From f746534e2e15e173f0100dbc6dbd9e428157f0fe Mon Sep 17 00:00:00 2001
From: Navan Chauhan
Date: Wed, 4 Oct 2023 15:54:32 -0600
Subject: added phase 5
---
 docs/feed.rss | 137 +++++++++++++++++++++++++++++++++--
 docs/index.html | 4 +-
 docs/posts/2023-10-04-bomb-lab.html | 141 ++++++++++++++++++++++++++++++++++--
 docs/posts/index.html | 4 +-
 4 files changed, 268 insertions(+), 18 deletions(-)
(limited to 'docs')
diff --git a/docs/feed.rss b/docs/feed.rss
index b212d4e..deeb637 100644
--- a/docs/feed.rss
+++ b/docs/feed.rss
@@ -4,8 +4,8 @@
 Navan's Archive
 Rare Tips, Tricks and Posts
 https://web.navan.dev/en
- Wed, 04 Oct 2023 15:21:02 -0000
- Wed, 04 Oct 2023 15:21:02 -0000
+ Wed, 04 Oct 2023 15:54:23 -0000
+ Wed, 04 Oct 2023 15:54:23 -0000
 250
@@ -3212,14 +3212,14 @@ logger.info("rdkit-{} installation finished!".format(rdkit.__version__))
 https://web.navan.dev/posts/2023-10-04-bomb-lab.html
- Bomb Lab Phases 1-4
+ Bomb Lab Phases 1-5
- Introduction, Phases 1-4 of Bomb Lab for CSCI 2400 Lab - 2
+ Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2
 https://web.navan.dev/posts/2023-10-04-bomb-lab.html
 Wed, 04 Oct 2023 13:12:00 -0000
- Bomb Lab Phases 1-4
+ Bomb Lab Phases 1-5

Introduction

@@ -3810,7 +3810,7 @@ jmp 0x5555555557b4 <func4+27>
 else:
 return 0
-for x in range(10):
+for x in range(15): # We can limit to 14
 if func4(x) == 2:
 print(f"answer is {x}")
 break
@@ -3839,6 +3839,131 @@ Breakpoint 1, 0x00005555555557d3 in phase_4 ()
 Continuing.
 So you got that one. Try this one.
+
+

Phase 5

+ +
So you got that one.  Try this one.
+test string
+
+Breakpoint 1, 0x0000555555555830 in phase_5 ()
+(gdb) disas phase_5
+Dump of assembler code for function phase_5:
+=> 0x0000555555555830 <+0>:     endbr64 
+   0x0000555555555834 <+4>:     push   %rbx
+   0x0000555555555835 <+5>:     sub    $0x10,%rsp
+   0x0000555555555839 <+9>:     mov    %rdi,%rbx
+   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
+   0x0000555555555841 <+17>:    cmp    $0x6,%eax
+   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
+   0x0000555555555846 <+22>:    mov    $0x0,%eax
+   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
+   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
+   0x0000555555555856 <+38>:    and    $0xf,%edx
+   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
+   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
+   0x0000555555555861 <+49>:    add    $0x1,%rax
+   0x0000555555555865 <+53>:    cmp    $0x6,%rax
+   0x0000555555555869 <+57>:    jne    0x555555555852 <phase_5+34>
+   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
+   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
+   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
+   0x000055555555587c <+76>:    call   0x555555555b31 <strings_not_equal>
+   0x0000555555555881 <+81>:    test   %eax,%eax
+   0x0000555555555883 <+83>:    jne    0x555555555892 <phase_5+98>
+   0x0000555555555885 <+85>:    add    $0x10,%rsp
+   0x0000555555555889 <+89>:    pop    %rbx
+   0x000055555555588a <+90>:    ret    
+   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
+   0x0000555555555890 <+96>:    jmp    0x555555555846 <phase_5+22>
+   0x0000555555555892 <+98>:    call   0x555555555d4a <explode_bomb>
+   0x0000555555555897 <+103>:   jmp    0x555555555885 <phase_5+85>
+End of assembler dump.
+(gdb) 
+
+ +
...
+   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
+   0x0000555555555841 <+17>:    cmp    $0x6,%eax
+   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
+...
+   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
+...
+
+ +

First things first, these instructions check to make sure the passed string is of length 6, otherwise explode_bomb is called.

+ +

We can also see a similar pattern compared to Phase 2, where we had a loop:

+ +
    +
  • The looping part: +
      +
    • mov $0x0,%eax - Initialise %eax and set it to 0 (our counter/iterator)
    • +
    • movzbl (%rbx,%rax,1),%edx - Access %rbx + 1 * %rax and store it in %edx
    • +
    • and $0xf,%edx - Take the least significant 4 bits of the byte.
    • +
    • movzbl (%rcx,%rdx,1),%edx - Use the 4 bits as an index into another array and load the corresponding byte into %edx
    • +
    • mov %dl,0x9(%rsp,%rax,1) - Store the transformed byte into a buffer on the stack
    • +
    • add $0x1,%rax - Increment %rax
    • +
    • cmp $0x6,%rax - If the index is not yet 6, loop again
    • +
  • +
  • movb $0x0,0xf(%rsp) - Null-terminate the transformed string
  • +
  • lea 0x9(%rsp),%rdi and lea 0x1943(%rip),%rsi
  • +
  • all 0x555555555b31 <strings_not_equal> check if the two strings loaded up just before this are equal or not.
  • +
+ +

We can check the reference string we need, which gdb has marked as # 0x5555555571bf, and the lookup table marked as # 0x5555555571f0 <array.0>

+ +
(gdb) x/s 0x5555555571bf
+0x5555555571bf: "bruins"
+(gdb) x/s 0x5555555571f0
+0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
+(gdb) 
+
+ +

To summarize the transformation process:

+ +
    +
  • The function takes each byte of the string
  • +
  • It keeps only the least significant 4 bits of each byte
  • +
  • It uses these 4 bits as an index into the lookup table (array.0)
  • +
  • The value from the array is then stored in a buffer
  • +
+ +

Here's how the transformation process can be reversed for each character in "bruins": +1. Find the index of b in the lookup table (in our case, it is 13 since we index starting 0) +2. Calculate binary representation of this index (in our case 13 can be written as 1101 in binary) +3. Find ASCII character whose least significant 4 bits match (in our case, m has binary representation 01101101)

+ +

Repeat for all 6 characters

+ +

Hint: Using an ASCII - Binary Table can save you time.

+ +

Thus, we can have the following transformation:

+ +
b -> m
+r -> f 
+u -> c
+i -> d
+n -> h
+s -> g
+
+ +

Let us try out this answer:

+ +
...
+That's number 2.  Keep going!
+Halfway there!
+So you got that one.  Try this one.
+mfcdhg
+
+Breakpoint 1, 0x0000555555555830 in phase_5 ()
+(gdb) continue
+Continuing.
+Good work!  On to the next...
+
+ +

Awesome!

+ +

Phase 6

]]>
diff --git a/docs/index.html b/docs/index.html
index 1f0b9d2..f743eee 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -59,9 +59,9 @@
    -
  • Bomb Lab Phases 1-4
  • +
  • Bomb Lab Phases 1-5
    • -
    • Introduction, Phases 1-4 of Bomb Lab for CSCI 2400 Lab - 2
    • +
    • Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2
    • Published On: 2023-10-04 13:12
    • Tags:
      diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html
      index 886c264..28ce317 100644
      --- a/docs/posts/2023-10-04-bomb-lab.html
      +++ b/docs/posts/2023-10-04-bomb-lab.html
      @@ -6,16 +6,16 @@
      - Bomb Lab Phases 1-4
      + Bomb Lab Phases 1-5
      -
      -
      -
      -
      -
      +
      +
      +
      +
      +
      @@ -54,7 +54,7 @@
      -

      Bomb Lab Phases 1-4

      +

      Bomb Lab Phases 1-5

      Introduction

      @@ -645,7 +645,7 @@ jmp 0x5555555557b4 <func4+27>
       else:
       return 0
      -for x in range(10):
      +for x in range(15): # We can limit to 14
       if func4(x) == 2:
       print(f"answer is {x}")
       break
      @@ -675,6 +675,131 @@ Continuing.
       So you got that one. Try this one.
      +

      Phase 5

      + +
      So you got that one.  Try this one.
      +test string
      +
      +Breakpoint 1, 0x0000555555555830 in phase_5 ()
      +(gdb) disas phase_5
      +Dump of assembler code for function phase_5:
      +=> 0x0000555555555830 <+0>:     endbr64 
      +   0x0000555555555834 <+4>:     push   %rbx
      +   0x0000555555555835 <+5>:     sub    $0x10,%rsp
      +   0x0000555555555839 <+9>:     mov    %rdi,%rbx
      +   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
      +   0x0000555555555841 <+17>:    cmp    $0x6,%eax
      +   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
      +   0x0000555555555846 <+22>:    mov    $0x0,%eax
      +   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
      +   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
      +   0x0000555555555856 <+38>:    and    $0xf,%edx
      +   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
      +   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
      +   0x0000555555555861 <+49>:    add    $0x1,%rax
      +   0x0000555555555865 <+53>:    cmp    $0x6,%rax
      +   0x0000555555555869 <+57>:    jne    0x555555555852 <phase_5+34>
      +   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
      +   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
      +   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
      +   0x000055555555587c <+76>:    call   0x555555555b31 <strings_not_equal>
      +   0x0000555555555881 <+81>:    test   %eax,%eax
      +   0x0000555555555883 <+83>:    jne    0x555555555892 <phase_5+98>
      +   0x0000555555555885 <+85>:    add    $0x10,%rsp
      +   0x0000555555555889 <+89>:    pop    %rbx
      +   0x000055555555588a <+90>:    ret    
      +   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
      +   0x0000555555555890 <+96>:    jmp    0x555555555846 <phase_5+22>
      +   0x0000555555555892 <+98>:    call   0x555555555d4a <explode_bomb>
      +   0x0000555555555897 <+103>:   jmp    0x555555555885 <phase_5+85>
      +End of assembler dump.
      +(gdb) 
      +
      + +
      ...
      +   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
      +   0x0000555555555841 <+17>:    cmp    $0x6,%eax
      +   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
      +...
      +   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
      +...
      +
      + +

      First things first, these instructions check to make sure the passed string is of length 6, otherwise explode_bomb is called.

      + +

      We can also see a similar pattern compared to Phase 2, where we had a loop:

      + +
        +
      • The looping part: +
          +
        • mov $0x0,%eax - Initialise %eax and set it to 0 (our counter/iterator)
        • +
        • movzbl (%rbx,%rax,1),%edx - Access %rbx + 1 * %rax and store it in %edx
        • +
        • and $0xf,%edx - Take the least significant 4 bits of the byte.
        • +
        • movzbl (%rcx,%rdx,1),%edx - Use the 4 bits as an index into another array and load the corresponding byte into %edx
        • +
        • mov %dl,0x9(%rsp,%rax,1) - Store the transformed byte into a buffer on the stack
        • +
        • add $0x1,%rax - Increment %rax
        • +
        • cmp $0x6,%rax - If the index is not yet 6, loop again
        • +
      • +
      • movb $0x0,0xf(%rsp) - Null-terminate the transformed string
      • +
      • lea 0x9(%rsp),%rdi and lea 0x1943(%rip),%rsi
      • +
      • all 0x555555555b31 <strings_not_equal> check if the two strings loaded up just before this are equal or not.
      • +
      + +

      We can check the reference string we need, which gdb has marked as # 0x5555555571bf, and the lookup table marked as # 0x5555555571f0 <array.0>

      + +
      (gdb) x/s 0x5555555571bf
      +0x5555555571bf: "bruins"
      +(gdb) x/s 0x5555555571f0
      +0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
      +(gdb) 
      +
      + +

      To summarize the transformation process:

      + +
        +
      • The function takes each byte of the string
      • +
      • It keeps only the least significant 4 bits of each byte
      • +
      • It uses these 4 bits as an index into the lookup table (array.0)
      • +
      • The value from the array is then stored in a buffer
      • +
      + +

      Here's how the transformation process can be reversed for each character in "bruins": +1. Find the index of b in the lookup table (in our case, it is 13 since we index starting 0) +2. Calculate binary representation of this index (in our case 13 can be written as 1101 in binary) +3. Find ASCII character whose least significant 4 bits match (in our case, m has binary representation 01101101)

      + +

      Repeat for all 6 characters

      + +

      Hint: Using an ASCII - Binary Table can save you time.

      + +

      Thus, we can have the following transformation:

      + +
      b -> m
      +r -> f 
      +u -> c
      +i -> d
      +n -> h
      +s -> g
      +
      + +

      Let us try out this answer:

      + +
      ...
      +That's number 2.  Keep going!
      +Halfway there!
      +So you got that one.  Try this one.
      +mfcdhg
      +
      +Breakpoint 1, 0x0000555555555830 in phase_5 ()
      +(gdb) continue
      +Continuing.
      +Good work!  On to the next...
      +
      + +

      Awesome!

      + +

      Phase 6

      +
      If you have scrolled this far, consider subscribing to my mailing list here. You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.
      diff --git a/docs/posts/index.html b/docs/posts/index.html index 80c9dac..7a476b7 100644 --- a/docs/posts/index.html +++ b/docs/posts/index.html @@ -62,9 +62,9 @@
        -
      • Bomb Lab Phases 1-4
      • +
      • Bomb Lab Phases 1-5
        • -
        • Introduction, Phases 1-4 of Bomb Lab for CSCI 2400 Lab - 2
        • +
        • Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2
        • Published On: 2023-10-04 13:12
        • Tags:
-- cgit v1.2.3