1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
|
<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="/assets/main.css" />
<link rel="stylesheet" href="/assets/sakura.css" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Bomb Lab Phases 1-3</title>
<meta name="og:site_name" content="Navan Chauhan" />
<link rel="canonical" href="https://web.navan.dev/" />
<meta name="twitter:url" content="https://web.navan.dev/" />
<meta name="og:url" content="https://web.navan.dev/" />
<meta name="twitter:title" content="Bomb Lab Phases 1-3" />
<meta name="og:title" content="Bomb Lab Phases 1-3" />
<meta name="description" content="Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2" />
<meta name="twitter:description" content="Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2" />
<meta name="og:description" content="Introduction, Phases 1-3 of Bomb Lab for CSCI 2400 Lab - 2" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
<link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
<meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2023-10-04-bomb-lab.png" />
<meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2023-10-04-bomb-lab.png" />
<link rel="manifest" href="manifest.json" />
<meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
<script data-goatcounter="https://navanchauhan.goatcounter.com/count"
async src="//gc.zgo.at/count.js"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.navan.dev/js/plausible.js"></script>
<!-- Begin Inspectlet Asynchronous Code. Only for some testing, will be removed soon -->
<script type="text/javascript">
(function() {
window.__insp = window.__insp || [];
__insp.push(['wid', 1038401947]);
var ldinsp = function(){
if(typeof window.__inspld != "undefined") return; window.__inspld = 1; var insp = document.createElement('script'); insp.type = 'text/javascript'; insp.async = true; insp.id = "inspsync"; insp.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://cdn.inspectlet.com/inspectlet.js?wid=1038401947&r=' + Math.floor(new Date().getTime()/3600000); var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(insp, x); };
setTimeout(ldinsp, 0);
})();
</script>
<!-- End Inspectlet Asynchronous Code -->
</head>
<body>
<nav style="display: block;">
|
<a href="/">home</a> |
<a href="/about/">about/links</a> |
<a href="/posts/">posts</a> |
<a href="/publications/">publications</a> |
<a href="/repo/">iOS repo</a> |
<a href="/feed.rss">RSS Feed</a> |
</nav>
<main>
<h1>Bomb Lab Phases 1-3</h1>
<h2>Introduction</h2>
<p>Lab 2 for CSCI 2400 - Computer Systems. </p>
<p>I like using objdump to disassemble the code and see a broad overview of what is happening. </p>
<p><code>objdump -d bomb > dis.txt</code></p>
<h2>Phase 1</h2>
<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bomb...
Breakpoint 1 at 0x15c7
Breakpoint 2 at 0x1d4a
Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
test string
Breakpoint 1, 0x00005555555555c7 in phase_1 ()
(gdb) dias phase_1
Undefined command: "dias". Try "help".
(gdb) disas phase_1
Dump of assembler code for function phase_1:
=> 0x00005555555555c7 <+0>: endbr64
0x00005555555555cb <+4>: sub $0x8,%rsp
0x00005555555555cf <+8>: lea 0x1b7a(%rip),%rsi # 0x555555557150
0x00005555555555d6 <+15>: call 0x555555555b31 <strings_not_equal>
0x00005555555555db <+20>: test %eax,%eax
0x00005555555555dd <+22>: jne 0x5555555555e4 <phase_1+29>
0x00005555555555df <+24>: add $0x8,%rsp
0x00005555555555e3 <+28>: ret
0x00005555555555e4 <+29>: call 0x555555555d4a <explode_bomb>
0x00005555555555e9 <+34>: jmp 0x5555555555df <phase_1+24>
End of assembler dump.
(gdb) print 0x555555557150
$1 = 93824992244048
(gdb) x/1s 0x555555557150
0x555555557150: "Controlling complexity is the essence of computer programming."
(gdb)
</code></pre>
<h2>Phase 2</h2>
<pre><code>Phase 1 defused. How about the next one?
1 2 3 4 5 6
Breakpoint 1, 0x00005555555555eb in phase_2 ()
(gdb) disas
Dump of assembler code for function phase_2:
=> 0x00005555555555eb <+0>: endbr64
0x00005555555555ef <+4>: push %rbp
0x00005555555555f0 <+5>: push %rbx
0x00005555555555f1 <+6>: sub $0x28,%rsp
0x00005555555555f5 <+10>: mov %rsp,%rsi
0x00005555555555f8 <+13>: call 0x555555555d97 <read_six_numbers>
0x00005555555555fd <+18>: cmpl $0x0,(%rsp)
0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34>
0x0000555555555603 <+24>: mov %rsp,%rbp
0x0000555555555606 <+27>: mov $0x1,%ebx
0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53>
0x000055555555560d <+34>: call 0x555555555d4a <explode_bomb>
0x0000555555555612 <+39>: jmp 0x555555555603 <phase_2+24>
0x0000555555555614 <+41>: add $0x1,%ebx
0x0000555555555617 <+44>: add $0x4,%rbp
0x000055555555561b <+48>: cmp $0x6,%ebx
0x000055555555561e <+51>: je 0x555555555631 <phase_2+70>
0x0000555555555620 <+53>: mov %ebx,%eax
0x0000555555555622 <+55>: add 0x0(%rbp),%eax
0x0000555555555625 <+58>: cmp %eax,0x4(%rbp)
0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41>
0x000055555555562a <+63>: call 0x555555555d4a <explode_bomb>
0x000055555555562f <+68>: jmp 0x555555555614 <phase_2+41>
0x0000555555555631 <+70>: add $0x28,%rsp
0x0000555555555635 <+74>: pop %rbx
0x0000555555555636 <+75>: pop %rbp
0x0000555555555637 <+76>: ret
End of assembler dump.
(gdb)
</code></pre>
<pre><code> 0x00005555555555fd <+18>: cmpl $0x0,(%rsp)
0x0000555555555601 <+22>: js 0x55555555560d <phase_2+34>
...
0x000055555555560d <+34>: call 0x555555555d4a <explode_bomb>
</code></pre>
<p>The program first compares if the first number is not 0. If the number is not 0, then the <code>cmpl</code> instruction returns a negative value. The <code>js</code> instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.</p>
<pre><code> 0x0000555555555603 <+24>: mov %rsp,%rbp
0x0000555555555606 <+27>: mov $0x1,%ebx
</code></pre>
<p><code>%rsp</code> in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (<code>%rsp</code>) contains the address of the first number.</p>
<p>By executing <code>mov %rsp,%rbp</code> we are setting the base pointer (<code>%rbp</code>) to point to this address.</p>
<p>Now, for the second instruction <code>mov $0x1,%ebx</code>, we are initalising the <code>%ebx</code> register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.</p>
<pre><code> 0x000055555555560b <+32>: jmp 0x555555555620 <phase_2+53>
</code></pre>
<p>The program now jumps to <phase_2+53></p>
<pre><code> 0x0000555555555620 <+53>: mov %ebx,%eax
0x0000555555555622 <+55>: add 0x0(%rbp),%eax
0x0000555555555625 <+58>: cmp %eax,0x4(%rbp)
0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41>
</code></pre>
<p>Here, the value from <code>%ebx</code> is copied to the <code>%eax</code> register. For this iteration, the value should be 1.</p>
<p>Then, the value at the memory location pointed by <code>%rbp</code> is added to the value in <code>%eax</code>. For now, 0 is added (the first number that we read).</p>
<p><code>cmp %eax,0x4(%rbp)</code> - The instruction compares the value in %eax to the value at the memory address <code>%rbp + 4</code>. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.</p>
<p><code>je 0x555555555614 <phase_2+41></code> - The program will jump to <code>phase_2+41</code> if the previous <code>cmp</code> instruction determined the values as equal. </p>
<pre><code> 0x0000555555555614 <+41>: add $0x1,%ebx
0x0000555555555617 <+44>: add $0x4,%rbp
0x000055555555561b <+48>: cmp $0x6,%ebx
0x000055555555561e <+51>: je 0x555555555631 <phase_2+70>
0x0000555555555620 <+53>: mov %ebx,%eax
0x0000555555555622 <+55>: add 0x0(%rbp),%eax
0x0000555555555625 <+58>: cmp %eax,0x4(%rbp)
0x0000555555555628 <+61>: je 0x555555555614 <phase_2+41>
</code></pre>
<p>Here, we can see that the program increments <code>%ebx</code> by 1, adds a 4 byte offset to <code>%rbp</code> (the number we will be matching now), and checks if <code>%ebx</code> is equal to 6. If it is, it breaks the loop and jumps to <code><phase_2+70></code> succesfully finishing this stage.</p>
<p>Now, given that we know the first two numbers in the sequence are <code>0 1</code>, we can calculate the other numbers by following the pattern of adding the counter and the value of the previous number.</p>
<p>Thus,</p>
<ul>
<li>3rd number = 1 (previous value) + 2 = 3</li>
<li>4th number = 3 (prev value) + 3 = 6</li>
<li>5th number = 6 (prev value) + 4 = 10</li>
<li>6th number = 10 (prev value) + 5 = 15</li>
</ul>
<pre><code>...
Phase 1 defused. How about the next one?
0 1 3 6 10 15
Breakpoint 1, 0x00005555555555eb in phase_2 ()
(gdb) continue
Continuing.
That's number 2. Keep going!
</code></pre>
<h2>Phase 3</h2>
<p>Let us look at the disassembled code first</p>
<pre><code>0000000000001638 <phase_3>:
1638: f3 0f 1e fa endbr64
163c: 48 83 ec 18 sub $0x18,%rsp
1640: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
1645: 48 8d 54 24 0c lea 0xc(%rsp),%rdx
164a: 4c 8d 44 24 08 lea 0x8(%rsp),%r8
164f: 48 8d 35 60 1b 00 00 lea 0x1b60(%rip),%rsi # 31b6 <_IO_stdin_used+0x1b6>
1656: b8 00 00 00 00 mov $0x0,%eax
165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt>
1660: 83 f8 02 cmp $0x2,%eax
1663: 7e 20 jle 1685 <phase_3+0x4d>
1665: 83 7c 24 0c 07 cmpl $0x7,0xc(%rsp)
166a: 0f 87 0d 01 00 00 ja 177d <phase_3+0x145>
1670: 8b 44 24 0c mov 0xc(%rsp),%eax
1674: 48 8d 15 55 1b 00 00 lea 0x1b55(%rip),%rdx # 31d0 <_IO_stdin_used+0x1d0>
167b: 48 63 04 82 movslq (%rdx,%rax,4),%rax
167f: 48 01 d0 add %rdx,%rax
1682: 3e ff e0 notrack jmp *%rax
1685: e8 c0 06 00 00 call 1d4a <explode_bomb>
168a: eb d9 jmp 1665 <phase_3+0x2d>
168c: b8 63 00 00 00 mov $0x63,%eax
1691: 81 7c 24 08 3d 02 00 cmpl $0x23d,0x8(%rsp)
1698: 00
1699: 0f 84 e8 00 00 00 je 1787 <phase_3+0x14f>
169f: e8 a6 06 00 00 call 1d4a <explode_bomb>
16a4: b8 63 00 00 00 mov $0x63,%eax
16a9: e9 d9 00 00 00 jmp 1787 <phase_3+0x14f>
16ae: b8 61 00 00 00 mov $0x61,%eax
16b3: 81 7c 24 08 27 01 00 cmpl $0x127,0x8(%rsp)
16ba: 00
16bb: 0f 84 c6 00 00 00 je 1787 <phase_3+0x14f>
16c1: e8 84 06 00 00 call 1d4a <explode_bomb>
16c6: b8 61 00 00 00 mov $0x61,%eax
16cb: e9 b7 00 00 00 jmp 1787 <phase_3+0x14f>
16d0: b8 78 00 00 00 mov $0x78,%eax
16d5: 81 7c 24 08 e7 02 00 cmpl $0x2e7,0x8(%rsp)
16dc: 00
16dd: 0f 84 a4 00 00 00 je 1787 <phase_3+0x14f>
16e3: e8 62 06 00 00 call 1d4a <explode_bomb>
16e8: b8 78 00 00 00 mov $0x78,%eax
16ed: e9 95 00 00 00 jmp 1787 <phase_3+0x14f>
16f2: b8 64 00 00 00 mov $0x64,%eax
16f7: 81 7c 24 08 80 02 00 cmpl $0x280,0x8(%rsp)
16fe: 00
16ff: 0f 84 82 00 00 00 je 1787 <phase_3+0x14f>
1705: e8 40 06 00 00 call 1d4a <explode_bomb>
170a: b8 64 00 00 00 mov $0x64,%eax
170f: eb 76 jmp 1787 <phase_3+0x14f>
1711: b8 6d 00 00 00 mov $0x6d,%eax
1716: 81 7c 24 08 ff 02 00 cmpl $0x2ff,0x8(%rsp)
171d: 00
171e: 74 67 je 1787 <phase_3+0x14f>
1720: e8 25 06 00 00 call 1d4a <explode_bomb>
1725: b8 6d 00 00 00 mov $0x6d,%eax
172a: eb 5b jmp 1787 <phase_3+0x14f>
172c: b8 71 00 00 00 mov $0x71,%eax
1731: 81 7c 24 08 75 03 00 cmpl $0x375,0x8(%rsp)
1738: 00
1739: 74 4c je 1787 <phase_3+0x14f>
173b: e8 0a 06 00 00 call 1d4a <explode_bomb>
1740: b8 71 00 00 00 mov $0x71,%eax
1745: eb 40 jmp 1787 <phase_3+0x14f>
1747: b8 79 00 00 00 mov $0x79,%eax
174c: 81 7c 24 08 94 02 00 cmpl $0x294,0x8(%rsp)
1753: 00
1754: 74 31 je 1787 <phase_3+0x14f>
1756: e8 ef 05 00 00 call 1d4a <explode_bomb>
175b: b8 79 00 00 00 mov $0x79,%eax
1760: eb 25 jmp 1787 <phase_3+0x14f>
1762: b8 79 00 00 00 mov $0x79,%eax
1767: 81 7c 24 08 88 02 00 cmpl $0x288,0x8(%rsp)
176e: 00
176f: 74 16 je 1787 <phase_3+0x14f>
1771: e8 d4 05 00 00 call 1d4a <explode_bomb>
1776: b8 79 00 00 00 mov $0x79,%eax
177b: eb 0a jmp 1787 <phase_3+0x14f>
177d: e8 c8 05 00 00 call 1d4a <explode_bomb>
1782: b8 68 00 00 00 mov $0x68,%eax
1787: 38 44 24 07 cmp %al,0x7(%rsp)
178b: 75 05 jne 1792 <phase_3+0x15a>
178d: 48 83 c4 18 add $0x18,%rsp
1791: c3 ret
1792: e8 b3 05 00 00 call 1d4a <explode_bomb>
1797: eb f4 jmp 178d <phase_3+0x155>
</code></pre>
<pre><code>...
165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt>
...
</code></pre>
<p>We can see that <code>scanf</code> is being called which means we need to figure out what datatype(s) the program is expecting.</p>
<p>Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.</p>
<pre><code>jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bomb...
Breakpoint 1 at 0x1638
Breakpoint 2 at 0x1d4a
Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
random string
Breakpoint 1, 0x0000555555555638 in phase_3 ()
(gdb) disas
Dump of assembler code for function phase_3:
=> 0x0000555555555638 <+0>: endbr64
0x000055555555563c <+4>: sub $0x18,%rsp
0x0000555555555640 <+8>: lea 0x7(%rsp),%rcx
0x0000555555555645 <+13>: lea 0xc(%rsp),%rdx
0x000055555555564a <+18>: lea 0x8(%rsp),%r8
0x000055555555564f <+23>: lea 0x1b60(%rip),%rsi # 0x5555555571b6
0x0000555555555656 <+30>: mov $0x0,%eax
0x000055555555565b <+35>: call 0x5555555552e0 <__isoc99_sscanf@plt>
0x0000555555555660 <+40>: cmp $0x2,%eax
0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77>
0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp)
0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325>
0x0000555555555670 <+56>: mov 0xc(%rsp),%eax
0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0
0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax
0x000055555555567f <+71>: add %rdx,%rax
0x0000555555555682 <+74>: notrack jmp *%rax
0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>
0x000055555555568a <+82>: jmp 0x555555555665 <phase_3+45>
0x000055555555568c <+84>: mov $0x63,%eax
0x0000555555555691 <+89>: cmpl $0x23d,0x8(%rsp)
0x0000555555555699 <+97>: je 0x555555555787 <phase_3+335>
0x000055555555569f <+103>: call 0x555555555d4a <explode_bomb>
0x00005555555556a4 <+108>: mov $0x63,%eax
0x00005555555556a9 <+113>: jmp 0x555555555787 <phase_3+335>
--Type <RET> for more, q to quit, c to continue without paging--
</code></pre>
<p><code>gdb</code> has thankfully marked the address which is being passed to <code>scanf</code>. We can access the value:</p>
<pre><code>(gdb) x/1s 0x5555555571b6
0x5555555571b6: "%d %c %d"
(gdb)
</code></pre>
<p>BINGO! The program expects an integer, character, and another integer. Onwards.</p>
<pre><code> 0x0000555555555660 <+40>: cmp $0x2,%eax
0x0000555555555663 <+43>: jle 0x555555555685 <phase_3+77>
...
0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>
</code></pre>
<p>The program checks whether <code>scanf</code> returns a value <= 2, if it does then it calls the <code>explode_bomb</code> function. </p>
<p><em>Note: <code>scanf</code> returns the number of fields that were succesfully converted and assigned</em></p>
<pre><code> 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp)
0x000055555555566a <+50>: ja 0x55555555577d <phase_3+325>
...
0x000055555555577d <+325>: call 0x555555555d4a <explode_bomb>
</code></pre>
<p>Similarly, the program checks and ensures the returned value is not > 7. </p>
<pre><code> 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax
0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0
0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax
0x000055555555567f <+71>: add %rdx,%rax
0x0000555555555682 <+74>: notrack jmp *%rax
0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb>
</code></pre>
<ul>
<li><code>0x0000555555555670 <+56>: mov 0xc(%rsp),%eax</code> - Moves value located at <code>0xc</code> (12 in Decimal) bytes above the stack pointer to <code>%eax</code> register. </li>
<li><code>0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0</code> - This instruction calculates an effective address by adding <code>0x1b55</code> to the current instruction pointer (<code>%rip</code>). The result is stored in the <code>%rdx</code> register. </li>
<li><code>0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax</code>
<ul>
<li><code>movslq</code> stands for "move with sign-extension from a 32-bit value to a 64-bit value." (if the 32-bit value is negative, the 64-bit result will have all its upper 32 bits set to 1; otherwise, they'll be set to 0). </li>
<li><code>(%rdx,%rax,4)</code> - First start with the value in the %rdx register, then add to it the value in the %rax register multiplied by 4.</li>
<li><code>%rax</code> - Destination Register</li>
</ul></li>
<li><code>0x000055555555567f <+71>: add %rdx,%rax</code> - Adds base address in <code>%rdx</code> to the offset in <code>%rax</code> </li>
<li><code>0x0000555555555682 <+74>: notrack jmp *%rax</code> - Jumps to the address stored in <code>%rax</code></li>
<li><code>0x0000555555555685 <+77>: call 0x555555555d4a <explode_bomb></code> - If we are unable to jump to the specified instruction, call <code>explode_bomb</code></li>
</ul>
<p>Let us try to run the program again with a valid input for the first number and see what the program is computing for the address.</p>
<p>I used the input: <code>3 c 123</code>.</p>
<p>To check what is the computed address, we can switch to the asm layout by running <code>layout asm</code>, and then going through instructions <code>ni</code> or <code>si</code> until we reach the line <code>movslq (%rdx,%rax,4),%rax</code></p>
<p><code>%rax</code> should hold the value 3.</p>
<pre><code>(gdb) print $rax
$1 = 3
</code></pre>
<p><img src="/assets/bomb-lab/phase-3.png" alt="Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to" /></p>
<p>We can see that this makes us jump to <code><phase_3+186></code> (Continue to step through the code by using <code>ni</code>)</p>
<pre><code> 0x00005555555556f2 <+186>: mov $0x64,%eax
0x00005555555556f7 <+191>: cmpl $0x280,0x8(%rsp)
0x00005555555556ff <+199>: je 0x555555555787 <phase_3+335>
0x0000555555555705 <+205>: call 0x555555555d4a <explode_bomb>
</code></pre>
<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code><phase_3+335></code>, otherwise <code>explode_bomb</code> is called.</p>
<pre><code> 0x0000555555555787 <+335>: cmp %al,0x7(%rsp)
0x000055555555578b <+339>: jne 0x555555555792 <phase_3+346>
0x000055555555578d <+341>: add $0x18,%rsp
0x0000555555555791 <+345>: ret
0x0000555555555792 <+346>: call 0x555555555d4a <explode_bomb>
</code></pre>
<p>Here, the program is comparing the value of our given character to the value stored in <code>%al</code> (lower 8 bits of <code>EAX</code>), and checks if they are not equal.</p>
<p>Knowing that the character is stored at an offset of 7 bytes to <code>%rsp</code>, we can print and check the value by running:</p>
<pre><code>(gdb) x/1cw $rsp+7
c
(gdb) print $al
$1 = 100
</code></pre>
<p>We can simply lookup the <a rel="noopener" target="_blank" href="https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html">ASCII table</a>, and see that 100 in decimal stands for the character <code>d</code>. Let us try this answer:</p>
<pre><code>...
That's number 2. Keep going!
3 d 640
Breakpoint 1, 0x0000555555555638 in phase_3 ()
(gdb) continue
Continuing.
Halfway there!
</code></pre>
<blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
<script data-isso="//comments.navan.dev/"
src="//comments.navan.dev/js/embed.min.js"></script>
<section id="isso-thread">
<noscript>Javascript needs to be activated to view comments.</noscript>
</section>
</main>
<script src="assets/manup.min.js"></script>
<script src="/pwabuilder-sw-register.js"></script>
</body>
</html>
|
