmp %al,0x7<span class="o">(</span>%rsp<span class="o">)</span> + 0x000055555555578b <+339>: jne 0x555555555792 <phase<em>3+346> + 0x000055555555578d <+341>: add <span class="nv">$0</span>x18,%rsp + 0x0000555555555791 <+345>: ret <br /> + 0x0000555555555792 <+346>: call 0x555555555d4a <explode</em>bomb> + </code></pre> + </div></p> <p>Here, the program is comparing the value of our given character to the value stored in <code>%al</code> (lower 8 bits of <code>EAX</code>), and checks if they are not equal.</p> <p>Knowing that the character is stored at an offset of 7 bytes to <code>%rsp</code>, we can print and check the value by running:</p> -<pre><code>(gdb) x/1cw $rsp+7 +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/1cw <span class="nv">$rsp</span>+7 c -(gdb) print $al -$1 = 100 +<span class="o">(</span>gdb<span class="o">)</span> print <span class="nv">$al</span> +<span class="nv">$1</span> <span class="o">=</span> <span class="m">100</span> </code></pre> +</div> <p>We can simply lookup the <a rel="noopener" target="_blank" href="https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html">ASCII table</a>, and see that 100 in decimal stands for the character <code>d</code>. Let us try this answer:</p> -<pre><code>... -That's number 2. Keep going! -3 d 640 +<div class="codehilite"> +<pre><span></span><code>... +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! +<span class="m">3</span> d <span class="m">640</span> -Breakpoint 1, 0x0000555555555638 in phase_3 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x0000555555555638 <span class="k">in</span> phase_3 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. Halfway there! </code></pre> +</div> <h2>Phase 4</h2> -<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 -Copyright (C) 2022 Free Software Foundation, Inc. -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> +<div class="codehilite"> +<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex <span class="s1">'break phase_4'</span> -ex <span class="s1">'break explode_bomb'</span> -ex <span class="s1">'run'</span> -args ./bomb sol.txt +GNU gdb <span class="o">(</span>Ubuntu <span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span> <span class="m">12</span>.1 +Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2022</span> Free Software Foundation, Inc. +License GPLv3+: GNU GPL version <span class="m">3</span> or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. -Type "show copying" and "show warranty" for details. -This GDB was configured as "x86_64-linux-gnu". -Type "show configuration" for configuration details. +Type <span class="s2">"show copying"</span> and <span class="s2">"show warranty"</span> <span class="k">for</span> details. +This GDB was configured as <span class="s2">"x86_64-linux-gnu"</span>. +Type <span class="s2">"show configuration"</span> <span class="k">for</span> configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. -For help, type "help". -Type "apropos word" to search for commands related to "word"... +For help, <span class="nb">type</span> <span class="s2">"help"</span>. +Type <span class="s2">"apropos word"</span> to search <span class="k">for</span> commands related to <span class="s2">"word"</span>... Reading symbols from ./bomb... -Breakpoint 1 at 0x17d3 -Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt -[Thread debugging using libthread_db enabled] -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". -Welcome to my fiendish little bomb. You have 6 phases with +Breakpoint <span class="m">1</span> at 0x17d3 +Breakpoint <span class="m">2</span> at 0x1d4a +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +<span class="o">[</span>Thread debugging using libthread_db enabled<span class="o">]</span> +Using host libthread_db library <span class="s2">"/lib/x86_64-linux-gnu/libthread_db.so.1"</span>. +Welcome to my fiendish little bomb. You have <span class="m">6</span> phases with which to blow yourself up. Have a nice day! -Phase 1 defused. How about the next one? -That's number 2. Keep going! +Phase <span class="m">1</span> defused. How about the next one? +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! Halfway there! -test string - -Breakpoint 1, 0x00005555555557d3 in phase_4 () -(gdb) disas phase_4 -Dump of assembler code for function phase_4: -=> 0x00005555555557d3 <+0>: endbr64 - 0x00005555555557d7 <+4>: sub $0x18,%rsp - 0x00005555555557db <+8>: lea 0x8(%rsp),%rcx - 0x00005555555557e0 <+13>: lea 0xc(%rsp),%rdx - 0x00005555555557e5 <+18>: lea 0x1bba(%rip),%rsi # 0x5555555573a6 - 0x00005555555557ec <+25>: mov $0x0,%eax +<span class="nb">test</span> string + +Breakpoint <span class="m">1</span>, 0x00005555555557d3 <span class="k">in</span> phase_4 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas phase_4 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_4: +<span class="o">=</span>> 0x00005555555557d3 <+0>: endbr64 + 0x00005555555557d7 <+4>: sub <span class="nv">$0</span>x18,%rsp + 0x00005555555557db <+8>: lea 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%rcx + 0x00005555555557e0 <+13>: lea 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x00005555555557e5 <+18>: lea 0x1bba<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x5555555573a6</span> + 0x00005555555557ec <+25>: mov <span class="nv">$0</span>x0,%eax 0x00005555555557f1 <+30>: call 0x5555555552e0 <__isoc99_sscanf@plt> - 0x00005555555557f6 <+35>: cmp $0x2,%eax + 0x00005555555557f6 <+35>: cmp <span class="nv">$0</span>x2,%eax 0x00005555555557f9 <+38>: jne 0x555555555802 <phase_4+47> - 0x00005555555557fb <+40>: cmpl $0xe,0xc(%rsp) + 0x00005555555557fb <+40>: cmpl <span class="nv">$0</span>xe,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555800 <+45>: jbe 0x555555555807 <phase_4+52> 0x0000555555555802 <+47>: call 0x555555555d4a <explode_bomb> - 0x0000555555555807 <+52>: mov $0xe,%edx - 0x000055555555580c <+57>: mov $0x0,%esi - 0x0000555555555811 <+62>: mov 0xc(%rsp),%edi + 0x0000555555555807 <+52>: mov <span class="nv">$0</span>xe,%edx + 0x000055555555580c <+57>: mov <span class="nv">$0</span>x0,%esi + 0x0000555555555811 <+62>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%edi 0x0000555555555815 <+66>: call 0x555555555799 <func4> - 0x000055555555581a <+71>: cmp $0x2,%eax + 0x000055555555581a <+71>: cmp <span class="nv">$0</span>x2,%eax 0x000055555555581d <+74>: jne 0x555555555826 <phase_4+83> - 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) + 0x000055555555581f <+76>: cmpl <span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> 0x0000555555555826 <+83>: call 0x555555555d4a <explode_bomb> - 0x000055555555582b <+88>: add $0x18,%rsp + 0x000055555555582b <+88>: add <span class="nv">$0</span>x18,%rsp 0x000055555555582f <+92>: ret End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>Again, <code>gdb</code> has marked the string being passed to <code>scanf</code></p> -<pre><code>(gdb) x/1s 0x5555555573a6 -0x5555555573a6: "%d %d" +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/1s 0x5555555573a6 +0x5555555573a6: <span class="s2">"%d %d"</span> </code></pre> +</div> -<p>Okay, so this time we are supposed to enter 2 numbers.</p> - -<pre><code> 0x00005555555557f6 <+35>: cmp $0x2,%eax +<p>Okay, so this time we are supposed to enter 2 numbers. + <div class="codehilite"> + <pre><span></span><code>0x00005555555557f6 <+35>: cmp <span class="nv">$0</span>x2,%eax 0x00005555555557f9 <+38>: jne 0x555555555802 <phase_4+47> -</code></pre> + </code></pre> + </div></p> -<p>Checks if there were 2 values read from calling <code>scanf</code>, if not -> jump to <code><phase_4+47></code> which calls <code><explode_bomb></code>.</p> - -<pre><code> 0x00005555555557fb <+40>: cmpl $0xe,0xc(%rsp) +<p>Checks if there were 2 values read from calling <code>scanf</code>, if not -> jump to <code><phase_4+47></code> which calls <code><explode_bomb></code>. + <div class="codehilite"> + <pre><span></span><code>0x00005555555557fb <+40>: cmpl <span class="nv">$0</span>xe,0xc<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555800 <+45>: jbe 0x555555555807 <phase_4+52> -</code></pre> + </code></pre> + </div></p> <p>Compare <code>0xe</code> (14 in Decimal) and value stored at <code>$rsp</code> + <code>0xc</code> bytes (Decimal 12). If this condition is met (<= 14), jump to <code><phase_4+52></code>. If not, then explode bomb.</p> -<pre><code>... - 0x0000555555555807 <+52>: mov $0xe,%edx - 0x000055555555580c <+57>: mov $0x0,%esi - 0x0000555555555811 <+62>: mov 0xc(%rsp),%edi +<div class="codehilite"> +<pre><span></span><code>... + 0x0000555555555807 <+52>: mov <span class="nv">$0</span>xe,%edx + 0x000055555555580c <+57>: mov <span class="nv">$0</span>x0,%esi + 0x0000555555555811 <+62>: mov 0xc<span class="o">(</span>%rsp<span class="o">)</span>,%edi 0x0000555555555815 <+66>: call 0x555555555799 <func4> - 0x000055555555581a <+71>: cmp $0x2,%eax + 0x000055555555581a <+71>: cmp <span class="nv">$0</span>x2,%eax 0x000055555555581d <+74>: jne 0x555555555826 <phase_4+83> - 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) + 0x000055555555581f <+76>: cmpl <span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> 0x0000555555555826 <+83>: call 0x555555555d4a <explode_bomb> </code></pre> +</div> <ul> <li><code>0x0000555555555815 <+66>: call 0x555555555799 <func4></code> calls another function called <code>func4</code></li> @@ -584,55 +633,59 @@ End of assembler dump. <p>Let us look into <code>func4</code></p> -<pre><code>(gdb) disas func4 -Dump of assembler code for function func4: +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> disas func4 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> func4: 0x0000555555555799 <+0>: endbr64 - 0x000055555555579d <+4>: sub $0x8,%rsp + 0x000055555555579d <+4>: sub <span class="nv">$0</span>x8,%rsp 0x00005555555557a1 <+8>: mov %edx,%ecx 0x00005555555557a3 <+10>: sub %esi,%ecx 0x00005555555557a5 <+12>: shr %ecx 0x00005555555557a7 <+14>: add %esi,%ecx 0x00005555555557a9 <+16>: cmp %edi,%ecx 0x00005555555557ab <+18>: ja 0x5555555557b9 <func4+32> - 0x00005555555557ad <+20>: mov $0x0,%eax + 0x00005555555557ad <+20>: mov <span class="nv">$0</span>x0,%eax 0x00005555555557b2 <+25>: jb 0x5555555557c5 <func4+44> - 0x00005555555557b4 <+27>: add $0x8,%rsp + 0x00005555555557b4 <+27>: add <span class="nv">$0</span>x8,%rsp 0x00005555555557b8 <+31>: ret - 0x00005555555557b9 <+32>: lea -0x1(%rcx),%edx + 0x00005555555557b9 <+32>: lea -0x1<span class="o">(</span>%rcx<span class="o">)</span>,%edx 0x00005555555557bc <+35>: call 0x555555555799 <func4> 0x00005555555557c1 <+40>: add %eax,%eax 0x00005555555557c3 <+42>: jmp 0x5555555557b4 <func4+27> - 0x00005555555557c5 <+44>: lea 0x1(%rcx),%esi + 0x00005555555557c5 <+44>: lea 0x1<span class="o">(</span>%rcx<span class="o">)</span>,%esi 0x00005555555557c8 <+47>: call 0x555555555799 <func4> - 0x00005555555557cd <+52>: lea 0x1(%rax,%rax,1),%eax + 0x00005555555557cd <+52>: lea 0x1<span class="o">(</span>%rax,%rax,1<span class="o">)</span>,%eax 0x00005555555557d1 <+56>: jmp 0x5555555557b4 <func4+27> </code></pre> +</div> <p>This looks like a recursive function :( (I hate recursive functions)</p> <p>Let's annotate the instructions.</p> -<pre><code>endbr64 -sub $0x8,%rsp // subtract 8 bytes from the stack pointer -mov %edx,%ecx // Move the value in register %edx to %ecx -sub %esi,%ecx // Subtract the value in %esi from %ecx -shr %ecx // Right shift the value in %ecx by one bit (dividing the value by 2) -add %esi,%ecx // Add the value in %esi to %ecx +<div class="codehilite"> +<pre><span></span><code>endbr64 +sub <span class="nv">$0</span>x8,%rsp // subtract <span class="m">8</span> bytes from the stack pointer +mov %edx,%ecx // Move the value <span class="k">in</span> register %edx to %ecx +sub %esi,%ecx // Subtract the value <span class="k">in</span> %esi from %ecx +shr %ecx // Right <span class="nb">shift</span> the value <span class="k">in</span> %ecx by one bit <span class="o">(</span>dividing the value by <span class="m">2</span><span class="o">)</span> +add %esi,%ecx // Add the value <span class="k">in</span> %esi to %ecx cmp %edi,%ecx // Compare ja 0x5555555557b9 <func4+32> // If %ecx > %edi -> jump to instruction at offset +32 -mov $0x0,%eax // Move 0 to %eax +mov <span class="nv">$0</span>x0,%eax // Move <span class="m">0</span> to %eax jb 0x5555555557c5 <func4+44> // If %ecx < %edi -> jump to instruction at offset +44. -add $0x8,%rsp // add 8 bytes to the stack pointer -ret // return -lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx +add <span class="nv">$0</span>x8,%rsp // add <span class="m">8</span> bytes to the stack pointer +ret // <span class="k">return</span> +lea -0x1<span class="o">(</span>%rcx<span class="o">)</span>,%edx // LEA of <span class="nv">$rxc</span> - <span class="m">1</span> into <span class="nv">$edx</span> call 0x555555555799 <func4> // Call itself -add %eax,%eax // Double the value in %eax +add %eax,%eax // Double the value <span class="k">in</span> %eax jmp 0x5555555557b4 <func4+27> // jump to the instruction at offset +27 -lea 0x1(%rcx),%esi +lea 0x1<span class="o">(</span>%rcx<span class="o">)</span>,%esi call 0x555555555799 <func4> -lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax +lea 0x1<span class="o">(</span>%rax,%rax,1<span class="o">)</span>,%eax // LEA of %rax * <span class="m">2</span> + <span class="m">1</span> into <span class="nv">$eax</span> jmp 0x5555555557b4 <func4+27> </code></pre> +</div> <p>We can either try to compute the values by hand, or write a simple script in Python to get the answer.</p> @@ -657,57 +710,61 @@ jmp 0x5555555557b4 <func4+27> <p>Okay, so we know that the number needed to be passed to <code>func4</code> is 5. But, what about the second digit?</p> -<p>If we go back to the code for <code><phase_4></code>, we can see that:</p> - -<pre><code> 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) +<p>If we go back to the code for <code><phase_4></code>, we can see that: + <div class="codehilite"> + <pre><span></span><code>0x000055555555581f <+76>: cmpl <span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x0000555555555824 <+81>: je 0x55555555582b <phase_4+88> -</code></pre> + </code></pre> + </div></p> <p>The value at <code>$rsp+8</code> should be equal to 2. So, let us try passing <code>5 2</code> as our input.</p> -<pre><code>... -Phase 1 defused. How about the next one? -That's number 2. Keep going! +<div class="codehilite"> +<pre><span></span><code>... +Phase <span class="m">1</span> defused. How about the next one? +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! Halfway there! -5 2 +<span class="m">5</span> <span class="m">2</span> -Breakpoint 1, 0x00005555555557d3 in phase_4 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x00005555555557d3 <span class="k">in</span> phase_4 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. So you got that one. Try this one. </code></pre> +</div> <h2>Phase 5</h2> -<pre><code>So you got that one. Try this one. -test string +<div class="codehilite"> +<pre><span></span><code>So you got that one. Try this one. +<span class="nb">test</span> string -Breakpoint 1, 0x0000555555555830 in phase_5 () -(gdb) disas phase_5 -Dump of assembler code for function phase_5: -=> 0x0000555555555830 <+0>: endbr64 +Breakpoint <span class="m">1</span>, 0x0000555555555830 <span class="k">in</span> phase_5 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas phase_5 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_5: +<span class="o">=</span>> 0x0000555555555830 <+0>: endbr64 0x0000555555555834 <+4>: push %rbx - 0x0000555555555835 <+5>: sub $0x10,%rsp + 0x0000555555555835 <+5>: sub <span class="nv">$0</span>x10,%rsp 0x0000555555555839 <+9>: mov %rdi,%rbx 0x000055555555583c <+12>: call 0x555555555b10 <string_length> - 0x0000555555555841 <+17>: cmp $0x6,%eax + 0x0000555555555841 <+17>: cmp <span class="nv">$0</span>x6,%eax 0x0000555555555844 <+20>: jne 0x55555555588b <phase_5+91> - 0x0000555555555846 <+22>: mov $0x0,%eax - 0x000055555555584b <+27>: lea 0x199e(%rip),%rcx # 0x5555555571f0 <array.0> - 0x0000555555555852 <+34>: movzbl (%rbx,%rax,1),%edx - 0x0000555555555856 <+38>: and $0xf,%edx - 0x0000555555555859 <+41>: movzbl (%rcx,%rdx,1),%edx - 0x000055555555585d <+45>: mov %dl,0x9(%rsp,%rax,1) - 0x0000555555555861 <+49>: add $0x1,%rax - 0x0000555555555865 <+53>: cmp $0x6,%rax + 0x0000555555555846 <+22>: mov <span class="nv">$0</span>x0,%eax + 0x000055555555584b <+27>: lea 0x199e<span class="o">(</span>%rip<span class="o">)</span>,%rcx <span class="c1"># 0x5555555571f0 <array.0></span> + 0x0000555555555852 <+34>: movzbl <span class="o">(</span>%rbx,%rax,1<span class="o">)</span>,%edx + 0x0000555555555856 <+38>: and <span class="nv">$0</span>xf,%edx + 0x0000555555555859 <+41>: movzbl <span class="o">(</span>%rcx,%rdx,1<span class="o">)</span>,%edx + 0x000055555555585d <+45>: mov %dl,0x9<span class="o">(</span>%rsp,%rax,1<span class="o">)</span> + 0x0000555555555861 <+49>: add <span class="nv">$0</span>x1,%rax + 0x0000555555555865 <+53>: cmp <span class="nv">$0</span>x6,%rax 0x0000555555555869 <+57>: jne 0x555555555852 <phase_5+34> - 0x000055555555586b <+59>: movb $0x0,0xf(%rsp) - 0x0000555555555870 <+64>: lea 0x9(%rsp),%rdi - 0x0000555555555875 <+69>: lea 0x1943(%rip),%rsi # 0x5555555571bf + 0x000055555555586b <+59>: movb <span class="nv">$0</span>x0,0xf<span class="o">(</span>%rsp<span class="o">)</span> + 0x0000555555555870 <+64>: lea 0x9<span class="o">(</span>%rsp<span class="o">)</span>,%rdi + 0x0000555555555875 <+69>: lea 0x1943<span class="o">(</span>%rip<span class="o">)</span>,%rsi <span class="c1"># 0x5555555571bf</span> 0x000055555555587c <+76>: call 0x555555555b31 <strings_not_equal> - 0x0000555555555881 <+81>: test %eax,%eax + 0x0000555555555881 <+81>: <span class="nb">test</span> %eax,%eax 0x0000555555555883 <+83>: jne 0x555555555892 <phase_5+98> - 0x0000555555555885 <+85>: add $0x10,%rsp + 0x0000555555555885 <+85>: add <span class="nv">$0</span>x10,%rsp 0x0000555555555889 <+89>: pop %rbx 0x000055555555588a <+90>: ret 0x000055555555588b <+91>: call 0x555555555d4a <explode_bomb> @@ -715,17 +772,20 @@ Dump of assembler code for function phase_5: 0x0000555555555892 <+98>: call 0x555555555d4a <explode_bomb> 0x0000555555555897 <+103>: jmp 0x555555555885 <phase_5+85> End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> -<pre><code>... +<div class="codehilite"> +<pre><span></span><code>... 0x000055555555583c <+12>: call 0x555555555b10 <string_length> - 0x0000555555555841 <+17>: cmp $0x6,%eax + 0x0000555555555841 <+17>: cmp <span class="nv">$0</span>x6,%eax 0x0000555555555844 <+20>: jne 0x55555555588b <phase_5+91> ... 0x000055555555588b <+91>: call 0x555555555d4a <explode_bomb> ... </code></pre> +</div> <p>First things first, these instructions check to make sure the passed string is of length 6, otherwise <code>explode_bomb</code> is called.</p> @@ -749,12 +809,14 @@ End of assembler dump. <p>We can check the reference string we need, which <code>gdb</code> has marked as <code># 0x5555555571bf</code>, and the lookup table marked as <code># 0x5555555571f0 <array.0></code></p> -<pre><code>(gdb) x/s 0x5555555571bf -0x5555555571bf: "bruins" -(gdb) x/s 0x5555555571f0 -0x5555555571f0 <array.0>: "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?" -(gdb) +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/s 0x5555555571bf +0x5555555571bf: <span class="s2">"bruins"</span> +<span class="o">(</span>gdb<span class="o">)</span> x/s 0x5555555571f0 +0x5555555571f0 <array.0>: <span class="s2">"maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"</span> +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>To summarize the transformation process:</p> @@ -786,115 +848,118 @@ s -> g <p>Let us try out this answer:</p> -<pre><code>... -That's number 2. Keep going! +<div class="codehilite"> +<pre><span></span><code>... +That<span class="err">'</span>s number <span class="m">2</span>. Keep going! Halfway there! So you got that one. Try this one. mfcdhg -Breakpoint 1, 0x0000555555555830 in phase_5 () -(gdb) continue +Breakpoint <span class="m">1</span>, 0x0000555555555830 <span class="k">in</span> phase_5 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> <span class="k">continue</span> Continuing. Good work! On to the next... </code></pre> +</div> <p>Awesome!</p> <h2>Phase 6</h2> -<pre><code>Good work! On to the next... -test string +<div class="codehilite"> +<pre><span></span><code>Good work! On to the next... +<span class="nb">test</span> string -Breakpoint 1, 0x0000555555555899 in phase_6 () -(gdb) disas phase_6 -Dump of assembler code for function phase_6: -=> 0x0000555555555899 <+0>: endbr64 +Breakpoint <span class="m">1</span>, 0x0000555555555899 <span class="k">in</span> phase_6 <span class="o">()</span> +<span class="o">(</span>gdb<span class="o">)</span> disas phase_6 +Dump of assembler code <span class="k">for</span> <span class="k">function</span> phase_6: +<span class="o">=</span>> 0x0000555555555899 <+0>: endbr64 0x000055555555589d <+4>: push %r15 0x000055555555589f <+6>: push %r14 0x00005555555558a1 <+8>: push %r13 0x00005555555558a3 <+10>: push %r12 0x00005555555558a5 <+12>: push %rbp 0x00005555555558a6 <+13>: push %rbx - 0x00005555555558a7 <+14>: sub $0x68,%rsp - 0x00005555555558ab <+18>: lea 0x40(%rsp),%rax + 0x00005555555558a7 <+14>: sub <span class="nv">$0</span>x68,%rsp + 0x00005555555558ab <+18>: lea 0x40<span class="o">(</span>%rsp<span class="o">)</span>,%rax 0x00005555555558b0 <+23>: mov %rax,%r14 - 0x00005555555558b3 <+26>: mov %rax,0x8(%rsp) + 0x00005555555558b3 <+26>: mov %rax,0x8<span class="o">(</span>%rsp<span class="o">)</span> 0x00005555555558b8 <+31>: mov %rax,%rsi 0x00005555555558bb <+34>: call 0x555555555d97 <read_six_numbers> 0x00005555555558c0 <+39>: mov %r14,%r12 - 0x00005555555558c3 <+42>: mov $0x1,%r15d + 0x00005555555558c3 <+42>: mov <span class="nv">$0</span>x1,%r15d 0x00005555555558c9 <+48>: mov %r14,%r13 0x00005555555558cc <+51>: jmp 0x555555555997 <phase_6+254> 0x00005555555558d1 <+56>: call 0x555555555d4a <explode_bomb> 0x00005555555558d6 <+61>: jmp 0x5555555559a9 <phase_6+272> - 0x00005555555558db <+66>: add $0x1,%rbx - 0x00005555555558df <+70>: cmp $0x5,%ebx + 0x00005555555558db <+66>: add <span class="nv">$0</span>x1,%rbx + 0x00005555555558df <+70>: cmp <span class="nv">$0</span>x5,%ebx 0x00005555555558e2 <+73>: jg 0x55555555598f <phase_6+246> - 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax - 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) + 0x00005555555558e8 <+79>: mov 0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax + 0x00005555555558ed <+84>: cmp %eax,0x0<span class="o">(</span>%rbp<span class="o">)</span> 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> 0x00005555555558f2 <+89>: call 0x555555555d4a <explode_bomb> 0x00005555555558f7 <+94>: jmp 0x5555555558db <phase_6+66> - 0x00005555555558f9 <+96>: mov 0x8(%rsp),%rdx - 0x00005555555558fe <+101>: add $0x18,%rdx - 0x0000555555555902 <+105>: mov $0x7,%ecx + 0x00005555555558f9 <+96>: mov 0x8<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x00005555555558fe <+101>: add <span class="nv">$0</span>x18,%rdx + 0x0000555555555902 <+105>: mov <span class="nv">$0</span>x7,%ecx 0x0000555555555907 <+110>: mov %ecx,%eax - 0x0000555555555909 <+112>: sub (%r12),%eax - 0x000055555555590d <+116>: mov %eax,(%r12) - 0x0000555555555911 <+120>: add $0x4,%r12 + 0x0000555555555909 <+112>: sub <span class="o">(</span>%r12<span class="o">)</span>,%eax + 0x000055555555590d <+116>: mov %eax,<span class="o">(</span>%r12<span class="o">)</span> + 0x0000555555555911 <+120>: add <span class="nv">$0</span>x4,%r12 0x0000555555555915 <+124>: cmp %r12,%rdx 0x0000555555555918 <+127>: jne 0x555555555907 <phase_6+110> - 0x000055555555591a <+129>: mov $0x0,%esi - 0x000055555555591f <+134>: mov 0x40(%rsp,%rsi,4),%ecx - 0x0000555555555923 <+138>: mov $0x1,%eax - 0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1> ---Type <RET> for more, q to quit, c to continue without paging-- - 0x000055555555592f <+150>: cmp $0x1,%ecx + 0x000055555555591a <+129>: mov <span class="nv">$0</span>x0,%esi + 0x000055555555591f <+134>: mov 0x40<span class="o">(</span>%rsp,%rsi,4<span class="o">)</span>,%ecx + 0x0000555555555923 <+138>: mov <span class="nv">$0</span>x1,%eax + 0x0000555555555928 <+143>: lea 0x3d01<span class="o">(</span>%rip<span class="o">)</span>,%rdx <span class="c1"># 0x555555559630 <node1></span> +--Type <RET> <span class="k">for</span> more, q to quit, c to <span class="k">continue</span> without paging-- + 0x000055555555592f <+150>: cmp <span class="nv">$0</span>x1,%ecx 0x0000555555555932 <+153>: jle 0x55555555593f <phase_6+166> - 0x0000555555555934 <+155>: mov 0x8(%rdx),%rdx - 0x0000555555555938 <+159>: add $0x1,%eax + 0x0000555555555934 <+155>: mov 0x8<span class="o">(</span>%rdx<span class="o">)</span>,%rdx + 0x0000555555555938 <+159>: add <span class="nv">$0</span>x1,%eax 0x000055555555593b <+162>: cmp %ecx,%eax 0x000055555555593d <+164>: jne 0x555555555934 <phase_6+155> - 0x000055555555593f <+166>: mov %rdx,0x10(%rsp,%rsi,8) - 0x0000555555555944 <+171>: add $0x1,%rsi - 0x0000555555555948 <+175>: cmp $0x6,%rsi + 0x000055555555593f <+166>: mov %rdx,0x10<span class="o">(</span>%rsp,%rsi,8<span class="o">)</span> + 0x0000555555555944 <+171>: add <span class="nv">$0</span>x1,%rsi + 0x0000555555555948 <+175>: cmp <span class="nv">$0</span>x6,%rsi 0x000055555555594c <+179>: jne 0x55555555591f <phase_6+134> - 0x000055555555594e <+181>: mov 0x10(%rsp),%rbx - 0x0000555555555953 <+186>: mov 0x18(%rsp),%rax - 0x0000555555555958 <+191>: mov %rax,0x8(%rbx) - 0x000055555555595c <+195>: mov 0x20(%rsp),%rdx - 0x0000555555555961 <+200>: mov %rdx,0x8(%rax) - 0x0000555555555965 <+204>: mov 0x28(%rsp),%rax - 0x000055555555596a <+209>: mov %rax,0x8(%rdx) - 0x000055555555596e <+213>: mov 0x30(%rsp),%rdx - 0x0000555555555973 <+218>: mov %rdx,0x8(%rax) - 0x0000555555555977 <+222>: mov 0x38(%rsp),%rax - 0x000055555555597c <+227>: mov %rax,0x8(%rdx) - 0x0000555555555980 <+231>: movq $0x0,0x8(%rax) - 0x0000555555555988 <+239>: mov $0x5,%ebp + 0x000055555555594e <+181>: mov 0x10<span class="o">(</span>%rsp<span class="o">)</span>,%rbx + 0x0000555555555953 <+186>: mov 0x18<span class="o">(</span>%rsp<span class="o">)</span>,%rax + 0x0000555555555958 <+191>: mov %rax,0x8<span class="o">(</span>%rbx<span class="o">)</span> + 0x000055555555595c <+195>: mov 0x20<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x0000555555555961 <+200>: mov %rdx,0x8<span class="o">(</span>%rax<span class="o">)</span> + 0x0000555555555965 <+204>: mov 0x28<span class="o">(</span>%rsp<span class="o">)</span>,%rax + 0x000055555555596a <+209>: mov %rax,0x8<span class="o">(</span>%rdx<span class="o">)</span> + 0x000055555555596e <+213>: mov 0x30<span class="o">(</span>%rsp<span class="o">)</span>,%rdx + 0x0000555555555973 <+218>: mov %rdx,0x8<span class="o">(</span>%rax<span class="o">)</span> + 0x0000555555555977 <+222>: mov 0x38<span class="o">(</span>%rsp<span class="o">)</span>,%rax + 0x000055555555597c <+227>: mov %rax,0x8<span class="o">(</span>%rdx<span class="o">)</span> + 0x0000555555555980 <+231>: movq <span class="nv">$0</span>x0,0x8<span class="o">(</span>%rax<span class="o">)</span> + 0x0000555555555988 <+239>: mov <span class="nv">$0</span>x5,%ebp 0x000055555555598d <+244>: jmp 0x5555555559c4 <phase_6+299> - 0x000055555555598f <+246>: add $0x1,%r15 - 0x0000555555555993 <+250>: add $0x4,%r14 + 0x000055555555598f <+246>: add <span class="nv">$0</span>x1,%r15 + 0x0000555555555993 <+250>: add <span class="nv">$0</span>x4,%r14 0x0000555555555997 <+254>: mov %r14,%rbp - 0x000055555555599a <+257>: mov (%r14),%eax - 0x000055555555599d <+260>: sub $0x1,%eax - 0x00005555555559a0 <+263>: cmp $0x5,%eax + 0x000055555555599a <+257>: mov <span class="o">(</span>%r14<span class="o">)</span>,%eax + 0x000055555555599d <+260>: sub <span class="nv">$0</span>x1,%eax + 0x00005555555559a0 <+263>: cmp <span class="nv">$0</span>x5,%eax 0x00005555555559a3 <+266>: ja 0x5555555558d1 <phase_6+56> - 0x00005555555559a9 <+272>: cmp $0x5,%r15d + 0x00005555555559a9 <+272>: cmp <span class="nv">$0</span>x5,%r15d 0x00005555555559ad <+276>: jg 0x5555555558f9 <phase_6+96> 0x00005555555559b3 <+282>: mov %r15,%rbx 0x00005555555559b6 <+285>: jmp 0x5555555558e8 <phase_6+79> - 0x00005555555559bb <+290>: mov 0x8(%rbx),%rbx - 0x00005555555559bf <+294>: sub $0x1,%ebp + 0x00005555555559bb <+290>: mov 0x8<span class="o">(</span>%rbx<span class="o">)</span>,%rbx + 0x00005555555559bf <+294>: sub <span class="nv">$0</span>x1,%ebp 0x00005555555559c2 <+297>: je 0x5555555559d5 <phase_6+316> - 0x00005555555559c4 <+299>: mov 0x8(%rbx),%rax - 0x00005555555559c8 <+303>: mov (%rax),%eax - 0x00005555555559ca <+305>: cmp %eax,(%rbx) ---Type <RET> for more, q to quit, c to continue without paging-- + 0x00005555555559c4 <+299>: mov 0x8<span class="o">(</span>%rbx<span class="o">)</span>,%rax + 0x00005555555559c8 <+303>: mov <span class="o">(</span>%rax<span class="o">)</span>,%eax + 0x00005555555559ca <+305>: cmp %eax,<span class="o">(</span>%rbx<span class="o">)</span> +--Type <RET> <span class="k">for</span> more, q to quit, c to <span class="k">continue</span> without paging-- 0x00005555555559cc <+307>: jge 0x5555555559bb <phase_6+290> 0x00005555555559ce <+309>: call 0x555555555d4a <explode_bomb> 0x00005555555559d3 <+314>: jmp 0x5555555559bb <phase_6+290> - 0x00005555555559d5 <+316>: add $0x68,%rsp + 0x00005555555559d5 <+316>: add <span class="nv">$0</span>x68,%rsp 0x00005555555559d9 <+320>: pop %rbx 0x00005555555559da <+321>: pop %rbp 0x00005555555559db <+322>: pop %r12 @@ -903,19 +968,21 @@ Dump of assembler code for function phase_6: 0x00005555555559e1 <+328>: pop %r15 0x00005555555559e3 <+330>: ret End of assembler dump. -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>Again, we see the familiar <code>read_six_digits</code> function.</p> -<p>Let us analyse this function in chunks:</p> - -<pre><code> 0x00005555555558bb <+34>: call 0x555555555d97 <read_six_numbers> +<p>Let us analyse this function in chunks: + <div class="codehilite"> + <pre><span></span><code>0x00005555555558bb <+34>: call 0x555555555d97 <read<em>six</em>numbers> 0x00005555555558c0 <+39>: mov %r14,%r12 - 0x00005555555558c3 <+42>: mov $0x1,%r15d + 0x00005555555558c3 <+42>: mov <span class="nv">$0</span>x1,%r15d 0x00005555555558c9 <+48>: mov %r14,%r13 0x00005555555558cc <+51>: jmp 0x555555555997 <phase_6+254> -</code></pre> + </code></pre> + </div></p> <ol> <li>Read six numbers</li> @@ -923,18 +990,17 @@ End of assembler dump. 2.1. <code>mov %r14,%r12</code>: <code>%r14</code> should be pointing to the location of the stack where the numbers were read into. This address is copied onto <code>%r12</code> 2.2. <code>mov $0x1,%r15d</code>: The value <code>1</code> is moved into <code>%r15</code> register (probably acting like a counter) 2.3. <code>mov %r14,%r13</code>: The value is also copied to <code>%r13</code></li> -<li>Jump to start of loop:</li> -</ol> +<li><p>Jump to start of loop:</p> -<pre><code> 0x0000555555555997 <+254>: mov %r14,%rbp - 0x000055555555599a <+257>: mov (%r14),%eax - 0x000055555555599d <+260>: sub $0x1,%eax - 0x00005555555559a0 <+263>: cmp $0x5,%eax - 0x00005555555559a3 <+266>: ja 0x5555555558d1 <phase_6+56> +<div class="codehilite"> +<pre><span></span><code>0x0000555555555997 <+254>: mov %r14,%rbp +0x000055555555599a <+257>: mov <span class="o">(</span>%r14<span class="o">)</span>,%eax +0x000055555555599d <+260>: sub <span class="nv">$0</span>x1,%eax +0x00005555555559a0 <+263>: cmp <span class="nv">$0</span>x5,%eax +0x00005555555559a3 <+266>: ja 0x5555555558d1 <phase_6+56> </code></pre> - -<ol> -<li>Initialise register and point to first number in sequence</li> +</div></li> +<li><p>Initialise register and point to first number in sequence</p></li> <li>Adjust number(s): 2.1. <code>mov (%r14),%eax</code> -> load the current number in the sequence 2.2. <code>sub $0x1,%eax</code> -> decrement number by 1</li> @@ -943,36 +1009,40 @@ End of assembler dump. 3.2. <code>ja 0x5555555558d1 <phase_6+56></code>: jump if given value is > 5 or < 0</li> </ol> -<p>=> All numbers should be between 1 and 6.</p> - -<pre><code> 0x00005555555559a9 <+272>: cmp $0x5,%r15d +<p>=> All numbers should be between 1 and 6. + <div class="codehilite"> + <pre><span></span><code>0x00005555555559a9 <+272>: cmp <span class="nv">$0</span>x5,%r15d 0x00005555555559ad <+276>: jg 0x5555555558f9 <phase_6+96> -</code></pre> + </code></pre> + </div></p> -<p>This checks if the value stored in <code>%r15</code> is > 5, if it is then it jumps somewhere else. This validates our assumption that <code>%r15</code> is acting as a counter.</p> - -<pre><code> 0x00005555555559b3 <+282>: mov %r15,%rbx +<p>This checks if the value stored in <code>%r15</code> is > 5, if it is then it jumps somewhere else. This validates our assumption that <code>%r15</code> is acting as a counter. + <div class="codehilite"> + <pre><span></span><code>0x00005555555559b3 <+282>: mov %r15,%rbx 0x00005555555559b6 <+285>: jmp 0x5555555558e8 <phase_6+79> -</code></pre> - -<p>Let us jump to +79</p> - -<pre><code> 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax - 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) - 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> - 0x00005555555558f2 <+89>: call 0x555555555d4a <explode_bomb> + </code></pre> + </div></p> + +<p>Let us jump to +79 + <div class="codehilite"> + <pre><span></span><code>0x00005555555558e8 <+79>: mov 0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax + 0x00005555555558ed <+84>: cmp %eax,0x0<span class="o">(</span>%rbp<span class="o">)</span> + 0x00005555555558f0 <+87>: jne 0x5555555558db <phase<em>6+66> + 0x00005555555558f2 <+89>: call 0x555555555d4a <explode</em>bomb> 0x00005555555558f7 <+94>: jmp 0x5555555558db <phase_6+66> -</code></pre> - -<p>This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique</p> - -<pre><code> 0x00005555555558db <+66>: add $0x1,%rbx // Increments by 1 - 0x00005555555558df <+70>: cmp $0x5,%ebx - 0x00005555555558e2 <+73>: jg 0x55555555598f <phase_6+246> // Jump if > 5 (Loop iterations are complete) - 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax - 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) - 0x00005555555558f0 <+87>: jne 0x5555555558db <phase_6+66> // Again, check if the number being seen is unique -</code></pre> + </code></pre> + </div></p> + +<p>This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique + <div class="codehilite"> + <pre><span></span><code>0x00005555555558db <+66>: add <span class="nv">$0</span>x1,%rbx // Increments by <span class="m">1</span> + 0x00005555555558df <+70>: cmp <span class="nv">$0</span>x5,%ebx + 0x00005555555558e2 <+73>: jg 0x55555555598f <phase<em>6+246> // Jump <span class="k">if</span> > <span class="m">5</span> <span class="o">(</span>Loop iterations are <span class="nb">complete</span><span class="o">)</span> + 0x00005555555558e8 <+79>: mov 0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax + 0x00005555555558ed <+84>: cmp %eax,0x0<span class="o">(</span>%rbp<span class="o">)</span> + 0x00005555555558f0 <+87>: jne 0x5555555558db <phase</em>6+66> // Again, check <span class="k">if</span> the number being seen is unique + </code></pre> + </div></p> <p>Now we know that the numbers are unique, between 1-6 (inclusive).</p> @@ -982,7 +1052,8 @@ End of assembler dump. <p>Let us try to figure out what <code>0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1></code> is:</p> -<pre><code>(gdb) x/30wx 0x555555559630 +<div class="codehilite"> +<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span> x/30wx 0x555555559630 0x555555559630 <node1>: 0x000000d9 0x00000001 0x55559640 0x00005555 0x555555559640 <node2>: 0x000003ab 0x00000002 0x55559650 0x00005555 0x555555559650 <node3>: 0x0000014f 0x00000003 0x55559660 0x00005555 @@ -991,7 +1062,7 @@ End of assembler dump. 0x555555559680 <host_table>: 0x555573f5 0x00005555 0x5555740f 0x00005555 0x555555559690 <host_table+16>: 0x55557429 0x00005555 0x00000000 0x00000000 0x5555555596a0 <host_table+32>: 0x00000000 0x00000000 -(gdb) x/30wx 0x555555559120 +<span class="o">(</span>gdb<span class="o">)</span> x/30wx 0x555555559120 0x555555559120 <node6>: 0x000002da 0x00000006 0x00000000 0x00000000 0x555555559130: 0x00000000 0x00000000 0x00000000 0x00000000 0x555555559140 <userid>: 0x61767861 0x38383535 0x00000000 0x00000000 @@ -1000,8 +1071,9 @@ End of assembler dump. 0x555555559170 <userid+48>: 0x00000000 0x00000000 0x00000000 0x00000000 0x555555559180 <userid+64>: 0x00000000 0x00000000 0x00000000 0x00000000 0x555555559190 <userid+80>: 0x00000000 0x00000000 -(gdb) +<span class="o">(</span>gdb<span class="o">)</span> </code></pre> +</div> <p>It appears that this is a linked list. With roughly the following structure:</p> @@ -1014,7 +1086,48 @@ End of assembler dump. </code></pre> </div> -<p>Let us convert the values into decimal</p> +<p>Let us convert the values into decimal:</p> + +<pre><code>0x000000d9 -> 217 +0x000003ab -> 939 +0x0000014f -> 335 +0x000000a1 -> 161 +0x000001b3 -> 435 +0x000002da -> 730 +</code></pre> + +<p><strong>Missing Notes</strong></p> + +<p>To re-arrange this linked list in descending order, we would arrange it as follows:</p> + +<pre><code>Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4 +</code></pre> + +<p>Since we also need to apply the transformation: <code>7 - x</code>:</p> + +<pre><code>(7-2) -> (7-6) -> ... -> (7-4) +</code></pre> + +<p>Final answer: <code>5 1 2 4 6 3</code></p> + +<p>Let us try the answer:</p> + +<pre><code>... +That's number 2. Keep going! +Halfway there! +So you got that one. Try this one. +Good work! On to the next... +5 1 2 4 6 3 + +Breakpoint 1, 0x0000555555555899 in phase_6 () +(gdb) continue +Continuing. +Congratulations! You've defused the bomb! +Your instructor has been notified and will verify your solution. +[Inferior 1 (process 1754) exited normally] +</code></pre> + +<p>But, what about the secret phase?</p> <blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote> <script data-isso="//comments.navan.dev/" diff --git a/docs/posts/index.html b/docs/posts/index.html index 7a476b7..3a479fa 100644 --- a/docs/posts/index.html +++ b/docs/posts/index.html @@ -62,9 +62,9 @@ <ul> - <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab Phases 1-5</a></li> + <li><a href="/posts/2023-10-04-bomb-lab.html">Bomb Lab</a></li> <ul> - <li>Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2</li> + <li>Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2</li> <li>Published On: 2023-10-04 13:12</li> <li>Tags: |