From f746534e2e15e173f0100dbc6dbd9e428157f0fe Mon Sep 17 00:00:00 2001
From: Navan Chauhan
Date: Wed, 4 Oct 2023 15:54:32 -0600
Subject: added phase 5
---
docs/posts/2023-10-04-bomb-lab.html | 141 ++++++++++++++++++++++++++++++++++--
1 file changed, 133 insertions(+), 8 deletions(-)
(limited to 'docs/posts/2023-10-04-bomb-lab.html')
diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html
index 886c264..28ce317 100644
--- a/docs/posts/2023-10-04-bomb-lab.html
+++ b/docs/posts/2023-10-04-bomb-lab.html
@@ -6,16 +6,16 @@
- Bomb Lab Phases 1-4
+ Bomb Lab Phases 1-5
- - - - - + + + + +
@@ -54,7 +54,7 @@
-

Bomb Lab Phases 1-4

+

Bomb Lab Phases 1-5

Introduction

@@ -645,7 +645,7 @@ jmp 0x5555555557b4 <func4+27> else: return 0
-for x in range(10):
+for x in range(15): # We can limit to 14 if func4(x) == 2: print(f"answer is {x}") break
@@ -675,6 +675,131 @@ Continuing. So you got that one. Try this one. +

Phase 5

+ +
So you got that one.  Try this one.
+test string
+
+Breakpoint 1, 0x0000555555555830 in phase_5 ()
+(gdb) disas phase_5
+Dump of assembler code for function phase_5:
+=> 0x0000555555555830 <+0>:     endbr64 
+   0x0000555555555834 <+4>:     push   %rbx
+   0x0000555555555835 <+5>:     sub    $0x10,%rsp
+   0x0000555555555839 <+9>:     mov    %rdi,%rbx
+   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
+   0x0000555555555841 <+17>:    cmp    $0x6,%eax
+   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
+   0x0000555555555846 <+22>:    mov    $0x0,%eax
+   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
+   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
+   0x0000555555555856 <+38>:    and    $0xf,%edx
+   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
+   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
+   0x0000555555555861 <+49>:    add    $0x1,%rax
+   0x0000555555555865 <+53>:    cmp    $0x6,%rax
+   0x0000555555555869 <+57>:    jne    0x555555555852 <phase_5+34>
+   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
+   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
+   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
+   0x000055555555587c <+76>:    call   0x555555555b31 <strings_not_equal>
+   0x0000555555555881 <+81>:    test   %eax,%eax
+   0x0000555555555883 <+83>:    jne    0x555555555892 <phase_5+98>
+   0x0000555555555885 <+85>:    add    $0x10,%rsp
+   0x0000555555555889 <+89>:    pop    %rbx
+   0x000055555555588a <+90>:    ret    
+   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
+   0x0000555555555890 <+96>:    jmp    0x555555555846 <phase_5+22>
+   0x0000555555555892 <+98>:    call   0x555555555d4a <explode_bomb>
+   0x0000555555555897 <+103>:   jmp    0x555555555885 <phase_5+85>
+End of assembler dump.
+(gdb) 
+
+ +
...
+   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
+   0x0000555555555841 <+17>:    cmp    $0x6,%eax
+   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
+...
+   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
+...
+
+ +

First things first, these instructions check to make sure the passed string is of length 6, otherwise explode_bomb is called.

+ +

We can also see a similar pattern compared to Phase 2, where we had a loop:

+ + + +

We can check the reference string we need, which gdb has marked as # 0x5555555571bf, and the lookup table marked as # 0x5555555571f0 <array.0>

+ +
(gdb) x/s 0x5555555571bf
+0x5555555571bf: "bruins"
+(gdb) x/s 0x5555555571f0
+0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
+(gdb) 
+
+ +

To summarize the transformation process:

+ + + +

Here's how the transformation process can be reversed for each character in "bruins": +1. Find the index of b in the lookup table (in our case, it is 13 since we index starting 0) +2. Calculate binary representation of this index (in our case 13 can be written as 1101 in binary) +3. Find ASCII character whose least significant 4 bits match (in our case, m has binary representation 01101101)

+ +

Repeat for all 6 characters

+ +

Hint: Using an ASCII - Binary Table can save you time.

+ +

Thus, we can have the following transformation:

+ +
b -> m
+r -> f 
+u -> c
+i -> d
+n -> h
+s -> g
+
+ +

Let us try out this answer:

+ +
...
+That's number 2.  Keep going!
+Halfway there!
+So you got that one.  Try this one.
+mfcdhg
+
+Breakpoint 1, 0x0000555555555830 in phase_5 ()
+(gdb) continue
+Continuing.
+Good work!  On to the next...
+
+ +

Awesome!

+ +

Phase 6

+
If you have scrolled this far, consider subscribing to my mailing list here. You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.
-- cgit v1.2.3